[
https://issues.apache.org/jira/browse/KNOX-3356?focusedWorklogId=1026006&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1026006
]
ASF GitHub Bot logged work on KNOX-3356:
----------------------------------------
Author: ASF GitHub Bot
Created on: 19/Jun/26 14:04
Start Date: 19/Jun/26 14:04
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #1272:
URL: https://github.com/apache/knox/pull/1272
[KNOX-3356](https://issues.apache.org/jira/browse/KNOX-3356) - Allow
Cloudera Manager service discovery over cleartext HTTP
## What changes were proposed in this pull request?
When Knox is configured with TLS but the target Cloudera Manager server is
not, CM service discovery fails with:
```
com.cloudera.api.swagger.client.ApiException:
java.net.UnknownServiceException: CLEARTEXT communication not enabled for client
```
The root cause is in `DiscoveryApiClient.configureSsl()`: it unconditionally
replaced the OkHttp client's `connectionSpecs` with a single TLS-only spec
(`ConnectionSpec.MODERN_TLS`), regardless of the discovery address scheme.
OkHttp matches the request URL's scheme against the allowed connection specs,
so an `http://` discovery address with no `CLEARTEXT` spec is rejected before
any request is sent.
This PR makes TLS configuration conditional on the discovery address
actually being HTTPS:
- Added an `isSecure()` helper that checks whether the configured base
path starts with `https:`.
- `configureSsl()` now returns early (with a DEBUG log) for cleartext
addresses, leaving OkHttp's default connection specs, which include
`CLEARTEXT`, in place.
- Added the `skippingSslConfigurationForCleartextAddress` discovery
message.
Behavior for HTTPS discovery addresses is unchanged.
## How was this patch tested?
Automated unit tests in `ClouderaManagerServiceDiscoveryTest`:
- Corrected
`testApiClientInterceptorsWhenKerberosIsDisabledAndPasswordIsNotSet` to use an
HTTPS discovery address (it previously used an HTTP address while
asserting a TLS-only spec,
i.e. it asserted the buggy behavior); it still verifies the configured
cipher/protocol are
applied on the HTTPS path.
- Added `testApiClientAllowsCleartextForHttpDiscoveryAddress`, which uses
an `http://` address
and asserts the client retains a `CLEARTEXT`-capable connection spec.
Both tests pass: `Tests run: 2, Failures: 0, Errors: 0, Skipped: 0`.
## Integration Tests
N/A
## UI changes
N/A
Issue Time Tracking
-------------------
Worklog Id: (was: 1026006)
Remaining Estimate: 0h
Time Spent: 10m
> CM service discovery won't work if CM server started without TLS
> ----------------------------------------------------------------
>
> Key: KNOX-3356
> URL: https://issues.apache.org/jira/browse/KNOX-3356
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> DiscoveryApiClient.configureSsl() unconditionally replaces the OkHttp
> client's connectionSpecs with a single TLS-only spec
> (ConnectionSpec.MODERN_TLS)
> {{OkHttp}} matches the request URL's scheme against the allowed connection
> specs. When the CM discovery address is http:// (CM TLS not enabled), there's
> no ConnectionSpec.CLEARTEXT in the list, so {{OkHttp}} refuses the connection
> with exactly:
> {noformat}
> java.net.UnknownServiceException: CLEARTEXT communication not enabled for
> client{noformat}
> Knox running TLS for its own gateway is unrelated — this is purely the
> _outbound_ discovery client being locked to TLS regardless of the target
> address.
> We need to fix this issue in a way such that the current HTTPS configuration
> remains untouched, and for non-TLS connections the SSL configuration should
> be skipped.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
