[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772542#comment-16772542 ] Krishna Pandey commented on KNOX-1779: -- [~krisden] I intend to provide a patch shortly. > Add HTTP X-XSS-Protection response header support for WebAppSec Provider > > > Key: KNOX-1779 > URL: https://issues.apache.org/jira/browse/KNOX-1779 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.2.0 >Reporter: Krishna Pandey >Assignee: Krishna Pandey >Priority: Critical > Labels: security > Fix For: 1.3.0 > > Original Estimate: 168h > Remaining Estimate: 168h > > Support to add X-XSS-Protection HTTP response header in Knox's WebAppSec > Provider enabling modern web browsers to detect and thwart Cross-site > Scripting (XSS) attacks. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772464#comment-16772464 ] Larry McCay commented on KNOX-1765:

However, while we wouldn't want to make this a change in the core Knox idea of the impersonated identity, you can likely do exactly what you want with one of the existing identity assertion providers. For instance, there is a Concat identity assertion provider [1] that allows you to concatenate a string to the end of the asserted identity. There is also a Regular Expression identity assertion provider [2] which allows you to get more creative.

Since an authenticated user in a given topology could be represented as being from any realm, it would be perfectly reasonable to just dedicate a topology to such a realm name. If you would rather have a more complex mechanism that derives the realm from the server, you could always implement your own identity assertion provider - very easy. Such a provider may make sense to contribute back even.

The ability to affect the asserted identity within those providers is exactly what that type of provider was added for. Making any fundamental change to the core notion of the identity would then affect how identity assertion providers work, which would be a bad idea. For instance, adding a realm to a username before some provider does its job on the principal on the way through may lead to unexpected results.

[1] http://knox.apache.org/books/knox-1-2-0/user-guide.html#Concat+Identity+Assertion+Provider
[2] http://knox.apache.org/books/knox-1-2-0/user-guide.html#Regular+Expression+Identity+Assertion+Provider

> option to append @realm to usernames
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Assignee: Larry McCay
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, the @realm part is mandatory.
>
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on the Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
>
> rules application starts down below on line 383
>
> so it never reaches the rules transformations loop if realm is empty.
[jira] [Assigned] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Larry McCay reassigned KNOX-1765: - Assignee: Larry McCay > option to append @realm to usernames > > > Key: KNOX-1765 > URL: https://issues.apache.org/jira/browse/KNOX-1765 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.1.0, 1.2.0 >Reporter: Ruslan Dautkhanov >Assignee: Larry McCay >Priority: Critical > > We'd like Hadoop to map user names to short names. > > For auth_to_local to work, @realm part is mandatory. > > For example, Apache Knox if authenticates users using LDAP, > and then sends requests over to Livy, doesn't append realm. > > It seems we could duplicate rules from Hadoop's auth_to_local > using `livy.server.auth.kerberos.name_rules` but it doesn't work > for the same reason on Livy side. > Spin-off from https://issues.apache.org/jira/browse/LIVY-548 > as it seems Knox is the right place for this fix (as other endpoints like > HDFS, Hive access would need similar mappings). > Hadoop code says opposite - there is an explicit check - if > realm is empty, auth_to_local rules are not applied > > [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376] > > rules application starts down below on line 383 > > so it never reaches rules transformations loop if realm is empty. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772433#comment-16772433 ] Larry McCay commented on KNOX-1765:

I don't believe this is something that we can/should do. Hadoop auth_to_local rules are distinct from those for C/kerberos and have never been part of the doas/impersonation model used by trusted proxies in Hadoop.

Just for some more clarity, you are talking about adding an @realm to the doAs user? Such that the realm would be the kerberos realm for the Knox instance in a secure deployment. If that is the case, that seems like a pretty unnatural representation of the user principal considering that one of the primary reasons to use impersonation is to not use kerberos and the user may not be in the kerberos realm/KDC.

Moreover, there are a number of applications/components across the Hadoop ecosystem that implement doas/impersonation on their own and there will not be consistent support for this change in principal propagation.

This seems like a non-starter to me.

> option to append @realm to usernames
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, the @realm part is mandatory.
>
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on the Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
>
> rules application starts down below on line 383
>
> so it never reaches the rules transformations loop if realm is empty.
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772402#comment-16772402 ] Ruslan Dautkhanov commented on KNOX-1765:

also pasting my findings I shared in the Livy user list and in LIVY-548

{panel}
Hadoop code has an explicit check - if realm is empty, auth_to_local rules are not applied
https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
rules application starts down below on line 383
so it never reaches the rules transformations loop if realm is empty.

We can argue that this might be a Hadoop bug, as the Kerberos C library states an empty realm is possible
https://github.com/krb5/krb5/blob/krb5-1.17-final/src/lib/krb5/os/localauth_rule.c#L38
Although in the same place it says it can be dangerous -
{quote}which can be *dangerous in multi-realm environments*, but is our historical behavior{quote}

So we can now say that "bug" is actually a security feature and Hadoop's auth_to_local implementation left this "historical behavior" out for a good reason.

I think the only way to enable auth_to_local for proxy authentication like in the Livy case is to have a config setting in Livy to append a realm, like explained in https://issues.apache.org/jira/browse/LIVY-548

Thank you,
Ruslan
{panel}

> option to append @realm to usernames
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, the @realm part is mandatory.
>
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on the Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
>
> rules application starts down below on line 383
>
> so it never reaches the rules transformations loop if realm is empty.
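The behaviour both of the comments above turn on (Hadoop returning a realm-less name untouched before its auth_to_local loop, and the rules only becoming reachable once something like the Concat identity assertion provider appends a realm) is easy to see in a small model. The Python below is an added example written for this page, not code from Apache Knox, Hadoop or Livy: it reimplements the subset of Hadoop's KerberosName rule grammar used here (DEFAULT, and RULE:[n:format](regex)s/from/to/[g]) with Python regex semantics for the substitution, and the realm names, rule set and user names are constructed for illustration.

```python
import re


class NoMatchingRule(Exception):
    """No auth_to_local rule accepted the principal (same name as Hadoop's exception)."""


# Hadoop principal syntax: primary[/instance]@REALM.  Anything that does not fit is
# treated as an already-short name with no realm, which is exactly what a doAs
# user asserted by a trusted proxy such as Knox looks like ("ruslan", not
# "ruslan@REALM").
_PRINCIPAL_RE = re.compile(r"^([^/@]*)(?:/([^/@]*))?@([^/@]*)$")

# Supported subset of the rule grammar: DEFAULT, or RULE:[n:format](regex)s/from/to/[g]
_RULE_RE = re.compile(
    r"^RULE:\[(?P<n>\d+):(?P<fmt>[^\]]+)\]"
    r"(?:\((?P<match>[^)]*)\))?"
    r"(?:s/(?P<from>[^/]*)/(?P<to>[^/]*)/(?P<g>g?))?$"
)

# Hadoop rejects a mapped name that still contains '/' or '@'.
_NON_SIMPLE_RE = re.compile(r"[/@]")


def parse_principal(name):
    """Return (primary, instance, realm); instance and realm are None when absent."""
    m = _PRINCIPAL_RE.match(name)
    if not m:
        return name, None, None
    return m.group(1), m.group(2), m.group(3)


class Rule:
    def __init__(self, text):
        text = text.strip()
        self.is_default = text == "DEFAULT"
        if self.is_default:
            return
        m = _RULE_RE.match(text)
        if not m:
            raise ValueError("unsupported rule syntax: " + text)
        self.num_components = int(m.group("n"))
        self.fmt = m.group("fmt")
        self.match = re.compile(m.group("match")) if m.group("match") is not None else None
        self.from_pat = re.compile(m.group("from")) if m.group("from") is not None else None
        self.to = m.group("to") or ""
        self.repeat = m.group("g") == "g"

    def apply(self, params, default_realm):
        """params[0] is the realm, params[1:] the principal components."""
        if self.is_default:
            # DEFAULT only maps principals from the cluster's own realm.
            return params[1] if params[0] == default_realm else None
        if len(params) - 1 != self.num_components:
            return None
        base = self.fmt
        for i, p in enumerate(params):          # $0 = realm, $1 = primary, $2 = instance
            base = base.replace("$%d" % i, p)
        if self.match is not None and not self.match.fullmatch(base):
            return None
        if self.from_pat is None:
            result = base
        else:
            result = self.from_pat.sub(self.to, base, count=0 if self.repeat else 1)
        if _NON_SIMPLE_RE.search(result):
            raise NoMatchingRule("non-simple name %r after rule" % result)
        return result


def get_short_name(principal, rules, default_realm):
    primary, instance, realm = parse_principal(principal)
    if instance is None:
        if realm is None:
            # The check the ticket points at: with no realm the name is returned
            # as-is and the rules loop below is never reached.
            return primary
        params = [realm, primary]
    else:
        params = [realm, primary, instance]
    for rule in rules:
        result = rule.apply(params, default_realm)
        if result is not None:
            return result
    raise NoMatchingRule("no rules applied to " + principal)


# Constructed realms and rule set for the demonstration (not a real deployment).
DEFAULT_REALM = "EXAMPLE.COM"
RULES = [Rule(r) for r in (
    r"RULE:[1:$1@$0](.*@CORP\.EXAMPLE\.COM)s/@.*//",  # strip the corporate realm
    r"RULE:[2:$1@$0](nn@.*EXAMPLE\.COM)s/.*/hdfs/",   # namenode service principal -> hdfs
    "DEFAULT",
)]


def demo():
    """Compare what a proxy-asserted name and a realm-qualified name map to."""
    return {
        # doAs user as Knox sends it today: the rules are skipped entirely.
        "doas_no_realm": get_short_name("ruslan", RULES, DEFAULT_REALM),
        # Same user with a realm appended (what a Concat suffix would produce):
        # the corporate-realm rule now runs and strips it again.
        "with_realm": get_short_name("ruslan@CORP.EXAMPLE.COM", RULES, DEFAULT_REALM),
        "default_realm": get_short_name("alice@EXAMPLE.COM", RULES, DEFAULT_REALM),
        "service": get_short_name("nn/host1.example.com@EXAMPLE.COM", RULES, DEFAULT_REALM),
    }
```

Running `demo()` gives `ruslan` for both the bare and the realm-qualified name, but by different paths: the first never consults a rule, the second is accepted by the corporate-realm rule. A principal from a realm the rules do not know about, such as `mallory@OTHER.REALM`, raises NoMatchingRule instead of being silently shortened; that is the information a bare doAs name cannot carry, and why appending one fixed realm to every asserted identity deserves care in a multi-realm environment.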
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772396#comment-16772396 ] Ruslan Dautkhanov commented on KNOX-1765:

Thanks Kevin. Sure, I will post it in the Knox user email list. Although I am pretty sure there is no workaround for this, unfortunately.

This has also been discussed with IBM developers of their Data Science Experience product that we're using. DSX has Knox bundled in. That's where we're running into this issue. This is the internal IBM issue for this - https://github.ibm.com/PrivateCloud/dsx-integration/issues/1381

Neither the IBM Support nor the Development teams have a good solution for this. Cloudera support doesn't ship / support Knox so we're on our own for this issue and that's why I opened this issue. [~jesus.alv] from IBM can probably chime in here too.

> option to append @realm to usernames
>
> Key: KNOX-1765
> URL: https://issues.apache.org/jira/browse/KNOX-1765
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0, 1.2.0
> Reporter: Ruslan Dautkhanov
> Priority: Critical
>
> We'd like Hadoop to map user names to short names.
>
> For auth_to_local to work, the @realm part is mandatory.
>
> For example, if Apache Knox authenticates users using LDAP
> and then sends requests over to Livy, it doesn't append the realm.
>
> It seems we could duplicate rules from Hadoop's auth_to_local
> using `livy.server.auth.kerberos.name_rules` but it doesn't work
> for the same reason on the Livy side.
> Spin-off from https://issues.apache.org/jira/browse/LIVY-548
> as it seems Knox is the right place for this fix (as other endpoints like
> HDFS, Hive access would need similar mappings).
> Hadoop code says the opposite - there is an explicit check - if
> realm is empty, auth_to_local rules are not applied
>
> https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376
>
> rules application starts down below on line 383
>
> so it never reaches the rules transformations loop if realm is empty.
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772382#comment-16772382 ] Kevin Risden commented on KNOX-1765: Linking to mailing list post that hasn't been linked: http://mail-archives.apache.org/mod_mbox/livy-user/201901.mbox/%3CCACdThQ2rD07K1gpYNXHKczavNXdLhjieZy0SHY%2BM3VN8pZWyqQ%40mail.gmail.com%3E > option to append @realm to usernames > > > Key: KNOX-1765 > URL: https://issues.apache.org/jira/browse/KNOX-1765 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.1.0, 1.2.0 >Reporter: Ruslan Dautkhanov >Priority: Critical > > We'd like Hadoop to map user names to short names. > > For auth_to_local to work, @realm part is mandatory. > > For example, Apache Knox if authenticates users using LDAP, > and then sends requests over to Livy, doesn't append realm. > > It seems we could duplicate rules from Hadoop's auth_to_local > using `livy.server.auth.kerberos.name_rules` but it doesn't work > for the same reason on Livy side. > Spin-off from https://issues.apache.org/jira/browse/LIVY-548 > as it seems Knox is the right place for this fix (as other endpoints like > HDFS, Hive access would need similar mappings). > Hadoop code says opposite - there is an explicit check - if > realm is empty, auth_to_local rules are not applied > > [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376] > > rules application starts down below on line 383 > > so it never reaches rules transformations loop if realm is empty. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1606) Supporting information from Apache Flink UI
[ https://issues.apache.org/jira/browse/KNOX-1606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772379#comment-16772379 ] Kevin Risden commented on KNOX-1606: [~adrian-wang] - Are you planning to provide a patch for this? If you have been working on this, it would be good to understand where you are at with this.

> Supporting information from Apache Flink UI
>
> Key: KNOX-1606
> URL: https://issues.apache.org/jira/browse/KNOX-1606
> Project: Apache Knox
> Issue Type: Wish
> Components: Server
> Reporter: Adrian Wang
> Priority: Major
>
> Currently accessing Flink UI through Knox is not fully supported.
[jira] [Commented] (KNOX-1743) [Yarn UI Service] "Tracking UI" History link is broken
[ https://issues.apache.org/jira/browse/KNOX-1743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772377#comment-16772377 ] Kevin Risden commented on KNOX-1743: [~ncolomer] - It looks like this is against EMR? Did you deploy Knox 1.2.0 yourself?

> [Yarn UI Service] "Tracking UI" History link is broken
>
> Key: KNOX-1743
> URL: https://issues.apache.org/jira/browse/KNOX-1743
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 1.2.0
> Reporter: Nicolas Colomer
> Priority: Minor
> Attachments: image-2019-01-22-12-58-43-987.png, image-2019-01-22-13-11-07-837.png
>
> The "Tracking UI" History link from the Yarn UI Service points to
> {noformat}
> https://knox/gateway/cluster/yarn/proxy/{application id}
> {noformat}
> But clicking the link leads to an HTTP 404 error.
> !image-2019-01-22-13-11-07-837.png!
> I traced the redirections (spaghetti) while simulating a click on the same
> link from a non-proxified Yarn UI. Here are the curl debug logs:
> {code:java}
> $ curl -vL --proxy socks5h://localhost:8157 http://emr-master-hostname:20888/proxy/application_1547901173230_0014/
> * Trying ::1...
> * TCP_NODELAY set
> * SOCKS5 communication to emr-master-hostname:20888
> * SOCKS5 request granted.
> * Connected to localhost (::1) port 8157 (#0)
> > GET /proxy/application_1547901173230_0014/ HTTP/1.1
> > Host: emr-master-hostname:20888
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Cache-Control: no-cache
> < Expires: Sat, 19 Jan 2019 17:31:18 GMT
> < Date: Sat, 19 Jan 2019 17:31:18 GMT
> < Pragma: no-cache
> < Expires: Sat, 19 Jan 2019 17:31:18 GMT
> < Date: Sat, 19 Jan 2019 17:31:18 GMT
> < Pragma: no-cache
> < Content-Type: text/html; charset=utf-8
> < Location: http://emr-master-hostname:18080/history/application_1547901173230_0014/1
> < Content-Length: 288
> <
> * Ignoring the response-body
> * Connection #0 to host localhost left intact
> * Issue another request to this URL: 'http://emr-master-hostname:18080/history/application_1547901173230_0014/1'
> * Found bundle for host emr-master-hostname: 0x7f8f7b510780 [can pipeline]
> * Hostname localhost was found in DNS cache
> * Trying ::1...
> * TCP_NODELAY set
> * SOCKS5 communication to emr-master-hostname:18080
> * SOCKS5 request granted.
> * Connected to localhost (::1) port 8157 (#1)
> > GET /history/application_1547901173230_0014/1 HTTP/1.1
> > Host: emr-master-hostname:18080
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Date: Sat, 19 Jan 2019 17:31:18 GMT
> < Location: http://emr-master-hostname:18080/history/application_1547901173230_0014/1/
> < Content-Length: 0
> < Server: Jetty(9.3.z-SNAPSHOT)
> <
> * Connection #1 to host localhost left intact
> * Issue another request to this URL: 'http://emr-master-hostname:18080/history/application_1547901173230_0014/1/'
> * Found bundle for host emr-master-hostname: 0x7f8f7b510780 [can pipeline]
> * Re-using existing connection! (#1) with proxy localhost
> * Connected to localhost (::1) port 8157 (#1)
> > GET /history/application_1547901173230_0014/1/ HTTP/1.1
> > Host: emr-master-hostname:18080
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 302 Found
> < Date: Sat, 19 Jan 2019 17:31:18 GMT
> < Location: http://emr-master-hostname:18080/history/application_1547901173230_0014/1/jobs/
> < Content-Length: 0
> < Server: Jetty(9.3.z-SNAPSHOT)
> <
> * Connection #1 to host localhost left intact
> * Issue another request to this URL: 'http://emr-master-hostname:18080/history/application_1547901173230_0014/1/jobs/'
> * Found bundle for host emr-master-hostname: 0x7f8f7b510780 [can pipeline]
> * Re-using existing connection! (#1) with proxy localhost
> * Connected to localhost (::1) port 8157 (#1)
> > GET /history/application_1547901173230_0014/1/jobs/ HTTP/1.1
> > Host: emr-master-hostname:18080
> > User-Agent: curl/7.54.0
> > Accept: */*
> >
> < HTTP/1.1 200 OK
> < Date: Sat, 19 Jan 2019 17:31:18 GMT
> < Content-Type: text/html;charset=utf-8
> < Cache-Control: no-cache, no-store, must-revalidate
> < X-Frame-Options: SAMEORIGIN
> < X-XSS-Protection: 1; mode=block
> < X-Content-Type-Options: nosniff
> < Content-Length: 28376
> < Server: Jetty(9.3.z-SNAPSHOT)
> <
> {code}
> I guess adding some voodoo in the Knox yarnui's
> rewrite.xml (https://github.com/apache/knox/blob/master/gateway-service-definitions/src/main/resources/services/yarnui/2.7.0/rewrite.xml)
> file might be enough to fix this.
[jira] [Commented] (KNOX-1765) option to append @realm to usernames
[ https://issues.apache.org/jira/browse/KNOX-1765?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772375#comment-16772375 ] Kevin Risden commented on KNOX-1765: [~Tagar] - Please email the Knox user mailing list to see if this is something other users have run across. [https://knox.apache.org/mailing-lists.html] I have never seen this be a requirement across a lot of different environments. > option to append @realm to usernames > > > Key: KNOX-1765 > URL: https://issues.apache.org/jira/browse/KNOX-1765 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.1.0, 1.2.0 >Reporter: Ruslan Dautkhanov >Priority: Critical > > We'd like Hadoop to map user names to short names. > > For auth_to_local to work, @realm part is mandatory. > > For example, Apache Knox if authenticates users using LDAP, > and then sends requests over to Livy, doesn't append realm. > > It seems we could duplicate rules from Hadoop's auth_to_local > using `livy.server.auth.kerberos.name_rules` but it doesn't work > for the same reason on Livy side. > Spin-off from https://issues.apache.org/jira/browse/LIVY-548 > as it seems Knox is the right place for this fix (as other endpoints like > HDFS, Hive access would need similar mappings). > Hadoop code says opposite - there is an explicit check - if > realm is empty, auth_to_local rules are not applied > > [https://github.com/apache/hadoop/blob/release-2.7.1/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/util/KerberosName.java#L376] > > rules application starts down below on line 383 > > so it never reaches rules transformations loop if realm is empty. > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772372#comment-16772372 ] Kevin Risden commented on KNOX-1779: [~kpandey] - Thanks for this ticket. I see you have assigned it to yourself. Are you planning to provide a patch for this? > Add HTTP X-XSS-Protection response header support for WebAppSec Provider > > > Key: KNOX-1779 > URL: https://issues.apache.org/jira/browse/KNOX-1779 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.2.0 >Reporter: Krishna Pandey >Assignee: Krishna Pandey >Priority: Critical > Labels: security > Fix For: 1.3.0 > > Original Estimate: 168h > Remaining Estimate: 168h > > Support to add X-XSS-Protection HTTP response header in Knox's WebAppSec > Provider enabling modern web browsers to detect and thwart Cross-site > Scripting (XSS) attacks. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772370#comment-16772370 ] Kevin Risden commented on KNOX-1783: Sounds good. Please feel free to ask questions on the user mailing list and someone should be able to point you in the right direction. > Proxy support for Superset UI > - > > Key: KNOX-1783 > URL: https://issues.apache.org/jira/browse/KNOX-1783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Martin Ruskov >Priority: Minor > > Provide proxy UI support for the Superset UI. > > To my understanding, this is a matter of adding a [new > service|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html] > to the KNOX gateway, but there seem to be problems with trailing slashes -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772371#comment-16772371 ] Kevin Risden commented on KNOX-1783: Assigned ticket to you and set the fix version to 1.3.0 for now to make sure we follow up before the release. > Proxy support for Superset UI > - > > Key: KNOX-1783 > URL: https://issues.apache.org/jira/browse/KNOX-1783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Martin Ruskov >Assignee: Martin Ruskov >Priority: Minor > Fix For: 1.3.0 > > > Provide proxy UI support for the Superset UI. > > To my understanding, this is a matter of adding a [new > service|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html] > to the KNOX gateway, but there seem to be problems with trailing slashes -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kevin Risden updated KNOX-1783: --- Fix Version/s: 1.3.0 > Proxy support for Superset UI > - > > Key: KNOX-1783 > URL: https://issues.apache.org/jira/browse/KNOX-1783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Martin Ruskov >Assignee: Martin Ruskov >Priority: Minor > Fix For: 1.3.0 > > > Provide proxy UI support for the Superset UI. > > To my understanding, this is a matter of adding a [new > service|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html] > to the KNOX gateway, but there seem to be problems with trailing slashes -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Assigned] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kevin Risden reassigned KNOX-1783: -- Assignee: Martin Ruskov > Proxy support for Superset UI > - > > Key: KNOX-1783 > URL: https://issues.apache.org/jira/browse/KNOX-1783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Martin Ruskov >Assignee: Martin Ruskov >Priority: Minor > > Provide proxy UI support for the Superset UI. > > To my understanding, this is a matter of adding a [new > service|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html] > to the KNOX gateway, but there seem to be problems with trailing slashes -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1687) Hashicorp Vault alias credential provider
[ https://issues.apache.org/jira/browse/KNOX-1687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772368#comment-16772368 ] Kevin Risden commented on KNOX-1687: Pushed changes to handle: * Check error handling if permission denied/etc from Vault * Handle arbitrary prefix to be nested down inside an existing KV path (ie: /clusters/cluster1/services/knox/...) Looking at integrating with RemoteAliasService. Looks like need to extract the ZK specific handling first. > Hashicorp Vault alias credential provider > - > > Key: KNOX-1687 > URL: https://issues.apache.org/jira/browse/KNOX-1687 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Major > Fix For: 1.3.0 > > Attachments: KNOX-1687.patch, KNOX-1687.patch > > Time Spent: 40m > Remaining Estimate: 0h > > Hashicorp Vault alias credential provider - more details to be added > * https://www.vaultproject.io/ > * https://www.vaultproject.io/api/libraries.html#java -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772321#comment-16772321 ] Martin Ruskov commented on KNOX-1783: [~krisden], thanks for the response. I'd be looking into providing this, but at this stage I'm not sure I'm in a position to do so. So, if that makes sense, I can assign this issue to myself for now. I will also write on the mailing list to get all the possible directions I could.

> Proxy support for Superset UI
>
> Key: KNOX-1783
> URL: https://issues.apache.org/jira/browse/KNOX-1783
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Martin Ruskov
> Priority: Minor
>
> Provide proxy UI support for the Superset UI.
>
> To my understanding, this is a matter of adding a new service
> (https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html)
> to the KNOX gateway, but there seem to be problems with trailing slashes
[jira] [Commented] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772316#comment-16772316 ] ASF subversion and git services commented on KNOX-1786: --- Commit 6aa1759d108250ffd93ba809e7106705c081e8a2 in knox's branch refs/heads/master from Kevin Risden [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6aa1759 ] KNOX-1786 - Use mocking to simplify DefaultRemoteConfigurationMonitorTest Signed-off-by: Kevin Risden > Use mocking to simplify DefaultRemoteConfigurationMonitorTest > - > > Key: KNOX-1786 > URL: https://issues.apache.org/jira/browse/KNOX-1786 > Project: Apache Knox > Issue Type: Test > Components: Tests >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1786.patch > > > Currently DefaultRemoteConfigurationMonitorTest stubs out two classes to test > IllegalStateException. This is cleaner with mocking to avoid the big stub > classes. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kevin Risden updated KNOX-1786: --- Resolution: Fixed Status: Resolved (was: Patch Available) > Use mocking to simplify DefaultRemoteConfigurationMonitorTest > - > > Key: KNOX-1786 > URL: https://issues.apache.org/jira/browse/KNOX-1786 > Project: Apache Knox > Issue Type: Test > Components: Tests >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1786.patch > > > Currently DefaultRemoteConfigurationMonitorTest stubs out two classes to test > IllegalStateException. This is cleaner with mocking to avoid the big stub > classes. -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kevin Risden updated KNOX-1787: --- Resolution: Fixed Status: Resolved (was: Patch Available) > Create PasswordUtils class in gateway-util-common > - > > Key: KNOX-1787 > URL: https://issues.apache.org/jira/browse/KNOX-1787 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1787.patch > > > Currently DefaultAliasService has a useful method for generating a password. > This can be reused across alias implementations so putting in > gateway-util-common -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772317#comment-16772317 ] ASF subversion and git services commented on KNOX-1787: --- Commit 9cdf531fb3d7259e8d16d27bb2ed7cdf1de6e4df in knox's branch refs/heads/master from Kevin Risden [ https://gitbox.apache.org/repos/asf?p=knox.git;h=9cdf531 ] KNOX-1787 - Create PasswordUtils class in gateway-util-common Signed-off-by: Kevin Risden > Create PasswordUtils class in gateway-util-common > - > > Key: KNOX-1787 > URL: https://issues.apache.org/jira/browse/KNOX-1787 > Project: Apache Knox > Issue Type: Improvement >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1787.patch > > > Currently DefaultAliasService has a useful method for generating a password. > This can be reused across alias implementations so putting in > gateway-util-common -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Commented] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772309#comment-16772309 ]

Kevin Risden commented on KNOX-1786:
------------------------------------

FYI [~pzampino] since you wrote this test in KNOX-1737
[jira] [Commented] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772302#comment-16772302 ]

Kevin Risden commented on KNOX-1787:
------------------------------------

Previously this was protected, so it had to be in the same package, which isn't a requirement for other alias implementations. It could also be useful if needing to generate a random password elsewhere.
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1787:
-------------------------------
    Attachment: KNOX-1787.patch
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1787:
-------------------------------
    Attachment:     (was: KNOX-1787.patch)
[jira] [Commented] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772292#comment-16772292 ]

Kevin Risden commented on KNOX-1786:
------------------------------------

This change ensures that changes to the GatewayConfig interface don't need to be applied to this test.
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1787:
-------------------------------
    Attachment: KNOX-1787.patch
        Status: Patch Available  (was: In Progress)
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1787:
-------------------------------
    Summary: Create PasswordUtils class in gateway-util-common  (was: Create PasswordUtils class in gateway-utils-common)
[jira] [Work started] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on KNOX-1786 started by Kevin Risden.
[jira] [Updated] (KNOX-1787) Create PasswordUtils class in gateway-util-common
[ https://issues.apache.org/jira/browse/KNOX-1787?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1787:
-------------------------------
    Description: 
Currently DefaultAliasService has a useful method for generating a password. This can be reused across alias implementations so putting in gateway-util-common

  was:
Currently DefaultAliasService has a useful method for generating a password. This can be reused across alias implementations so putting in gateway-utils-common
[jira] [Created] (KNOX-1787) Create PasswordUtils class in gateway-utils-common
Kevin Risden created KNOX-1787:
----------------------------------

             Summary: Create PasswordUtils class in gateway-utils-common
                 Key: KNOX-1787
                 URL: https://issues.apache.org/jira/browse/KNOX-1787
             Project: Apache Knox
          Issue Type: Improvement
            Reporter: Kevin Risden
            Assignee: Kevin Risden
             Fix For: 1.3.0


Currently DefaultAliasService has a useful method for generating a password. This can be reused across alias implementations so putting in gateway-utils-common
[jira] [Updated] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
[ https://issues.apache.org/jira/browse/KNOX-1786?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1786:
-------------------------------
    Attachment: KNOX-1786.patch
        Status: Patch Available  (was: In Progress)
[jira] [Created] (KNOX-1786) Use mocking to simplify DefaultRemoteConfigurationMonitorTest
Kevin Risden created KNOX-1786:
----------------------------------

             Summary: Use mocking to simplify DefaultRemoteConfigurationMonitorTest
                 Key: KNOX-1786
                 URL: https://issues.apache.org/jira/browse/KNOX-1786
             Project: Apache Knox
          Issue Type: Test
          Components: Tests
            Reporter: Kevin Risden
            Assignee: Kevin Risden
             Fix For: 1.3.0


Currently DefaultRemoteConfigurationMonitorTest stubs out two classes to test IllegalStateException. This is cleaner with mocking to avoid the big stub classes.
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200853=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200853 ]

ASF GitHub Bot logged work on KNOX-1756:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Feb/19 20:04
            Start Date: 19/Feb/19 20:04
    Worklog Time Spent: 10m 
      Work Description: rlevas commented on issue #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#issuecomment-465288878
 
   Abandoning this change due to popular demand.
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 200853)
    Time Spent: 2h  (was: 1h 50m)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> ----------------------------------------------------------
>
>                 Key: KNOX-1756
>                 URL: https://issues.apache.org/jira/browse/KNOX-1756
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.3.0
>            Reporter: Robert Levas
>            Assignee: Robert Levas
>            Priority: Major
>              Labels: keystore, ssl
>             Fix For: 1.3.0
>
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is
> hardcoded to {{/keystores/gateway.jks}} and the
> certificate alias is hardcoded to “{{gateway-identity}}”. This limits the
> ability for external management facilities to set up a custom TLS key and
> certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS
> certificate.
>
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.data.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
>
> *Note*: the calculation for the home directory is inconsistent with the other
> directory calculations. This inconsistency may be confusing to users and thus
> should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
>
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
>
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the
> Knox Gateway should allow the TLS keystore file and alias name to be
> configurable. The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.path
> ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
> * TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.keystore.password.alias
> ** Calculated: "gateway-identity-keystore-password"
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: ”jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> * TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.key.passphrase.alias
> ** Calculated: "gateway-identity-passphrase"
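As an added illustration of the lookup order the issue describes (this is stand-alone Python written for this page, not Knox code; Knox itself is Java), the resolver below derives the home, data and security directories and the five proposed TLS properties with the calculated defaults the issue lists. It assumes that the order in which the issue lists the sources is the lookup precedence, uses the proposed (consistent) order for the home directory, treats a missing home directory as a hard error, and adds a small consistency check that flags secret material placed directly in gateway-site. The function names, the pkcs12 keystore type and the sample values are constructed for the example.

```python
"""Resolve Knox Gateway TLS keystore settings from layered configuration.

Illustrative example, not Knox code. Models the lookup in KNOX-1756:
directories come from system properties, environment variables,
gateway-site properties or a calculated default; each TLS setting comes
from a gateway-site property with a calculated fallback. Assumption: the
order the issue lists the sources in is the lookup precedence.
"""
import os

# Calculated defaults for the proposed gateway-site TLS properties (from the issue).
TLS_DEFAULTS = {
    "gateway.tls.keystore.password.alias": "gateway-identity-keystore-password",
    "gateway.tls.keystore.type": "jks",
    "gateway.tls.key.alias": "gateway-identity",
    "gateway.tls.key.passphrase.alias": "gateway-identity-passphrase",
}

# Keystore types this resolver accepts; "pkcs12" is an assumption (the issue names only jks).
KNOWN_KEYSTORE_TYPES = {"jks", "pkcs12"}


def _first(*candidates):
    """Return the first candidate that is set and non-empty, else None."""
    for value in candidates:
        if value:
            return value
    return None


def resolve_directories(site, sysprops=None, env=None, sep=os.sep):
    """Home, data and security directories with the precedence from the issue."""
    sysprops = sysprops or {}
    env = env or {}
    # Proposed consistent order for the home directory: system property,
    # environment variable, gateway-site property. No default is calculated
    # for it, so fail closed when none is set (an assumption of this example).
    home = _first(sysprops.get("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                  site.get("gateway.home.dir"))
    if home is None:
        raise ValueError("GATEWAY_HOME not set (system property, environment or gateway.home.dir)")
    data = _first(sysprops.get("GATEWAY_DATA_HOME"), env.get("GATEWAY_DATA_HOME"),
                  site.get("gateway.data.dir")) or sep.join([home, "data"])
    security = site.get("gateway.security.dir") or sep.join([data, "security"])
    return {"home": home, "data": data, "security": security}


def resolve_tls_settings(site, sysprops=None, env=None, sep=os.sep):
    """Effective TLS settings: explicit gateway-site value, else the calculated default."""
    dirs = resolve_directories(site, sysprops, env, sep)
    settings = {
        "gateway.tls.keystore.path": site.get("gateway.tls.keystore.path")
        or sep.join([dirs["security"], "keystores", "gateway.jks"]),
    }
    for key, default in TLS_DEFAULTS.items():
        settings[key] = site.get(key) or default
    return settings


def check_tls_settings(settings, site):
    """Pre-start sanity checks; returns a list of problems (empty = consistent).

    Only alias *names* belong in gateway-site; the secrets live in the
    credential store. A gateway.tls.* key that ends in "password" or
    "passphrase" (a hypothetical misconfiguration, not a Knox property) is
    therefore reported.
    """
    problems = []
    if settings["gateway.tls.keystore.type"].lower() not in KNOWN_KEYSTORE_TYPES:
        problems.append("unknown keystore type %r" % settings["gateway.tls.keystore.type"])
    for key in site:
        if key.startswith("gateway.tls.") and key.endswith(("password", "passphrase")):
            problems.append("secret material in gateway-site: %s (store it under an alias)" % key)
    return problems


if __name__ == "__main__":
    # Constructed sample: host-wide certificate supplied by an external tool.
    site = {"gateway.tls.keystore.path": "/etc/pki/knox/host.p12",
            "gateway.tls.keystore.type": "pkcs12",
            "gateway.tls.key.alias": "host-cert"}
    effective = resolve_tls_settings(site, env={"GATEWAY_HOME": "/opt/knox"})
    for key, value in sorted(effective.items()):
        print("%-40s %s" % (key, value))
    print("problems:", check_tls_settings(effective, site))
```

The keystore password and key passphrase are never read from gateway-site here: the resolver only yields the alias names under which the credential store holds them, which is the separation the issue's "value to be stored in the Knox Gateway credential store" notes describe.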
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200854=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200854 ]

ASF GitHub Bot logged work on KNOX-1756:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 19/Feb/19 20:04
            Start Date: 19/Feb/19 20:04
    Worklog Time Spent: 10m 
      Work Description: rlevas commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54

Issue Time Tracking
-------------------

    Worklog Id:     (was: 200854)
    Time Spent: 2h 10m  (was: 2h)
[GitHub] rlevas closed pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
rlevas closed pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54
 
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org

With regards,
Apache Git Services
[GitHub] rlevas commented on issue #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
rlevas commented on issue #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#issuecomment-465288878
 
   Abandoning this change due to popular demand.
[jira] [Updated] (KNOX-1785) Inject <base> tag to simplify rewrite rules
[ https://issues.apache.org/jira/browse/KNOX-1785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sandeep More updated KNOX-1785:
-------------------------------
    Labels: kip-9  (was: )

> Inject <base> tag to simplify rewrite rules
> -------------------------------------------
>
>                 Key: KNOX-1785
>                 URL: https://issues.apache.org/jira/browse/KNOX-1785
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Sandeep More
>            Priority: Major
>              Labels: kip-9
>             Fix For: 1.3.0
>
>
> Inserting the [<base> tag|https://www.w3schools.com/tags/tag_base.asp] (or
> rewriting the existing one if present) will simplify a lot of rewrite rules;
> we won't have to rewrite relative URLs then, which can be a significant number
> of rules for doing the same thing again and again. The <base> tag would simplify
> a lot of things when it comes to rewriting.
[jira] [Created] (KNOX-1785) Inject <base> tag to simplify rewrite rules
Sandeep More created KNOX-1785:
----------------------------------

             Summary: Inject <base> tag to simplify rewrite rules
                 Key: KNOX-1785
                 URL: https://issues.apache.org/jira/browse/KNOX-1785
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
            Reporter: Sandeep More
             Fix For: 1.3.0


Inserting the [<base> tag|https://www.w3schools.com/tags/tag_base.asp] (or rewriting the existing one if present) will simplify a lot of rewrite rules; we won't have to rewrite relative URLs then, which can be a significant number of rules for doing the same thing again and again. The <base> tag would simplify a lot of things when it comes to rewriting.
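To make concrete what a <base> tag buys and what it does not, here is an added Python example (written for this page; it is not Knox code and not part of KIP-9). It injects the tag, or rewrites an existing one, and then resolves every href/src/action the way a browser would. The helper names, the gateway URL and the sample pages are constructed for the example.

```python
"""Inject or replace an HTML <base> tag so relative URLs resolve under a gateway.

Illustrative example, not Knox code. Shows the effect KNOX-1785 is after:
once the page carries a <base href> pointing at the gateway, relative
references resolve there without a rewrite rule per URL.
"""
import re
from html import escape
from urllib.parse import urljoin

BASE_TAG_RE = re.compile(r"<base\b[^>]*>", re.IGNORECASE)
HEAD_OPEN_RE = re.compile(r"<head\b[^>]*>", re.IGNORECASE)
BASE_HREF_RE = re.compile(r'<base\b[^>]*\bhref\s*=\s*"([^"]*)"', re.IGNORECASE)
REF_RE = re.compile(r'\b(?:href|src|action)\s*=\s*"([^"]*)"', re.IGNORECASE)


def inject_base(html, base_href):
    """Return html with exactly one <base href> pointing at base_href.

    An existing <base> is rewritten in place: browsers honour only the first
    <base>, so merely adding one after the upstream app's tag would have no
    effect. Otherwise the tag goes right after <head>. The href is
    attribute-escaped because it is emitted into markup; it must come from
    gateway configuration, never from the request.
    """
    tag = '<base href="%s">' % escape(base_href, quote=True)
    if BASE_TAG_RE.search(html):
        return BASE_TAG_RE.sub(lambda _m: tag, html, count=1)
    m = HEAD_OPEN_RE.search(html)
    if m:
        return html[:m.end()] + tag + html[m.end():]
    # No <head> at all: put the tag first so it still precedes every URL-bearing element.
    return tag + html


def effective_base(html, document_url):
    """The URL a browser resolves relative references against for this page."""
    m = BASE_HREF_RE.search(html)
    return urljoin(document_url, m.group(1)) if m else document_url


def resolve_links(html, document_url):
    """(raw reference, absolute URL) for every href/src/action in the page."""
    base = effective_base(html, document_url)
    body = BASE_TAG_RE.sub("", html)  # the base tag's own href is not a link
    return [(ref, urljoin(base, ref)) for ref in REF_RE.findall(body)]


if __name__ == "__main__":
    # Constructed sample page as an upstream UI might serve it.
    gateway = "https://gateway.example.com/gateway/sandbox/superset/"
    page = ('<html><head><title>t</title></head><body>'
            '<a href="api/v1/status">status</a><a href="/login">login</a>'
            '<img src="static/logo.png"></body></html>')
    rewritten = inject_base(page, gateway)
    for ref, absolute in resolve_links(rewritten, gateway + "index.html"):
        print("%-16s -> %s" % (ref, absolute))
```

Two points the example surfaces: an upstream page's own <base> has to be replaced rather than prefixed, and root-relative references such as /login are unaffected by <base> (they resolve against the host root), so those still need rewrite rules. The constructed gateway URL keeps a trailing slash deliberately; without it the last path segment is dropped during resolution.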
[jira] [Commented] (KNOX-1783) Proxy support for Superset UI
[ https://issues.apache.org/jira/browse/KNOX-1783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772138#comment-16772138 ]

Kevin Risden commented on KNOX-1783:
------------------------------------

[~mapto] - not sure if this is a question or if you are planning to provide a patch. If this is a question, you should ask on the Knox user mailing list (https://knox.apache.org/mailing-lists.html)

> Proxy support for Superset UI
> -----------------------------
>
>                 Key: KNOX-1783
>                 URL: https://issues.apache.org/jira/browse/KNOX-1783
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Martin Ruskov
>            Priority: Minor
>
> Provide proxy UI support for the Superset UI.
>
> To my understanding, this is a matter of adding a [new
> service|https://docs.hortonworks.com/HDPDocuments/HDP2/HDP-2.6.5/bk_security/content/adding_new_service_knox_gateway.html]
> to the Knox gateway, but there seem to be problems with trailing slashes
[jira] [Resolved] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden resolved KNOX-1162.
--------------------------------
    Resolution: Fixed

Thanks [~smolnar]

> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
> ----------------------------------------------------------------
>
>                 Key: KNOX-1162
>                 URL: https://issues.apache.org/jira/browse/KNOX-1162
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.14.0
>            Reporter: Kevin Minder
>            Assignee: Sandor Molnar
>            Priority: Minor
>             Fix For: 1.3.0
>
>          Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails
> to start and the information in gateway.log isn't at all helpful. So two
> requests
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug
> logging.
>
> This is the error shown in gateway.log
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>     Line 7: expected [option key]
> {code}
>
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
>     Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
>     Line 7: expected [option key]
>     at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
>     at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>     at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>     at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>     at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>     at java.lang.Class.newInstance(Class.java:442)
>     at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
>     at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
>     at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
>     at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
>     at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
>     at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
>     at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>     at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>     at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by: java.io.IOException: Configuration Error:
>     Line 7: expected [option key]
>     at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
>     at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:572)
>     at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
>     at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
>     at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
>     at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
>     at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
>     ... 24 more
> {code}
>
> Lastly the particular configuration error in conf/krb5JAASLogin.conf was
> missing quotes for the keyTab and principal values. Note, portions of the
> principal have been scrubbed
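The two requests above (name the file, show where the problem is) can also be met with a pre-flight check run before the gateway starts. The following is an added, stand-alone Python example written for this page, not Knox's fix and not the JDK parser whose stack trace appears above; it lints a JAAS login configuration and reports file:line for the defect described here (unquoted keyTab and principal values) plus the basic entry structure. The quoting rule it applies is a conservative approximation of the JDK tokenizer rather than a reproduction of it, and the sample configurations and helper names are constructed for the example.

```python
"""Lint a JAAS login configuration (e.g. conf/krb5JAASLogin.conf) and report
problems with the file name and line number.

Illustrative example, not Knox code. Assumption: an unquoted option value
is safe only if it consists of letters, digits and the characters _ $ * -;
anything else (/ . @ :) must be double-quoted. This is deliberately
stricter than the JDK's ConfigFile parser, not a copy of it.
"""
import re
from dataclasses import dataclass

SAFE_UNQUOTED = re.compile(r"^[A-Za-z0-9_$*\-]+$")
# key=value where the value is a double-quoted string or a bare token
OPTION_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Finding:
    file: str
    line: int
    message: str

    def __str__(self):
        return "%s:%d: %s" % (self.file, self.line, self.message)


def lint_jaas(text, filename):
    """Return a list of Finding objects; an empty list means nothing was flagged."""
    findings = []
    in_entry = False        # inside "Name { ... };"
    entry_terminated = False  # the login module clause ended with ';'
    lines = text.splitlines()
    for lineno, raw in enumerate(lines, start=1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        if not in_entry:
            if line.endswith("{"):
                in_entry, entry_terminated = True, False
            else:
                findings.append(Finding(filename, lineno, "expected an entry name followed by '{'"))
            continue
        if line.startswith("}"):
            if not entry_terminated:
                findings.append(Finding(filename, lineno,
                                        "login module entry must end with ';' before '}'"))
            if not line.endswith(";"):
                findings.append(Finding(filename, lineno, "closing '}' must be followed by ';'"))
            in_entry = False
            continue
        if line.endswith(";"):
            entry_terminated = True
        for key, value in OPTION_RE.findall(line.rstrip(";")):
            if value.startswith('"'):
                if len(value) < 2 or not value.endswith('"'):
                    findings.append(Finding(filename, lineno,
                                            "option '%s' has an unterminated quote" % key))
            elif not SAFE_UNQUOTED.match(value):
                findings.append(Finding(filename, lineno,
                                        "option '%s' value %s must be double-quoted" % (key, value)))
    if in_entry:
        findings.append(Finding(filename, len(lines), "unterminated entry: missing '};'"))
    return findings


def format_findings(findings):
    """file:line: message strings, the shape a start-up log should use."""
    return [str(f) for f in findings]


# Constructed sample: keyTab and principal are missing their quotes.
BAD_CONF = """\
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=true
  doNotPrompt=true
  useKeyTab=true
  keyTab=/etc/security/keytabs/knox.service.keytab
  principal=knox/gateway.example.com@EXAMPLE.COM
  storeKey=true
  useTicketCache=false;
};
"""

# The same entry, correctly quoted.
GOOD_CONF = BAD_CONF.replace(
    "keyTab=/etc/security/keytabs/knox.service.keytab",
    'keyTab="/etc/security/keytabs/knox.service.keytab"').replace(
    "principal=knox/gateway.example.com@EXAMPLE.COM",
    'principal="knox/gateway.example.com@EXAMPLE.COM"')


if __name__ == "__main__":
    for msg in format_findings(lint_jaas(BAD_CONF, "conf/krb5JAASLogin.conf")):
        print(msg)
```

Run against the constructed bad configuration it reports both offending options with the file name and line number, which is exactly the information the JDK's "Line 7: expected [option key]" message omits; the good configuration produces no findings.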
[jira] [Commented] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772094#comment-16772094 ]

ASF subversion and git services commented on KNOX-1162:
-------------------------------------------------------

Commit dac2f2e289ea4ca99afd37dadcfc623fdac19fb1 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=dac2f2e ]

KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration (#55)
[GitHub] risdenk merged pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
risdenk merged pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200747=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200747 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:39
Start Date: 19/Feb/19 16:39
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200747)
Time Spent: 3.5h (was: 3h 20m)

> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
>
> Key: KNOX-1162
> URL: https://issues.apache.org/jira/browse/KNOX-1162
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.14.0
> Reporter: Kevin Minder
> Assignee: Sandor Molnar
> Priority: Minor
> Fix For: 1.3.0
>
> Time Spent: 3.5h
> Remaining Estimate: 0h
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails to start and the information in gateway.log isn't at all helpful. So two requests:
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug logging.
> This is the error shown in gateway.log:
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> {code}
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
>   at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
>   at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
>   at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
>   at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
>   at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
>   at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
>   at java.lang.Class.newInstance(Class.java:442)
>   at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
>   at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
>   at java.security.AccessController.doPrivileged(Native Method)
>   at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
>   at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
>   at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
>   at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
>   at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
>   at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>   at java.lang.reflect.Method.invoke(Method.java:498)
>   at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
>   at org.apache.hadoop.gateway.launcher.Invoker.invoke(Invoker.java:39)
>   at org.apache.hadoop.gateway.launcher.Command.run(Command.java:99)
>   at org.apache.hadoop.gateway.launcher.Launcher.run(Launcher.java:69)
>   at org.apache.hadoop.gateway.launcher.Launcher.main(Launcher.java:46)
> Caused by:
[GitHub] risdenk commented on issue #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
risdenk commented on issue #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#issuecomment-465210433

Thanks @smolnar82

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
Re: [DISCUSS] Planning for Apache Knox 1.3.0 Release
Hi Rob -

Thanks for your thoughts and insights into the KnoxSSO/KnoxToken signing keys and how they should align with the TLS management improvements that you are working on. These details should be captured in any related KIPs/JIRAs.

In essence, we are moving actual PKI use of keystores away from the master secret and related assumptions but continue to support them for backward compatibility. This will provide easier integration with external management and provisioning tooling - so I think it makes sense.

As for the scope of the 1.3.0 release, it will no doubt be a subset of the listed categories and issues that I outlined in this thread. I wanted to capture as much as I could for the creation of KIP one-pagers that can be used to align like work across releases. We will then select the subset of work from the KIPs that can be accomplished in the timeframe and/or adjust the timeframe.

Make sense?

thanks,

--larry

On Mon, Feb 18, 2019 at 12:41 PM Robert Levas wrote:

> Larry...
>
> Being new to the project, I do not have much to contribute related to the changes for 1.3.0; however, this seems like a pretty large list of items. Mid-April seems optimistic to me, but then again I am new to the team and not sure how quickly we work. That said, I am up for the challenge.
>
> One thing to note on the SSO items is that Knox may need some cleanup on how the signing key is configured. The current set of configuration properties used to declare where to find it is lacking and assumes that the decryption keys for the keystore and key are the master key (with a little hack in there to customize password for the key). I think this should be more consistent with how the custom identity and trust store locations facility will work, and maybe even utilize some of the work related to syncing the master key (*Management Improvements/ Master Secret synchronization across instances*) to also sync the signing key when multiple instances are involved.
> However, this could be work that pushes us over the mid-April target.
>
> Thanks...
> Rob
>
>
> On Fri, Feb 15, 2019 at 10:01 PM Phil Zampino wrote:
>
> > Thanks for collecting this comprehensive list of improvements. Many of these things have been on the “wish list” for a while now, and it would be great to get them done.
> >
> > I’ll see if I can write up some KIP content and/or one-pagers to propose some details for some of this work. Then we can discuss in more detail, and define some specific tasks/Jira issues.
> >
> > I think shooting for a release mid-April is a good goal, even if we can’t complete the list exhaustively.
> >
> > Thanks again,
> > Phil
> >
> > On Tue, Feb 12, 2019 at 3:51 PM larry mccay wrote:
> >
> > > All -
> > >
> > > I'd like to officially start the planning for the 1.3.0 release of Apache Knox.
> > >
> > > After looking at the list of outstanding JIRAs with fixVersion of 1.3.0, existing KIPs and considering requirements for a more containerized and cloud oriented world, I have a list of general categories:
> > >
> > > * TLS Improvements
> > >   - Configurable Keystore Location and Password
> > >   - Configurable Truststore Location and Password
> > >   - Mutual Auth SSL truststores and client certs keystores
> > >   - Dynamic keystore/truststore loading
> > >   * Must keep in mind the KnoxCLI for create-cert, export-cert
> > >
> > > * Management Improvements
> > > There have been a number of people asking about the following and they are all encountering similar pain - whether it be from a containerization context, DevOps or management tool perspective, a number of these are painful today for Knox admins.
> > >   - Eliminate needs to have access to the Knox machines
> > >   - Bootstrap config for log locations, pids, env variable overrides, etc
> > >   - Remote access to public certs (for SSL and for various signature verification (knoxtoken, knoxsso, etc))
> > >   - UI for Alias Management
> > >   - Surface logs in UI (maybe?) and API
> > >   - Master Secret synchronization across instances
> > >   - Service Discovery from new source/s
> > >   - new Remote Config Monitor source/s
> > >   - new Remote Alias Service for Vault
> > >
> > > * SSO
> > > Easing the configuration required to enable all of the participating applications for KnoxSSO across a deployment will be important in general but being able to more easily provision this for cloud deployments will be key.
> > >   - IDP Initiated Flow with Landing Page (Okta portal page)
> > >     - challenge - participating apps are configured for a single IDP
> > >     - Landing Page is like Okta - with links to UIs - how do we deal with multiple topologies
> > >   - KnoxSSOut - logout from landing page
> > >   - Keycloak?
> > >   - Add a standard integration pattern for SPs to register with KnoxSSO -
Re: [DISCUSS] Knox Gateway TLS Keystore and Alias Should be Configurable
I created a KIP for this. Please take a look.

https://cwiki.apache.org/confluence/display/KNOX/KIP-12+Knox+Gateway+TLS+Keystore+and+Alias+Should+be+Configurable

Rob

On Sat, Feb 2, 2019 at 1:41 PM Robert Levas wrote:

> Team...
>
> I would like to start a discussion on making the TLS keystore used by the Knox gateway. I created a JIRA for this at https://issues.apache.org/jira/browse/KNOX-1756.
>
> Please take a look at the JIRA and comment there.
>
> Thanks,
> Rob
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200735=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200735 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:11
Start Date: 19/Feb/19 16:11
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258111920

## File path: gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java ##
@@ -0,0 +1,384 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PASSWORD_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PATH; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_TYPE; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_PASSPHRASE_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEYSTORE_NAME; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEY_ALIAS; +import static org.easymock.EasyMock.eq; +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Paths; +import java.security.Key; +import 
java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Locale; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.config.impl.GatewayConfigImpl; +import org.apache.knox.gateway.services.ServiceLifecycleException; +import org.apache.knox.gateway.services.security.KeystoreService; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +public class DefaultKeystoreServiceTest extends EasyMockSupport { Review comment: Don't need to extend `EasyMockSupport` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200735) Time Spent: 1h 50m (was: 1h 40m) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 50m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to
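Review bot: the `EasyMockSupport` point aside, the static imports show this test reaches for `IDENTITY_KEYSTORE_PASSWORD_ALIAS` and `IDENTITY_KEY_PASSPHRASE_ALIAS` together with a mocked `MasterService`, but the visible lines do not show a case where the configured alias has no entry in the credential store. The JIRA description only fixes the default alias names (`gateway-identity-keystore-password`, `gateway-identity-passphrase`) and says nothing about whether a missing entry falls back to the master secret or fails, so a test pinning that down for both the keystore password and the key passphrase would document the contract an externally provisioned keystore depends on.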
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200716=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200716 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100235

## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java ##
@@ -0,0 +1,162 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Locale; +import java.util.TimeZone; + +public class X509CertificateUtilTest { Review comment: Looks like this would be useful 
outside of this PR

This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200716)
Time Spent: 20m (was: 10m)
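Review bot: agreed that `X509CertificateUtilTest` is worth splitting out, and one thing to settle when it lands: the imports of `CertificateExpiredException`, `CertificateNotYetValidException`, `Calendar` and `TimeZone` indicate validity-window assertions, so `notBefore`/`notAfter` should be derived from a single `Calendar` instant captured in the test and checked with `checkValidity(Date)` against that same instant rather than the wall clock, otherwise a certificate whose validity starts "now" can fail intermittently at a second boundary (X.509 validity times have one-second resolution). Pinning the `TimeZone` to UTC in `@BeforeClass` also keeps the expected dates stable across CI hosts.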
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200728=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200728 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258104823

## File path: gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java ##
@@ -643,14 +648,58 @@ public long getGatewayDeploymentsBackupAgeLimit() { return d; } + @Override + public String getIdentityKeystorePath() { +String keystorePath = get(IDENTITY_KEYSTORE_PATH); +if(StringUtils.isEmpty(keystorePath)) { + keystorePath = getGatewayKeystoreDir() + File.separatorChar + "gateway.jks"; Review comment: `Paths.get` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200728) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 20m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.data.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable.
> The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.path
> ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
> * TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.keystore.password.alias
> ** Calculated: "gateway-identity-keystore-password"
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: “jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> * TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.key.passphrase.alias
> ** Calculated: "gateway-identity-passphrase"

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
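Review bot: on the `getIdentityKeystorePath()` hunk above, beyond using `Paths.get` as suggested, the configured `IDENTITY_KEYSTORE_PATH` value is returned untouched: a relative `gateway.tls.keystore.path` will be resolved against the JVM working directory rather than the security directory, and a typo is not noticed until the keystore is opened. Consider resolving a relative value against `getGatewayKeystoreDir()` (or documenting that the value must be absolute) and, since the point of KNOX-1756 is externally provisioned keystores, surfacing a clear "keystore not found at <path>" error at startup instead of whatever the later `KeyStore.load` produces. The literal `"gateway.jks"` also becomes the documented default here; hoisting it into a named constant next to `IDENTITY_KEYSTORE_PATH` keeps the default and the code in one place.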
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200724=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200724 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258095744

## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java ##
@@ -307,22 +283,15 @@ public Key getSigningKey(String alias, char[] passphrase) throws KeystoreService @Override public Key getSigningKey(String keystoreName, String alias, char[] passphrase) throws KeystoreServiceException { -Key key = null; readLock.lock(); try { - KeyStore ks = getSigningKeystore(keystoreName); - if (passphrase == null) { -passphrase = masterService.getMasterSecret(); -LOG.assumingKeyPassphraseIsMaster(); - } - if (ks != null) { -try { - key = ks.getKey(alias, passphrase); -} catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) { - LOG.failedToGetKeyForGateway( alias, e ); -} + try { Review comment: Do we need nested try blocks here? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200724) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
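Review bot: on the nested `try` question, the more important thing the removed lines show is behaviour the `+` lines do not visibly preserve: `getSigningKey` used to substitute `masterService.getMasterSecret()` when `passphrase` was null (logging `assumingKeyPassphraseIsMaster`) and to return null after logging `failedToGetKeyForGateway` on `UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException`. If those exceptions are now wrapped into `KeystoreServiceException`, callers that tested the result for null (the token-signing path in particular) move from "signing silently unavailable" to "request fails with an exception"; that is arguably the better outcome, but it should be stated in the PR description, and the null-passphrase fallback should be either kept or explicitly removed in the same commit so `getSigningKey` and the keystore-password path do not diverge.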
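As an added illustration (not Knox's own code), a small resolver that applies the directory precedence and the property defaults listed in the KNOX-1756 description above and then opens the keystore with the resolved settings. It assumes a `Properties` object stands in for gateway-site.xml and for system properties, a `Map` for the environment, and a `Map<String, char[]>` for the Knox credential store; the values in `main` are constructed.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;

/** Illustrative resolver for the KNOX-1756 settings; not Knox's implementation. */
public final class TlsKeystoreSettings {
    // Property names quoted from the issue description.
    static final String KEYSTORE_PATH = "gateway.tls.keystore.path";
    static final String KEYSTORE_PASSWORD_ALIAS = "gateway.tls.keystore.password.alias";
    static final String KEYSTORE_TYPE = "gateway.tls.keystore.type";
    static final String KEY_ALIAS = "gateway.tls.key.alias";
    static final String KEY_PASSPHRASE_ALIAS = "gateway.tls.key.passphrase.alias";

    private final Properties site;          // stand-in for gateway-site.xml
    private final Properties sysProps;      // stand-in for System.getProperties()
    private final Map<String, String> env;  // stand-in for System.getenv()

    TlsKeystoreSettings(Properties site, Properties sysProps, Map<String, String> env) {
        this.site = site;
        this.sysProps = sysProps;
        this.env = env;
    }

    /** Home directory with the precedence the issue proposes: system property, env var, gateway-site. */
    Path homeDir() {
        String v = first(sysProps.getProperty("GATEWAY_HOME"), env.get("GATEWAY_HOME"),
                         site.getProperty("gateway.home.dir"));
        if (v == null) {
            throw new IllegalStateException("GATEWAY_HOME is not set");
        }
        return Paths.get(v);
    }

    /** Data directory: system property, env var, gateway-site, else [Home] + "data". */
    Path dataDir() {
        String v = first(sysProps.getProperty("GATEWAY_DATA_HOME"), env.get("GATEWAY_DATA_HOME"),
                         site.getProperty("gateway.data.dir"));
        return v == null ? homeDir().resolve("data") : Paths.get(v);
    }

    /** Security directory: gateway-site, else [Data] + "security". */
    Path securityDir() {
        String v = first(site.getProperty("gateway.security.dir"));
        return v == null ? dataDir().resolve("security") : Paths.get(v);
    }

    /** Keystore path: gateway.tls.keystore.path, else [Security] + "keystores" + "gateway.jks". */
    Path keystorePath() {
        String v = first(site.getProperty(KEYSTORE_PATH));
        // Path.resolve rather than string concatenation with File.separatorChar.
        return v == null ? securityDir().resolve("keystores").resolve("gateway.jks") : Paths.get(v);
    }

    String keystoreType()          { return first(site.getProperty(KEYSTORE_TYPE), "jks"); }
    String keyAlias()              { return first(site.getProperty(KEY_ALIAS), "gateway-identity"); }
    String keystorePasswordAlias() { return first(site.getProperty(KEYSTORE_PASSWORD_ALIAS), "gateway-identity-keystore-password"); }
    String keyPassphraseAlias()    { return first(site.getProperty(KEY_PASSPHRASE_ALIAS), "gateway-identity-passphrase"); }

    /**
     * Opens the identity keystore and checks that the configured alias is a private-key entry
     * the passphrase can unlock. Unlike KeyStore.load(null, pw), a missing file is an error
     * here, so a mistyped gateway.tls.keystore.path fails at startup with the path in the message.
     */
    KeyStore loadIdentityKeystore(Map<String, char[]> credentialStore)
            throws IOException, GeneralSecurityException {
        Path path = keystorePath();
        if (!Files.isRegularFile(path)) {
            throw new IOException("TLS keystore not found: " + path + " (" + KEYSTORE_PATH + ")");
        }
        char[] storePassword = credentialStore.get(keystorePasswordAlias());
        char[] keyPassphrase = credentialStore.get(keyPassphraseAlias());
        if (storePassword == null || keyPassphrase == null) {
            throw new GeneralSecurityException("credential store lacks alias "
                    + keystorePasswordAlias() + " or " + keyPassphraseAlias());
        }
        KeyStore ks = KeyStore.getInstance(keystoreType());
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, storePassword);
        }
        if (!ks.isKeyEntry(keyAlias())) {
            throw new GeneralSecurityException("alias '" + keyAlias() + "' is not a key entry in " + path);
        }
        ks.getKey(keyAlias(), keyPassphrase); // wrong passphrase -> UnrecoverableKeyException
        return ks;
    }

    /** First non-blank candidate, or null. */
    private static String first(String... candidates) {
        for (String c : candidates) {
            if (c != null && !c.trim().isEmpty()) {
                return c;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample: only GATEWAY_HOME (via the environment) and a custom key alias are set.
        Properties site = new Properties();
        site.setProperty(KEY_ALIAS, "host-wide-cert");
        Map<String, String> env = new HashMap<>();
        env.put("GATEWAY_HOME", "/opt/knox");
        TlsKeystoreSettings s = new TlsKeystoreSettings(site, new Properties(), env);
        System.out.println("keystore path:  " + s.keystorePath());
        System.out.println("key alias:      " + s.keyAlias());
        System.out.println("password alias: " + s.keystorePasswordAlias());
    }
}
```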
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200726=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200726 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258102739

## File path: gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreService.java ##
@@ -39,28 +39,26 @@ import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; -public class BaseKeystoreService { +abstract class BaseKeystoreService { private static GatewaySpiMessages LOG = MessagesFactory.get( GatewaySpiMessages.class ); - protected MasterService masterService; - protected String keyStoreDir; + private MasterService masterService; - private static KeyStore loadKeyStore(final File keyStoreFile, final char[] masterPassword, String storeType) + private static KeyStore loadKeyStore(final File keyStoreFile, final char[] storePassword, String storeType) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { final KeyStore keyStore = KeyStore.getInstance(storeType); if ( keyStoreFile.exists() ) { try (InputStream input = Files.newInputStream(keyStoreFile.toPath())) { - keyStore.load( input, masterPassword ); + keyStore.load( input, storePassword ); } } else { - keyStore.load( null, masterPassword ); + keyStore.load( null, storePassword ); } return keyStore; } - private static OutputStream createKeyStoreFile(String fileName ) throws IOException { -File file = new File( fileName ); + private static OutputStream createKeyStoreFile(File file) throws IOException { Review comment: Since we are changing the method signature anyway, can we go with `Path` instead of `File`? `Path` is preferred to `File`. https://docs.oracle.com/javase/tutorial/essential/io/legacy.html This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. 
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200726)
Time Spent: 1h 10m (was: 1h)

> Knox Gateway TLS Keystore and Alias Should be Configurable
> --
>
> Key: KNOX-1756
> URL: https://issues.apache.org/jira/browse/KNOX-1756
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.3.0
> Reporter: Robert Levas
> Assignee: Robert Levas
> Priority: Major
> Labels: keystore, ssl
> Fix For: 1.3.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> h1. Problem
> The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to {{/keystores/gateway.jks}} and the certificate alias is hardcoded to “{{gateway-identity}}”. This limits the ability for external management facilities to set up a custom TLS key and certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.data.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200731&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200731 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258109073
## File path: gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java ##
@@ -54,12 +55,14 @@ /** * @author larry - * */ public class KnoxCLITest { Review comment: These changes don't look tied to the PR itself. Would be good to separate. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200731) Time Spent: 1h 40m (was: 1.5h) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. > Knox has configuration hooks for the following (optional) properties > * Home Directory > ** Gateway-site property: GATEWAY_HOME > ** System property: GATEWAY_HOME > ** Environment variable: GATEWAY_HOME > * Data Directory > ** System property: GATEWAY_DATA_HOME > ** Environment variable: GATEWAY_DATA_HOME > ** Gateway-site property: gateway.data.dir > ** Calculated: [Home Directory] + [Path Separator] + “data” > * Security Directory > ** Gateway-site property: gateway.security.dir > ** Calculated: [Data Directory] + [Path Separator] + “security” > *Note*: the calculation for the home directory is inconsistent with the other > directory calculations. 
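Review bot: unrelated cleanup in `KnoxCLITest`; the only change in this hunk is dropping the blank `*` line from the `@author larry` Javadoc, so it belongs in its own commit rather than riding along with the keystore and alias change, where it adds review noise and would be lost in any revert.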
> This inconsistency may be confusing to users and thus should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable. The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.path
> ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
> * TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.keystore.password.alias
> ** Calculated: "gateway-identity-keystore-password"
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: ”jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> * TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.key.passphrase.alias
> ** Calculated: "gateway-identity-passphrase"
>
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
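Worked example of how the properties proposed in the issue above would be consumed at gateway start-up. This is an added example, not Knox code: the property names are the ones proposed in KNOX-1756 rather than a released API, the class name `KnoxTlsIdentityCheck` is this example's own, and the two secrets are read from the environment variables `KS_PASS` / `KEY_PASS` purely for the demo, standing in for the values Knox would fetch from its credential store under `gateway.tls.keystore.password.alias` and `gateway.tls.key.passphrase.alias`. It resolves `gateway.tls.keystore.path`, `gateway.tls.keystore.type` and `gateway.tls.key.alias` from a `Properties` object standing in for `gateway-site.xml`, applies the issue's "Calculated" defaults, and fails with an operator-readable message for each misconfiguration (missing keystore file, unknown store type, wrong store password, unknown alias, wrong key passphrase, certificate outside its validity window), the last being the check `JettySSLService.logAndValidateCertificate` performs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;

/** Example only (not Knox code): resolve and validate the TLS identity as KNOX-1756 proposes. */
public final class KnoxTlsIdentityCheck {

  // Property names as proposed in KNOX-1756; the defaults used below are the issue's "Calculated" values.
  static final String KEYSTORE_PATH = "gateway.tls.keystore.path";
  static final String KEYSTORE_TYPE = "gateway.tls.keystore.type";
  static final String KEY_ALIAS = "gateway.tls.key.alias";

  /** [Security Directory]/keystores/gateway.jks unless gateway.tls.keystore.path is set. */
  static Path resolveKeystorePath(Properties site, Path securityDir) {
    String configured = site.getProperty(KEYSTORE_PATH);
    return configured != null && !configured.isEmpty()
        ? Paths.get(configured)
        : securityDir.resolve("keystores").resolve("gateway.jks");
  }

  /**
   * Loads the keystore and returns the gateway certificate stored under the configured alias.
   * keystorePassword / keyPassphrase stand in for the credential-store values the two
   * *.alias properties would point at in Knox.
   */
  static X509Certificate loadAndValidate(Properties site, Path securityDir,
                                         char[] keystorePassword, char[] keyPassphrase)
      throws IOException, GeneralSecurityException {
    Path ksPath = resolveKeystorePath(site, securityDir);
    String ksType = site.getProperty(KEYSTORE_TYPE, "jks");
    String alias = site.getProperty(KEY_ALIAS, "gateway-identity");

    // A missing file must fail here: KeyStore.load(null, pw) would otherwise hand back an
    // empty store and the error would only surface later as "certificate cannot be found".
    if (!Files.isRegularFile(ksPath)) {
      throw new IOException("TLS keystore not found: " + ksPath + " (check " + KEYSTORE_PATH + ")");
    }
    KeyStore ks = KeyStore.getInstance(ksType); // KeyStoreException for an unknown store type
    try (InputStream in = Files.newInputStream(ksPath)) {
      ks.load(in, keystorePassword); // IOException when the store password is wrong
    }
    if (!ks.isKeyEntry(alias)) {
      throw new GeneralSecurityException("No private key entry '" + alias + "' in " + ksPath
          + " (check " + KEY_ALIAS + "); aliases present: " + Collections.list(ks.aliases()));
    }
    Key key = ks.getKey(alias, keyPassphrase); // UnrecoverableKeyException when the passphrase is wrong
    if (!(key instanceof PrivateKey)) {
      throw new GeneralSecurityException("Entry '" + alias + "' is not a private key");
    }
    Certificate cert = ks.getCertificate(alias);
    if (!(cert instanceof X509Certificate)) {
      throw new GeneralSecurityException("Entry '" + alias + "' does not carry an X.509 certificate");
    }
    X509Certificate x509 = (X509Certificate) cert;
    x509.checkValidity(); // CertificateExpiredException / CertificateNotYetValidException
    return x509;
  }

  public static void main(String[] args) throws Exception {
    String ksEnv = System.getenv("KS_PASS");
    String keyEnv = System.getenv("KEY_PASS");
    if (args.length != 1 || ksEnv == null || keyEnv == null) {
      System.err.println("usage: KS_PASS=... KEY_PASS=... java [-Dgateway.tls.*=...] KnoxTlsIdentityCheck <security-dir>");
      System.exit(2);
    }
    // Stand-in for gateway-site.xml: any of the three properties may be passed as -D system properties.
    Properties site = new Properties();
    for (String name : new String[] {KEYSTORE_PATH, KEYSTORE_TYPE, KEY_ALIAS}) {
      String value = System.getProperty(name);
      if (value != null) {
        site.setProperty(name, value);
      }
    }
    char[] ksPass = ksEnv.toCharArray();
    char[] keyPass = keyEnv.toCharArray();
    try {
      X509Certificate cert = loadAndValidate(site, Paths.get(args[0]), ksPass, keyPass);
      System.out.println("OK: " + cert.getSubjectX500Principal() + ", valid until "
          + cert.getNotAfter() + ", signature algorithm " + cert.getSigAlgName());
    } catch (CertificateExpiredException | CertificateNotYetValidException e) {
      System.err.println("Gateway certificate is outside its validity period: " + e.getMessage());
      System.exit(1);
    } finally {
      Arrays.fill(ksPass, '\0'); // do not leave the secrets lying around in the heap
      Arrays.fill(keyPass, '\0');
    }
  }
}
```

To try it against a self-signed identity: `mkdir -p /tmp/sec/keystores && keytool -genkeypair -alias gateway-identity -keyalg RSA -keysize 2048 -sigalg SHA256withRSA -validity 365 -dname "CN=knox.example.com" -storetype pkcs12 -keystore /tmp/sec/keystores/gateway.jks -storepass changeit -keypass changeit`, then `javac KnoxTlsIdentityCheck.java && KS_PASS=changeit KEY_PASS=changeit java -Dgateway.tls.keystore.type=pkcs12 KnoxTlsIdentityCheck /tmp/sec`. Re-run with `-Dgateway.tls.key.alias=wrong`, a wrong `KEY_PASS`, or `-Dgateway.tls.keystore.path=/nonexistent` to see each failure reported against the property that caused it. One caveat for the proposed configuration: keytool does not support different store and key passwords for PKCS12 keystores, so for that store type the two credential-store aliases would have to hold the same value, whereas JKS lets them differ.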
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200725&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200725 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100857
## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java ##
@@ -0,0 +1,162 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Locale; +import java.util.TimeZone; + +public class X509CertificateUtilTest { + @Rule + public TemporaryFolder testFolder = new 
TemporaryFolder(); + + static X509Certificate certificate; + + @BeforeClass + public static void createCertificate() throws NoSuchAlgorithmException { +KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); +keyPairGenerator.initialize(2048); +KeyPair keyPair = keyPairGenerator.generateKeyPair(); +String dn = "cn=test,ou=hadoop"; + +certificate = X509CertificateUtil.generateCertificate(dn, keyPair, 365, "SHA1withRSA"); + } + + @Test + public void testGenerateCertificate() throws Exception { +String expectedDn = "CN=test, OU=hadoop"; + +assertEquals(expectedDn, certificate.getIssuerDN().getName()); +assertEquals(expectedDn, certificate.getSubjectDN().getName()); +assertEquals("SHA1withRSA", certificate.getSigAlgName()); + +certificate.checkValidity(); + } + + @Test(expected = CertificateNotYetValidException.class) + public void testGenerateCertificateValidityPeriodBefore() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, -1); +certificate.checkValidity(calendar.getTime()); + } + + @Test(expected = CertificateExpiredException.class) + public void testGenerateCertificateValidityPeriodAfter() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, 365); +certificate.checkValidity(calendar.getTime()); + } + + @Test + public void testWriteCertificateToFile() throws Exception { +File file = testFolder.newFile(); +assertTrue(file.delete()); + +assertFalse(file.exists()); +X509CertificateUtil.writeCertificateToFile(certificate, file); +assertTrue(file.exists()); + +BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8); Review comment: Make sure this gets closed This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. 
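Review bot: `certificate.getIssuerDN()` and `getSubjectDN()` in `testGenerateCertificate` are the denigrated accessors; compare `getSubjectX500Principal().getName()` against `"CN=test,OU=hadoop"` instead so the test is not tied to the legacy `Principal` string format. The fixture pins `"SHA1withRSA"`; since `generateCertificate` takes the algorithm as a parameter, also cover `"SHA256withRSA"`, which is what a real gateway identity should be signed with. `testGenerateCertificateValidityPeriodAfter` adds exactly 365 days to the current time and expects `CertificateExpiredException`, so it depends on the certificate's not-after instant being no later than now+365d; use 366 days to keep the boundary out of the assertion. The `BufferedReader fileReader` at the end needs try-with-resources.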
For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200733&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200733 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258103226
## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java ##
@@ -159,21 +159,36 @@ private void logAndValidateCertificate() throws ServiceLifecycleException { throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e); } } else { -throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias."); +throw new ServiceLifecycleException("Public certificate for the gateway cannot be found. Please check the identity certificate alias."); } } else { throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore."); } } @Override - public Object buildSslContextFactory(String keystoreFileName ) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { + public Object buildSslContextFactory(GatewayConfig gatewayConfig) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { +char[] master = ms.getMasterSecret(); Review comment: move this to line 188? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200733) Time Spent: 1h 40m (was: 1.5h) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > h1. 
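Review bot: the rewritten message "Public certificate for the gateway cannot be found. Please check the identity certificate alias." drops the alias name the old text hardcoded, but now that alias and keystore both come from configuration the operator needs the resolved `gateway.tls.key.alias` and `gateway.tls.keystore.path` values in that message to tell which of the two is wrong; the same goes for the "not of the expected type of X509Certificate" branch. On `char[] master = ms.getMasterSecret();` at the top of `buildSslContextFactory(GatewayConfig gatewayConfig)`: beyond moving it next to its first use, per the issue's Solution section the master secret should only be the fallback when no `gateway.tls.keystore.password.alias` / `gateway.tls.key.passphrase.alias` value resolves from the credential store, so the lookup order deserves a comment at that point.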
Problem
> The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to {{/keystores/gateway.jks}} and the certificate alias is hardcoded to “{{gateway-identity}}”. This limits the ability for external management facilities to set up a custom TLS key and certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS certificate.
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.data.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable. The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.path
> ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
> * TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.keystore.password.alias
> **
[jira] [Updated] (KNOX-1784) Upgrade bootstrap to 3.4.1
[ https://issues.apache.org/jira/browse/KNOX-1784?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Kevin Risden updated KNOX-1784: --- Resolution: Fixed Status: Resolved (was: Patch Available) > Upgrade bootstrap to 3.4.1 > -- > > Key: KNOX-1784 > URL: https://issues.apache.org/jira/browse/KNOX-1784 > Project: Apache Knox > Issue Type: Sub-task > Components: AdminUI >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1784.patch > > > Upgrade bootstrap 3.4.0 to 3.4.1 > https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200718&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200718 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258098677
## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java ##
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotSame; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import 
java.security.cert.CertificateException; +import java.util.Locale; + +public class BaseKeystoreServiceTest extends EasyMockSupport { + + @Rule + public TemporaryFolder testFolder = new TemporaryFolder(); + + @Test(expected = KeystoreServiceException.class) + public void testCreateKeystoreWithBadType() throws IOException, KeystoreServiceException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); +baseKeystoreService.createKeystore(testFolder.newFile(), "INVALID_TYPE", "password".toCharArray()); + } + + @Test(expected = IllegalArgumentException.class) + public void testCreateKeystoreWithNullPassword() throws IOException, KeystoreServiceException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); +baseKeystoreService.createKeystore(testFolder.newFile(), "JKS", null); + } + + @Test + public void testCreateGetAndCheckKeystore() throws IOException, KeystoreServiceException, KeyStoreException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +// Test the popular keystore types... +for (String keystoreType : new String[]{"jks", "jceks", "pkcs12"}) { + testCreateGetAndCheckKeystore(baseKeystoreService, keystoreType); +} + } + + @Test + public void testCreateGetAndRemoveCredential() throws Exception { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +// This appears to only work for JCEKS keystores. 
+testCreateGetAndRemoveCredential(baseKeystoreService, "jceks"); + } + + @Test + public void testWriteCertificateToFile() throws IOException, NoSuchAlgorithmException, CertificateEncodingException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +File file = testFolder.newFile(); +Certificate outCertificate = createCertificate(); +baseKeystoreService.writeCertificateToFile(outCertificate, file); + +assertTrue(file.exists()); + +BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8); Review comment: use
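Review bot: `testCreateKeystoreWithNullPassword` only covers `null`; `KeyStore.load(null, ...)` itself accepts a `null` password, so the expected `IllegalArgumentException` has to come from `createKeystore`'s own argument check, and an empty `char[]` (which the JCA also accepts) deserves a test stating whether it is allowed. Every test here hands `createKeystore` the existing zero-byte file from `testFolder.newFile()`; if `createKeystore` goes through `loadKeyStore`, the `keyStoreFile.exists()` branch would try to parse that empty file, so either document that `createKeystore` overwrites or pass `new File(testFolder.getRoot(), "test.jks")`. The `BufferedReader fileReader` in `testWriteCertificateToFile` is never closed; use try-with-resources.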
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200721&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200721 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258100577
## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java ##
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotSame; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import 
java.security.cert.CertificateException; +import java.util.Locale; + +public class BaseKeystoreServiceTest extends EasyMockSupport { Review comment: don't need to extend `EasyMockSupport` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200721) Time Spent: 40m (was: 0.5h) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 40m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. > Knox has configuration hooks for the following (optional) properties > * Home Directory > ** Gateway-site property: GATEWAY_HOME > ** System property: GATEWAY_HOME > ** Environment variable: GATEWAY_HOME > * Data Directory > ** System property: GATEWAY_DATA_HOME > ** Environment variable: GATEWAY_DATA_HOME > ** Gateway-site property: gateway.data.dir > ** Calculated: [Home Directory] + [Path Separator] + “data” > * Security Directory > ** Gateway-site property: gateway.security.dir > ** Calculated: [Data Directory] + [Path Separator] + “security” > *Note*: the calculation for the home directory is inconsistent with the other >
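Review bot: agree on dropping `extends EasyMockSupport`; `createMockBuilder(BaseKeystoreService.class)` is also available as a static method on `org.easymock.EasyMock`, so a static import of `EasyMock.createMockBuilder` is all the tests need, and the static import of `expect` plus the `GatewayConfig` / `MasterService` imports should go unless a test actually records expectations on them. Since `BaseKeystoreService` is now `abstract` (see the `gateway-spi` hunk earlier in this thread), a one-line anonymous subclass in the test would avoid the partial mock entirely.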
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200717&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200717 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258097302
## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java ##
@@ -260,16 +247,13 @@ public boolean isCredentialStoreForClusterAvailable(String clusterName) throws K @Override public boolean isKeystoreForGatewayAvailable() throws KeystoreServiceException { -boolean rc; -final File keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE ); readLock.lock(); try { try { Review comment: Don't need nested try/catch block This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200717) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
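Review bot: besides collapsing the nested `try`, with `new File( keyStoreDir + GATEWAY_KEYSTORE )` gone from `isKeystoreForGatewayAvailable` make sure the replacement resolves the file from `gateway.tls.keystore.path` once at service init rather than on every call, keeps `readLock.unlock()` in the outer `finally`, and includes the resolved path in the `KeystoreServiceException` the method declares so an operator can see which file was probed.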
> Knox has configuration hooks for the following (optional) properties
> * Home Directory
> ** Gateway-site property: GATEWAY_HOME
> ** System property: GATEWAY_HOME
> ** Environment variable: GATEWAY_HOME
> * Data Directory
> ** System property: GATEWAY_DATA_HOME
> ** Environment variable: GATEWAY_DATA_HOME
> ** Gateway-site property: gateway.data.dir
> ** Calculated: [Home Directory] + [Path Separator] + “data”
> * Security Directory
> ** Gateway-site property: gateway.security.dir
> ** Calculated: [Data Directory] + [Path Separator] + “security”
> *Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be
> * System property: GATEWAY_HOME
> * Environment variable: GATEWAY_HOME
> * Gateway-site property: gateway.home.dir
> The path to the Knox Gateway TLS keystore is calculated as
> {noformat}
> [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + “gateway.jks”
> {noformat}
> h1. Solution
> To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable. The following properties should be made available:
> * TLS Keystore File Path
> ** Gateway-site property: gateway.tls.keystore.path
> ** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
> * TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.keystore.password.alias
> ** Calculated: "gateway-identity-keystore-password"
> * TLS Keystore Type
> ** Gateway-site property: gateway.tls.keystore.type
> ** Calculated: ”jks”
> * TLS Key Alias
> ** Gateway-site property: gateway.tls.key.alias
> ** Calculated: “gateway-identity”
> * TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
> ** Gateway-site property: gateway.tls.key.passphrase.alias
> ** Calculated: "gateway-identity-passphrase"
>
--
This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200719&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200719 ]

ASF GitHub Bot logged work on KNOX-1756:
Author: ASF GitHub Bot
Created on: 19/Feb/19 16:08
Start Date: 19/Feb/19 16:08
Worklog Time Spent: 10m
Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
URL: https://github.com/apache/knox/pull/54#discussion_r258099372
## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java ##
@@ -0,0 +1,162 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Locale; +import java.util.TimeZone; + +public class X509CertificateUtilTest { + @Rule + public TemporaryFolder testFolder = new 
TemporaryFolder(); + + static X509Certificate certificate; + + @BeforeClass + public static void createCertificate() throws NoSuchAlgorithmException { +KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); +keyPairGenerator.initialize(2048); +KeyPair keyPair = keyPairGenerator.generateKeyPair(); +String dn = "cn=test,ou=hadoop"; + +certificate = X509CertificateUtil.generateCertificate(dn, keyPair, 365, "SHA1withRSA"); + } + + @Test + public void testGenerateCertificate() throws Exception { +String expectedDn = "CN=test, OU=hadoop"; + +assertEquals(expectedDn, certificate.getIssuerDN().getName()); +assertEquals(expectedDn, certificate.getSubjectDN().getName()); +assertEquals("SHA1withRSA", certificate.getSigAlgName()); + +certificate.checkValidity(); + } + + @Test(expected = CertificateNotYetValidException.class) + public void testGenerateCertificateValidityPeriodBefore() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, -1); +certificate.checkValidity(calendar.getTime()); + } + + @Test(expected = CertificateExpiredException.class) + public void testGenerateCertificateValidityPeriodAfter() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, 365); +certificate.checkValidity(calendar.getTime()); + } + + @Test + public void testWriteCertificateToFile() throws Exception { +File file = testFolder.newFile(); +assertTrue(file.delete()); + +assertFalse(file.exists()); +X509CertificateUtil.writeCertificateToFile(certificate, file); +assertTrue(file.exists()); + +BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8); + +String line = fileReader.readLine(); +String lastLine = null; + +assertEquals("-BEGIN CERTIFICATE-", line); +while (line != null) { + lastLine = line; + line = fileReader.readLine(); +} + +assertEquals("-END CERTIFICATE-", lastLine); + } + + 
@Test + public void testWriteCertificateToJks() throws Exception { +
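Review bot: the BufferedReader opened with Files.newBufferedReader in testWriteCertificateToFile is never closed; put it in a try-with-resources so the handle on the TemporaryFolder file is released even when an assertion fails midway. The expiry check in testGenerateCertificateValidityPeriodAfter probes exactly now + 365 days against a certificate created in @BeforeClass with a 365-day validity; whether that instant lands just inside or just outside the window depends on how generateCertificate derives notAfter and on the milliseconds elapsed between the two calls, so use +366 days to make the boundary unambiguous (the -1 day case is fine as is). Also, the JDK documents getIssuerDN()/getSubjectDN() as denigrated in favour of getIssuerX500Principal()/getSubjectX500Principal(); note that X500Principal.getName() returns the RFC 2253 form without the space after the comma, so the expected value would become "CN=test,OU=hadoop" if you switch.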
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200723=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200723 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258104585 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java ## 
@@ -426,6 +426,11 @@ public String getGatewaySecurityDir() { return get(SECURITY_DIR, getGatewayDataDir() + File.separator + DEFAULT_SECURITY_DIR); } + @Override + public String getGatewayKeystoreDir() { +return new File(getGatewaySecurityDir(), "keystores").getAbsolutePath(); Review comment: Can use `Paths.get` here This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200723) Time Spent: 50m (was: 40m) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 50m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
> Knox has configuration hooks for the following (optional) properties > * Home Directory > ** Gateway-site property: GATEWAY_HOME > ** System property: GATEWAY_HOME > ** Environment variable: GATEWAY_HOME > * Data Directory > ** System property: GATEWAY_DATA_HOME > ** Environment variable: GATEWAY_DATA_HOME > ** Gateway-site property: gateway.data.dir > ** Calculated: [Home Directory] + [Path Separator] + “data” > * Security Directory > ** Gateway-site property: gateway.security.dir > ** Calculated: [Data Directory] + [Path Separator] + “security” > *Note*: the calculation for the home directory is inconsistent with the other > directory calculations. This inconsistency may be confusing to users and thus > should be fixed to be > * System property: GATEWAY_HOME > * Environment variable: GATEWAY_HOME > * Gateway-site property: gateway.home.dir > The path to the Knox Gateway TLS keystore is calculated as > {noformat} > [Security Directory] + [Path Separator] + “keystores” + [Path Separator] + > “gateway.jks” > {noformat} > h1. Solution > To make it easier to use an externally provided TLS key and certificate, the > Knox Gateway should allow the TLS keystore file and alias name to be > configurable. 
The following properties should be made available: > * TLS Keystore File Path > ** Gateway-site property: gateway.tls.keystore.path > ** Calculated: [Security Directory] + [Path Separator] + "keystores" +[Path > Separator]+ "gateway.jks" > * TLS Keystore Password Alias (value to be stored in the Knox Gateway > credential store) > ** Gateway-site property: gateway.tls.keystore.password.alias > ** Calculated: "gateway-identity-keystore-password" > * TLS Keystore Type > ** Gateway-site property: gateway.tls.keystore.type > ** Calculated: :”jks” > * TLS Key Alias > ** Gateway-site property: gateway.tls.key.alias > ** Calculated: “gateway-identity” > * TLS Key Passphrase Alias (value to be stored in the Knox Gateway > credential store) > ** Gateway-site property: gateway.tls.key.passphrase.alias > ** Calculated: "gateway-identity-passphrase" > -- This message was sent by Atlassian JIRA (v7.6.3#76005)
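As an added illustration, not from the issue or the PR, this is how the properties proposed above would point a gateway at an externally managed, host-wide PKCS12 keystore instead of the hardcoded gateway.jks; the file path, key alias and credential-store alias names are assumed values for the example. Only alias names go into gateway-site.xml; the password and passphrase themselves stay in the Knox credential store under those aliases.

```xml
<!-- Added example: gateway-site.xml fragment using the KNOX-1756 properties.
     Path, key alias and credential-store alias names are assumed values. -->
<configuration>
  <!-- Externally provisioned keystore holding the host-wide, CA-signed TLS key.
       If this property is absent the default [Security Directory]/keystores/gateway.jks applies. -->
  <property>
    <name>gateway.tls.keystore.path</name>
    <value>/etc/pki/tls/private/knox-host.p12</value>
  </property>
  <!-- Must match the container format of that file; the default is "jks". -->
  <property>
    <name>gateway.tls.keystore.type</name>
    <value>pkcs12</value>
  </property>
  <!-- Alias of the private key entry inside the keystore; the default is "gateway-identity". -->
  <property>
    <name>gateway.tls.key.alias</name>
    <value>knox-host</value>
  </property>
  <!-- These two values are credential-store alias NAMES, not secrets: the actual
       keystore password and key passphrase are stored in the gateway credential
       store under these aliases, so nothing sensitive is written to this file. -->
  <property>
    <name>gateway.tls.keystore.password.alias</name>
    <value>knox-host-keystore-password</value>
  </property>
  <property>
    <name>gateway.tls.key.passphrase.alias</name>
    <value>knox-host-key-passphrase</value>
  </property>
</configuration>
```

PKCS12 files produced by openssl normally protect the key and the container with the same password, so in that case both aliases would resolve to the same secret in the credential store.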
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200727=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200727 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258101064 ## File path: gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java ## 
@@ -50,6 +51,9 @@ import static org.junit.Assert.fail; public class SimpleDescriptorHandlerFuncTest { + @Rule Review comment: Useful but change should be outside of this PR This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200727) Time Spent: 1h 20m (was: 1h 10m) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 20m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. > Knox has configuration hooks for the following (optional) properties > * Home Directory > ** Gateway-site property: GATEWAY_HOME > ** System property: GATEWAY_HOME > ** Environment variable: GATEWAY_HOME > * Data Directory > ** System property: GATEWAY_DATA_HOME > ** Environment variable: GATEWAY_DATA_HOME > ** Gateway-site property: gateway.data.dir > ** Calculated: [Home Directory] + [Path Separator] + “data” > * Security Directory > ** Gateway-site property: gateway.security.dir > ** Calculated: [Data Directory] + [Path Separator] + “security” > *Note*: the calculation for the home directory is inconsistent with the other > directory calculations. 
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200732=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200732 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258104177 ## File path: gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java ## 
@@ -47,4 +47,8 @@ @Message( level = MessageLevel.INFO, text = "No private key passphrase alias found. Defaulting to master. Exception encountered: {0}") void noPrivateKeyPasshraseProvisioned(Exception e); + + @Message( level = MessageLevel.ERROR, text = + "No keystore password alias found. Defaulting to master. Exception encountered: {0}") Review comment: master secret This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200732) Time Spent: 1h 40m (was: 1.5h) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
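Review bot: the new message is logged at MessageLevel.ERROR while the neighbouring noPrivateKeyPasshraseProvisioned message, which reports the same kind of fallback, is at MessageLevel.INFO. With the defaults proposed in the issue, falling back to the master secret when no alias is configured is an expected condition, so a deployment relying on the default would log an error for normal behaviour; give both messages the same level (INFO, or WARN if the fallback is worth surfacing). As the reviewer notes, "Defaulting to master" should read "Defaulting to master secret" in both messages, and since the declaration is being touched anyway the typo in the existing method name (Passhrase) could be corrected in the same change.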
[jira] [Commented] (KNOX-1784) Upgrade bootstrap to 3.4.1
[ https://issues.apache.org/jira/browse/KNOX-1784?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772059#comment-16772059 ] ASF subversion and git services commented on KNOX-1784: --- Commit c5d4111a0ddf1831da8b16abfd0ecf0518aa1dea in knox's branch refs/heads/master from Kevin Risden [ https://gitbox.apache.org/repos/asf?p=knox.git;h=c5d4111 ] KNOX-1784 - Upgrade bootstrap to 3.4.1 Signed-off-by: Kevin Risden > Upgrade bootstrap to 3.4.1 > -- > > Key: KNOX-1784 > URL: https://issues.apache.org/jira/browse/KNOX-1784 > Project: Apache Knox > Issue Type: Sub-task > Components: AdminUI >Reporter: Kevin Risden >Assignee: Kevin Risden >Priority: Minor > Fix For: 1.3.0 > > Attachments: KNOX-1784.patch > > > Upgrade bootstrap 3.4.0 to 3.4.1 > https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/ -- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200729=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200729 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258108015 ## File path: gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java ## 
@@ -0,0 +1,384 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PASSWORD_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PATH; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_TYPE; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_PASSPHRASE_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEYSTORE_NAME; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEY_ALIAS; +import static org.easymock.EasyMock.eq; +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Paths; +import java.security.Key; +import 
java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Locale; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.config.impl.GatewayConfigImpl; +import org.apache.knox.gateway.services.ServiceLifecycleException; +import org.apache.knox.gateway.services.security.KeystoreService; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +public class DefaultKeystoreServiceTest extends EasyMockSupport { Review comment: Looks like this would be useful outside of the PR This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200729) Time Spent: 1.5h (was: 1h 20m) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200720=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200720 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258097404 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java ## 
@@ -278,22 +262,14 @@ public boolean isKeystoreForGatewayAvailable() throws KeystoreServiceException { @Override public Key getKeyForGateway(String alias, char[] passphrase) throws KeystoreServiceException { -Key key = null; readLock.lock(); try { - KeyStore ks = getKeystoreForGateway(); - if (passphrase == null) { -passphrase = masterService.getMasterSecret(); -LOG.assumingKeyPassphraseIsMaster(); - } - if (ks != null) { -try { - key = ks.getKey(alias, passphrase); -} catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) { - LOG.failedToGetKeyForGateway( alias, e ); -} + try { Review comment: nested try/catch block not needed This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200720) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. This limits the > ability for external management facilities to setup a custom TLS key and > certificate for the Knox Gateway. For example, a host-wide, CA-signed, TLS > certificate. 
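Review bot: the removed block handled two distinct conditions and the replacement is cut off in this hunk, so please confirm both survive. First, when passphrase was null the old code substituted masterService.getMasterSecret() and logged LOG.assumingKeyPassphraseIsMaster(); that log line is what tells an operator that the configured passphrase alias was not found, so keep it wherever the fallback now lives. Second, UnrecoverableKeyException (wrong passphrase) was caught, logged via failedToGetKeyForGateway and turned into a null Key. With `Key key = null;` gone and the method already declaring KeystoreServiceException, prefer throwing that exception with the alias in its message over returning null, so a wrong gateway.tls.key.passphrase.alias fails clearly at startup rather than as a NullPointerException in whichever caller first uses the key.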
[jira] [Work logged] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?focusedWorklogId=200722=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200722 ] ASF GitHub Bot logged work on KNOX-1756: Author: ASF GitHub Bot Created on: 19/Feb/19 16:08 Start Date: 19/Feb/19 16:08 Worklog Time Spent: 10m Work Description: risdenk commented on pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258101889 ## File path: gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/CMFKeystoreService.java ## 
@@ -41,26 +41,24 @@ private static final String TEST_CERT_DN = "CN=hadoop,OU=Test,O=Hadoop,L=Test,ST=Test,C=US"; private static final String CREDENTIALS_SUFFIX = "-credentials.jceks"; - private String serviceName; + private final String serviceName; + private final File keyStoreDir; public CMFKeystoreService(String keystoreDir, String serviceName) throws ServiceLifecycleException { this.serviceName = serviceName; -this.keyStoreDir = keystoreDir + File.separator; -File ksd = new File(this.keyStoreDir); -if (!ksd.exists() && !ksd.mkdirs()) { +this.keyStoreDir = new File(keystoreDir); +if (!this.keyStoreDir.exists() && !this.keyStoreDir.mkdirs()) { throw new ServiceLifecycleException("Cannot create the keystore directory"); } } public void createKeystore() throws KeystoreServiceException { -String filename = keyStoreDir + serviceName + ".jks"; -createKeystore(filename, "JKS"); +createKeystore(new File(keyStoreDir, serviceName + ".jks"), "JKS", getMasterSecret()); Review comment: you have keystore type defined elsewhere. Use it here instead of "JKS"? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org Issue Time Tracking --- Worklog Id: (was: 200722) > Knox Gateway TLS Keystore and Alias Should be Configurable > -- > > Key: KNOX-1756 > URL: https://issues.apache.org/jira/browse/KNOX-1756 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.3.0 >Reporter: Robert Levas >Assignee: Robert Levas >Priority: Major > Labels: keystore, ssl > Fix For: 1.3.0 > > Time Spent: 40m > Remaining Estimate: 0h > > h1. Problem > The location of the keystore housing the Knox Gateway TLS certificate is > hardcoded to {{/keystores/gateway.jks}} and the > certificate alias is hardcoded to “{{gateway-identity}}”. 
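Review bot: the constructor still creates the keystore directory with File.mkdirs(), which inherits the process umask, so a freshly created directory that is about to hold private keys and the -credentials.jceks files may end up group- or world-readable; on POSIX filesystems create it with owner-only permissions (Files.createDirectories with a PosixFilePermissions attribute, falling back to setReadable/setWritable/setExecutable(false, false) then (true, true) where POSIX attributes are unsupported). The `!exists() && !mkdirs()` pair is also a check-then-act race when two services start concurrently: mkdirs() returns false because the other one just created the directory, and a spurious ServiceLifecycleException follows; calling mkdirs() unconditionally and then testing isDirectory() avoids that. On the type question raised in the review, the "JKS" literal and the ".jks" suffix should be derived from one constant so the file extension cannot disagree with the store type.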
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258109073 ## File path: gateway-server/src/test/java/org/apache/knox/gateway/util/KnoxCLITest.java ## @@ -54,12 +55,14 @@ /** * @author larry - * */ public class KnoxCLITest { Review comment: These changes don't look tied to the PR itself. Would be good to separate. This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258104585 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java ## @@ -426,6 +426,11 @@ public String getGatewaySecurityDir() { return get(SECURITY_DIR, getGatewayDataDir() + File.separator + DEFAULT_SECURITY_DIR); } + @Override + public String getGatewayKeystoreDir() { +return new File(getGatewaySecurityDir(), "keystores").getAbsolutePath(); Review comment: Can use `Paths.get` here This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
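Review bot: the "keystores" literal in getGatewayKeystoreDir() is the default path segment that the issue sets out to make configurable; lift it into a constant next to DEFAULT_SECURITY_DIR (for example DEFAULT_KEYSTORE_DIR) so every derivation of the directory and its documentation agree. On the Paths.get suggestion, `return Paths.get(getGatewaySecurityDir(), "keystores").toAbsolutePath().toString();` keeps the method returning a String while dropping the manual File construction.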
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258104823 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/config/impl/GatewayConfigImpl.java ## @@ -643,14 +648,58 @@ public long getGatewayDeploymentsBackupAgeLimit() { return d; } + @Override + public String getIdentityKeystorePath() { +String keystorePath = get(IDENTITY_KEYSTORE_PATH); +if(StringUtils.isEmpty(keystorePath)) { + keystorePath = getGatewayKeystoreDir() + File.separatorChar + "gateway.jks"; Review comment: `Paths.get` This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
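Review bot: StringUtils.isEmpty(keystorePath) lets a whitespace-only gateway.tls.keystore.path through as a real path; use StringUtils.isBlank (and trim the value) so a misconfigured property falls back to the default instead of pointing at a file that can never exist. A relative value is resolved against the JVM working directory, which is surprising given that the default is itself derived from the security directory; either resolve non-absolute values with `Paths.get(getGatewaySecurityDir()).resolve(keystorePath)` or state in the documentation that the property must be absolute. The "gateway.jks" default literal belongs in a named constant alongside the other defaults, and `Paths.get(getGatewayKeystoreDir(), "gateway.jks").toString()` covers the reviewer's Paths.get point.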
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258100235 ## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java ## 
@@ -0,0 +1,162 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Locale; +import java.util.TimeZone; + +public class X509CertificateUtilTest { Review comment: Looks like this would be useful 
outside of this PR
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258102739 ## File path: gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreService.java ## 
@@ -39,28 +39,26 @@ import java.security.cert.CertificateEncodingException; import java.security.cert.CertificateException; -public class BaseKeystoreService { +abstract class BaseKeystoreService { private static GatewaySpiMessages LOG = MessagesFactory.get( GatewaySpiMessages.class ); - protected MasterService masterService; - protected String keyStoreDir; + private MasterService masterService; - private static KeyStore loadKeyStore(final File keyStoreFile, final char[] masterPassword, String storeType) + private static KeyStore loadKeyStore(final File keyStoreFile, final char[] storePassword, String storeType) throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException { final KeyStore keyStore = KeyStore.getInstance(storeType); if ( keyStoreFile.exists() ) { try (InputStream input = Files.newInputStream(keyStoreFile.toPath())) { - keyStore.load( input, masterPassword ); + keyStore.load( input, storePassword ); } } else { - keyStore.load( null, masterPassword ); + keyStore.load( null, storePassword ); } return keyStore; } - private static OutputStream createKeyStoreFile(String fileName ) throws IOException { -File file = new File( fileName ); + private static OutputStream createKeyStoreFile(File file) throws IOException { Review comment: Since we are changing the method signature anyway, can we go with `Path` instead of `File`? `Path` is preferred to `File`. https://docs.oracle.com/javase/tutorial/essential/io/legacy.html This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
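Review bot: `loadKeyStore` still treats a missing keystore file as an empty keystore (`keyStore.load(null, storePassword)` in the `else` branch), so a wrong value for the now-configurable identity keystore path silently yields a store with no keys instead of a clear startup failure; consider failing fast here, or at least logging the path that was not found, and leaving create-if-absent to the explicit create call. Changing `public class BaseKeystoreService` to package-private `abstract class` also removes it from the public API, so any subclass outside `org.apache.knox.gateway.services.security.impl` stops compiling; worth calling out in the PR description. Agreed on taking `Path` rather than `File` in `createKeystoreFile` while the signature is changing anyway.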
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258108015 ## File path: gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreServiceTest.java ## 
@@ -0,0 +1,384 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PASSWORD_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_PATH; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEYSTORE_TYPE; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.IDENTITY_KEY_PASSPHRASE_ALIAS; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEYSTORE_NAME; +import static org.apache.knox.gateway.config.GatewayConfig.SIGNING_KEY_ALIAS; +import static org.easymock.EasyMock.eq; +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Paths; +import java.security.Key; +import 
java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.X509Certificate; +import java.util.Collections; +import java.util.Locale; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.config.impl.GatewayConfigImpl; +import org.apache.knox.gateway.services.ServiceLifecycleException; +import org.apache.knox.gateway.services.security.KeystoreService; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +public class DefaultKeystoreServiceTest extends EasyMockSupport { Review comment: Looks like this would be useful outside of the PR This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258103226 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/JettySSLService.java ## @@ -159,21 +159,36 @@ private void logAndValidateCertificate() throws ServiceLifecycleException { throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e); } } else { -throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Plase check the identity certificate alias."); +throw new ServiceLifecycleException("Public certificate for the gateway cannot be found. Please check the identity certificate alias."); } } else { throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore."); } } @Override - public Object buildSslContextFactory(String keystoreFileName ) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { + public Object buildSslContextFactory(GatewayConfig gatewayConfig) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException { +char[] master = ms.getMasterSecret(); Review comment: move this to line 188? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
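Review bot: The reworded exception message drops the alias from "Public certificate for the gateway cannot be found" at the moment the alias becomes configurable; include the alias actually looked up (and ideally the keystore path) so an operator can tell which setting is wrong. In `buildSslContextFactory`, `char[] master = ms.getMasterSecret();` is fetched at the top of the method before anything needs it; fetch it where it is used and, if `getMasterSecret()` returns a copy, clear it with `Arrays.fill` once the keystore and key passwords have been resolved so the master secret is not kept in scope across the whole SSL context setup.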
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258100423 ## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java ## 
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotSame; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import 
java.security.cert.CertificateException; +import java.util.Locale; + +public class BaseKeystoreServiceTest extends EasyMockSupport { Review comment: Looks like this would be useful outside of this PR This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258097404 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java ## @@ -278,22 +262,14 @@ public boolean isKeystoreForGatewayAvailable() throws KeystoreServiceException { @Override public Key getKeyForGateway(String alias, char[] passphrase) throws KeystoreServiceException { -Key key = null; readLock.lock(); try { - KeyStore ks = getKeystoreForGateway(); - if (passphrase == null) { -passphrase = masterService.getMasterSecret(); -LOG.assumingKeyPassphraseIsMaster(); - } - if (ks != null) { -try { - key = ks.getKey(alias, passphrase); -} catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e) { - LOG.failedToGetKeyForGateway( alias, e ); -} + try { Review comment: nested try/catch block not needed This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
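Review bot: Removing the `passphrase == null` fallback to `masterService.getMasterSecret()` (and its `LOG.assumingKeyPassphraseIsMaster()` log line) changes the contract of `getKeyForGateway`: callers that passed `null` to mean "use the master secret" will now fail inside `ks.getKey(alias, null)`. Either keep the fallback in this method or update every caller and the interface Javadoc in the same change. The removed `catch (UnrecoverableKeyException | NoSuchAlgorithmException | KeyStoreException e)` with `LOG.failedToGetKeyForGateway(alias, e)` was the only diagnostic for a wrong key passphrase; make sure the new code still logs the alias on failure rather than returning `null` quietly. Agreed that the nested `try` is unnecessary.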
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258104177 ## File path: gateway-provider-security-pac4j/src/main/java/org/apache/knox/gateway/pac4j/Pac4jMessages.java ## @@ -47,4 +47,8 @@ @Message( level = MessageLevel.INFO, text = "No private key passphrase alias found. Defaulting to master. Exception encountered: {0}") void noPrivateKeyPasshraseProvisioned(Exception e); + + @Message( level = MessageLevel.ERROR, text = + "No keystore password alias found. Defaulting to master. Exception encountered: {0}") Review comment: master secret This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
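Review bot: The new message is declared at `MessageLevel.ERROR` while the sibling message directly above it, which reports the same kind of fallback for the private key passphrase, is `INFO`; since the code recovers by defaulting, both should use the same level (and the same wording, "Defaulting to master secret", as noted), otherwise every default installation logs an ERROR on startup. Naming the alias that was looked up in the message text would also help operators.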
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258100857 ## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/X509CertificateUtilTest.java ## 
@@ -0,0 +1,162 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotNull; +import static org.junit.Assert.assertTrue; + +import org.junit.BeforeClass; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.io.InputStream; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPair; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.cert.Certificate; +import java.security.cert.CertificateException; +import java.security.cert.CertificateExpiredException; +import java.security.cert.CertificateNotYetValidException; +import java.security.cert.X509Certificate; +import java.util.Calendar; +import java.util.Locale; +import java.util.TimeZone; + +public class X509CertificateUtilTest { + @Rule + public TemporaryFolder testFolder = new 
TemporaryFolder(); + + static X509Certificate certificate; + + @BeforeClass + public static void createCertificate() throws NoSuchAlgorithmException { +KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA"); +keyPairGenerator.initialize(2048); +KeyPair keyPair = keyPairGenerator.generateKeyPair(); +String dn = "cn=test,ou=hadoop"; + +certificate = X509CertificateUtil.generateCertificate(dn, keyPair, 365, "SHA1withRSA"); + } + + @Test + public void testGenerateCertificate() throws Exception { +String expectedDn = "CN=test, OU=hadoop"; + +assertEquals(expectedDn, certificate.getIssuerDN().getName()); +assertEquals(expectedDn, certificate.getSubjectDN().getName()); +assertEquals("SHA1withRSA", certificate.getSigAlgName()); + +certificate.checkValidity(); + } + + @Test(expected = CertificateNotYetValidException.class) + public void testGenerateCertificateValidityPeriodBefore() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, -1); +certificate.checkValidity(calendar.getTime()); + } + + @Test(expected = CertificateExpiredException.class) + public void testGenerateCertificateValidityPeriodAfter() throws Exception { +Calendar calendar = Calendar.getInstance(TimeZone.getDefault(), Locale.ROOT); +calendar.add(Calendar.DAY_OF_YEAR, 365); +certificate.checkValidity(calendar.getTime()); + } + + @Test + public void testWriteCertificateToFile() throws Exception { +File file = testFolder.newFile(); +assertTrue(file.delete()); + +assertFalse(file.exists()); +X509CertificateUtil.writeCertificateToFile(certificate, file); +assertTrue(file.exists()); + +BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8); Review comment: Make sure this gets closed This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. 
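Review bot: The `BufferedReader` from `Files.newBufferedReader(...)` in `testWriteCertificateToFile` is never closed; wrap it in try-with-resources. The fixture certificate is generated with `"SHA1withRSA"` and the test asserts on that via `getSigAlgName()`; unless the test is deliberately pinning the legacy algorithm, use `"SHA256withRSA"` so the fixture does not exercise a signature algorithm modern TLS stacks reject, and assert on `getSubjectX500Principal().getName()` rather than `getSubjectDN()`, which the JDK documents as replaced. `testGenerateCertificateValidityPeriodAfter` adds exactly 365 days to "now" for a 365-day certificate, so it depends on how `generateCertificate` computes its notAfter relative to the `@BeforeClass` time; adding 366 days makes the expectation robust.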
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258101064 ## File path: gateway-test/src/test/java/org/apache/knox/gateway/SimpleDescriptorHandlerFuncTest.java ## @@ -50,6 +51,9 @@ import static org.junit.Assert.fail; public class SimpleDescriptorHandlerFuncTest { + @Rule Review comment: Useful but change should be outside of this PR This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258101889 ## File path: gateway-spi/src/main/java/org/apache/knox/gateway/services/security/impl/CMFKeystoreService.java ## @@ -41,26 +41,24 @@ private static final String TEST_CERT_DN = "CN=hadoop,OU=Test,O=Hadoop,L=Test,ST=Test,C=US"; private static final String CREDENTIALS_SUFFIX = "-credentials.jceks"; - private String serviceName; + private final String serviceName; + private final File keyStoreDir; public CMFKeystoreService(String keystoreDir, String serviceName) throws ServiceLifecycleException { this.serviceName = serviceName; -this.keyStoreDir = keystoreDir + File.separator; -File ksd = new File(this.keyStoreDir); -if (!ksd.exists() && !ksd.mkdirs()) { +this.keyStoreDir = new File(keystoreDir); +if (!this.keyStoreDir.exists() && !this.keyStoreDir.mkdirs()) { throw new ServiceLifecycleException("Cannot create the keystore directory"); } } public void createKeystore() throws KeystoreServiceException { -String filename = keyStoreDir + serviceName + ".jks"; -createKeystore(filename, "JKS"); +createKeystore(new File(keyStoreDir, serviceName + ".jks"), "JKS", getMasterSecret()); Review comment: you have keystore type defined elsewhere. Use it here instead of "JKS"? This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
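Review bot: `this.keyStoreDir.mkdirs()` creates the directory that will hold the service's private keys and credential stores with whatever the process umask allows; since the path is now a proper `File`, consider creating it via `Files.createDirectories` with owner-only `PosixFilePermissions` where the filesystem supports it. Agreed with the comment that `"JKS"` should come from the keystore-type constant already defined elsewhere, and the `".jks"` suffix deserves a constant next to `CREDENTIALS_SUFFIX`.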
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258098677 ## File path: gateway-spi/src/test/java/org/apache/knox/gateway/services/security/impl/BaseKeystoreServiceTest.java ## 
@@ -0,0 +1,240 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.knox.gateway.services.security.impl; + +import static org.easymock.EasyMock.expect; +import static org.junit.Assert.assertEquals; +import static org.junit.Assert.assertFalse; +import static org.junit.Assert.assertNotSame; +import static org.junit.Assert.assertNull; +import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; + +import org.apache.knox.gateway.config.GatewayConfig; +import org.apache.knox.gateway.services.security.KeystoreServiceException; +import org.apache.knox.gateway.services.security.MasterService; +import org.easymock.EasyMockSupport; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.TemporaryFolder; + +import java.io.BufferedReader; +import java.io.File; +import java.io.IOException; +import java.nio.charset.StandardCharsets; +import java.nio.file.Files; +import java.security.KeyPairGenerator; +import java.security.KeyStore; +import java.security.KeyStoreException; +import java.security.NoSuchAlgorithmException; +import java.security.UnrecoverableKeyException; +import java.security.cert.Certificate; +import java.security.cert.CertificateEncodingException; +import 
java.security.cert.CertificateException; +import java.util.Locale; + +public class BaseKeystoreServiceTest extends EasyMockSupport { + + @Rule + public TemporaryFolder testFolder = new TemporaryFolder(); + + @Test(expected = KeystoreServiceException.class) + public void testCreateKeystoreWithBadType() throws IOException, KeystoreServiceException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); +baseKeystoreService.createKeystore(testFolder.newFile(), "INVALID_TYPE", "password".toCharArray()); + } + + @Test(expected = IllegalArgumentException.class) + public void testCreateKeystoreWithNullPassword() throws IOException, KeystoreServiceException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); +baseKeystoreService.createKeystore(testFolder.newFile(), "JKS", null); + } + + @Test + public void testCreateGetAndCheckKeystore() throws IOException, KeystoreServiceException, KeyStoreException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +// Test the popular keystore types... +for (String keystoreType : new String[]{"jks", "jceks", "pkcs12"}) { + testCreateGetAndCheckKeystore(baseKeystoreService, keystoreType); +} + } + + @Test + public void testCreateGetAndRemoveCredential() throws Exception { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +// This appears to only work for JCEKS keystores. 
+testCreateGetAndRemoveCredential(baseKeystoreService, "jceks"); + } + + @Test + public void testWriteCertificateToFile() throws IOException, NoSuchAlgorithmException, CertificateEncodingException { +BaseKeystoreService baseKeystoreService = createMockBuilder(BaseKeystoreService.class).createMock(); + +File file = testFolder.newFile(); +Certificate outCertificate = createCertificate(); +baseKeystoreService.writeCertificateToFile(outCertificate, file); + +assertTrue(file.exists()); + +BufferedReader fileReader = Files.newBufferedReader(file.toPath(), StandardCharsets.UTF_8); Review comment: use try-with-resources to ensure closed This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
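Review bot: `testCreateKeystoreWithNullPassword` expects an `IllegalArgumentException`, but `KeyStore.load(null, null)` is legal in the JDK, so that exception has to come from an explicit null check in `createKeystore`; the `BaseKeystoreService` hunk in this PR does not show one, so verify it exists or the test will fail for the wrong reason. The `BufferedReader` from `Files.newBufferedReader` in `testWriteCertificateToFile` should be in try-with-resources, as noted. The comment "This appears to only work for JCEKS keystores" on the credential test should state why (JKS cannot store secret-key entries) so it reads as a documented constraint rather than an observation.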
[GitHub] risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable
risdenk commented on a change in pull request #54: [WIP] KNOX-1756 - Knox Gateway TLS Keystore and Alias Should be Configurable URL: https://github.com/apache/knox/pull/54#discussion_r258097302 ## File path: gateway-server/src/main/java/org/apache/knox/gateway/services/security/impl/DefaultKeystoreService.java ## @@ -260,16 +247,13 @@ public boolean isCredentialStoreForClusterAvailable(String clusterName) throws K @Override public boolean isKeystoreForGatewayAvailable() throws KeystoreServiceException { -boolean rc; -final File keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE ); readLock.lock(); try { try { Review comment: Don't need nested try/catch block This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org With regards, Apache Git Services
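Review bot: With `final File keyStoreFile = new File( keyStoreDir + GATEWAY_KEYSTORE )` removed, the availability check must derive the path from the same source as the load path (`getIdentityKeystorePath()` in the `GatewayConfigImpl` hunk), otherwise `isKeystoreForGatewayAvailable()` can report true for the default file while the configured keystore is missing; the replacement is outside the visible lines, so please confirm. Agreed the nested `try` can be dropped.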
Re: [DISCUSS] Enter the Pull Request?
Wonderful! Thank you for this contribution, Sandor!

On Tue, Feb 19, 2019 at 10:14 AM Sandeep Moré wrote:
> Great, thanks Sandor !
>
> On Tue, Feb 19, 2019 at 10:09 AM Sandor Molnar wrote:
> > Hi folks!
> >
> > It's all set; you can check out the umbrella JIRA for further information:
> > https://issues.apache.org/jira/browse/KNOX-1759
> >
> > Additionally, you might want to read the enhanced documentation on how to
> > contribute using GitHub PRs here:
> > https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow
> >
> > Regards,
> > Sandor
> >
> > On Fri, Feb 8, 2019 at 4:10 PM Sandor Molnar wrote:
> > > "We can't do this unless we only accept PRs. It is entirely possible to
> > > commit to the repository without opening a PR so we want tests to run. The
> > > Knox-master-daily job also runs full integration release tests and not just
> > > the unit tests that are run on PRs currently."
> > >
> > > Got it; thanks for the clarification!
> > >
> > > On Fri, Feb 8, 2019 at 3:22 PM Kevin Risden wrote:
> > > > I created https://issues.apache.org/jira/browse/KNOX-1759 with some
> > > > subtasks for concrete action items to take to move forward.
> > > >
> > > > "If that happened we might get rid of the 'Knox-master-daily' job since it
> > > > is being executed after a commit is merged into master (AFAIK) which makes
> > > > no sense if we only allow a commit to be merged if all tests were
> > > > successfully passed already"
> > > >
> > > > We can't do this unless we only accept PRs. It is entirely possible to
> > > > commit to the repository without opening a PR so we want tests to run. The
> > > > Knox-master-daily job also runs full integration release tests and not just
> > > > the unit tests that are run on PRs currently.
> > > > Kevin Risden
> > > >
> > > > On Fri, Feb 8, 2019 at 4:34 AM Sandor Molnar wrote:
> > > > > +1 for PRs.
> > > > >
> > > > > My two cents on Kevin's list:
> > > > > - PR template is a good idea; Ambari also has one here:
> > > > > https://github.com/apache/ambari/blob/trunk/.github/PULL_REQUEST_TEMPLATE.md
> > > > > It would also be great if test steps are described in a detailed manner
> > > > > (it helped me many times in case I had to reproduce something months after
> > > > > the PR was merged)
> > > > >
> > > > > - comments on the PR: in case of Ambari they go to the 'Worklog' tab in the
> > > > > corresponding JIRA, which - IMO - was better than putting all of this stuff
> > > > > within the comments; it gave us a clear separation and did not spam the
> > > > > comments in the JIRA where other useful information may be found (i.e. a
> > > > > design history, open point clarification, etc...). Not to mention that the
> > > > > worklogs contain a lot of information
> > > > >
> > > > > - linking the PRs to the JIRA automatically is essential IMO; thanks for
> > > > > pointing that out Kevin!
> > > > >
> > > > > - I'm not sure if it is feasible (currently does not seem to be the case)
> > > > > but it would be great if contributors could invite others for review (i.e.
> > > > > not only committers)
> > > > >
> > > > > - Apache has a Jenkins instance to run CI checks on its projects (Ambari
> > > > > sample: https://builds.apache.org/job/Ambari-Github-PullRequest-Builder/).
> > > > > Since Knox already has some jobs here (for instance
> > > > > https://builds.apache.org/job/Knox-master-daily/) we might consider
> > > > > creating Knox's PR Builder here too (so that all of our CI related jobs
> > > > > would be in one place). If that happened we might get rid of the
> > > > > 'Knox-master-daily' job since it is being executed after a commit is merged
> > > > > into master (AFAIK) which makes no sense if we only allow a commit to be
> > > > > merged if all tests were successfully passed already
> > > > >
> > > > > Cheers,
> > > > > Sandor
> > > > >
> > > > > On Fri, Feb 8, 2019 at 5:53 AM Jeffrey Rodriguez <jeffrey...@gmail.com> wrote:
> > > > > > +1 It is great that we are considering Pull requests that would help to
> > > > > > increase community collaboration.
> > > > > > Jeffrey E Rodriguez
> > > > > >
> > > > > > On Thu, Feb 7, 2019 at 3:43 PM Robert Levas wrote:
> > > > > > > +1. I think this is a great idea.
> > > > > > >
> > > > > > > On Thu, Feb 7, 2019 at 5:29 PM larry mccay wrote:
> > > > > > > > Great list of ideas/practices there, Kevin!
> > > > > > > >
> > > > > > > > I for one would want comments added as comments to JIRA.
> > > > > > > > I hate coming across a JIRA that would address something that I am
> > > > > > > > looking for and then find no meaningful comments.
> > > > > > > >
> > > > > > > > On Thu, Feb 7, 2019 at 4:20 PM Phil Zampino <pzamp...@gmail.com>
[jira] [Work started] (KNOX-1784) Upgrade bootstrap to 3.4.1
[ https://issues.apache.org/jira/browse/KNOX-1784?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on KNOX-1784 started by Kevin Risden.

> Upgrade bootstrap to 3.4.1
> Key: KNOX-1784
> URL: https://issues.apache.org/jira/browse/KNOX-1784
> Project: Apache Knox
> Issue Type: Sub-task
> Components: AdminUI
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Minor
> Fix For: 1.3.0
>
> Upgrade bootstrap 3.4.0 to 3.4.1
> https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KNOX-1784) Upgrade bootstrap to 3.4.1
[ https://issues.apache.org/jira/browse/KNOX-1784?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1784:
Attachment: KNOX-1784.patch
Status: Patch Available (was: In Progress)

> Upgrade bootstrap to 3.4.1
> Key: KNOX-1784
> URL: https://issues.apache.org/jira/browse/KNOX-1784
> Project: Apache Knox
> Issue Type: Sub-task
> Components: AdminUI
> Reporter: Kevin Risden
> Assignee: Kevin Risden
> Priority: Minor
> Fix For: 1.3.0
> Attachments: KNOX-1784.patch
>
> Upgrade bootstrap 3.4.0 to 3.4.1
> https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Created] (KNOX-1784) Upgrade bootstrap to 3.4.1
Kevin Risden created KNOX-1784:
Summary: Upgrade bootstrap to 3.4.1
Key: KNOX-1784
URL: https://issues.apache.org/jira/browse/KNOX-1784
Project: Apache Knox
Issue Type: Sub-task
Components: AdminUI
Reporter: Kevin Risden
Assignee: Kevin Risden
Fix For: 1.3.0

Upgrade bootstrap 3.4.0 to 3.4.1
https://blog.getbootstrap.com/2019/02/13/bootstrap-4-3-1-and-3-4-1/

-- This message was sent by Atlassian JIRA (v7.6.3#76005)
[jira] [Updated] (KNOX-1756) Knox Gateway TLS Keystore and Alias Should be Configurable
[ https://issues.apache.org/jira/browse/KNOX-1756?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Levas updated KNOX-1756:

Description:

h1. Problem

The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to {{/keystores/gateway.jks}} and the certificate alias is hardcoded to "{{gateway-identity}}". This limits the ability for external management facilities to set up a custom TLS key and certificate for the Knox Gateway, for example a host-wide, CA-signed TLS certificate.

Knox has configuration hooks for the following (optional) properties:

* Home Directory
** Gateway-site property: GATEWAY_HOME
** System property: GATEWAY_HOME
** Environment variable: GATEWAY_HOME
* Data Directory
** System property: GATEWAY_DATA_HOME
** Environment variable: GATEWAY_DATA_HOME
** Gateway-site property: gateway.data.dir
** Calculated: [Home Directory] + [Path Separator] + "data"
* Security Directory
** Gateway-site property: gateway.security.dir
** Calculated: [Data Directory] + [Path Separator] + "security"

*Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be:

* System property: GATEWAY_HOME
* Environment variable: GATEWAY_HOME
* Gateway-site property: gateway.home.dir

The path to the Knox Gateway TLS keystore is calculated as

{noformat}
[Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
{noformat}

h1. Solution

To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable. The following properties should be made available:

* TLS Keystore File Path
** Gateway-site property: gateway.tls.keystore.path
** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
* TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
** Gateway-site property: gateway.tls.keystore.password.alias
** Calculated: "gateway-identity-keystore-password"
* TLS Keystore Type
** Gateway-site property: gateway.tls.keystore.type
** Calculated: "jks"
* TLS Key Alias
** Gateway-site property: gateway.tls.key.alias
** Calculated: "gateway-identity"
* TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
** Gateway-site property: gateway.tls.key.passphrase.alias
** Calculated: "gateway-identity-passphrase"

was:

h1. Problem

The location of the keystore housing the Knox Gateway TLS certificate is hardcoded to {{/keystores/gateway.jks}} and the certificate alias is hardcoded to "{{gateway-identity}}". This limits the ability for external management facilities to set up a custom TLS key and certificate for the Knox Gateway, for example a host-wide, CA-signed TLS certificate.

Knox has configuration hooks for the following (optional) properties:

* Home Directory
** Gateway-site property: GATEWAY_HOME
** System property: GATEWAY_HOME
** Environment variable: GATEWAY_HOME
* Data Directory
** System property: GATEWAY_DATA_HOME
** Environment variable: GATEWAY_DATA_HOME
** Gateway-site property: gateway.security.dir
** Calculated: [Home Directory] + [Path Separator] + "data"
* Security Directory
** Gateway-site property: gateway.security.dir
** Calculated: [Data Directory] + [Path Separator] + "security"

*Note*: the calculation for the home directory is inconsistent with the other directory calculations. This inconsistency may be confusing to users and thus should be fixed to be:

* System property: GATEWAY_HOME
* Environment variable: GATEWAY_HOME
* Gateway-site property: gateway.home.dir

The path to the Knox Gateway TLS keystore is calculated as

{noformat}
[Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
{noformat}

h1. Solution

To make it easier to use an externally provided TLS key and certificate, the Knox Gateway should allow the TLS keystore file and alias name to be configurable. The following properties should be made available:

* TLS Keystore File Path
** Gateway-site property: gateway.tls.keystore.path
** Calculated: [Security Directory] + [Path Separator] + "keystores" + [Path Separator] + "gateway.jks"
* TLS Keystore Password Alias (value to be stored in the Knox Gateway credential store)
** Gateway-site property: gateway.tls.keystore.password.alias
** Calculated: "gateway-identity-keystore-password"
* TLS Keystore Type
** Gateway-site property: gateway.tls.keystore.type
** Calculated: "jks"
* TLS Key Alias
** Gateway-site property: gateway.tls.key.alias
** Calculated: "gateway-identity"
* TLS Key Passphrase Alias (value to be stored in the Knox Gateway credential store)
** Gateway-site property: gateway.tls.key.passphrase.alias
** Calculated:
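The lookup chain the description proposes, written out as an added example in Python. This is not Knox's implementation; it assumes the consistent precedence the JIRA asks for (system property, then environment variable, then gateway-site property, then the calculated default) for every directory, requires GATEWAY_HOME to come from one of those sources, and uses the property names and defaults listed above. The environments and the credential-store contents in it are constructed.

```python
"""Resolve the Knox Gateway TLS identity settings the way KNOX-1756 proposes.

Illustration only, not Knox code. Precedence for every value: system property,
environment variable, gateway-site property, calculated default.
"""
import os
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class GatewayEnv:
    system_props: Dict[str, str]  # JVM -D properties
    env: Dict[str, str]           # process environment
    gateway_site: Dict[str, str]  # gateway-site.xml properties


@dataclass
class TlsIdentity:
    keystore_path: str
    keystore_type: str
    keystore_password_alias: str  # looked up in the credential store
    key_alias: str
    key_passphrase_alias: str     # looked up in the credential store


def _first(*values: Optional[str]) -> Optional[str]:
    """First non-empty value in precedence order, or None."""
    return next((v for v in values if v), None)


def resolve_home(e: GatewayEnv) -> str:
    # Assumption: no fallback when none of the three sources names a home directory.
    home = _first(e.system_props.get("GATEWAY_HOME"), e.env.get("GATEWAY_HOME"),
                  e.gateway_site.get("gateway.home.dir"))
    if home is None:
        raise ValueError("GATEWAY_HOME is not set (system property, env var or gateway.home.dir)")
    return home


def resolve_data_dir(e: GatewayEnv, home: str) -> str:
    return _first(e.system_props.get("GATEWAY_DATA_HOME"), e.env.get("GATEWAY_DATA_HOME"),
                  e.gateway_site.get("gateway.data.dir")) or os.path.join(home, "data")


def resolve_security_dir(e: GatewayEnv, data_dir: str) -> str:
    return e.gateway_site.get("gateway.security.dir") or os.path.join(data_dir, "security")


def resolve_tls_identity(e: GatewayEnv) -> TlsIdentity:
    """Effective keystore location, type and credential-store aliases."""
    security_dir = resolve_security_dir(e, resolve_data_dir(e, resolve_home(e)))
    gs = e.gateway_site
    return TlsIdentity(
        keystore_path=gs.get("gateway.tls.keystore.path")
        or os.path.join(security_dir, "keystores", "gateway.jks"),
        keystore_type=gs.get("gateway.tls.keystore.type") or "jks",
        keystore_password_alias=gs.get("gateway.tls.keystore.password.alias")
        or "gateway-identity-keystore-password",
        key_alias=gs.get("gateway.tls.key.alias") or "gateway-identity",
        key_passphrase_alias=gs.get("gateway.tls.key.passphrase.alias")
        or "gateway-identity-passphrase",
    )


def missing_credential_aliases(identity: TlsIdentity, credential_store: Dict[str, str]) -> List[str]:
    """Aliases the gateway would look up that the credential store does not hold."""
    wanted = (identity.keystore_password_alias, identity.key_passphrase_alias)
    return [alias for alias in wanted if alias not in credential_store]


if __name__ == "__main__":
    # Constructed environments: a stock install, and one pointed at a host-wide PKCS12
    # where a system property overrides the environment variable for the data directory.
    stock = GatewayEnv({}, {"GATEWAY_HOME": "/opt/knox"}, {})
    external = GatewayEnv(
        system_props={"GATEWAY_DATA_HOME": "/var/lib/knox"},
        env={"GATEWAY_DATA_HOME": "/ignored-by-precedence"},
        gateway_site={
            "gateway.home.dir": "/opt/knox",
            "gateway.tls.keystore.path": "/etc/pki/tls/private/gateway.example.com.p12",
            "gateway.tls.keystore.type": "PKCS12",
            "gateway.tls.key.alias": "gateway.example.com",
        },
    )
    for name, env in (("stock", stock), ("external", external)):
        ident = resolve_tls_identity(env)
        print(name, ident)
        # Constructed credential store that holds only the key passphrase.
        print("  missing aliases:", missing_credential_aliases(ident, {"gateway-identity-passphrase": "x"}))
```

The aliases are names of credential-store entries, not secrets; what the gateway does when an alias is absent is not specified on this page, so the example only reports which ones are missing.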
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200681=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200681 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 15:27
Start Date: 19/Feb/19 15:27
Worklog Time Spent: 10m

Work Description: smolnar82 commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258088484

## File path: gateway-service-remoteconfig/src/test/java/org/apache/knox/gateway/service/config/remote/zk/RemoteConfigurationRegistryJAASConfigTest.java ##
@@ -36,6 +47,14 @@ public class RemoteConfigurationRegistryJAASConfigTest { +@Rule +public final TemporaryFolder testFolder = new TemporaryFolder(); + +@Rule +public final ExpectedException expectedException = ExpectedException.none(); + +private static final String JAAS_CONFIG_ERRROR_PREFIX = "Error while getting secure configuration. This error usually indicates an issue within the supplied JAAS configuration";

Review comment: Fixed; thanks!

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200681)
Time Spent: 3h 20m (was: 3h 10m)

> Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
> Key: KNOX-1162
> URL: https://issues.apache.org/jira/browse/KNOX-1162
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 0.14.0
> Reporter: Kevin Minder
> Assignee: Sandor Molnar
> Priority: Minor
> Fix For: 1.3.0
> Time Spent: 3h 20m
> Remaining Estimate: 0h
>
> When there is a misconfiguration in conf/krb5JAASLogin.conf the server fails
> to start and the information in gateway.log isn't at all helpful. So two
> requests:
> # Logging should indicate at a minimum what file contains the issue.
> # All fatal issues should log stack traces without requiring enabling debug
> logging.
>
> This is the error shown in gateway.log
> {code}
> 2018-01-05 12:05:12,538 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> {code}
> When you enable debug logging you get somewhat better information.
> {code}
> 2018-01-05 15:55:54,087 FATAL hadoop.gateway (GatewayServer.java:main(163)) - Failed to start gateway: java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> java.lang.SecurityException: java.io.IOException: Configuration Error:
> Line 7: expected [option key]
> at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
> at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
> at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
> at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
> at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
> at java.lang.Class.newInstance(Class.java:442)
> at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
> at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
> at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.<init>(RemoteConfigurationRegistryJAASConfig.java:52)
> at org.apache.hadoop.gateway.service.config.remote.zk.RemoteConfigurationRegistryJAASConfig.configure(RemoteConfigurationRegistryJAASConfig.java:59)
> at org.apache.hadoop.gateway.service.config.remote.zk.CuratorClientService.init(CuratorClientService.java:80)
> at org.apache.hadoop.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:113)
> at org.apache.hadoop.gateway.GatewayServer.main(GatewayServer.java:154)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.hadoop.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:70)
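A pre-flight check of the kind the issue asks the gateway itself to perform, as an added example in Python that is not Knox's code. It tokenizes and parses a JAAS login configuration using the same lexical classes as the JDK's ConfigFile (// and /* */ comments, double-quoted strings, `{ } ; =` punctuation) and reports the file name and 1-based line of the first problem, which is exactly what the "Line 7: expected [option key]" message above leaves out. The sample configurations are constructed; the entry name com.sun.security.jgss.initiate, the keytab path and the principal are illustrative.

```python
"""Parse a JAAS login configuration and name the file and line of the first error.

Added illustration, not Knox code. Follows the JDK ConfigFile grammar:
  Name { ModuleClass Flag [key=value ...]; ... };
"""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

PUNCT = {"{", "}", ";", "="}
FLAGS = {"required", "requisite", "sufficient", "optional"}
# Comments, double-quoted strings, punctuation, bare words, in that priority.
_TOKEN = re.compile(r'//[^\n]*|/\*.*?\*/|"([^"]*)"|([{};=])|([^\s{};="]+)', re.S)


class JaasConfigError(ValueError):
    """Carries the file and line that the JDK's message omits."""
    def __init__(self, path: str, line: int, detail: str):
        super().__init__(f"{path}: line {line}: {detail}")
        self.path, self.line, self.detail = path, line, detail


@dataclass
class LoginModule:
    class_name: str
    flag: str
    options: Dict[str, str] = field(default_factory=dict)


def tokenize(text: str) -> List[Tuple[str, int, bool]]:
    """(token, line, is_quoted) triples; comments are dropped, line numbers kept."""
    out = []
    for m in _TOKEN.finditer(text):
        quoted, punct, word = m.groups()
        if quoted is None and punct is None and word is None:
            continue  # comment
        line = text.count("\n", 0, m.start()) + 1
        out.append((quoted if quoted is not None else (punct or word), line, quoted is not None))
    return out


def _word(t: str, q: bool) -> bool:
    return not q and t not in PUNCT


def _punct(p: str) -> Callable[[str, bool], bool]:
    return lambda t, q: t == p and not q


class JaasParser:
    def __init__(self, path: str, text: str):
        self.path, self.toks, self.i = path, tokenize(text), 0

    def _peek(self) -> Tuple[object, int, bool]:
        if self.i < len(self.toks):
            return self.toks[self.i]
        return (None, self.toks[-1][1] if self.toks else 1, False)  # end of file

    def _is_punct(self, p: str) -> bool:
        tok, _, quoted = self._peek()
        return tok == p and not quoted

    def _expect(self, what: str, ok: Callable[[str, bool], bool]) -> str:
        tok, line, quoted = self._peek()
        if tok is None or not ok(tok, quoted):
            found = "end of file" if tok is None else tok
            raise JaasConfigError(self.path, line, f"expected [{what}], found [{found}]")
        self.i += 1
        return tok

    def parse(self) -> Dict[str, List[LoginModule]]:
        entries: Dict[str, List[LoginModule]] = {}
        while self._peek()[0] is not None:
            name_line = self._peek()[1]
            name = self._expect("application name", _word)
            if name in entries:
                raise JaasConfigError(self.path, name_line, f"duplicate entry [{name}]")
            self._expect("{", _punct("{"))
            modules: List[LoginModule] = []
            while not self._is_punct("}"):
                modules.append(self._parse_module())
            if not modules:  # the JDK rejects an entry with no login modules too
                raise JaasConfigError(self.path, self._peek()[1], f"no LoginModules defined for [{name}]")
            self._expect("}", _punct("}"))
            self._expect(";", _punct(";"))
            entries[name] = modules
        return entries

    def _parse_module(self) -> LoginModule:
        cls = self._expect("login module class", _word)
        flag = self._expect("control flag", lambda t, q: not q and t.lower() in FLAGS).lower()
        module = LoginModule(cls, flag)
        while not self._is_punct(";"):
            key = self._expect("option key", _word)
            self._expect("=", _punct("="))
            module.options[key] = self._expect("option value", lambda t, q: q or t not in PUNCT)
        self._expect(";", _punct(";"))
        return module


def check_jaas_text(path: str, text: str) -> Tuple[bool, str]:
    """(ok, message); on failure the message names the file and line."""
    try:
        entries = JaasParser(path, text).parse()
    except JaasConfigError as e:
        return False, str(e)
    return True, f"{path}: {len(entries)} entries: {', '.join(entries)}"


# Constructed sample: a well-formed Krb5 entry (names and paths are illustrative).
GOOD_CONF = """\
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"  // illustrative path
  principal="knox/gateway.example.com@EXAMPLE.COM"
  storeKey=true;
};
"""

# Constructed sample: the option key dropped on line 7, the shape of mistake
# behind the "Line 7: expected [option key]" message in the JIRA.
BAD_CONF = """\
com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  renewTGT=true
  doNotPrompt=true
  useKeyTab=true
  keyTab="/etc/security/keytabs/knox.service.keytab"
  ="knox/gateway.example.com@EXAMPLE.COM"
  storeKey=true;
};
"""

if __name__ == "__main__":
    for text in (GOOD_CONF, BAD_CONF):
        print(check_jaas_text("conf/krb5JAASLogin.conf", text)[1])
```

Run it against the real conf/krb5JAASLogin.conf before restarting the gateway and the report names the file and line; a forgotten `;` after the last option shows up as `expected [option key], found [}]` on the line of the closing brace, the same wording the JDK uses.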
[GitHub] smolnar82 commented on a change in pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configura
smolnar82 commented on a change in pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258088484

## File path: gateway-service-remoteconfig/src/test/java/org/apache/knox/gateway/service/config/remote/zk/RemoteConfigurationRegistryJAASConfigTest.java ##
@@ -36,6 +47,14 @@ public class RemoteConfigurationRegistryJAASConfigTest { +@Rule +public final TemporaryFolder testFolder = new TemporaryFolder(); + +@Rule +public final ExpectedException expectedException = ExpectedException.none(); + +private static final String JAAS_CONFIG_ERRROR_PREFIX = "Error while getting secure configuration. This error usually indicates an issue within the supplied JAAS configuration";

Review comment: Fixed; thanks!

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
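Review bot: the new constant in this hunk is misspelled, JAAS_CONFIG_ERRROR_PREFIX (three R's); rename it to JAAS_CONFIG_ERROR_PREFIX. Its value also repeats the production error text word for word, so any later rewording of the gateway message breaks this test without the test telling you anything about the behaviour; asserting on the exception type plus a short, stable fragment of the message (or on the file name the message is meant to carry, which is the point of the JIRA) would keep the test coupled to what matters.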
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200673=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200673 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 15:23
Start Date: 19/Feb/19 15:23
Worklog Time Spent: 10m

Work Description: smolnar82 commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258086184

## File path: gateway-util-urltemplate/src/test/java/org/apache/knox/gateway/util/urltemplate/MatcherTest.java ##
@@ -796,7 +796,7 @@ public void testMultipleDoubleStarPathMatching() throws URISyntaxException { Template template; Template input; Matcher stringMatcher; -Matcher.Match match;

Review comment:
```
$ java -version
java version "1.8.0_151"
Java(TM) SE Runtime Environment (build 1.8.0_151-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.151-b12, mixed mode)
```
I use the same version in my IDE too... The same issue as described here: https://stackoverflow.com/questions/29621138/why-is-assertthatmap1-sameinstancemap2-not-allowed

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200673)
Time Spent: 3h 10m (was: 3h)
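Review bot: the removal of `Matcher.Match match;` in testMultipleDoubleStarPathMatching is a compile fix in a URL-template test that has nothing to do with JAAS diagnostics, and the replacement line the header (-796,7 +796,7) implies is not shown here; per the comment it works around the assertThat/sameInstance type-inference problem on 1.8.0_151, so it belongs in its own commit, or at least in the PR description, so the logging change can be reviewed and reverted on its own.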
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200671=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200671 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 15:20
Start Date: 19/Feb/19 15:20
Worklog Time Spent: 10m

Work Description: risdenk commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258084689

## File path: gateway-service-remoteconfig/pom.xml ##
@@ -38,6 +38,10 @@ org.apache.knox gateway-spi +

Review comment: Yeah, just checking that we didn't pull in a new dependency for another reason.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200671)
Time Spent: 3h (was: 2h 50m)
[GitHub] risdenk commented on a change in pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configurati
risdenk commented on a change in pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258084689

## File path: gateway-service-remoteconfig/pom.xml ##
@@ -38,6 +38,10 @@ org.apache.knox gateway-spi +

Review comment: Yeah, just checking that we didn't pull in a new dependency for another reason.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

With regards,
Apache Git Services
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200657=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200657 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 15:08
Start Date: 19/Feb/19 15:08
Worklog Time Spent: 10m

Work Description: smolnar82 commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258079051

## File path: gateway-service-remoteconfig/pom.xml ##
@@ -38,6 +38,10 @@ org.apache.knox gateway-spi +

Review comment: Yes. If there is an issue with the supplied JAAS config it is a `ConfigurationException`, right? Moreover `ConfigurationException` is not a checked one, so I did not have to modify the API. I think it would be an exaggeration to create a new type of exception just for this purpose if we already have the proper one. Agreed?

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200657)
Time Spent: 2h 50m (was: 2h 40m)
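Review bot: the four lines this hunk adds after the gateway-spi dependency are not visible here, but the thread says they pull in a dependency solely so the module can throw ConfigurationException; a one-line XML comment on that dependency naming the exception it provides and why would stop a later dependency cleanup from dropping it, and the PR description should say the same, since a new runtime dependency in gateway-service-remoteconfig is easy to miss behind a logging change.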
[jira] [Work logged] (KNOX-1162) Improve diagnostics for conf/krb5JAASLogin.conf misconfiguration
[ https://issues.apache.org/jira/browse/KNOX-1162?focusedWorklogId=200655=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-200655 ]

ASF GitHub Bot logged work on KNOX-1162:
Author: ASF GitHub Bot
Created on: 19/Feb/19 15:07
Start Date: 19/Feb/19 15:07
Worklog Time Spent: 10m

Work Description: risdenk commented on pull request #55: KNOX-1162 - Logging stacktrace for FATAL messages and displaying a meaningful error message in case of missing/non-parsable JAAS configuration
URL: https://github.com/apache/knox/pull/55#discussion_r258078897

## File path: gateway-server/src/main/java/org/apache/knox/gateway/GatewayMessages.java ##
@@ -34,13 +34,13 @@ public interface GatewayMessages { @Message( level = MessageLevel.FATAL, text = "Failed to parse command line: {0}" ) - void failedToParseCommandLine( @StackTrace( level = MessageLevel.DEBUG ) ParseException e ); + void failedToParseCommandLine( @StackTrace( level = MessageLevel.FATAL ) ParseException e );

Review comment: Ok, makes sense. Didn't tie the two pieces together. The stacktrace level is basically the opposite of what I expected.

This is an automated message from the Apache Git Service. To respond to the message, please log on GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org

Issue Time Tracking
---
Worklog Id: (was: 200655)
Time Spent: 2h 40m (was: 2.5h)
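Review bot: changing `@StackTrace( level = MessageLevel.DEBUG )` to `@StackTrace( level = MessageLevel.FATAL )` on failedToParseCommandLine is the right fix for the JIRA's second request, since the level on @StackTrace is the logger level at which the trace is included, so FATAL means the trace is always emitted for this already-FATAL message rather than only when debug logging is on; because the reviewer read the annotation the other way round, a one-sentence Javadoc on the annotation (or on this method) stating that semantics would spare the next reader the same confusion.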
[jira] [Updated] (KNOX-1782) Upgrade jetty to 9.4.15.v20190215
[ https://issues.apache.org/jira/browse/KNOX-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1782:
-------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

> Upgrade jetty to 9.4.15.v20190215
>
>                 Key: KNOX-1782
>                 URL: https://issues.apache.org/jira/browse/KNOX-1782
>             Project: Apache Knox
>          Issue Type: Sub-task
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Minor
>             Fix For: 1.3.0
>         Attachments: KNOX-1782.patch
>
> Upgrade jetty 9.4.14.v20181114 to 9.4.15.v20190215

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Commented] (KNOX-1782) Upgrade jetty to 9.4.15.v20190215
[ https://issues.apache.org/jira/browse/KNOX-1782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772002#comment-16772002 ]

ASF subversion and git services commented on KNOX-1782:
--------------------------------------------------------

Commit a7a353a16ecf7a9f62fa18530afdbdaae85b565c in knox's branch refs/heads/master from Kevin Risden
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=a7a353a ]

KNOX-1782 - Upgrade jetty to 9.4.15.v20190215

Signed-off-by: Kevin Risden

> Upgrade jetty to 9.4.15.v20190215
>
>                 Key: KNOX-1782
>                 URL: https://issues.apache.org/jira/browse/KNOX-1782
>             Project: Apache Knox
>          Issue Type: Sub-task
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Minor
>             Fix For: 1.3.0
>         Attachments: KNOX-1782.patch
>
> Upgrade jetty 9.4.14.v20181114 to 9.4.15.v20190215
[jira] [Commented] (KNOX-1780) Upgrade slf4j to 1.7.26
[ https://issues.apache.org/jira/browse/KNOX-1780?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772004#comment-16772004 ]

ASF subversion and git services commented on KNOX-1780:
--------------------------------------------------------

Commit 0267cadb094c0c153ff3e77d3e798b7e96e16552 in knox's branch refs/heads/master from Kevin Risden
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=0267cad ]

KNOX-1780 - Upgrade slf4j to 1.7.26

Signed-off-by: Kevin Risden

> Upgrade slf4j to 1.7.26
>
>                 Key: KNOX-1780
>                 URL: https://issues.apache.org/jira/browse/KNOX-1780
>             Project: Apache Knox
>          Issue Type: Sub-task
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Trivial
>             Fix For: 1.3.0
>         Attachments: KNOX-1780.patch
>
> Upgrade slf4j 1.7.25 to 1.7.26
[jira] [Commented] (KNOX-1781) Upgrade commons-codec to 1.12
[ https://issues.apache.org/jira/browse/KNOX-1781?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16772003#comment-16772003 ]

ASF subversion and git services commented on KNOX-1781:
--------------------------------------------------------

Commit 88dda9684886e28a9e6d7b17abe4276877449c91 in knox's branch refs/heads/master from Kevin Risden
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=88dda96 ]

KNOX-1781 - Upgrade commons-codec to 1.12

Signed-off-by: Kevin Risden

> Upgrade commons-codec to 1.12
>
>                 Key: KNOX-1781
>                 URL: https://issues.apache.org/jira/browse/KNOX-1781
>             Project: Apache Knox
>          Issue Type: Sub-task
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Minor
>             Fix For: 1.3.0
>         Attachments: KNOX-1781.patch
>
> Upgrade commons-codec 1.11 to 1.12
[jira] [Updated] (KNOX-1781) Upgrade commons-codec to 1.12
[ https://issues.apache.org/jira/browse/KNOX-1781?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Risden updated KNOX-1781:
-------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

> Upgrade commons-codec to 1.12
>
>                 Key: KNOX-1781
>                 URL: https://issues.apache.org/jira/browse/KNOX-1781
>             Project: Apache Knox
>          Issue Type: Sub-task
>            Reporter: Kevin Risden
>            Assignee: Kevin Risden
>            Priority: Minor
>             Fix For: 1.3.0
>         Attachments: KNOX-1781.patch
>
> Upgrade commons-codec 1.11 to 1.12