[jira] [Created] (KNOX-2967) Invalid characters in Knox SSO section of dev guide
Philip Zampino created KNOX-2967: Summary: Invalid characters in Knox SSO section of dev guide Key: KNOX-2967 URL: https://issues.apache.org/jira/browse/KNOX-2967 Project: Apache Knox Issue Type: Bug Components: Document Affects Versions: 2.0.0 Reporter: Philip Zampino Assignee: Philip Zampino In [the KnoxSSO Setup section|https://knox.apache.org/books/knox-2-0-0/dev-guide.html#KnoxSSO+Setup]: Under [the knoxsso Topology example/description|https://knox.apache.org/books/knox-2-0-0/dev-guide.html#knoxsso.xml+Topology]: {noformat} What’s great is if you work against the IdP with Basic Auth then you will work with SAML or anything else as well.{noformat} Under [the sandbox Topology example/description|https://knox.apache.org/books/knox-2-0-0/dev-guide.html#sandbox.xml+Topology]: {noformat} NOTE: Be aware that when using Chrome as your browser that cookies don’t seem to work for “localhostâ€{noformat} {noformat} Since Knox is the issuer of the cookie and token, we don’t need to configure the public key since we have programmatic access to the actual keystore for use at verification time. {noformat} There are actually *10 occurrences* of this *â€* character. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (KNOX-2952) Prioritize active nodes in URLs list resulting from CM discovery
Philip Zampino created KNOX-2952:
------------------------------------

Summary: Prioritize active nodes in URLs list resulting from CM discovery
Key: KNOX-2952
URL: https://issues.apache.org/jira/browse/KNOX-2952
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 2.0.0
Reporter: Philip Zampino

Currently, Knox's discovery of service URLs from CM is ignorant about the "active"-ness of the URLs it discovers. For WebHDFS for example, Knox blindly consumes the URLs from CM without any regard for which NameNodes are active. This can result in a stand-by node URL being first in the list in the resulting topology. While Knox will fail-over to the active node on the first request, this fail-over is unnecessary and avoidable.

There are other services for which discovery can be similarly enhanced. Those should be identified as part of this effort, and as much as possible, support for this new behavior should be implemented once for as many services as are affected.
[jira] [Created] (KNOX-2892) Separate topology discovery/generation from server start-up
Philip Zampino created KNOX-2892:
------------------------------------

Summary: Separate topology discovery/generation from server start-up
Key: KNOX-2892
URL: https://issues.apache.org/jira/browse/KNOX-2892
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 2.0.0
Reporter: Philip Zampino

To address gateway start-up performance, it may be good to skip discovery at that time IFF cluster configuration monitoring is enabled. This way, existing topologies can be quickly deployed as-is during start-up, and then the config monitor can drive any necessary changes more discretely, re-generating only those affected topologies if any at all.

Whether the condition of requiring config monitoring enabled for this is correct is up for discussion.
[jira] [Updated] (KNOX-2871) Refine should perform discovery check
[ https://issues.apache.org/jira/browse/KNOX-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2871:
---------------------------------
Fix Version/s: 2.0.0

> Refine should perform discovery check
> -------------------------------------
>
> Key: KNOX-2871
> URL: https://issues.apache.org/jira/browse/KNOX-2871
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently if the discovery-type is set to null or an empty string then it will default to "ClouderaManager". If service discovery fails for any reason then the topology is not going to be generated. In some cases the user wants to use static service URLs for the services while also keeping discovery enabled. A dummy service discovery type that always returns an empty service list would make this possible.
> cc.: [~smolnar]
[jira] [Updated] (KNOX-2873) Upgrade curator version to 5.4.0 and zookeeper to 3.8.1
[ https://issues.apache.org/jira/browse/KNOX-2873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2873:
---------------------------------
Fix Version/s: 2.0.0

> Upgrade curator version to 5.4.0 and zookeeper to 3.8.1
> -------------------------------------------------------
>
> Key: KNOX-2873
> URL: https://issues.apache.org/jira/browse/KNOX-2873
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
[jira] [Updated] (KNOX-2869) Possible NPE at CM cluster configuration monitor startup
[ https://issues.apache.org/jira/browse/KNOX-2869?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2869:
---------------------------------
Fix Version/s: 2.0.0
               (was: 2.1.0)

> Possible NPE at CM cluster configuration monitor startup
> --------------------------------------------------------
>
> Key: KNOX-2869
> URL: https://issues.apache.org/jira/browse/KNOX-2869
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> In some very rare cases, it could happen that CM service discovery-related configuration file(s) were wrongly serialized on the file system and the next time Knox starts the service initialization fails like this:
> {noformat}
> 2023-01-30 10:39:01,733 FATAL knox.gateway (GatewayServer.java:main(193)) - Failed to start gateway: java.lang.NullPointerException
> java.lang.NullPointerException
>     at java.base/java.util.concurrent.ConcurrentHashMap.computeIfAbsent(ConcurrentHashMap.java:1690)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClusterConfigurationCache.addDiscoveryConfig(ClusterConfigurationCache.java:73)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.loadDiscoveryConfiguration(ClouderaManagerClusterConfigurationMonitor.java:186)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.(ClouderaManagerClusterConfigurationMonitor.java:100)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitorProvider.newInstance(ClouderaManagerClusterConfigurationMonitorProvider.java:35)
>     at org.apache.knox.gateway.services.topology.impl.DefaultClusterConfigurationMonitorService.init(DefaultClusterConfigurationMonitorService.java:44)
>     at org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:137)
>     at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:184)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.base/java.lang.reflect.Method.invoke(Method.java:566)
>     at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
>     at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
>     at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52){noformat}
> In this particular case, the {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.conf}} file was empty so when Knox wanted to load any previously-persisted discovery configuration data into its own in-memory cache, an NPE was thrown.
> Although the chance for this to happen is quite low, Knox should handle this situation better.
[jira] [Updated] (KNOX-2879) pty4j depends on log4j1
[ https://issues.apache.org/jira/browse/KNOX-2879?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2879:
---------------------------------
Fix Version/s: 2.0.0

> pty4j depends on log4j1
> -----------------------
>
> Key: KNOX-2879
> URL: https://issues.apache.org/jira/browse/KNOX-2879
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Transitive Log4j1 dependency should be excluded.
[jira] [Updated] (KNOX-2843) Document SQL DB based topology monitor
[ https://issues.apache.org/jira/browse/KNOX-2843?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2843:
---------------------------------
Fix Version/s: 2.0.0

> Document SQL DB based topology monitor
> --------------------------------------
>
> Key: KNOX-2843
> URL: https://issues.apache.org/jira/browse/KNOX-2843
> Project: Apache Knox
> Issue Type: Sub-task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.0.0
>
> Attachments: KNOX-2843-2.patch, KNOX-2843.patch, Screenshot 2022-11-23 at 11.27.24.png
[jira] [Updated] (KNOX-2877) HA support for Knox WebShell
[ https://issues.apache.org/jira/browse/KNOX-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2877:
---------------------------------
Fix Version/s: (was: 2.0.0)

> HA support for Knox WebShell
> ----------------------------
>
> Key: KNOX-2877
> URL: https://issues.apache.org/jira/browse/KNOX-2877
> Project: Apache Knox
> Issue Type: Improvement
> Components: WebShell
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
>
> In case of HA we need to make sure requests are routed to correct Knox instances.
[jira] [Commented] (KNOX-2877) HA support for Knox WebShell
[ https://issues.apache.org/jira/browse/KNOX-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17686515#comment-17686515 ]

Philip Zampino commented on KNOX-2877:
--------------------------------------

[~smore] It sounds like there is nothing to do from Knox wrt this issue. Load-balancers will need to employ sticky sessions to accommodate the WebShell when Knox is deployed in an HA manner.

> HA support for Knox WebShell
> ----------------------------
>
> Key: KNOX-2877
> URL: https://issues.apache.org/jira/browse/KNOX-2877
> Project: Apache Knox
> Issue Type: Improvement
> Components: WebShell
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0.0
>
> In case of HA we need to make sure requests are routed to correct Knox instances.
[jira] [Updated] (KNOX-2877) HA support for Knox WebShell
[ https://issues.apache.org/jira/browse/KNOX-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2877:
---------------------------------
Fix Version/s: 2.0.0
               (was: 2.0..0)

> HA support for Knox WebShell
> ----------------------------
>
> Key: KNOX-2877
> URL: https://issues.apache.org/jira/browse/KNOX-2877
> Project: Apache Knox
> Issue Type: Improvement
> Components: WebShell
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0.0
>
> In case of HA we need to make sure requests are routed to correct Knox instances.
[jira] [Commented] (KNOX-2877) HA support for Knox WebShell
[ https://issues.apache.org/jira/browse/KNOX-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17685469#comment-17685469 ]

Philip Zampino commented on KNOX-2877:
--------------------------------------

Let's address this and get it into the next 2.0.0 RC.

> HA support for Knox WebShell
> ----------------------------
>
> Key: KNOX-2877
> URL: https://issues.apache.org/jira/browse/KNOX-2877
> Project: Apache Knox
> Issue Type: Improvement
> Components: WebShell
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0..0
>
> In case of HA we need to make sure requests are routed to correct Knox instances.
[jira] [Updated] (KNOX-2872) Webshell does not work with loadbalancer
[ https://issues.apache.org/jira/browse/KNOX-2872?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2872:
---------------------------------
Fix Version/s: 2.0.0

> Webshell does not work with loadbalancer
> ----------------------------------------
>
> Key: KNOX-2872
> URL: https://issues.apache.org/jira/browse/KNOX-2872
> Project: Apache Knox
> Issue Type: Bug
> Components: WebShell
> Reporter: Abhilash Perla
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Webshell gives "Connection Timeout" error when LB is used in front of Knox.
[jira] [Updated] (KNOX-2877) HA support for Knox WebShell
[ https://issues.apache.org/jira/browse/KNOX-2877?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2877:
---------------------------------
Fix Version/s: 2.0..0

> HA support for Knox WebShell
> ----------------------------
>
> Key: KNOX-2877
> URL: https://issues.apache.org/jira/browse/KNOX-2877
> Project: Apache Knox
> Issue Type: Improvement
> Components: WebShell
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0..0
>
> In case of HA we need to make sure requests are routed to correct Knox instances.
[jira] [Updated] (KNOX-2874) Typos in JDBC token state service config docs
[ https://issues.apache.org/jira/browse/KNOX-2874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2874:
---------------------------------
Description:
There are actually six occurrences of the following characters through the User Guide.
{noformat}
’{noformat}
{noformat}
If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
{noformat}
If your database requires user/password authentication, the following aliases must be saved into the Knox Gateway’s credential store (__gateway-credentials.jceks):{noformat}
{noformat}
JWT token - this is the serialized JWT and is fully compatible with the old-style Bearer authorization method. Clicking the JWT Token label on the page will copy the value into the clipboard. You might want to use it as the ‘Token’ user:{noformat}
{noformat}
Passcode token - this is the serialized passcode token, which you can use as the ‘Passcode’ user (Clicking the Passcode Token label on the page will copy the value into the clipboard):{noformat}
{noformat}
REMOVE_OLDEST - if that’s configured, the oldest token of the user, who the token is being generated for, will be removed{noformat}
{noformat}
RETURN_ERROR - if that’s configured, Knox will return an error response with 403 error code (as it did in previous versions){noformat}

was:
{noformat}
If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
{noformat}
If your database requires user/password authentication, the following aliases must be saved into the Knox Gateway’s credential store (__gateway-credentials.jceks):{noformat}

> Typos in JDBC token state service config docs
> ---------------------------------------------
>
> Key: KNOX-2874
> URL: https://issues.apache.org/jira/browse/KNOX-2874
> Project: Apache Knox
> Issue Type: Improvement
> Components: Document
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> There are actually six occurrences of the following characters through the User Guide.
> {noformat}
> ’{noformat}
> {noformat}
> If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
>
> {noformat}
> If your database requires user/password authentication, the following aliases must be saved into the Knox Gateway’s credential store (__gateway-credentials.jceks):{noformat}
>
> {noformat}
> JWT token - this is the serialized JWT and is fully compatible with the old-style Bearer authorization method. Clicking the JWT Token label on the page will copy the value into the clipboard. You might want to use it as the ‘Token’ user:{noformat}
> {noformat}
> Passcode token - this is the serialized passcode token, which you can use as the ‘Passcode’ user (Clicking the Passcode Token label on the page will copy the value into the clipboard):{noformat}
> {noformat}
> REMOVE_OLDEST - if that’s configured, the oldest token of the user, who the token is being generated for, will be removed{noformat}
> {noformat}
> RETURN_ERROR - if that’s configured, Knox will return an error response with 403 error code (as it did in previous versions){noformat}
[jira] [Created] (KNOX-2876) Admin UI descriptor wizard formats service names and checkboxes weirdly
Philip Zampino created KNOX-2876:
------------------------------------

Summary: Admin UI descriptor wizard formats service names and checkboxes weirdly
Key: KNOX-2876
URL: https://issues.apache.org/jira/browse/KNOX-2876
Project: Apache Knox
Issue Type: Bug
Components: AdminUI
Affects Versions: 2.0.0
Reporter: Philip Zampino
Attachments: Screen Shot 2023-02-04 at 11.23.02 AM.png

This may be the result of the angular upgrade, but I suspect the width of the window just needs to be increased.

!Screen Shot 2023-02-04 at 11.23.02 AM.png!
[jira] [Created] (KNOX-2875) RDBMS-Based Remote Alias Service
Philip Zampino created KNOX-2875:
------------------------------------

Summary: RDBMS-Based Remote Alias Service
Key: KNOX-2875
URL: https://issues.apache.org/jira/browse/KNOX-2875
Project: Apache Knox
Issue Type: New Feature
Components: Server
Affects Versions: 2.0.0
Reporter: Philip Zampino

With the addition of the RDBMS configuration monitor for sharing providers and descriptors across multiple Knox instances, there ought to be a RDBMS implementation of the remote alias service for similarly sharing aliases across Knox instances.

This would be similar to the Zookeeper implementation (org.apache.knox.gateway.services.security.impl.ZookeeperRemoteAliasService), but employ a database instead of Zookeeper. The Admin API/UI interactions should behave in exactly the same manner.

Subsequently, we could consider whether enabling the RDBMS config monitor should implicitly enable this new RDBMS alias service.
[jira] [Updated] (KNOX-2874) Typos in JDBC token state service config docs
[ https://issues.apache.org/jira/browse/KNOX-2874?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2874:
---------------------------------
Description:
{noformat}
If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
{noformat}
If your database requires user/password authentication, the following aliases must be saved into the Knox Gateway’s credential store (__gateway-credentials.jceks):{noformat}

was:
{noformat}
If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}

Summary: Typos in JDBC token state service config docs (was: Typo in JDBC token state service config docs)

> Typos in JDBC token state service config docs
> ---------------------------------------------
>
> Key: KNOX-2874
> URL: https://issues.apache.org/jira/browse/KNOX-2874
> Project: Apache Knox
> Issue Type: Improvement
> Components: Document
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.0.0
>
> {noformat}
> If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
>
> {noformat}
> If your database requires user/password authentication, the following aliases must be saved into the Knox Gateway’s credential store (__gateway-credentials.jceks):{noformat}
[jira] [Created] (KNOX-2874) Typo in JDBC token state service config docs
Philip Zampino created KNOX-2874:
------------------------------------

Summary: Typo in JDBC token state service config docs
Key: KNOX-2874
URL: https://issues.apache.org/jira/browse/KNOX-2874
Project: Apache Knox
Issue Type: Improvement
Components: Document
Affects Versions: 2.0.0
Reporter: Philip Zampino
Assignee: Sandor Molnar
Fix For: 2.0.0

{noformat}
If you want to use the newly implemented database token management, you’ve to set gateway.service.tokenstate.impl in gateway-site.xml to org.apache.knox.gateway.services.token.impl.JDBCTokenStateService.{noformat}
[jira] [Comment Edited] (KNOX-2871) Add "Skip" Service Discovery Type
[ https://issues.apache.org/jira/browse/KNOX-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17683042#comment-17683042 ]

Philip Zampino edited comment on KNOX-2871 at 2/1/23 2:07 PM:
--------------------------------------------------------------

Discovery is already an option in descriptors. Omitting discovery details should result in the generation of the associated topology if discovery is not configured or cannot be performed.

I don't agree that there is a need for a "dummy" discovery type. I can see that discovery-type defaults to a specific type if unspecified, but I suspect this only happens if the discovery-address is specified. Therefore, I think the "dummy" discovery type is accomplished by omitting all the discovery-related attributes from the descriptor. If that is not the case, then that is the bug IMO.

was (Author: pzampino):
Discovery is already an option in descriptors. Omitting discovery details should result in the generation of the associated topology if discovery is not configured or cannot be performed.

I don't agree that there is a need for a "dummy" discovery type. I can see that discovery-type defaults to a specific type if unspecified, but I suspect this only happens if the discovery-address is specified. Therefore, I think the "dummy" discovery type is accomplished by omitting all the discovery-related attributes from the descriptor. If that is not the case, then that is a bug IMO.

> Add "Skip" Service Discovery Type
> ---------------------------------
>
> Key: KNOX-2871
> URL: https://issues.apache.org/jira/browse/KNOX-2871
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
>
> Currently if the discovery-type is set to null or an empty string then it will default to "ClouderaManager". If service discovery fails for any reason then the topology is not going to be generated. In some cases the user wants to use static service URLs for the services while also keeping discovery enabled. A dummy service discovery type that always returns an empty service list would make this possible.
> cc.: [~smolnar]
[jira] [Comment Edited] (KNOX-2871) Add "Skip" Service Discovery Type
[ https://issues.apache.org/jira/browse/KNOX-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17683042#comment-17683042 ]

Philip Zampino edited comment on KNOX-2871 at 2/1/23 2:07 PM:
--------------------------------------------------------------

Discovery is already an option in descriptors. Omitting discovery details should result in the generation of the associated topology if discovery is not configured or cannot be performed.

I don't agree that there is a need for a "dummy" discovery type. I can see that discovery-type defaults to a specific type if unspecified, but I suspect this only happens if the discovery-address is specified. Therefore, I think the "dummy" discovery type is accomplished by omitting all the discovery-related attributes from the descriptor. If that is not the case, then that is a bug IMO.

was (Author: pzampino):
Discovery is already an option in descriptors. Omitting discovery details should result in the generation of the associated topology if discovery is no configured or cannot be performed.

I don't agree that there is a need for a "dummy" discovery type. I can see that discovery-type defaults to a specific type if unspecified, but I suspect this only happens if the discovery-address is specified. Therefore, I think the "dummy" discovery type is accomplished by omitting all the discovery-related attributes from the descriptor. If that is not the case, then that is a bug IMO.

> Add "Skip" Service Discovery Type
> ---------------------------------
>
> Key: KNOX-2871
> URL: https://issues.apache.org/jira/browse/KNOX-2871
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
>
> Currently if the discovery-type is set to null or an empty string then it will default to "ClouderaManager". If service discovery fails for any reason then the topology is not going to be generated. In some cases the user wants to use static service URLs for the services while also keeping discovery enabled. A dummy service discovery type that always returns an empty service list would make this possible.
> cc.: [~smolnar]
[jira] [Commented] (KNOX-2871) Add "Skip" Service Discovery Type
[ https://issues.apache.org/jira/browse/KNOX-2871?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17683042#comment-17683042 ]

Philip Zampino commented on KNOX-2871:
--------------------------------------

Discovery is already an option in descriptors. Omitting discovery details should result in the generation of the associated topology if discovery is not configured or cannot be performed.

I don't agree that there is a need for a "dummy" discovery type. I can see that discovery-type defaults to a specific type if unspecified, but I suspect this only happens if the discovery-address is specified. Therefore, I think the "dummy" discovery type is accomplished by omitting all the discovery-related attributes from the descriptor. If that is not the case, then that is a bug IMO.

> Add "Skip" Service Discovery Type
> ---------------------------------
>
> Key: KNOX-2871
> URL: https://issues.apache.org/jira/browse/KNOX-2871
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
>
> Currently if the discovery-type is set to null or an empty string then it will default to "ClouderaManager". If service discovery fails for any reason then the topology is not going to be generated. In some cases the user wants to use static service URLs for the services while also keeping discovery enabled. A dummy service discovery type that always returns an empty service list would make this possible.
> cc.: [~smolnar]
[jira] [Resolved] (KNOX-2870) Switch to 2.1.0-SNAPSHOT in pom.xml
[ https://issues.apache.org/jira/browse/KNOX-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino resolved KNOX-2870.
----------------------------------
Resolution: Resolved

> Switch to 2.1.0-SNAPSHOT in pom.xml
> -----------------------------------
>
> Key: KNOX-2870
> URL: https://issues.apache.org/jira/browse/KNOX-2870
> Project: Apache Knox
> Issue Type: Task
> Components: Release
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Critical
> Time Spent: 20m
> Remaining Estimate: 0h
[jira] [Work started] (KNOX-2870) Switch to 2.1.0-SNAPSHOT in pom.xml
[ https://issues.apache.org/jira/browse/KNOX-2870?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on KNOX-2870 started by Philip Zampino.

> Switch to 2.1.0-SNAPSHOT in pom.xml
> -----------------------------------
>
> Key: KNOX-2870
> URL: https://issues.apache.org/jira/browse/KNOX-2870
> Project: Apache Knox
> Issue Type: Task
> Components: Release
> Affects Versions: 2.0.0
> Reporter: Philip Zampino
> Assignee: Philip Zampino
> Priority: Critical
> Time Spent: 10m
> Remaining Estimate: 0h
[jira] [Created] (KNOX-2870) Switch to 2.1.0-SNAPSHOT in pom.xml
Philip Zampino created KNOX-2870:
------------------------------------

Summary: Switch to 2.1.0-SNAPSHOT in pom.xml
Key: KNOX-2870
URL: https://issues.apache.org/jira/browse/KNOX-2870
Project: Apache Knox
Issue Type: Task
Components: Release
Affects Versions: 2.0.0
Reporter: Philip Zampino
Assignee: Philip Zampino
[jira] [Created] (KNOX-2866) REST API for determining gateway readiness
Philip Zampino created KNOX-2866:
------------------------------------

Summary: REST API for determining gateway readiness
Key: KNOX-2866
URL: https://issues.apache.org/jira/browse/KNOX-2866
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 2.0.0
Reporter: Philip Zampino
Fix For: 2.0.1

It will be good to provide a REST API for determining that the gateway has completed its initialization and is completely ready to serve requests.

This API should be available to anyone, and should indicate the current status upon invocation. Status values could be as basic as STARTING and STARTED.
[jira] [Updated] (KNOX-2865) Accessing parameters of a x-www-form-urlencoded request consumes the request body
[ https://issues.apache.org/jira/browse/KNOX-2865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Philip Zampino updated KNOX-2865:
---------------------------------
Fix Version/s: 2.0.0

> Accessing parameters of a x-www-form-urlencoded request consumes the request body
> ----------------------------------------------------------------------------------
>
> Key: KNOX-2865
> URL: https://issues.apache.org/jira/browse/KNOX-2865
> Project: Apache Knox
> Issue Type: Task
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Doing request.getParameter() on a form url encoded POST request will consume the request body and knox will dispatch an empty request to the service.
[jira] [Created] (KNOX-2845) GatewayAdminTopologyFuncTest#testPutTopology failing
Philip Zampino created KNOX-2845:
------------------------------------

Summary: GatewayAdminTopologyFuncTest#testPutTopology failing
Key: KNOX-2845
URL: https://issues.apache.org/jira/browse/KNOX-2845
Project: Apache Knox
Issue Type: Test
Components: Tests
Affects Versions: 2.0.0
Reporter: Philip Zampino
Fix For: 2.0.0

GatewayAdminTopologyFuncTest#testPutTopology is failing because it's getting a 204 response instead of the expected 200 trying to PUT a topology via {{{}/api/v1/topologies/{}}}.

[ERROR] Tests run: 29, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 68.585 s <<< FAILURE! - in org.apache.knox.gateway.GatewayAdminTopologyFuncTest
[ERROR] testPutTopology(org.apache.knox.gateway.GatewayAdminTopologyFuncTest) Time elapsed: 1.034 s <<< FAILURE!
java.lang.AssertionError:
1 expectation failed.
Expected status code <204> but was <200>.
at org.apache.knox.gateway.GatewayAdminTopologyFuncTest.testPutTopology(GatewayAdminTopologyFuncTest.java:720)
[INFO]
[INFO] Results:
[INFO]
[ERROR] Failures:
[ERROR] GatewayAdminTopologyFuncTest.testPutTopology:720 1 expectation failed.
Expected status code <204> but was <200>.

It needs to be determined why the response status code has changed, and whether the test or the API itself needs to be fixed.
[jira] [Updated] (KNOX-2840) SecureKnoxShellTest broken
[ https://issues.apache.org/jira/browse/KNOX-2840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2840: - Resolution: Fixed Status: Resolved (was: Patch Available) > SecureKnoxShellTest broken > -- > > Key: KNOX-2840 > URL: https://issues.apache.org/jira/browse/KNOX-2840 > Project: Apache Knox > Issue Type: Test > Components: Tests >Affects Versions: 2.0.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 2.0.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Apparently, miniDFS now requires mockito, so that dependency needs to be > added, and easymock needs to be consequently upgraded because of a dependency > it shares with mockito. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Updated] (KNOX-2840) SecureKnoxShellTest broken
[ https://issues.apache.org/jira/browse/KNOX-2840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2840: - Status: Patch Available (was: In Progress) > SecureKnoxShellTest broken > -- > > Key: KNOX-2840 > URL: https://issues.apache.org/jira/browse/KNOX-2840 > Project: Apache Knox > Issue Type: Test > Components: Tests >Affects Versions: 2.0.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 2.0.0 > > Time Spent: 10m > Remaining Estimate: 0h > > Apparently, miniDFS now requires mockito, so that dependency needs to be > added, and easymock needs to be consequently upgraded because of a dependency > it shares with mockito. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Work started] (KNOX-2840) SecureKnoxShellTest broken
[ https://issues.apache.org/jira/browse/KNOX-2840?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2840 started by Philip Zampino. > SecureKnoxShellTest broken > -- > > Key: KNOX-2840 > URL: https://issues.apache.org/jira/browse/KNOX-2840 > Project: Apache Knox > Issue Type: Test > Components: Tests >Affects Versions: 2.0.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 2.0.0 > > > Apparently, miniDFS now requires mockito, so that dependency needs to be > added, and easymock needs to be consequently upgraded because of a dependency > it shares with mockito. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Created] (KNOX-2840) SecureKnoxShellTest broken
Philip Zampino created KNOX-2840: Summary: SecureKnoxShellTest broken Key: KNOX-2840 URL: https://issues.apache.org/jira/browse/KNOX-2840 Project: Apache Knox Issue Type: Test Components: Tests Affects Versions: 2.0.0 Reporter: Philip Zampino Assignee: Philip Zampino Fix For: 2.0.0 Apparently, miniDFS now requires mockito, so that dependency needs to be added, and easymock needs to be consequently upgraded because of a dependency it shares with mockito. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2833) Ozone integration for Apache Knox
[ https://issues.apache.org/jira/browse/KNOX-2833?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17628435#comment-17628435 ] Philip Zampino commented on KNOX-2833: -- Such a contribution from Ozone would be welcome. > Ozone integration for Apache Knox > - > > Key: KNOX-2833 > URL: https://issues.apache.org/jira/browse/KNOX-2833 > Project: Apache Knox > Issue Type: Improvement >Reporter: István Fajth >Priority: Major > > As Ozone is getting more and more use, there is an emerging need to have an > integration for Ozone. > The first things we would like to provide is access to Ozone Manager, Storage > Container Manager and Ozone Recon UI integration. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Assigned] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
[ https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reassigned KNOX-2732: Assignee: Attila Magyar > Issuer claim in Knox JWTs should be configurable > > > Key: KNOX-2732 > URL: https://issues.apache.org/jira/browse/KNOX-2732 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Attila Magyar >Priority: Major > > Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This > value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
Philip Zampino created KNOX-2732: Summary: Issuer claim in Knox JWTs should be configurable Key: KNOX-2732 URL: https://issues.apache.org/jira/browse/KNOX-2732 Project: Apache Knox Issue Type: Improvement Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Resolved] (KNOX-2729) Upgrade Spring Framework to 5.3.18
[ https://issues.apache.org/jira/browse/KNOX-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2729. -- Resolution: Duplicate > Upgrade Spring Framework to 5.3.18 > -- > > Key: KNOX-2729 > URL: https://issues.apache.org/jira/browse/KNOX-2729 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Upgrade the Spring framework version to 5.3.18 -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Work started] (KNOX-2729) Upgrade Spring Framework to 5.3.18
[ https://issues.apache.org/jira/browse/KNOX-2729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2729 started by Philip Zampino. > Upgrade Spring Framework to 5.3.18 > -- > > Key: KNOX-2729 > URL: https://issues.apache.org/jira/browse/KNOX-2729 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > Upgrade the Spring framework version to 5.3.18 -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (KNOX-2729) Upgrade Spring Framework to 5.3.18
Philip Zampino created KNOX-2729: Summary: Upgrade Spring Framework to 5.3.18 Key: KNOX-2729 URL: https://issues.apache.org/jira/browse/KNOX-2729 Project: Apache Knox Issue Type: Improvement Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino Upgrade the Spring framework version to 5.3.18 -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (KNOX-2726) Impersonation Params Declared by Service Definitions
Philip Zampino created KNOX-2726:

Summary: Impersonation Params Declared by Service Definitions
Key: KNOX-2726
URL: https://issues.apache.org/jira/browse/KNOX-2726
Project: Apache Knox
Issue Type: Improvement
Components: Server
Affects Versions: 1.6.0
Reporter: Philip Zampino
Assignee: Philip Zampino

_org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ has the following comment:
{noformat}
// TODO: let's have service definitions register their impersonation
// params in a future release and get this list from a central registry.
// This will provide better coverage of protection by removing any
// pre-populated impersonation params.
{noformat}
Currently, Knox excludes some well-known impersonation request parameters from proxied requests. Rather than maintaining a hard-coded list of these params, service definitions should be able to declare them such that they would be available at runtime to {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.

This will allow service-specific impersonation parameter details to be defined by the service definitions, and eliminate the need for Knox runtime code changes when new impersonation params need to be handled.

--
This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Commented] (KNOX-2716) Document KNOX-2707 Virtual Group Mapping Provider
[ https://issues.apache.org/jira/browse/KNOX-2716?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17514325#comment-17514325 ] Philip Zampino commented on KNOX-2716: -- [KNOX-2716-2.patch|https://issues.apache.org/jira/secure/attachment/13041729/KNOX-2716-2.patch] looks good to me. > Document KNOX-2707 Virtual Group Mapping Provider > - > > Key: KNOX-2716 > URL: https://issues.apache.org/jira/browse/KNOX-2716 > Project: Apache Knox > Issue Type: Improvement > Components: Site >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Attachments: KNOX-2716-2.patch, KNOX-2716.patch > > -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (KNOX-2706) Possible NPE in redirecting.jsp
[ https://issues.apache.org/jira/browse/KNOX-2706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2706: - Resolution: Fixed Status: Resolved (was: Patch Available) > Possible NPE in redirecting.jsp > --- > > Key: KNOX-2706 > URL: https://issues.apache.org/jira/browse/KNOX-2706 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > redirecting.jsp may result in a NullPointerException if the originalUrl > request parameter resolves to null. Some defensive logic should be added to > avoid this possibility. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (KNOX-2706) Possible NPE in redirecting.jsp
[ https://issues.apache.org/jira/browse/KNOX-2706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2706: - Status: Patch Available (was: In Progress) https://github.com/apache/knox/pull/540 > Possible NPE in redirecting.jsp > --- > > Key: KNOX-2706 > URL: https://issues.apache.org/jira/browse/KNOX-2706 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > redirecting.jsp may result in a NullPointerException if the originalUrl > request parameter resolves to null. Some defensive logic should be added to > avoid this possibility. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Work started] (KNOX-2706) Possible NPE in redirecting.jsp
[ https://issues.apache.org/jira/browse/KNOX-2706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2706 started by Philip Zampino. > Possible NPE in redirecting.jsp > --- > > Key: KNOX-2706 > URL: https://issues.apache.org/jira/browse/KNOX-2706 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > redirecting.jsp may result in a NullPointerException if the originalUrl > request parameter resolves to null. Some defensive logic should be added to > avoid this possibility. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Created] (KNOX-2706) Possible NPE in redirecting.jsp
Philip Zampino created KNOX-2706: Summary: Possible NPE in redirecting.jsp Key: KNOX-2706 URL: https://issues.apache.org/jira/browse/KNOX-2706 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino redirecting.jsp may result in a NullPointerException if the originalUrl request parameter resolves to null. Some defensive logic should be added to avoid this possibility. -- This message was sent by Atlassian Jira (v8.20.1#820001)
[jira] [Updated] (KNOX-2686) Update Knox site after releasing 1.6.0
[ https://issues.apache.org/jira/browse/KNOX-2686?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2686: - Summary: Update Knox site after releasing 1.6.0 (was: Update Knox sire after releasing 1.6.0) > Update Knox site after releasing 1.6.0 > -- > > Key: KNOX-2686 > URL: https://issues.apache.org/jira/browse/KNOX-2686 > Project: Apache Knox > Issue Type: Task >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > > The following changes should be made on {{knox.apache.org}} site: > * announcement of 1.6.0 > * updating user/dev/knoxshell guide links > * introducing books for 2.0.0 -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2649) ServiceDefinitionUnmarshaller should disable support for external entities
Philip Zampino created KNOX-2649:

Summary: ServiceDefinitionUnmarshaller should disable support for external entities
Key: KNOX-2649
URL: https://issues.apache.org/jira/browse/KNOX-2649
Project: Apache Knox
Issue Type: Bug
Components: Server
Affects Versions: 1.5.0
Reporter: Philip Zampino

org.apache.knox.gateway.service.admin.ServiceDefinitionUnmarshaller should disable support for external XML entities in the _readFrom_ method.
{code:java}
XMLInputFactory f = XMLInputFactory.newFactory();
f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
f.setProperty(XMLInputFactory.SUPPORT_DTD, false);
XMLStreamReader xsr = f.createXMLStreamReader(entityStream);
return (ServiceDefinitionPair) getUnmarshaller().unmarshal(xsr);
{code}

--
This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KNOX-2643) TopologyService should validate descriptor and provider config file paths
[ https://issues.apache.org/jira/browse/KNOX-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17405288#comment-17405288 ] Philip Zampino commented on KNOX-2643: -- This is a low-priority issue because TopologiesResource does perform such validation, and it is the only entry point to the affected DefaultTopologyService methods. > TopologyService should validate descriptor and provider config file paths > - > > Key: KNOX-2643 > URL: https://issues.apache.org/jira/browse/KNOX-2643 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > > DefaultTopologyService#deployProviderConfiguration and > DefaultTopologyService#deployDescriptor blindly trust the file name without > validating that the location will be bound to the expected resource directory > (e.g., sharedProvidersDirectory, descriptorsDirectory). > Names that would place the file outside the expected location or intent > (e.g., ../gateway-site.xml) should be rejected. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2645) TopologiesResource should validate input
[ https://issues.apache.org/jira/browse/KNOX-2645?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2645. -- Resolution: Not A Bug This is already being done with the isValidResourceName(String) method. > TopologiesResource should validate input > > > Key: KNOX-2645 > URL: https://issues.apache.org/jira/browse/KNOX-2645 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Priority: Major > > The TopologiesResource should validate input to at least restrict the values > to some set of valid characters. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KNOX-2644) Topology names should be validated when uploaded via API
[ https://issues.apache.org/jira/browse/KNOX-2644?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17405283#comment-17405283 ] Philip Zampino commented on KNOX-2644: -- This is a low-priority issue because the names are validated in the TopologiesResource from which the DefaultTopologyService method is invoked. > Topology names should be validated when uploaded via API > > > Key: KNOX-2644 > URL: https://issues.apache.org/jira/browse/KNOX-2644 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > > DefaultTopologyService#deployTopology does not validate the topology's name > to prevent the creation of files outside the location or intent of the API. > The name could be something like _*../gateway-site*_, which could be used to > overwrite the gateway configuration. > (e.g., _KNOX_HOME_/conf/topologies/../gateway-site.xml) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2648) TopologiesResource uploadProviderConfiguration should report calculated file name instead of provided name.
[ https://issues.apache.org/jira/browse/KNOX-2648?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2648. -- Resolution: Invalid The name parameter is already validated by the isValidResourceName(String) method. > TopologiesResource uploadProviderConfiguration should report calculated file > name instead of provided name. > --- > > Key: KNOX-2648 > URL: https://issues.apache.org/jira/browse/KNOX-2648 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Priority: Major > > The uploadProviderConfiguration method of TopologiesResource may return a > JSON error response that includes the name path param. It would be safer to > use the calculated filename value instead of the mostly-unvalidated name > parameter. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2648) TopologiesResource uploadProviderConfiguration should report calculated file name instead of provided name.
Philip Zampino created KNOX-2648: Summary: TopologiesResource uploadProviderConfiguration should report calculated file name instead of provided name. Key: KNOX-2648 URL: https://issues.apache.org/jira/browse/KNOX-2648 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.5.0 Reporter: Philip Zampino The uploadProviderConfiguration method of TopologiesResource may return a JSON error response that includes the name path param. It would be safer to use the calculated filename value instead of the mostly-unvalidated name parameter. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2645) TopologiesResource should validate input
Philip Zampino created KNOX-2645: Summary: TopologiesResource should validate input Key: KNOX-2645 URL: https://issues.apache.org/jira/browse/KNOX-2645 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.5.0 Reporter: Philip Zampino The TopologiesResource should validate input to at least restrict the values to some set of valid characters. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2644) Topology names should be validated when uploaded via API
Philip Zampino created KNOX-2644: Summary: Topology names should be validated when uploaded via API Key: KNOX-2644 URL: https://issues.apache.org/jira/browse/KNOX-2644 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.5.0 Reporter: Philip Zampino Fix For: 1.6.0 DefaultTopologyService#deployTopology does not validate the topology's name to prevent the creation of files outside the location or intent of the API. The name could be something like _*../gateway-site*_, which could be used to overwrite the gateway configuration. (e.g., _KNOX_HOME_/conf/topologies/../gateway-site.xml) -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2643) TopologyService should validate descriptor and provider config file paths
Philip Zampino created KNOX-2643: Summary: TopologyService should validate descriptor and provider config file paths Key: KNOX-2643 URL: https://issues.apache.org/jira/browse/KNOX-2643 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.5.0 Reporter: Philip Zampino Fix For: 1.6.0 DefaultTopologyService#deployProviderConfiguration and DefaultTopologyService#deployDescriptor blindly trust the file name without validating that the location will be bound to the expected resource directory (e.g., sharedProvidersDirectory, descriptorsDirectory). Names that would place the file outside the expected location or intent (e.g., ../gateway-site.xml) should be rejected. -- This message was sent by Atlassian Jira (v8.3.4#803005)
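The check that KNOX-2643 and KNOX-2644 ask for, sketched as an added example (this is not Apache Knox code): the name is validated at the point where the file path is built, so the service layer does not depend on its callers having done so. The class name, the `resolveWithin` helper, the allow-list pattern and the temporary directory layout are assumptions made for this illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/**
 * Added illustration (not Apache Knox code): confine an API-supplied resource
 * name to a single directory before anything is written to disk.
 */
public class ResourceNameCheck {

    // Assumption: a conservative allow-list chosen for this example. It permits
    // no path separators and requires an alphanumeric first character.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    /**
     * Returns the file that the name maps to inside baseDir, or throws if the
     * name is malformed or the resulting path would leave baseDir.
     */
    static Path resolveWithin(Path baseDir, String name, String extension) throws IOException {
        // First check: the name itself. Consecutive dots are refused outright,
        // which is stricter than necessary but keeps the rule easy to audit.
        if (name == null || !SAFE_NAME.matcher(name).matches() || name.contains("..")) {
            throw new IllegalArgumentException("invalid resource name");
        }
        // Canonicalize the base so a symlinked parent cannot move the boundary.
        Path base = baseDir.toRealPath();
        Path target = base.resolve(name + extension).normalize();
        // Second, independent check: the normalized path must be a direct child
        // of the expected directory, whatever the name looked like.
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("resource path leaves " + base.getFileName());
        }
        return target;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout standing in for KNOX_HOME/conf/topologies.
        Path conf = Files.createTempDirectory("knox-conf-example");
        Path topologies = Files.createDirectory(conf.resolve("topologies"));

        // Constructed sample names, including the ../gateway-site case from the issue.
        String[] names = {"sandbox", "prod-cluster_1", "../gateway-site", "a/b", "..", "", "x..y"};
        for (String n : names) {
            try {
                Path p = resolveWithin(topologies, n, ".xml");
                System.out.println("accepted '" + n + "' -> topologies/" + p.getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected '" + n + "': " + e.getMessage());
            }
        }
    }
}
```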
[jira] [Commented] (KNOX-2610) Typo in token alias persistence log message
[ https://issues.apache.org/jira/browse/KNOX-2610?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17388776#comment-17388776 ] Philip Zampino commented on KNOX-2610: -- No, I am not working on it. Thanks for taking care of it. > Typo in token alias persistence log message > --- > > Key: KNOX-2610 > URL: https://issues.apache.org/jira/browse/KNOX-2610 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Minor > Time Spent: 50m > Remaining Estimate: 0h > > TokenStateServiceMessages#loadedTokenAliasesFromPersistenceStore(int, long) > includes a typo: > {noformat} > Loaded 0 token aliases from persistence store in 1 milliseonds{noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2619) HA dispatch should failover regardless of noFallback config until session is established
[ https://issues.apache.org/jira/browse/KNOX-2619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2619. -- Resolution: Fixed > HA dispatch should failover regardless of noFallback config until session is > established > > > Key: KNOX-2619 > URL: https://issues.apache.org/jira/browse/KNOX-2619 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 50m > Remaining Estimate: 0h > > When enableStickySession=true and noFallback=true, and the attempt to > establish the session fails, the ConfigurableHaDispatch does not failover > because of the noFallback configuration. > Instead, it should failover until a session can be established, and then > honor the noFallback configuration from that point forward. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2619) HA dispatch should failover regardless of noFallback config until session is established
[ https://issues.apache.org/jira/browse/KNOX-2619?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2619 started by Philip Zampino. > HA dispatch should failover regardless of noFallback config until session is > established > > > Key: KNOX-2619 > URL: https://issues.apache.org/jira/browse/KNOX-2619 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > When enableStickySession=true and noFallback=true, and the attempt to > establish the session fails, the ConfigurableHaDispatch does not failover > because of the noFallback configuration. > Instead, it should failover until a session can be established, and then > honor the noFallback configuration from that point forward. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2619) HA dispatch should failover regardless of noFallback config until session is established
Philip Zampino created KNOX-2619: Summary: HA dispatch should failover regardless of noFallback config until session is established Key: KNOX-2619 URL: https://issues.apache.org/jira/browse/KNOX-2619 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino When enableStickySession=true and noFallback=true, and the attempt to establish the session fails, the ConfigurableHaDispatch does not failover because of the noFallback configuration. Instead, it should failover until a session can be established, and then honor the noFallback configuration from that point forward. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2610) Typo in token alias persistence log message
[ https://issues.apache.org/jira/browse/KNOX-2610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2610 started by Philip Zampino. > Typo in token alias persistence log message > --- > > Key: KNOX-2610 > URL: https://issues.apache.org/jira/browse/KNOX-2610 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Minor > > TokenStateServiceMessages#loadedTokenAliasesFromPersistenceStore(int, long) > includes a typo: > {noformat} > Loaded 0 token aliases from persistence store in 1 milliseonds{noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (KNOX-2610) Typo in token alias persistence log message
[ https://issues.apache.org/jira/browse/KNOX-2610?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reassigned KNOX-2610: Assignee: Philip Zampino > Typo in token alias persistence log message > --- > > Key: KNOX-2610 > URL: https://issues.apache.org/jira/browse/KNOX-2610 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Minor > > TokenStateServiceMessages#loadedTokenAliasesFromPersistenceStore(int, long) > includes a typo: > {noformat} > Loaded 0 token aliases from persistence store in 1 milliseonds{noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (KNOX-2611) Token-based providers should cache unsuccessful signature verifications
[ https://issues.apache.org/jira/browse/KNOX-2611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reassigned KNOX-2611: Assignee: Philip Zampino > Token-based providers should cache unsuccessful signature verifications > --- > > Key: KNOX-2611 > URL: https://issues.apache.org/jira/browse/KNOX-2611 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > Similar to KNOX-2544, by which the token-based providers cache SUCCESSFUL > signature verifications to avoid having to re-verify the same token > repeatedly, this issue would add caching of UNSUCCESSFUL signature > verifications toward the goal of preventing DOS-type attacks with "known bad" > tokens. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2611) Token-based providers should cache unsuccessful signature verifications
[ https://issues.apache.org/jira/browse/KNOX-2611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2611 started by Philip Zampino. > Token-based providers should cache unsuccessful signature verifications > --- > > Key: KNOX-2611 > URL: https://issues.apache.org/jira/browse/KNOX-2611 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > Similar to KNOX-2544, by which the token-based providers cache SUCCESSFUL > signature verifications to avoid having to re-verify the same token > repeatedly, this issue would add caching of UNSUCCESSFUL signature > verifications toward the goal of preventing DOS-type attacks with "known bad" > tokens. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Commented] (KNOX-2612) Knox + webHDFS is not working with Hadoop 3.3
[ https://issues.apache.org/jira/browse/KNOX-2612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17356497#comment-17356497 ] Philip Zampino commented on KNOX-2612: -- Is this issue specifically about the impersonation options, or are you saying that Knox won't proxy webhdfs without them either? Can you attach any relevant excerpts from the Knox logs? > Knox + webHDFS is not working with Hadoop 3.3 > -- > > Key: KNOX-2612 > URL: https://issues.apache.org/jira/browse/KNOX-2612 > Project: Apache Knox > Issue Type: Bug > Components: KnoxSSO, Server >Affects Versions: 1.4.0, 1.5.0 >Reporter: Rohan Nimmagadda >Priority: Blocker > > Hadoop 3.3 Webhdfs is not working with Knox end point getting below exception > Tried hadoop side of things by changing hadoop.http.filter.initializers in > core-site to default AuthFilter and > org.apache.hadoop.security.AuthenticationFilterInitializer value > result shows same having issues with webHDFS > Knox Webhdfs API : > [https://knoxhost:8443/gateway/default/webhdfs/v1/tmp/?|https://drcn1003.target.com:8443/gateway/bigred/webhdfs/v1/tmp/?] > =LISTSTATUS > {"RemoteException":\{"exception":"SecurityException","javaClassName":"java.lang.SecurityException","message":"Failed > to obtain user group information: java.io.IOException: Security enabled but > user not authenticated by filter"}} > > -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2611) Token-based providers should cache unsuccessful signature verifications
Philip Zampino created KNOX-2611: Summary: Token-based providers should cache unsuccessful signature verifications Key: KNOX-2611 URL: https://issues.apache.org/jira/browse/KNOX-2611 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Similar to KNOX-2544, by which the token-based providers cache SUCCESSFUL signature verifications to avoid having to re-verify the same token repeatedly, this issue would add caching of UNSUCCESSFUL signature verifications toward the goal of preventing DOS-type attacks with "known bad" tokens. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2610) Typo in token alias persistence log message
Philip Zampino created KNOX-2610: Summary: Typo in token alias persistence log message Key: KNOX-2610 URL: https://issues.apache.org/jira/browse/KNOX-2610 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino TokenStateServiceMessages#loadedTokenAliasesFromPersistenceStore(int, long) includes a typo: {noformat} Loaded 0 token aliases from persistence store in 1 milliseonds{noformat} -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2544) Token-based providers should cache successful token verifications
[ https://issues.apache.org/jira/browse/KNOX-2544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2544: - Status: Patch Available (was: In Progress) https://github.com/apache/knox/pull/440 > Token-based providers should cache successful token verifications > - > > Key: KNOX-2544 > URL: https://issues.apache.org/jira/browse/KNOX-2544 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 10m > Remaining Estimate: 0h > > The token-based providers should record the successful verification of tokens > in a LRU-like cache to minimize the frequency of performing the expensive > (CPU-intensive) operation. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2544) Token-based providers should cache successful token verifications
[ https://issues.apache.org/jira/browse/KNOX-2544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2544 started by Philip Zampino. > Token-based providers should cache successful token verifications > - > > Key: KNOX-2544 > URL: https://issues.apache.org/jira/browse/KNOX-2544 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > > The token-based providers should record the successful verification of tokens > in a LRU-like cache to minimize the frequency of performing the expensive > (CPU-intensive) operation. -- This message was sent by Atlassian Jira (v8.3.4#803005)
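The caching described in KNOX-2544 (successful verifications) and KNOX-2611 (unsuccessful ones), sketched together as an added example that is not Apache Knox code. The class name, the `Predicate` standing in for the real signature check, the capacity and the sample tokens are all assumptions made for this illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Predicate;

/**
 * Added illustration (not Apache Knox code): a bounded LRU cache of signature
 * verification outcomes that remembers failures as well as successes.
 */
public class VerificationCache {

    // Hypothetical stand-in for the CPU-intensive signature verification.
    private final Predicate<String> expensiveVerifier;
    private final Map<String, Boolean> results;
    private long verifierCalls;

    VerificationCache(int maxEntries, Predicate<String> expensiveVerifier) {
        this.expensiveVerifier = expensiveVerifier;
        // accessOrder=true makes LinkedHashMap evict the least recently used
        // entry; the size bound keeps a flood of distinct bad tokens from
        // growing the cache without limit.
        this.results = new LinkedHashMap<String, Boolean>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, Boolean> eldest) {
                return size() > maxEntries;
            }
        };
    }

    /** Key on a digest so the cache does not retain raw tokens in memory. */
    private static String key(String token) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
            return Base64.getEncoder().encodeToString(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Returns the signature verdict for the token, running the expensive check
     * only on a cache miss. Only the signature result is cached: time-based
     * checks such as expiry still have to run on every request, and the cache
     * has to be cleared whenever the verification key changes.
     */
    synchronized boolean isSignatureValid(String token) {
        String k = key(token);
        Boolean cached = results.get(k);
        if (cached != null) {
            return cached;
        }
        verifierCalls++;
        boolean ok = expensiveVerifier.test(token);
        results.put(k, ok);
        return ok;
    }

    synchronized long verifierCalls() {
        return verifierCalls;
    }

    synchronized int size() {
        return results.size();
    }

    public static void main(String[] args) {
        // Constructed tokens; the lambda is a placeholder for a real signature check.
        VerificationCache cache = new VerificationCache(3, t -> t.endsWith(".valid-signature"));

        // The same good token and the same "known bad" token, replayed 1000 times each.
        for (int i = 0; i < 1000; i++) {
            cache.isSignatureValid("header.payload.valid-signature");
            cache.isSignatureValid("header.payload.forged");
        }
        System.out.println("verifier calls after 2000 requests: " + cache.verifierCalls());

        // Ten distinct bad tokens: each costs one verification, but the cache stays bounded.
        for (int i = 0; i < 10; i++) {
            cache.isSignatureValid("header.payload" + i + ".forged");
        }
        System.out.println("entries retained (capacity 3): " + cache.size());
    }
}
```

A negative cache only absorbs replays of the same bad token; a stream of distinct bad tokens still costs one verification each, which is why the bound on entries matters.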
[jira] [Created] (KNOX-2581) Secure token passcode in token state
Philip Zampino created KNOX-2581: Summary: Secure token passcode in token state Key: KNOX-2581 URL: https://issues.apache.org/jira/browse/KNOX-2581 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino The Token State Service must be improved to fully protect the token passcode (UUID) that is stored in Zookeeper and journaling implementations, such that the passcode isn't stored in clear text or used as any part of the alias name. The token passcodes should be hashed in token state (instead of using the actual value) with the master secret as the salt. -- This message was sent by Atlassian Jira (v8.3.4#803005)
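The storage scheme KNOX-2581 asks for, sketched as an added example that is not Knox code and not part of the original messages: the stored alias is a keyed hash of the passcode, so neither the alias name nor the persisted state contains the passcode itself. HMAC-SHA-256 keyed with the master secret is this example's assumed reading of "hashed with the master secret as the salt"; the class, function and exception names, the in-memory dict standing in for ZooKeeper or a journal, and the sample secret are all hypothetical.

```python
import hashlib
import hmac
import time
import uuid


class UnknownPasscodeError(Exception):
    """The presented passcode maps to no stored token state (hypothetical name)."""


class ExpiredPasscodeError(Exception):
    """The presented passcode maps to state whose lifetime has ended (hypothetical name)."""


def passcode_alias(master_secret: bytes, passcode: str) -> str:
    """Derive the storage alias for a passcode.

    Assumption: HMAC-SHA-256 keyed with the master secret. Without the secret,
    a reader of the store cannot test candidate passcodes against an alias,
    which a plain unsalted hash would allow.
    """
    mac = hmac.new(master_secret, passcode.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()


class HashedTokenStateStore:
    """Token state keyed by the keyed hash of the passcode, never the passcode."""

    def __init__(self, master_secret: bytes):
        if not master_secret:
            raise ValueError("master secret must not be empty")
        self._master_secret = master_secret
        # alias -> metadata; stands in for the ZooKeeper / journal back end.
        self._state = {}

    def issue(self, user: str, lifetime_seconds: float, now: float = None) -> str:
        """Create token state and return the passcode to the caller only."""
        now = time.time() if now is None else now
        passcode = str(uuid.uuid4())  # the page describes the passcode as a UUID
        alias = passcode_alias(self._master_secret, passcode)
        self._state[alias] = {"user": user, "expires_at": now + lifetime_seconds}
        return passcode

    def lookup(self, presented: str, now: float = None) -> dict:
        """Re-derive the alias from the presented passcode and fetch its state."""
        now = time.time() if now is None else now
        alias = passcode_alias(self._master_secret, presented)
        metadata = self._state.get(alias)
        if metadata is None:
            raise UnknownPasscodeError("no token state for presented passcode")
        if now >= metadata["expires_at"]:
            raise ExpiredPasscodeError("token state has expired")
        return dict(metadata)

    def revoke(self, presented: str) -> bool:
        """Remove state for a passcode; returns False if there was none."""
        alias = passcode_alias(self._master_secret, presented)
        return self._state.pop(alias, None) is not None

    def persisted_view(self) -> dict:
        """What someone with read access to the back end would see."""
        return {alias: dict(meta) for alias, meta in self._state.items()}


if __name__ == "__main__":
    # Constructed sample secret; a real deployment would load its own.
    store = HashedTokenStateStore(b"constructed-master-secret")
    code = store.issue("alice", lifetime_seconds=60)
    print("stored aliases:", list(store.persisted_view()))
    print("lookup user:", store.lookup(code)["user"])
```

Because the alias depends on the master secret, rotating that secret makes every stored alias unreachable unless the state is re-keyed or the tokens are reissued.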
[jira] [Updated] (KNOX-2578) TokenResource logging token UUIDs
[ https://issues.apache.org/jira/browse/KNOX-2578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2578: - Fix Version/s: 1.6.0 Resolution: Fixed Status: Resolved (was: Patch Available) > TokenResource logging token UUIDs > - > > Key: KNOX-2578 > URL: https://issues.apache.org/jira/browse/KNOX-2578 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 20m > Remaining Estimate: 0h > > TokenResource is logging token UUIDs in their entirety. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2578) TokenResource logging token UUIDs
[ https://issues.apache.org/jira/browse/KNOX-2578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2578 started by Philip Zampino. > TokenResource logging token UUIDs > - > > Key: KNOX-2578 > URL: https://issues.apache.org/jira/browse/KNOX-2578 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > TokenResource is logging token UUIDs in their entirety. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2578) TokenResource logging token UUIDs
[ https://issues.apache.org/jira/browse/KNOX-2578?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2578: - Status: Patch Available (was: In Progress) > TokenResource logging token UUIDs > - > > Key: KNOX-2578 > URL: https://issues.apache.org/jira/browse/KNOX-2578 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > TokenResource is logging token UUIDs in their entirety. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2578) TokenResource logging token UUIDs
Philip Zampino created KNOX-2578: Summary: TokenResource logging token UUIDs Key: KNOX-2578 URL: https://issues.apache.org/jira/browse/KNOX-2578 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino TokenResource is logging token UUIDs in their entirety. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2566. -- Fix Version/s: 1.6.0 Resolution: Fixed > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 1h 40m > Remaining Estimate: 0h > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Issue Comment Deleted] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2566: - Comment: was deleted (was: ZookeeperTokenStateService and AliasBasedTokenStateService are still logging the UUIDs.) > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2572) Unique token identifiers still being logged in entirety
[ https://issues.apache.org/jira/browse/KNOX-2572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2572: - Fix Version/s: 1.6.0 Resolution: Fixed Status: Resolved (was: Patch Available) > Unique token identifiers still being logged in entirety > --- > > Key: KNOX-2572 > URL: https://issues.apache.org/jira/browse/KNOX-2572 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 40m > Remaining Estimate: 0h > > The ZookeeperTokenStateService and AliasBasedTokenStateService > implementations are still logging JWT token UUIDs in their entirety, > apparently missed by KNOX-2561. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2572) Unique token identifiers still being logged in entirety
[ https://issues.apache.org/jira/browse/KNOX-2572?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2572: - Status: Patch Available (was: Open) > Unique token identifiers still being logged in entirety > --- > > Key: KNOX-2572 > URL: https://issues.apache.org/jira/browse/KNOX-2572 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > The ZookeeperTokenStateService and AliasBasedTokenStateService > implementations are still logging JWT token UUIDs in their entirety, > apparently missed by KNOX-2561. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2573) Service discovery should support HiveServer2 transport mode all
[ https://issues.apache.org/jira/browse/KNOX-2573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2573. -- Fix Version/s: 1.6.0 Resolution: Fixed > Service discovery should support HiveServer2 transport mode all > --- > > Key: KNOX-2573 > URL: https://issues.apache.org/jira/browse/KNOX-2573 > Project: Apache Knox > Issue Type: Bug > Components: cm-discovery >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 40m > Remaining Estimate: 0h > > HiveServer2 has a transport mode "all", which includes "http", but Knox's CM > discovery does not currently recognize this as a supported transport mode and > thus won't discover the URLs. Knox should treat the "all" mode the same way > it treats the "http" mode. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2573) Service discovery should support HiveServer2 transport mode all
[ https://issues.apache.org/jira/browse/KNOX-2573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2573 started by Philip Zampino. > Service discovery should support HiveServer2 transport mode all > --- > > Key: KNOX-2573 > URL: https://issues.apache.org/jira/browse/KNOX-2573 > Project: Apache Knox > Issue Type: Bug > Components: cm-discovery >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > HiveServer2 has a transport mode "all", which includes "http", but Knox's CM > discovery does not currently recognize this as a supported transport mode and > thus won't discover the URLs. Knox should treat the "all" mode the same way > it treats the "http" mode. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2573) Service discovery should support HiveServer2 transport mode all
[ https://issues.apache.org/jira/browse/KNOX-2573?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2573: - Summary: Service discovery should support HiveServer2 transport mode all (was: HiveServer2 discovery via CM should support transport mode all) > Service discovery should support HiveServer2 transport mode all > --- > > Key: KNOX-2573 > URL: https://issues.apache.org/jira/browse/KNOX-2573 > Project: Apache Knox > Issue Type: Bug > Components: cm-discovery >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > HiveServer2 has a transport mode "all", which includes "http", but Knox's CM > discovery does not currently recognize this as a supported transport mode and > thus won't discover the URLs. Knox should treat the "all" mode the same way > it treats the "http" mode. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2573) HiveServer2 discovery via CM should support transport mode all
Philip Zampino created KNOX-2573: Summary: HiveServer2 discovery via CM should support transport mode all Key: KNOX-2573 URL: https://issues.apache.org/jira/browse/KNOX-2573 Project: Apache Knox Issue Type: Bug Components: cm-discovery Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino HiveServer2 has a transport mode "all", which includes "http", but Knox's CM discovery does not currently recognize this as a supported transport mode and thus won't discover the URLs. Knox should treat the "all" mode the same way it treats the "http" mode. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2572) Unique token identifiers still being logged in entirety
Philip Zampino created KNOX-2572: Summary: Unique token identifiers still being logged in entirety Key: KNOX-2572 URL: https://issues.apache.org/jira/browse/KNOX-2572 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino The ZookeeperTokenStateService and AliasBasedTokenStateService implementations are still logging JWT token UUIDs in their entirety, apparently missed by KNOX-2561. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reopened KNOX-2566: -- ZookeeperTokenStateService and AliasBasedTokenStateService are still logging the UUIDs. > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Comment Edited] (KNOX-2544) Token-based providers should cache successful token verifications
[ https://issues.apache.org/jira/browse/KNOX-2544?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17313432#comment-17313432 ] Philip Zampino edited comment on KNOX-2544 at 4/1/21, 8:39 PM: --- The solution to this issue should consider third-party JWTs, which will not have the internal Knox UUID. was (Author: pzampino): The solution to this issue should consider third-party JWTs. > Token-based providers should cache successful token verifications > - > > Key: KNOX-2544 > URL: https://issues.apache.org/jira/browse/KNOX-2544 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > > The token-based providers should record the successful verification of tokens > in a LRU-like cache to minimize the frequency of performing the expensive > (CPU-intensive) operation. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Reopened] (KNOX-2544) Token-based providers should cache successful token verifications
[ https://issues.apache.org/jira/browse/KNOX-2544?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reopened KNOX-2544: -- The solution to this issue should consider third-party JWTs. > Token-based providers should cache successful token verifications > - > > Key: KNOX-2544 > URL: https://issues.apache.org/jira/browse/KNOX-2544 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.5.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > > The token-based providers should record the successful verification of tokens > in a LRU-like cache to minimize the frequency of performing the expensive > (CPU-intensive) operation. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2566: - Resolution: Fixed Status: Resolved (was: Patch Available) > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2566: - Status: Patch Available (was: In Progress) > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 1.5h > Remaining Estimate: 0h > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2566) JWT Token Signature Verification Caching NPE
[ https://issues.apache.org/jira/browse/KNOX-2566?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2566 started by Philip Zampino. > JWT Token Signature Verification Caching NPE > > > Key: KNOX-2566 > URL: https://issues.apache.org/jira/browse/KNOX-2566 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > For JWT tokens that have not been issued by Knox, but which Knox can verify, > the signature verification caching enhancement in the JWT providers > (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued > by Knox and have a Knox-token-specific claim. > The providers should be able to handle these cases without throwing an > exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2566) JWT Token Signature Verification Caching NPE
Philip Zampino created KNOX-2566: Summary: JWT Token Signature Verification Caching NPE Key: KNOX-2566 URL: https://issues.apache.org/jira/browse/KNOX-2566 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino Assignee: Philip Zampino For JWT tokens that have not been issued by Knox, but which Knox can verify, the signature verification caching enhancement in the JWT providers (KNOX-2544) throws a NPE because it's assuming that all JWTs have been issued by Knox and have a Knox-token-specific claim. The providers should be able to handle these cases without throwing an exception. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2562) TokenStateService getTokenMetadata method should throw UnknownTokenException
[ https://issues.apache.org/jira/browse/KNOX-2562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2562: - Resolution: Fixed Status: Resolved (was: Patch Available) > TokenStateService getTokenMetadata method should throw UnknownTokenException > > > Key: KNOX-2562 > URL: https://issues.apache.org/jira/browse/KNOX-2562 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > The TokenStateService getTokenMetadata method should throw > UnknownTokenException if an invalid token identifier is specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2562) TokenStateService getTokenMetadata method should throw UnknownTokenException
[ https://issues.apache.org/jira/browse/KNOX-2562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2562: - Fix Version/s: 1.6.0 > TokenStateService getTokenMetadata method should throw UnknownTokenException > > > Key: KNOX-2562 > URL: https://issues.apache.org/jira/browse/KNOX-2562 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 40m > Remaining Estimate: 0h > > The TokenStateService getTokenMetadata method should throw > UnknownTokenException if an invalid token identifier is specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2562) TokenStateService getTokenMetadata method should throw UnknownTokenException
[ https://issues.apache.org/jira/browse/KNOX-2562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2562: - Status: Patch Available (was: In Progress) > TokenStateService getTokenMetadata method should throw UnknownTokenException > > > Key: KNOX-2562 > URL: https://issues.apache.org/jira/browse/KNOX-2562 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > The TokenStateService getTokenMetadata method should throw > UnknownTokenException if an invalid token identifier is specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2562) TokenStateService getTokenMetadata method should throw UnknownTokenException
[ https://issues.apache.org/jira/browse/KNOX-2562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2562 started by Philip Zampino. > TokenStateService getTokenMetadata method should throw UnknownTokenException > > > Key: KNOX-2562 > URL: https://issues.apache.org/jira/browse/KNOX-2562 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > The TokenStateService getTokenMetadata method should throw > UnknownTokenException if an invalid token identifier is specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Assigned] (KNOX-2562) TokenStateService getTokenMetadata method should throw UnknownTokenException
[ https://issues.apache.org/jira/browse/KNOX-2562?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino reassigned KNOX-2562: Assignee: Philip Zampino > TokenStateService getTokenMetadata method should throw UnknownTokenException > > > Key: KNOX-2562 > URL: https://issues.apache.org/jira/browse/KNOX-2562 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > The TokenStateService getTokenMetadata method should throw > UnknownTokenException if an invalid token identifier is specified. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Resolved] (KNOX-2561) Unique token identifiers must be truncated when logged now that they can be used as secrets
[ https://issues.apache.org/jira/browse/KNOX-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino resolved KNOX-2561. -- Resolution: Fixed > Unique token identifiers must be truncated when logged now that they can be > used as secrets > --- > > Key: KNOX-2561 > URL: https://issues.apache.org/jira/browse/KNOX-2561 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > With KNOX-2555 and KNOX-2556, the unique internal identifiers for Knox tokens > are exposed and may be used as secrets. As such, they should no longer be > fully logged. Rather, they should be truncated as the tokens themselves are > currently. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Work started] (KNOX-2561) Unique token identifiers must be truncated when logged now that they can be used as secrets
[ https://issues.apache.org/jira/browse/KNOX-2561?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Work on KNOX-2561 started by Philip Zampino. > Unique token identifiers must be truncated when logged now that they can be > used as secrets > --- > > Key: KNOX-2561 > URL: https://issues.apache.org/jira/browse/KNOX-2561 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Philip Zampino >Priority: Major > > With KNOX-2555 and KNOX-2556, the unique internal identifiers for Knox tokens > are exposed and may be used as secrets. As such, they should no longer be > fully logged. Rather, they should be truncated as the tokens themselves are > currently. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2556) Enhance JWTProvider to accept knox.id as Passcode Token
[ https://issues.apache.org/jira/browse/KNOX-2556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2556: - Fix Version/s: 1.6.0 > Enhance JWTProvider to accept knox.id as Passcode Token > --- > > Key: KNOX-2556 > URL: https://issues.apache.org/jira/browse/KNOX-2556 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Larry McCay >Assignee: Philip Zampino >Priority: Major > Fix For: 1.6.0 > > Time Spent: 3.5h > Remaining Estimate: 0h > > This enhancement enables the use of the previously internal knox.id as a > Passcode Token for accessing proxied resources as an Authorization Bearer > token or HTTP Basic password. This id has been used to bind incoming > KnoxTokens (JWT) that embed such an id to the metadata in the Token State > Server in order to provide server side state management. > The motivation for this is the fact that certain 3rd party BI tooling such as > Tableau not only have the inability to set a bearer token but also have size > limitations on the password field used to collect the username and password > credentials. > We will need to enhance the current JWTProvider to not require an actual JWT > but the Passcode Token will represent the same backend metadata. > This does mean that Passcode Tokens can only be used with the Token State > Server functionality enabled for both the KnoxToken service and the > JWTProvider federation provider. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2556) Enhance JWTProvider to accept knox.id as Passcode Token
[ https://issues.apache.org/jira/browse/KNOX-2556?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2556: - Resolution: Fixed Status: Resolved (was: Patch Available) > Enhance JWTProvider to accept knox.id as Passcode Token > --- > > Key: KNOX-2556 > URL: https://issues.apache.org/jira/browse/KNOX-2556 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Larry McCay >Assignee: Philip Zampino >Priority: Major > Time Spent: 3.5h > Remaining Estimate: 0h > > This enhancement enables the use of the previously internal knox.id as a > Passcode Token for accessing proxied resources as an Authorization Bearer > token or HTTP Basic password. This id has been used to bind incoming > KnoxTokens (JWT) that embed such an id to the metadata in the Token State > Server in order to provide server side state management. > The motivation for this is the fact that certain 3rd party BI tooling such as > Tableau not only have the inability to set a bearer token but also have size > limitations on the password field used to collect the username and password > credentials. > We will need to enhance the current JWTProvider to not require an actual JWT > but the Passcode Token will represent the same backend metadata. > This does mean that Passcode Tokens can only be used with the Token State > Server functionality enabled for both the KnoxToken service and the > JWTProvider federation provider. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Updated] (KNOX-2563) Metadata for server-managed token state should include everything needed for validation
[ https://issues.apache.org/jira/browse/KNOX-2563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Philip Zampino updated KNOX-2563: - Description: In light of KNOX-2556, the metadata for server-managed token state should include everything needed for validation, including: * intended audience(s) * NotBeforeTime such that the JWTProvider can more thoroughly validate a token UUID presented as a HTTP Basic password. was: In light of KNOX-2556, the metadata for server-managed token state should include everything needed for validation, including: * intended audience(s) * NotBeforeTime * issuer ? such that the JWTProvider can more thoroughly validate a token UUID presented as a HTTP Basic password. > Metadata for server-managed token state should include everything needed for > validation > --- > > Key: KNOX-2563 > URL: https://issues.apache.org/jira/browse/KNOX-2563 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Priority: Major > > In light of KNOX-2556, the metadata for server-managed token state should > include everything needed for validation, including: > * intended audience(s) > * NotBeforeTime > such that the JWTProvider can more thoroughly validate a token UUID presented > as a HTTP Basic password. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2564) Intermittent failure of GatewayAdminTopologyFuncTest#testPutTopology()
Philip Zampino created KNOX-2564: Summary: Intermittent failure of GatewayAdminTopologyFuncTest#testPutTopology() Key: KNOX-2564 URL: https://issues.apache.org/jira/browse/KNOX-2564 Project: Apache Knox Issue Type: Bug Components: Tests Affects Versions: 1.6.0 Reporter: Philip Zampino When running full Knox builds, the GatewayAdminTopologyFuncTest#testPutTopology() test intermittently fails. This happens both locally and with the GitHub CI builds. This test needs to be reviewed to determine the cause of these failures, and subsequently, what can be done to avoid them. -- This message was sent by Atlassian Jira (v8.3.4#803005)
[jira] [Created] (KNOX-2563) Metadata for server-managed token state should include everything needed for validation
Philip Zampino created KNOX-2563: Summary: Metadata for server-managed token state should include everything needed for validation Key: KNOX-2563 URL: https://issues.apache.org/jira/browse/KNOX-2563 Project: Apache Knox Issue Type: Bug Components: Server Affects Versions: 1.6.0 Reporter: Philip Zampino In light of KNOX-2556, the metadata for server-managed token state should include everything needed for validation, including: * intended audience(s) * NotBeforeTime * issuer ? such that the JWTProvider can more thoroughly validate a token UUID presented as a HTTP Basic password. -- This message was sent by Atlassian Jira (v8.3.4#803005)