Re: [ANNOUNCE] New committer and PMC member: Kevin Risden

2018-04-03 Thread Phil Zampino
Congrats!

On Tue, Apr 3, 2018 at 10:39 AM, larry mccay  wrote:

> The Project Management Committee (PMC) for Apache Knox
> has invited Kevin Risden to become a committer and PMC member and
> we are pleased to announce that he has accepted.
>
> Kevin has been a contributor to Apache Knox with LDAP and Solr related
> contributions for a number of years. He has also provided tremendous
> assistance to others within the community on the dev@ and user@ lists.
>
> I am excited to have him on board as a committer and PMC member and look
> forward to his continued contributions to the project and its direction.
>
> Being a committer enables easier contribution to the
> project since there is no need to go via the patch
> submission process. This should enable better productivity.
> Being a PMC member enables assistance with the management
> and to guide the direction of the project.
>


[ANNOUNCE] New committer and PMC member: Kevin Risden

2018-04-03 Thread larry mccay
The Project Management Committee (PMC) for Apache Knox
has invited Kevin Risden to become a committer and PMC member and
we are pleased to announce that he has accepted.

Kevin has been a contributor to Apache Knox with LDAP and Solr related
contributions for a number of years. He has also provided tremendous
assistance to others within the community on the dev@ and user@ lists.

I am excited to have him on board as a committer and PMC member and look
forward to his continued contributions to the project and its direction.

Being a committer enables easier contribution to the
project since there is no need to go via the patch
submission process. This should enable better productivity.
Being a PMC member enables assistance with the management
and to guide the direction of the project.


[jira] [Resolved] (KNOX-2) OAuth Token Endpoint in Knox

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-2?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-2.

Resolution: Fixed

> OAuth Token Endpoint in Knox
>
> Key: KNOX-2
> URL: https://issues.apache.org/jira/browse/KNOX-2
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Affects Versions: 0.2.0
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Labels: OAuth2, REST, SSO, Security
> Fix For: Future
>
> Original Estimate: 168h
> Remaining Estimate: 168h
>
> Provide the ability to service requests for authorization codes and access 
> tokens given some proof of a trusted authentication or a submitted auth code.
> We require a provider filter that complies with the OAuth protocols for these 
> exchanges as well as a pivoting to return the appropriate request code or 
> error status and details.
> To be used in federated identity provider integration and SSO scenarios.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)


[jira] [Resolved] (KNOX-12) Configure aliases for JWT signature verification

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-12?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-12.

Resolution: Fixed

> Configure aliases for JWT signature verification
>
> Key: KNOX-12
> URL: https://issues.apache.org/jira/browse/KNOX-12
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.2.0
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Labels: JWT, Security, Signature
> Fix For: Future
>
> Original Estimate: 24h
> Remaining Estimate: 24h
>
> Currently the signature verification assumes that the cert used is the one 
> that represents the gateway-identity.
> We need to be able to configure the alias of the cert for verification based 
> on the issuer of the JWT.





[jira] [Resolved] (KNOX-6) Validate audience of JWT

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-6?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-6.

Resolution: Fixed

> Validate audience of JWT
>
> Key: KNOX-6
> URL: https://issues.apache.org/jira/browse/KNOX-6
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.2.0
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Labels: JWT, Security
> Fix For: Future
>
>
> Must validate that the audience indicated matches the intended target during 
> JWT validation in JWTFederationFilter.





[jira] [Resolved] (KNOX-288) Separate Topology Files into Topology and Policy

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-288?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-288.

Resolution: Fixed

Addressed by discovery and topology generation framework.

> Separate Topology Files into Topology and Policy
>
> Key: KNOX-288
> URL: https://issues.apache.org/jira/browse/KNOX-288
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.4.0
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: Future
>
>
> Introduce policy as a first class citizen of the gateway rather than 
> configuration of each topology. This will allow for more concise and more 
> easily discovered/discerned topologies while allowing policy to be managed in 
> a single source.





[jira] [Resolved] (KNOX-513) Documentation for Shibboleth Use with Picketlink Federation Provider

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-513?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-513.

Resolution: Won't Fix

> Documentation for Shibboleth Use with Picketlink Federation Provider
>
> Key: KNOX-513
> URL: https://issues.apache.org/jira/browse/KNOX-513
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Site
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: Future
>
>
> Documentation for integrating shibboleth (SAML provider) through the 
> picketlink federation provider will be required. 
> Templates should be added to illustrate the shibboleth and Knox topology 
> configuration that is needed.
> The public key exchange between Knox and Shibboleth servers will need to be 
> documented in detail.





[jira] [Resolved] (KNOX-797) Default Topology Feature Not Working

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-797?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-797.

Resolution: Fixed

This feature was replaced with topology port mapping.

> Default Topology Feature Not Working
>
> Key: KNOX-797
> URL: https://issues.apache.org/jira/browse/KNOX-797
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: Future
>
>
> From Mohammad Islam:
> I set "default.app.topology.name" in gateway-site.xml to "uber" (my default topology name).
> It worked fine if I gave the full URL. The command looks like this: "curl http:///gateway/uber/webhdfs/v1/?op=GETHOMEDIRECTORY'".
>
> However, when I tried the command "curl http:///webhdfs/v1/?op=GETHOMEDIRECTORY'", I got HTTP error code 500. I looked into the gateway.log file and found quite a few errors related to rewrite. The exact error messages are shown below:
> Error message
> {noformat}
> 2016-11-30 00:39:51,565 ERROR hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(169)) - Failed to rewrite URL: 
> http:///webhdfs/v1/?op=GETHOMEDIRECTORY, direction: IN via rule: 
> WEBHDFS/webhdfs/inbound/namenode/root, status: FAILURE
> 2016-11-30 00:39:51,565 ERROR hadoop.gateway 
> (UrlRewriteProcessor.java:rewrite(169)) - Failed to rewrite URL: 
> http:///webhdfs/v1/?op=GETHOMEDIRECTORY, direction: IN via rule: 
> WEBHDFS/webhdfs/inbound/namenode/root, status: FAILURE
> {noformat}
> After that, I modified the webhdfs/2.4.0/rewrite.xml by rewriting the
> following pattern, and it worked for the short URL, but the long URL faces
> the same issue.
> Original: 
> {noformat}
>  pattern="*://*:*/**/webhdfs/{version}/?{**}">
> 
> 
> {noformat}
> Modified :
> {noformat}
>  pattern="*://*:*/webhdfs/{version}/?{**}">
> 
> 
> {noformat}
>   
> Overall, the rewrite pattern may be the issue. We will need to support
> both short and long URLs. Maybe we can add multiple rewrite rules for each
> route in service.xml.
> Is there any other cleaner way which may work for all cases such as webhdfs,
> yarn, hive, UIs etc?





[jira] [Resolved] (KNOX-761) KnoxSSO Needs to Support Multi-tenant Usecases

2018-04-03 Thread Larry McCay (JIRA)

[ https://issues.apache.org/jira/browse/KNOX-761?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Larry McCay resolved KNOX-761.

Resolution: Fixed

This was fixed with pac4j upgrade in 0.14.0.

> KnoxSSO Needs to Support Multi-tenant Usecases
>
> Key: KNOX-761
> URL: https://issues.apache.org/jira/browse/KNOX-761
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: Future
>
>
> In a deployment that separates tenant access to Hadoop resources through 
> dedicated topologies with tenant specific authentication, there are a couple 
> issues:
> * pac4j provider seems to be caching config settings in a singleton which 
> makes the redirect url nondeterministic.
> * knoxsso cookie would be trusted across tenant specific topologies which 
> could lead to unauthorized access to resources that belong to another tenant.
> The use of tenant specific audience claims within the JWT token could be used 
> to mitigate the cross tenant trust issue.
> We need to investigate the pac4j provider issue with the singleton config.





Jenkins build is back to normal : Knox-master-patch-scan #70573

2018-04-03 Thread Apache Jenkins Server
See 




Build failed in Jenkins: Knox-master-patch-scan #70572

2018-04-03 Thread Apache Jenkins Server
See 


--
Started by timer
[EnvInject] - Loading node environment variables.
Building remotely on H4 (Hadoop) in workspace 

 > git rev-parse --is-inside-work-tree # timeout=10
Fetching changes from the remote Git repository
 > git config remote.origin.url https://github.com/apache/knox.git # timeout=10
Fetching upstream changes from https://github.com/apache/knox.git
 > git --version # timeout=10
 > git fetch --tags --progress https://github.com/apache/knox.git +refs/heads/*:refs/remotes/origin/*
 > git rev-parse refs/remotes/origin/master^{commit} # timeout=10
 > git rev-parse refs/remotes/origin/origin/master^{commit} # timeout=10
Checking out Revision 75f1de31248638b2357de365df99ecf0e76c8be1 (refs/remotes/origin/master)
 > git config core.sparsecheckout # timeout=10
 > git checkout -f 75f1de31248638b2357de365df99ecf0e76c8be1
Commit message: "KNOX-1233 - Pac4j dependency causing intermittent compilation errors"
 > git rev-list --no-walk 75f1de31248638b2357de365df99ecf0e76c8be1 # timeout=10
[Knox-master-patch-scan] $ /bin/bash /tmp/jenkins5778292374470148233.sh
curl: (18) transfer closed with outstanding read data remaining
Could not retrieve available patches from JIRA
Build step 'Execute shell' marked build as failure