[jira] [Work logged] (KNOX-2948) Make encryptquerystring provision optional

Fri, 08 Sep 2023 12:33:04 -0700 


     [ 
https://issues.apache.org/jira/browse/KNOX-2948?focusedWorklogId=879585&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-879585
 ]

ASF GitHub Bot logged work on KNOX-2948:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 08/Sep/23 19:32
            Start Date: 08/Sep/23 19:32
    Worklog Time Spent: 10m 
      Work Description: smolnar82 commented on code in PR #793:
URL: https://github.com/apache/knox/pull/793#discussion_r1320260099


##########
gateway-topology-hadoop-xml/src/main/java/org/apache/knox/gateway/topology/hadoop/xml/HadoopXmlResourceParser.java:
##########
@@ -266,6 +267,8 @@ private SimpleDescriptor parseXmlDescriptor(String name, 
String xmlValue) {
         case CONFIG_NAME_PROVIDER_CONFIG_REFERENCE:
           descriptor.setProviderConfig(parameterPairParts[1].trim());
           break;
+        case CONFIG_NAME_PROVISION_ENCRYPT_QUERY_STRING_CREDENTIAL:
+          
descriptor.setProvisionEncryptQueryStringCredential(Boolean.valueOf(parameterPairParts[1].trim()));

Review Comment:
   Indeed; nice catch @zeroflag !
   I submitted a new PS.





Issue Time Tracking
-------------------

    Worklog Id:     (was: 879585)
    Time Spent: 50m  (was: 40m)

> Make encryptquerystring provision optional
> ------------------------------------------
>
>                 Key: KNOX-2948
>                 URL: https://issues.apache.org/jira/browse/KNOX-2948
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 
> 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given 
> topology's credential store when processing the descriptor.
> The problem with this approach is, that, in some cases, it may happen that 
> 3rd party deployment tools (such as Cloudera Manager) persists that secret in 
> a separate phase and
>  * this makes the Knox call redundant
>  * Knox will override the previously saved value silently
> Proposal:
>  - introduce a new descriptor-level property called 
> {{provision-encrypt-query-string-credential}} (defaults to {{true}}) which 
> controls this behavior
>  - if the descriptor is configured with 
> {{provisionEncryptQueryStringCredential = false}}, no credential store 
> operation should be done to save that alias.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

Reply via email to