[jira] [Work logged] (KNOX-3023) Extend the Hadoop proxyuser dispatch to optionally include groups in a header in addition to doAs

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3023?focusedWorklogId=917092=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917092
 ]

ASF GitHub Bot logged work on KNOX-3023:


Author: ASF GitHub Bot
Created on: 01/May/24 00:08
Start Date: 01/May/24 00:08
Worklog Time Spent: 10m 
  Work Description: moresandeep opened a new pull request, #903:
URL: https://github.com/apache/knox/pull/903

   ## What changes were proposed in this pull request?
   
   This PR extends configurable dispatch to optionally add authenticated 
principal and groups to the outbound request as headers (header names are 
configurable). By default this feature is turned off and will only be enabled 
if users update the dispatch config in service definition with param 
`shouldIncludePrincipalAndGroups` (demonstrated below)
   
   Following properties are configurable on dispatch
   
   - `shouldIncludePrincipalAndGroups` Should the principal and groups be 
passed to the dispatched request as request params.
   - `actorIdHeaderName` Header name for the principal, default value is 
X-Knox-Actor-ID
   - `actorGroupsHeaderPrefix` Prefix for header containing groups, default 
value is X-Knox-Actor-Groups. Note: header names are assigned as 
X-Knox-Actor-Groups-1, X-Knox-Actor-Groups-2, depending on number of groups. 
Each header i.e. X-Knox-Actor-Groups-1 can have max 1000 groups, next set of 
groups will be part of X-Knox-Actor-Groups-2 header and so on.
   - `groupFilterPattern` Regex pattern to filter groups on, default value is 
`.*`. This is useful when you only want specific groups to flow through 
dispatch. 
   
   Complete service definition example:
   ```
   
 
   
 
 
 
 shouldIncludePrincipalAndGroups
 true
 

 actorIdHeaderName
 X-Apache-Actor-ID
 
 
   
   ```
   
   Example of dispatched request headers.
   
   ```
   GET /data/2.5/forecast/city?id=524901=54557732afcfe106bfc955b9da04fb14=sam HTTP/1.1
   X-Request-Id: 39df3e87-f0ee-4dbd-bece-795186bf7be4
   X-Forwarded-For: [0:0:0:0:0:0:0:1]
   X-Forwarded-Proto: https
   X-Forwarded-Port: 8443
   X-Forwarded-Host: localhost:8443
   X-Forwarded-Server: localhost
   X-Forwarded-Context: /gateway/sandbox2
   Accept: */*
   User-Agent: curl/8.4.0
   X-Apache-Actor-ID: sam
   X-Knox-Actor-Groups-1: users
   Host: localhost:50070
   Connection: Keep-Alive
   ```
   
   
   ## How was this patch tested?
   This patch was tested locally.




Issue Time Tracking
---

Worklog Id: (was: 917092)
Remaining Estimate: 0h
Time Spent: 10m

> Extend the Hadoop proxyuser dispatch to optionally include groups in a header 
> in addition to doAs
> -
>
> Key: KNOX-3023
> URL: https://issues.apache.org/jira/browse/KNOX-3023
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently Hadoop proxyuser dispatch does not have a mechanism to relay user 
> groups. This JIRA tried to address this problem. This can be done similar to 
> what we have done in [Knox Auth 
> Service|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Knox+Auth+Service]
>  `auth/api/v1/pre`  endpoint where a header is added to the response (by 
> default X-Knox-Actor-ID) with the principal name to the response. In this 
> case these headers will be added to outgoing requests.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
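
The header layout described in PR #903 above (filter groups by `groupFilterPattern`, then split them across numbered headers of at most 1000 groups each), as an added example in Java that is not code from the pull request or from Knox. The class and method names, the comma delimiter inside a header, the full-match filter semantics and the header-safety check are assumptions made for the illustration.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.IntStream;

// Added illustration of the header layout described in the PR text; not Knox source code.
public class ActorHeaderSketch {

  // Defaults quoted in the PR description.
  static final String ACTOR_ID_HEADER = "X-Knox-Actor-ID";
  static final String GROUPS_HEADER_PREFIX = "X-Knox-Actor-Groups";
  static final String GROUP_FILTER = ".*";
  static final int MAX_GROUPS_PER_HEADER = 1000;

  // Assumption: groups sharing one header are comma-separated (the PR text does not say).
  static final String DELIMITER = ",";

  static Map<String, String> buildActorHeaders(String principal, Collection<String> groups,
      String actorIdHeader, String groupsPrefix, String groupFilter, int maxPerHeader) {
    requireHeaderSafe(principal, false);
    Pattern filter = Pattern.compile(groupFilter);

    // Assumption: a group is forwarded only if its whole name matches the pattern.
    List<String> kept = groups.stream()
        .filter(g -> filter.matcher(g).matches())
        .collect(Collectors.toList());

    Map<String, String> headers = new LinkedHashMap<>();
    headers.put(actorIdHeader, principal);

    // Chunk the surviving groups: prefix-1 holds the first maxPerHeader, prefix-2 the next, ...
    for (int start = 0, n = 1; start < kept.size(); start += maxPerHeader, n++) {
      List<String> chunk = kept.subList(start, Math.min(start + maxPerHeader, kept.size()));
      chunk.forEach(g -> requireHeaderSafe(g, true));
      headers.put(groupsPrefix + "-" + n, String.join(DELIMITER, chunk));
    }
    return headers;
  }

  // CR/LF in a value would break header framing; the delimiter inside a group name
  // would make the backend see one group as two.
  static void requireHeaderSafe(String value, boolean isGroup) {
    if (value == null || value.isEmpty()
        || value.indexOf('\r') >= 0 || value.indexOf('\n') >= 0
        || (isGroup && value.contains(DELIMITER))) {
      throw new IllegalArgumentException("value not safe to place in a header");
    }
  }

  public static void main(String[] args) {
    // Constructed sample: 2500 synthetic groups plus two that the filter should drop.
    List<String> groups = IntStream.range(0, 2500)
        .mapToObj(i -> "analytics-" + i)
        .collect(Collectors.toCollection(ArrayList::new));
    groups.add("wheel");
    groups.add("not-analytics-1");

    Map<String, String> headers = buildActorHeaders("sam", groups,
        ACTOR_ID_HEADER, GROUPS_HEADER_PREFIX, "analytics-.*", MAX_GROUPS_PER_HEADER);

    // Print each header name with either the principal or the number of groups it carries.
    headers.forEach((name, value) -> System.out.println(name + ": "
        + (name.equals(ACTOR_ID_HEADER) ? value : value.split(DELIMITER).length + " groups")));
  }
}
```
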


[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917041=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917041
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 30/Apr/24 15:05
Start Date: 30/Apr/24 15:05
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #902:
URL: https://github.com/apache/knox/pull/902




Issue Time Tracking
---

Worklog Id: (was: 917041)
Time Spent: 1h  (was: 50m)

> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
>  * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where 
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the 
> attachment)
>  * acquire a Knox Token using the Token Generation UI
>  * use the {{Passcode}} field in a {{curl}} request against a service 
> endpoint in the new topology
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku 
> Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
>  https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error 
> message.





[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917034=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917034
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 30/Apr/24 14:10
Start Date: 30/Apr/24 14:10
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584899366


##
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws 
Exception {
 testCookieAuthSupport(true, "customCookie");
   }
 
+  @Test
+  public void testVerifyPasscodeTokens() throws Exception {
+testVerifyPasscodeTokens(true);
+  }
+
+  @Test
+  public void testVerifyPasscodeTokensTssDisabled() throws Exception {
+testVerifyPasscodeTokens(false);
+  }
+
+  private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception {
+final String topologyName = "jwt-topology";
+final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a";
+final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95";
+final String passcodeToken = 
"UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9";
+
+final TokenStateService tokenStateService = 
EasyMock.createNiceMock(TokenStateService.class);
+
EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes();
+
+final TokenMetadata tokenMetadata = 
EasyMock.createNiceMock(TokenMetadata.class);
+EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes();
+
EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes();
+
+final Properties filterConfigProps = getProperties();
+filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, 
Boolean.toString(tssEnabled));
+filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName);
+final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, 
tokenStateService);
+handler.init(filterConfig);
+
+final HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequest.class);
+EasyMock.expect(request.getRequestURL()).andReturn(new 
StringBuffer(SERVICE_URL)).anyTimes();
+EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + 
passcodeToken);
+
+final HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
+if (!tssEnabled) {
+  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR);
+  EasyMock.expectLastCall().once();
+}
+EasyMock.replay(tokenStateService, tokenMetadata, request, response);
+
+SignatureVerificationCache.getInstance(topologyName, 
filterConfig).recordSignatureVerification(passcode);
+
+final TestFilterChain chain = new TestFilterChain();
+handler.doFilter(request, response, chain);
+
+EasyMock.verify(response);
+if (tssEnabled) {
+  Assert.assertTrue(chain.doFilterCalled);
+  Assert.assertNotNull(chain.subject);
+} else {
+  Assert.assertFalse(chain.doFilterCalled);
+}
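
Review bot: In the `tssEnabled` branch at the end of `testVerifyPasscodeTokens(boolean)`, nothing checks that `sendError` was not called. `response` is created with `EasyMock.createNiceMock`, which tolerates unexpected calls, so `EasyMock.verify(response)` passes in that branch even if the filter also sent an error. Consider a regular `EasyMock.createMock(HttpServletResponse.class)` for `response` (recording any other calls the filter makes on it), so a stray `sendError` fails the enabled case instead of relying on `chain.doFilterCalled` alone.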

Review Comment:
   Ahhh - expectLastCall does the assert - duh...
   Thanks, man!





Issue Time Tracking
---

Worklog Id: (was: 917034)
Time Spent: 50m  (was: 40m)

> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
>  * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where 
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the 
> attachment)
>  * acquire a Knox Token using the Token Generation UI
>  * use the {{Passcode}} field in a {{curl}} request against a service 
> endpoint in the new topology
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku 
> Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
>  

[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917027=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917027
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 30/Apr/24 13:24
Start Date: 30/Apr/24 13:24
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584815961


##
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws 
Exception {
 testCookieAuthSupport(true, "customCookie");
   }
 
+  @Test
+  public void testVerifyPasscodeTokens() throws Exception {
+testVerifyPasscodeTokens(true);
+  }
+
+  @Test
+  public void testVerifyPasscodeTokensTssDisabled() throws Exception {
+testVerifyPasscodeTokens(false);
+  }
+
+  private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception {
+final String topologyName = "jwt-topology";
+final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a";
+final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95";
+final String passcodeToken = 
"UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9";
+
+final TokenStateService tokenStateService = 
EasyMock.createNiceMock(TokenStateService.class);
+
EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes();
+
+final TokenMetadata tokenMetadata = 
EasyMock.createNiceMock(TokenMetadata.class);
+EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes();
+
EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes();
+
+final Properties filterConfigProps = getProperties();
+filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, 
Boolean.toString(tssEnabled));
+filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName);
+final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, 
tokenStateService);
+handler.init(filterConfig);
+
+final HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequest.class);
+EasyMock.expect(request.getRequestURL()).andReturn(new 
StringBuffer(SERVICE_URL)).anyTimes();
+EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + 
passcodeToken);
+
+final HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
+if (!tssEnabled) {
+  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR);
+  EasyMock.expectLastCall().once();
+}
+EasyMock.replay(tokenStateService, tokenMetadata, request, response);
+
+SignatureVerificationCache.getInstance(topologyName, 
filterConfig).recordSignatureVerification(passcode);
+
+final TestFilterChain chain = new TestFilterChain();
+handler.doFilter(request, response, chain);
+
+EasyMock.verify(response);
+if (tssEnabled) {
+  Assert.assertTrue(chain.doFilterCalled);
+  Assert.assertNotNull(chain.subject);
+} else {
+  Assert.assertFalse(chain.doFilterCalled);
+}
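
Review bot: The `request.getHeader("Authorization")` expectation is the only recorded call in this method without `.anyTimes()`. On a nice mock the header is then returned once and any later read yields `null`, which ties the test to how many times the filter happens to read the header. Adding `.anyTimes()`, as on `getRequestURL()`, keeps the test focused on the 401 behaviour.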

Review Comment:
   Even with what we had in 2.0.0 and before, the filter chain is not invoked 
if the token state service was disabled. See the relevant code in JWTProvider:
   ```
   if (validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, tokenId, passcode)) {
     try {
       Subject subject = createSubjectFromTokenIdentifier(tokenId);
       continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
     } catch (UnknownTokenException e) {
       ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
   }
   ```
   If TSS was disabled, the `validateToken` returned `false` -> we did not 
continue processing the request.
   
   Moreover, we **_do test_** for 401. See the expectation a [couple more lines 
above](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR142-R145).
 If TSS is disabled, it's expected that `sendError` is invoked on `response` 
with the proper params (401 and the error message). Verification of that 
expectation happens 
[here](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR153).





Issue Time Tracking
---


[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917026=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917026
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 30/Apr/24 13:23
Start Date: 30/Apr/24 13:23
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584815961


##
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws 
Exception {
 testCookieAuthSupport(true, "customCookie");
   }
 
+  @Test
+  public void testVerifyPasscodeTokens() throws Exception {
+testVerifyPasscodeTokens(true);
+  }
+
+  @Test
+  public void testVerifyPasscodeTokensTssDisabled() throws Exception {
+testVerifyPasscodeTokens(false);
+  }
+
+  private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception {
+final String topologyName = "jwt-topology";
+final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a";
+final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95";
+final String passcodeToken = 
"UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9";
+
+final TokenStateService tokenStateService = 
EasyMock.createNiceMock(TokenStateService.class);
+
EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes();
+
+final TokenMetadata tokenMetadata = 
EasyMock.createNiceMock(TokenMetadata.class);
+EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes();
+
EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes();
+
+final Properties filterConfigProps = getProperties();
+filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, 
Boolean.toString(tssEnabled));
+filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName);
+final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, 
tokenStateService);
+handler.init(filterConfig);
+
+final HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequest.class);
+EasyMock.expect(request.getRequestURL()).andReturn(new 
StringBuffer(SERVICE_URL)).anyTimes();
+EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + 
passcodeToken);
+
+final HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
+if (!tssEnabled) {
+  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR);
+  EasyMock.expectLastCall().once();
+}
+EasyMock.replay(tokenStateService, tokenMetadata, request, response);
+
+SignatureVerificationCache.getInstance(topologyName, 
filterConfig).recordSignatureVerification(passcode);
+
+final TestFilterChain chain = new TestFilterChain();
+handler.doFilter(request, response, chain);
+
+EasyMock.verify(response);
+if (tssEnabled) {
+  Assert.assertTrue(chain.doFilterCalled);
+  Assert.assertNotNull(chain.subject);
+} else {
+  Assert.assertFalse(chain.doFilterCalled);
+}

Review Comment:
   Even with what we had in 2.0.0 and before, the filter chain is not invoked 
if the token state service was disabled. See the relevant code in JWTProvider:
   ```
   if (validateToken((HttpServletRequest) request, (HttpServletResponse) response, chain, tokenId, passcode)) {
     try {
       Subject subject = createSubjectFromTokenIdentifier(tokenId);
       continueWithEstablishedSecurityContext(subject, (HttpServletRequest) request, (HttpServletResponse) response, chain);
     } catch (UnknownTokenException e) {
       ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
     }
   }
   ```
   If TSS was disabled, the `validateToken` returned `false` -> we did not 
continue processing the request.
   
   Moreover, we **_do test_** for 401. See the expectation a [couple more lines 
above](https://github.com/apache/knox/pull/902/files#diff-5d4c0de65c3e71a37e2cd6836a5eef836a4f9d708240052afec57da23d62ba8eR142-R145).
 If TSS is disabled, it's expected that `sendError` is invoked on `response` 
with the proper params (401 and the error message).





Issue Time Tracking
---

Worklog Id: (was: 917026)
Time Spent: 0.5h  (was: 20m)

> Passcode token verification doesn't return error when TSS is disabled
> 

[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-30 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=917005=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-917005
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 30/Apr/24 12:44
Start Date: 30/Apr/24 12:44
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #902:
URL: https://github.com/apache/knox/pull/902#discussion_r1584746910


##
gateway-provider-security-jwt/src/test/java/org/apache/knox/gateway/provider/federation/JWTFederationFilterTest.java:
##
@@ -98,6 +104,61 @@ public void testCookieAuthSupportCustomCookieName() throws 
Exception {
 testCookieAuthSupport(true, "customCookie");
   }
 
+  @Test
+  public void testVerifyPasscodeTokens() throws Exception {
+testVerifyPasscodeTokens(true);
+  }
+
+  @Test
+  public void testVerifyPasscodeTokensTssDisabled() throws Exception {
+testVerifyPasscodeTokens(false);
+  }
+
+  private void testVerifyPasscodeTokens(boolean tssEnabled) throws Exception {
+final String topologyName = "jwt-topology";
+final String tokenId = "4e0c548b-6568-4061-a3dc-62908087650a";
+final String passcode = "0138aaed-ca2a-47f1-8ed8-e0c397596f95";
+final String passcodeToken = 
"UGFzc2NvZGU6VGtkVmQxbDZWVEJQUjBsMFRtcFZNazlETURCTlJGbDRURmRGZWxwSFRYUk9ha2sxVFVSbmQwOUVZekpPVkVKb09qcE5SRVY2VDBkR2FGcFhVWFJaTWtWNVdWTXdNRTR5V1hoTVZHaHNXa1JuZEZwVVFtcE5lbXN6VGxSck1scHFhekU9";
+
+final TokenStateService tokenStateService = 
EasyMock.createNiceMock(TokenStateService.class);
+
EasyMock.expect(tokenStateService.getTokenExpiration(tokenId)).andReturn(Long.MAX_VALUE).anyTimes();
+
+final TokenMetadata tokenMetadata = 
EasyMock.createNiceMock(TokenMetadata.class);
+EasyMock.expect(tokenMetadata.isEnabled()).andReturn(true).anyTimes();
+
EasyMock.expect(tokenMetadata.getPasscode()).andReturn(passcodeToken).anyTimes();
+
EasyMock.expect(tokenStateService.getTokenMetadata(EasyMock.anyString())).andReturn(tokenMetadata).anyTimes();
+
+final Properties filterConfigProps = getProperties();
+filterConfigProps.put(TokenStateService.CONFIG_SERVER_MANAGED, 
Boolean.toString(tssEnabled));
+filterConfigProps.put(TestFilterConfig.TOPOLOGY_NAME_PROP, topologyName);
+final FilterConfig filterConfig = new TestFilterConfig(filterConfigProps, 
tokenStateService);
+handler.init(filterConfig);
+
+final HttpServletRequest request = 
EasyMock.createNiceMock(HttpServletRequest.class);
+EasyMock.expect(request.getRequestURL()).andReturn(new 
StringBuffer(SERVICE_URL)).anyTimes();
+EasyMock.expect(request.getHeader("Authorization")).andReturn("Basic " + 
passcodeToken);
+
+final HttpServletResponse response = 
EasyMock.createNiceMock(HttpServletResponse.class);
+if (!tssEnabled) {
+  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, 
AbstractJWTFilter.TOKEN_STATE_SERVICE_DISABLED_ERROR);
+  EasyMock.expectLastCall().once();
+}
+EasyMock.replay(tokenStateService, tokenMetadata, request, response);
+
+SignatureVerificationCache.getInstance(topologyName, 
filterConfig).recordSignatureVerification(passcode);
+
+final TestFilterChain chain = new TestFilterChain();
+handler.doFilter(request, response, chain);
+
+EasyMock.verify(response);
+if (tssEnabled) {
+  Assert.assertTrue(chain.doFilterCalled);
+  Assert.assertNotNull(chain.subject);
+} else {
+  Assert.assertFalse(chain.doFilterCalled);
+}
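
Review bot: `passcodeToken` is a hard-coded encoded string, and nothing in the hunk shows how it relates to the separate `tokenId` and `passcode` constants declared just above it, so a reader cannot tell whether the three stay consistent if one of them is edited. Consider building `passcodeToken` from `tokenId` and `passcode` inside the test, or adding a comment that states the encoding.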

Review Comment:
   Shouldn't we also test that it is a 401 rather than the current 200? Granted 
it will only be coming from the mock but seems like we should test it anyway to 
at least show expectations. Current behavior returns a 200 but does the filter 
chain continue anyway or was it already being terminated?





Issue Time Tracking
---

Worklog Id: (was: 917005)
Time Spent: 20m  (was: 10m)

> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
>  * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where 
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the 
> attachment)
>  * acquire a Knox Token using the Token Generation UI
>  * use the {{Passcode}} field in a {{curl}} request against a service 
> endpoint in the new topology
> *Current 

[jira] [Work logged] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled

2024-04-29 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3032?focusedWorklogId=916840=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-916840
 ]

ASF GitHub Bot logged work on KNOX-3032:


Author: ASF GitHub Bot
Created on: 29/Apr/24 12:24
Start Date: 29/Apr/24 12:24
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #902:
URL: https://github.com/apache/knox/pull/902

   ## What changes were proposed in this pull request?
   
   I updated the passcode verification logic in a way such that it returns an 
HTTP error response with 401 error code if clients want to verify a passcode 
token without properly configured token state service.
   
   
   ## How was this patch tested?
   
   I added the missing JUnit test cases and re-ran the `curl` command I used 
for reproducing the issue:
   ```
   $ curl -iku 
Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
 https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
   HTTP/1.1 401 Unauthorized
   Cache-Control: must-revalidate,no-cache,no-store
   Content-Type: text/html;charset=iso-8859-1
   Content-Length: 684
   
   
   
   
   Error 401 Error in token provider config: passcode use with 
knox.token.exp.server-managed set to false.
   
   HTTP ERROR 401 Error in token provider config: passcode use with 
knox.token.exp.server-managed set to false.
   
   URI:/gateway/proxy-token/health/v1/gateway-status
   STATUS:401
   MESSAGE:Error in token provider config: passcode use with 
knox.token.exp.server-managed set to false.
   SERVLET:proxy-token-knox-gateway-servlet
   
   
   
   
   ```
   




Issue Time Tracking
---

Worklog Id: (was: 916840)
Remaining Estimate: 0h
Time Spent: 10m

> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
>  * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where 
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the 
> attachment)
>  * acquire a Knox Token using the Token Generation UI
>  * use the {{Passcode}} field in a {{curl}} request against a service 
> endpoint in the new topology
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku 
> Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
>  https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error 
> message.





[jira] [Work logged] (KNOX-3030) SAXException occurs while parsing old topology on the descriptor handle path

2024-04-22 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3030?focusedWorklogId=915886=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915886
 ]

ASF GitHub Bot logged work on KNOX-3030:


Author: ASF GitHub Bot
Created on: 22/Apr/24 18:10
Start Date: 22/Apr/24 18:10
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #901:
URL: https://github.com/apache/knox/pull/901




Issue Time Tracking
---

Worklog Id: (was: 915886)
Time Spent: 20m  (was: 10m)

> SAXException occurs while parsing old topology on the descriptor handle path
> 
>
> Key: KNOX-3030
> URL: https://issues.apache.org/jira/browse/KNOX-3030
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> In highly concurrent environments  Knox may fail to parse the generated 
> topology from descriptors/shared providers thus topology deployment fails 
> with the following error:
> {noformat}
> 2024-01-26 10:35:25,173 ERROR topology.simple 
> (SimpleDescriptorHandler.java:shouldPersistGeneratedTopology(682)) - Error 
> comparing the generated cdp-proxy topology with the existing version: 
> org.xml.sax.SAXParseException; lineNumber: 35; columnNumber: 20; Error at 
> line 35 char 20: class org.apache.knox.gateway.topology.Provider cannot be 
> cast to class org.apache.knox.gateway.topology.Param 
> (org.apache.knox.gateway.topology.Provider and 
> org.apache.knox.gateway.topology.Param are in unnamed module of loader 
> java.net.URLClassLoader @668bc3d5)
> 2024-01-26 10:35:25,173 INFO  topology.simple 
> (SimpleDescriptorHandler.java:generateTopology(622)) - Skipping redeployment 
> of the cdp-proxy topology because it already exists and has not changed. 
> {noformat}
>  This will lead to unreachable end-user endpoints.





[jira] [Work logged] (KNOX-3030) SAXException occurs while parsing old topology on the descriptor handle path

2024-04-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3030?focusedWorklogId=915478=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-915478
 ]

ASF GitHub Bot logged work on KNOX-3030:


Author: ASF GitHub Bot
Created on: 19/Apr/24 07:14
Start Date: 19/Apr/24 07:14
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #901:
URL: https://github.com/apache/knox/pull/901

   ## What changes were proposed in this pull request?
   
   This change makes the `TopologyUtils.parse(...)` methods thread safe by 
synchronizing them. Another update is that occurrences of `SAXParseException` 
are handled separately and logged properly.
   
   ## How was this patch tested?
   
   Multiple automated tests were executed in parallel to challenge Knox (more than 
50 at a time). These tests were capable of reproducing the issue constantly. 
After repeating the same tests 3 times, we found no problems.
   




Issue Time Tracking
---

Worklog Id: (was: 915478)
Remaining Estimate: 0h
Time Spent: 10m

> SAXException occurs while parsing old topology on the descriptor handle path
> 
>
> Key: KNOX-3030
> URL: https://issues.apache.org/jira/browse/KNOX-3030
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> In highly concurrent environments  Knox may fail to parse descriptors/shared 
> providers thus topology deployment fails with the following error:
> {noformat}
> 2024-01-26 10:35:25,173 ERROR topology.simple 
> (SimpleDescriptorHandler.java:shouldPersistGeneratedTopology(682)) - Error 
> comparing the generated cdp-proxy topology with the existing version: 
> org.xml.sax.SAXParseException; lineNumber: 35; columnNumber: 20; Error at 
> line 35 char 20: class org.apache.knox.gateway.topology.Provider cannot be 
> cast to class org.apache.knox.gateway.topology.Param 
> (org.apache.knox.gateway.topology.Provider and 
> org.apache.knox.gateway.topology.Param are in unnamed module of loader 
> java.net.URLClassLoader @668bc3d5)
> 2024-01-26 10:35:25,173 INFO  topology.simple 
> (SimpleDescriptorHandler.java:generateTopology(622)) - Skipping redeployment 
> of the cdp-proxy topology because it already exists and has not changed. 
> {noformat}
>  This will lead to unreachable end-user endpoints.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-15 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914718=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914718
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 15/Apr/24 17:55
Start Date: 15/Apr/24 17:55
Worklog Time Spent: 10m 
  Work Description: lmccay merged PR #900:
URL: https://github.com/apache/knox/pull/900




Issue Time Tracking
---

Worklog Id: (was: 914718)
Time Spent: 3h  (was: 2h 50m)

> KnoxToken extension for OAuth Token Flows
> -----------------------------------------
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 3h
> Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific use case, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the OpenAPI description for 
> the catalog API [1].
> In addition to this use case, we should add generic support for the token 
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register a URL pattern for each use case and the resource path within the 
> Jersey service will need to accommodate the dynamic nature of the Iceberg 
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the 
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name 
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining 
> path fragment being optional for the Iceberg-specific "tokens".
> Not pretty but it will work.
> 1. 
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
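
The issue description above says the service name is wildcarded as a regex-matched path parameter. The following is an added example, not code from the PR or from Knox: a simplified `java.util.regex` model of the `RESOURCE_PATH` template from the PR's `OAuthResource`, showing which request paths that template accepts. The class name, the `[^/]+` variant and the three constructed sample paths are assumptions made here, and Jersey's own matcher may treat base paths and trailing slashes differently.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OAuthPathTemplateCheck {

    // Path template copied from OAuthResource.RESOURCE_PATH in the PR.
    static final String PR_TEMPLATE =
        "/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";

    // Hypothetical stricter variant: the service name is exactly one path segment.
    static final String SINGLE_SEGMENT_TEMPLATE =
        "/{serviceName:[^/]+}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";

    // Matches one "{name:regex}" template variable. The variable regexes used
    // above contain no braces, so [^}]+ is enough for this model.
    private static final Pattern VARIABLE = Pattern.compile("\\{(\\w+):([^}]+)\\}");

    /** Turns a template into a regex with one named group per template variable. */
    static Pattern compile(String template) {
        StringBuilder regex = new StringBuilder();
        Matcher m = VARIABLE.matcher(template);
        int last = 0;
        while (m.find()) {
            // Literal text between variables is matched verbatim.
            regex.append(Pattern.quote(template.substring(last, m.start())));
            regex.append("(?<").append(m.group(1)).append('>')
                 .append(m.group(2)).append(')');
            last = m.end();
        }
        regex.append(Pattern.quote(template.substring(last)));
        return Pattern.compile(regex.toString());
    }

    /** Returns the captured variables, or null when the whole path does not match. */
    static Map<String, String> match(Pattern p, String path) {
        Matcher m = p.matcher(path);
        if (!m.matches()) {
            return null;
        }
        Map<String, String> vars = new LinkedHashMap<>();
        for (String name : new String[] {"serviceName", "oauthSegment", "path"}) {
            vars.put(name, m.group(name));
        }
        return vars;
    }

    static String describe(Map<String, String> vars) {
        return vars == null ? "no match" : vars.toString();
    }

    public static void main(String[] args) {
        String[] paths = {
            "/icecli/v1/oauth/tokens",  // Iceberg form from the issue, trailing slash dropped
            "/oauth/v1/token",          // generic form from the issue
            "/a/b/v1/token",            // constructed: two segments before /v1/
            "/icecli/v1/token/tokens",  // constructed: "token" followed by "/tokens"
            "/icecli/v2/oauth/tokens"   // constructed: wrong version segment
        };
        Pattern pr = compile(PR_TEMPLATE);
        Pattern strict = compile(SINGLE_SEGMENT_TEMPLATE);
        for (String path : paths) {
            System.out.println(path);
            System.out.println("  serviceName:.*     -> " + describe(match(pr, path)));
            System.out.println("  serviceName:[^/]+  -> " + describe(match(strict, path)));
        }
    }
}
```

Running it shows where the two templates disagree: only the multi-segment prefix is treated differently, while the `token` plus `/tokens` combination is accepted by both.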


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-15 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914673=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914673
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 15/Apr/24 15:29
Start Date: 15/Apr/24 15:29
Worklog Time Spent: 10m 
  Work Description: pzampino commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1565979770


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -71,7 +71,7 @@ public Response getAuthenticationToken() {
 response = enforceTokenLimitsAsRequired(context.userName);
 if (response != null) { return response; }
 
-TokenResponse resp = getTokenResponse(context);
+TokenResponseContext resp = getTokenResponse(context);

Review Comment:
   I do like this name better.





Issue Time Tracking
---

Worklog Id: (was: 914673)
Time Spent: 2h 50m  (was: 2h 40m)



[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-15 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914671=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914671
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 15/Apr/24 15:24
Start Date: 15/Apr/24 15:24
Worklog Time Spent: 10m 
  Work Description: pzampino commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1565977800


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxtoken;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.JsonUtils;
+
+import javax.inject.Singleton;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+
+import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+
+@Singleton
+@Path(OAuthResource.RESOURCE_PATH)
+public class OAuthResource extends TokenResource {
+private static TokenServiceMessages log = 
MessagesFactory.get(TokenServiceMessages.class);
+static final String RESOURCE_PATH = 
"/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";
+public static final String ISSUED_TOKEN_TYPE = "issued_token_type";
+public static final String REFRESH_TOKEN = "refresh_token";
+public static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE = 
"urn:ietf:params:oauth:token-type:access_token";
+
+@Override
+@GET
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doGet() {
+return super.doGet();
+}
+
+@Override
+@POST
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doPost() {
+return super.doPost();
+}
+
+@Override
+public Response getAuthenticationToken() {
+
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+// if the responseMap isn't null then the knoxtoken request was 
successful
+// if not then there may have been an error and the underlying response
+// builder will communicate those details
+if (resp.responseMap != null) {
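
Review bot: In `RESOURCE_PATH`, `{serviceName:.*}` is not limited to one path segment: `.*` also matches `/`, so a prefix of any depth ahead of `/v1/` is accepted and captured as the service name. If the service name is meant to be a single configurable segment such as "icecli", `{serviceName:[^/]+}` would express that. A comment on the constant listing the URLs it is expected to match would also help the next reader.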

Review Comment:
   I'm not necessarily looking for a change, but wanted to understand the 
rationale.





Issue Time Tracking
---

Worklog Id: (was: 914671)
Time Spent: 2h 40m  (was: 2.5h)


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914518=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914518
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 21:06
Start Date: 13/Apr/24 21:06
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564256326


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -780,26 +782,98 @@ private X509Certificate 
extractCertificate(HttpServletRequest req) {
 return null;
   }
 
-  private Response getAuthenticationToken() {
-if (clientCertRequired) {
-  X509Certificate cert = extractCertificate(request);
-  if (cert != null) {
-if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-  return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
- .build();
-}
+  protected Response getAuthenticationToken() {
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+return resp.build();
+  }
+
+  protected TokenResponse getTokenResponse(UserContext context) {
+TokenResponse response = null;
+long expires = getExpiry();
+setupPublicCertPEM();
+String jku = getJku();
+try
+{
+  JWT token = getJWT(context.userName, expires, jku);
+  if (token != null) {
+ResponseMap result = buildResponseMap(token, expires);
+String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+persistTokenDetails(result, expires, context.userName, 
context.createdBy);
+
+response = new TokenResponse(result, jsonResponse, Response.ok());
   } else {
-return Response.status(Response.Status.FORBIDDEN)
-   .entity("{ \"Unable to get token - client cert 
required.\" }")
-   .build();
+response = new TokenResponse(null, null, Response.serverError());
+  }
+} catch (TokenServiceException e) {
+  log.unableToIssueToken(e);
+  response = new TokenResponse(null
+  , "{ \"Unable to acquire token.\" }"
+  , Response.serverError());
+}
+return response;
+  }
+
+  protected static class TokenResponse {
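
Review bot: The error entity in the `catch (TokenServiceException e)` branch of `getTokenResponse`, `"{ \"Unable to acquire token.\" }"`, is not valid JSON: it is a bare string inside braces with no key, so a client that parses the body as JSON will fail on it. A keyed form such as `{ "error": "Unable to acquire token." }` (the key name is only a suggestion) would be parseable.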

Review Comment:
   Changed it to TokenResponseContext for now.





Issue Time Tracking
---

Worklog Id: (was: 914518)
Time Spent: 2.5h  (was: 2h 20m)


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914517=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914517
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 21:01
Start Date: 13/Apr/24 21:01
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564253699


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxtoken;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.JsonUtils;
+
+import javax.inject.Singleton;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+
+import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+
+@Singleton
+@Path(OAuthResource.RESOURCE_PATH)
+public class OAuthResource extends TokenResource {
+private static TokenServiceMessages log = 
MessagesFactory.get(TokenServiceMessages.class);
+static final String RESOURCE_PATH = 
"/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";
+public static final String ISSUED_TOKEN_TYPE = "issued_token_type";
+public static final String REFRESH_TOKEN = "refresh_token";
+public static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE = 
"urn:ietf:params:oauth:token-type:access_token";
+
+@Override
+@GET
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doGet() {
+return super.doGet();
+}
+
+@Override
+@POST
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doPost() {
+return super.doPost();
+}
+
+@Override
+public Response getAuthenticationToken() {
+
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+// if the responseMap isn't null then the knoxtoken request was 
successful
+// if not then there may have been an error and the underlying response
+// builder will communicate those details
+if (resp.responseMap != null) {
+// let's get the subset of the KnoxToken Response needed for OAuth
+String accessToken = resp.responseMap.accessToken;
+String passcode = resp.responseMap.passcode;
+long expires = (long) resp.responseMap.map.get(EXPIRES_IN);
+String tokenType = (String) resp.responseMap.map.get(TOKEN_TYPE);
+
+// build and return the expected OAuth response
+final HashMap map = new HashMap<>();
+map.put(ACCESS_TOKEN, accessToken);
+map.put(TOKEN_TYPE, tokenType);
+map.put(EXPIRES_IN, expires);
+map.put(ISSUED_TOKEN_TYPE, ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE);
+// let's use the passcode as the refresh token
+map.put(REFRESH_TOKEN, passcode);
+String jsonResponse = JsonUtils.renderAsJsonString(map);
+return resp.responseBuilder.entity(jsonResponse).build();
+}
+// there was an error if we got here - let's surface it appropriately
+// TODO: LJM we may need to translate certain errors into OAuth error 
messages
+if (resp.responseStr != null) {
+return resp.responseBuilder.entity(resp.responseStr).build();
+}
+else {
+return 
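
Review bot: `long expires = (long) resp.responseMap.map.get(EXPIRES_IN);` unboxes whatever the map holds, so a missing key throws a NullPointerException and a value stored as anything other than `Long` throws a ClassCastException. Reading it as a `Number` and calling `longValue()` after a null check would be safer. The same applies to `passcode`, which is put into the map as `refresh_token` without a null check; leaving the key out when there is no passcode avoids returning a null refresh token.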

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914516=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914516
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 21:00
Start Date: 13/Apr/24 21:00
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564253456


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -780,26 +782,98 @@ private X509Certificate 
extractCertificate(HttpServletRequest req) {
 return null;
   }
 
-  private Response getAuthenticationToken() {
-if (clientCertRequired) {
-  X509Certificate cert = extractCertificate(request);
-  if (cert != null) {
-if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-  return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
- .build();
-}
+  protected Response getAuthenticationToken() {
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+return resp.build();
+  }
+
+  protected TokenResponse getTokenResponse(UserContext context) {
+TokenResponse response = null;
+long expires = getExpiry();
+setupPublicCertPEM();
+String jku = getJku();
+try
+{
+  JWT token = getJWT(context.userName, expires, jku);
+  if (token != null) {
+ResponseMap result = buildResponseMap(token, expires);
+String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+persistTokenDetails(result, expires, context.userName, 
context.createdBy);
+
+response = new TokenResponse(result, jsonResponse, Response.ok());
   } else {
-return Response.status(Response.Status.FORBIDDEN)
-   .entity("{ \"Unable to get token - client cert 
required.\" }")
-   .build();
+response = new TokenResponse(null, null, Response.serverError());
+  }
+} catch (TokenServiceException e) {
+  log.unableToIssueToken(e);
+  response = new TokenResponse(null
+  , "{ \"Unable to acquire token.\" }"
+  , Response.serverError());
+}
+return response;
+  }
+
+  protected static class TokenResponse {
+public ResponseMap responseMap;
+public String responseStr;
+public Response.ResponseBuilder responseBuilder;
+
+public TokenResponse(ResponseMap respMap, String resp, 
Response.ResponseBuilder builder) {
+  responseMap = respMap;
+  responseStr = resp;
+  responseBuilder = builder;
+}
+
+public Response build() {
+  Response response = null;
+  if (responseStr != null) {
+response = responseBuilder.entity(responseStr).build();
   }
+  else {
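
Review bot: `TokenResponse` exposes `responseMap`, `responseStr` and `responseBuilder` as public non-final fields, so any code holding an instance can reassign them between construction and `build()`. They are only assigned in the constructor here, so declaring them `final` keeps the direct field access and rules out accidental reassignment. `Response response = null;` in `build()` could then become a direct return from each branch.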

Review Comment:
   Changing it to be consistent with the rest of the class.





Issue Time Tracking
---

Worklog Id: (was: 914516)
Time Spent: 2h 10m  (was: 2h)


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914515=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914515
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:49
Start Date: 13/Apr/24 20:49
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564248082


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxtoken;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.JsonUtils;
+
+import javax.inject.Singleton;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+
+import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+
+@Singleton
+@Path(OAuthResource.RESOURCE_PATH)
+public class OAuthResource extends TokenResource {
+private static TokenServiceMessages log = 
MessagesFactory.get(TokenServiceMessages.class);
+static final String RESOURCE_PATH = 
"/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";
+public static final String ISSUED_TOKEN_TYPE = "issued_token_type";
+public static final String REFRESH_TOKEN = "refresh_token";
+public static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE = 
"urn:ietf:params:oauth:token-type:access_token";
+
+@Override
+@GET
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doGet() {
+return super.doGet();
+}
+
+@Override
+@POST
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doPost() {
+return super.doPost();
+}
+
+@Override
+public Response getAuthenticationToken() {
+
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+// if the responseMap isn't null then the knoxtoken request was 
successful
+// if not then there may have been an error and the underlying response
+// builder will communicate those details
+if (resp.responseMap != null) {
+// let's get the subset of the KnoxToken Response needed for OAuth
+String accessToken = resp.responseMap.accessToken;
+String passcode = resp.responseMap.passcode;
+long expires = (long) resp.responseMap.map.get(EXPIRES_IN);
+String tokenType = (String) resp.responseMap.map.get(TOKEN_TYPE);
+
+// build and return the expected OAuth response
+final HashMap map = new HashMap<>();
+map.put(ACCESS_TOKEN, accessToken);
+map.put(TOKEN_TYPE, tokenType);
+map.put(EXPIRES_IN, expires);
+map.put(ISSUED_TOKEN_TYPE, ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE);
+// let's use the passcode as the refresh token
+map.put(REFRESH_TOKEN, passcode);
+String jsonResponse = JsonUtils.renderAsJsonString(map);
+return resp.responseBuilder.entity(jsonResponse).build();
+}
+// there was an error if we got here - let's surface it appropriately
+// TODO: LJM we may need to translate certain errors into OAuth error 
messages
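
Review bot: The `doGet()` override carries `@GET`, so this OAuth-shaped endpoint issues tokens on GET as well as POST. RFC 6749 section 3.2 requires POST for access token requests; unless an existing client depends on GET, having `doGet()` reject the request on this resource would match what OAuth clients expect. The TODO about translating errors into OAuth error messages would also be easier to track with a follow-up Jira id in the comment.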

Review Comment:
   Yes. Haven't determined whether this is the case yet and would like to 
follow up once I do but didn't want to block the overall feature.






[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914514=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914514
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:47
Start Date: 13/Apr/24 20:47
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564247287


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -780,26 +782,98 @@ private X509Certificate 
extractCertificate(HttpServletRequest req) {
 return null;
   }
 
-  private Response getAuthenticationToken() {
-if (clientCertRequired) {
-  X509Certificate cert = extractCertificate(request);
-  if (cert != null) {
-if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-  return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
- .build();
-}
+  protected Response getAuthenticationToken() {
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+return resp.build();
+  }
+
+  protected TokenResponse getTokenResponse(UserContext context) {
+TokenResponse response = null;
+long expires = getExpiry();
+setupPublicCertPEM();
+String jku = getJku();
+try
+{
+  JWT token = getJWT(context.userName, expires, jku);
+  if (token != null) {
+ResponseMap result = buildResponseMap(token, expires);
+String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+persistTokenDetails(result, expires, context.userName, 
context.createdBy);
+
+response = new TokenResponse(result, jsonResponse, Response.ok());
   } else {
-return Response.status(Response.Status.FORBIDDEN)
-   .entity("{ \"Unable to get token - client cert 
required.\" }")
-   .build();
+response = new TokenResponse(null, null, Response.serverError());
+  }
+} catch (TokenServiceException e) {
+  log.unableToIssueToken(e);
+  response = new TokenResponse(null
+  , "{ \"Unable to acquire token.\" }"
+  , Response.serverError());
+}
+return response;
+  }
+
+  protected static class TokenResponse {
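
Review bot: In `getTokenResponse`, the `token == null` branch builds `new TokenResponse(null, null, Response.serverError())` and logs nothing, so the caller gets a server error with a null response string and the log gives no hint why. The `catch` branch, by contrast, calls `log.unableToIssueToken(e)` and supplies a message. A log call and a non-null response string in the `else` branch would make the two failure paths consistent.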

Review Comment:
   Yeah, I'm not thrilled with it either but can't exactly say it is wrong 
given the content. How about TokenResponseContext? Seems more than a context to 
me since it includes the builder too. It does have a build() so we could call 
it a builder but it is also used to access the other data directly in extension 
classes and the build method not called so it isn't always a builder. 





Issue Time Tracking
---

Worklog Id: (was: 914514)
Time Spent: 1h 50m  (was: 1h 40m)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register 

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914512=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914512
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:40
Start Date: 13/Apr/24 20:40
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564244148


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxtoken;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.JsonUtils;
+
+import javax.inject.Singleton;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+
+import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+
+@Singleton
+@Path(OAuthResource.RESOURCE_PATH)
+public class OAuthResource extends TokenResource {
+private static TokenServiceMessages log = 
MessagesFactory.get(TokenServiceMessages.class);
+static final String RESOURCE_PATH = 
"/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";
+public static final String ISSUED_TOKEN_TYPE = "issued_token_type";
+public static final String REFRESH_TOKEN = "refresh_token";
+public static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE = 
"urn:ietf:params:oauth:token-type:access_token";
+
+@Override
+@GET
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doGet() {
+return super.doGet();
+}
+
+@Override
+@POST
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doPost() {
+return super.doPost();
+}
+
+@Override
+public Response getAuthenticationToken() {
+
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+// if the responseMap isn't null then the knoxtoken request was 
successful
+// if not then there may have been an error and the underlying response
+// builder will communicate those details
+if (resp.responseMap != null) {
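
Review bot: `RESOURCE_PATH` declares `{serviceName:.*}`, and `.*` also matches `/`, so the service-name parameter can span any number of path segments ahead of `/v1/`. If the intent is a single configurable name such as the `icecli` example in the issue description, constrain it to `[^/]+` and add a test with a multi-segment prefix so the resource only binds to the URLs it is meant to serve.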

Review Comment:
   This is how they were refactored out and yes it seems that they were 
intended to be used as structs which I don't have a problem with. I don't see 
a potential for extension and polymorphic differences being necessary. We can 
add getters if you like though.





Issue Time Tracking
---

Worklog Id: (was: 914512)
Time Spent: 1.5h  (was: 1h 20m)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the 

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914513=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914513
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:40
Start Date: 13/Apr/24 20:40
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564244621


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -853,105 +917,148 @@ private Response getAuthenticationToken() {
 if (userTokens.size() >= tokenLimitPerUser) {
   log.tokenLimitExceeded(userName);
   if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction) 
{
-return Response.status(Response.Status.FORBIDDEN).entity("{ 
\"Unable to get token - token limit exceeded.\" }").build();
+response = Response.status(Response.Status.FORBIDDEN).entity("{ 
\"Unable to get token - token limit exceeded.\" }").build();
   } else {
 // userTokens is an ordered collection (by issue time) -> the 
first element is the oldest one
 final String oldestTokenId = 
userTokens.iterator().next().getTokenId();
 log.generalInfoMessage(String.format(Locale.getDefault(), 
"Revoking %s's oldest token %s ...", userName, 
Tokens.getTokenIDDisplayText(oldestTokenId)));
 final Response revocationResponse = revoke(oldestTokenId);
 if (Response.Status.OK.getStatusCode() != 
revocationResponse.getStatus()) {
-  return 
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
+  response = 
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
   .entity("{\n  \"error\": \"An error occurred during the 
oldest token revocation of " + userName + " \"\n}\n").build();
 }
}
 }
   }
 }
+return response;
+  }
 
-try {
-  final boolean managedToken = tokenStateService != null;
-  JWT token;
-  JWTokenAttributes jwtAttributes;
-  final JWTokenAttributesBuilder jwtAttributesBuilder = new 
JWTokenAttributesBuilder();
-  jwtAttributesBuilder
-  .setIssuer(tokenIssuer)
-  .setUserName(userName)
-  .setAlgorithm(signatureAlgorithm)
-  .setExpires(expires)
-  .setManaged(managedToken)
-  .setJku(jku)
-  .setType(tokenType);
-  if (!targetAudiences.isEmpty()) {
-jwtAttributesBuilder.setAudiences(targetAudiences);
+  protected void setupPublicCertPEM() {
+GatewayServices services = getGatewayServices();
+if (endpointPublicCert == null) {
+  // acquire PEM for gateway identity of this gateway instance
+  KeystoreService ks = services.getService(ServiceType.KEYSTORE_SERVICE);
+  if (ks != null) {
+try {
+  Certificate cert = ks.getCertificateForGateway();
+  byte[] bytes = cert.getEncoded();
+  endpointPublicCert = Base64.encodeBase64String(bytes);
+} catch (KeyStoreException | KeystoreServiceException | 
CertificateEncodingException e) {
+  // assuming that certs will be properly provisioned across all 
clients
+  log.unableToAcquireCertForEndpointClients(e);
+}
   }
-  if (shouldIncludeGroups()) {
-if (includeGroupsInTokenAllowed) {
-  jwtAttributesBuilder.setGroups(groups());
-} else {
-  return Response
-  .status(Response.Status.BAD_REQUEST)
-  .entity("{\n  \"error\": \"Including group information in 
tokens is disabled\"\n}\n")
-  .build();
+}
+  }
+
+  protected Response enforceClientCertIfRequired() {
+Response response = null;
+if (clientCertRequired) {
+  X509Certificate cert = extractCertificate(request);
+  if (cert != null) {
+if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
+  response = Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
+ .build();
 }
+  } else {
+response = Response.status(Response.Status.FORBIDDEN)
+   .entity("{ \"Unable to get token - client cert 
required.\" }")
+   .build();
   }
+}
+return response;
+  }
 
-  jwtAttributes = jwtAttributesBuilder.build();
-  token = ts.issueToken(jwtAttributes);
+  protected void persistTokenDetails(ResponseMap result, long expires, String 
userName, String createdBy) {
+// Optional token store service persistence
+if (tokenStateService != null) {
+  final long issueTime = System.currentTimeMillis();
+  
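
Review bot: In enforceClientCertIfRequired the allow-list check compares `cert.getSubjectDN().getName().replaceAll("\\s+", "")` against `allowedDNs`, which strips whitespace inside attribute values as well as around separators, so two subject names that differ only in spacing compare equal. Since this block is being moved into its own method, consider comparing `getSubjectX500Principal()` in a canonical form instead, and document the format expected for the `allowedDNs` entries.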

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914511=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914511
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:37
Start Date: 13/Apr/24 20:37
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564243026


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -626,14 +628,14 @@ public Response revoke(String token) {
 final String tokenId = getTokenId(token);
 if (isKnoxSsoCookie(tokenId)) {
   errorStatus = Response.Status.FORBIDDEN;
-  error = "SSO cookie (" + Tokens.getTokenIDDisplayText(tokenId) + ") 
cannot not be revoked." ;
+  error = "SSO cookie (" + Tokens.getTokenIDDisplayText(tokenId) + ") 
cannot not be revoked.";
   errorCode = ErrorCode.UNAUTHORIZED;
 } else if (triesToRevokeOwnToken(tokenId, revoker) || 
allowedRenewers.contains(revoker)) {
   tokenStateService.revokeToken(tokenId);
   log.revokedToken(getTopologyName(),
-  Tokens.getTokenDisplayText(token),
-  Tokens.getTokenIDDisplayText(tokenId),
-  revoker);
+  Tokens.getTokenDisplayText(token),

Review Comment:
   Not sure why it was the previous indentation. I guess someone is lining up 
the dots? That is not a convention that is standard.  That said, I don't know 
why this was changed at all. Likely some IDE shenanigans related to my 
migration to a new dev machine. These are all in the same method and I am 
working backwards through them. I ilke how the code reads with this formatting. 
If you can look at the code in context and think I should revert the changes 
then I will. We should also add to the checkstyle rules if that is the case 
though.





Issue Time Tracking
---

Worklog Id: (was: 914511)
Time Spent: 1h 20m  (was: 1h 10m)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register a url pattern for each usecase and the resource path within the 
> jersey service will need to accommodate the dynamic nature of the Iceberg 
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and need to match to the 
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name 
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining 
> path fragment being optional for the iceberg specific "tokens".
> Not pretty but it will work.
> 1. 
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914510=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914510
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:34
Start Date: 13/Apr/24 20:34
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564241642


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -650,14 +652,14 @@ public Response revoke(String token) {
 }
 
 if (error.isEmpty()) {
-  resp =  Response.status(Response.Status.OK)
-  .entity("{\n  \"revoked\": \"true\"\n}\n")
-  .build();
+  resp = Response.status(Response.Status.OK)
+  .entity("{\n  \"revoked\": \"true\"\n}\n")
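
Review bot: Formatting-only edits to the success branch of revoke() (the double space after `resp =` and the indentation of the builder calls) add noise to a functional PR. Revert them or move them to a separate formatting commit, and if the new indentation is the preferred one, enforce it in the checkstyle rules so it stays consistent.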

Review Comment:
   Not sure why it was the previous indentation. I guess someone is lining up 
the dots? That is not a convention that is standard.  That said, I don't know 
why this was changed at all. Likely some IDE shenanigans related to my 
migration to a new dev machine.





Issue Time Tracking
---

Worklog Id: (was: 914510)
Time Spent: 1h 10m  (was: 1h)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914509=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914509
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:34
Start Date: 13/Apr/24 20:34
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564241397


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -650,14 +652,14 @@ public Response revoke(String token) {
 }
 
 if (error.isEmpty()) {
-  resp =  Response.status(Response.Status.OK)
-  .entity("{\n  \"revoked\": \"true\"\n}\n")
-  .build();
+  resp = Response.status(Response.Status.OK)
+  .entity("{\n  \"revoked\": \"true\"\n}\n")
+  .build();
 } else {
   log.badRevocationRequest(getTopologyName(), 
Tokens.getTokenDisplayText(token), error);
   resp = Response.status(errorStatus)
- .entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + 
error + "\",\n  \"code\": " + errorCode.toInt() + "\n}\n")
- .build();
+  .entity("{\n  \"revoked\": \"false\",\n  \"error\": \"" + error 
+ "\",\n  \"code\": " + errorCode.toInt() + "\n}\n")
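
Review bot: The failure entity in revoke() is assembled by concatenating `error` and `errorCode.toInt()` into a hand-written JSON string, so a quote or backslash in the message produces an invalid body. Since this line is being reformatted anyway, put the fields in a map and serialise it, for example with `JsonUtils.renderAsJsonString`, which this PR already uses for the token response.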

Review Comment:
   Not sure why it was the previous indentation. I guess someone is lining up 
the dots? That is not a convention that is standard.  That said, I don't know 
why this was changed at all. Likely some IDE shenanigans related to my 
migration to a new dev machine.





Issue Time Tracking
---

Worklog Id: (was: 914509)
Time Spent: 1h  (was: 50m)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914507=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914507
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:29
Start Date: 13/Apr/24 20:29
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564239406


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -780,26 +782,98 @@ private X509Certificate 
extractCertificate(HttpServletRequest req) {
 return null;
   }
 
-  private Response getAuthenticationToken() {
-if (clientCertRequired) {
-  X509Certificate cert = extractCertificate(request);
-  if (cert != null) {
-if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
-  return Response.status(Response.Status.FORBIDDEN)
- .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
- .build();
-}
+  protected Response getAuthenticationToken() {
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+return resp.build();
+  }
+
+  protected TokenResponse getTokenResponse(UserContext context) {
+TokenResponse response = null;
+long expires = getExpiry();
+setupPublicCertPEM();
+String jku = getJku();
+try
+{
+  JWT token = getJWT(context.userName, expires, jku);
+  if (token != null) {
+ResponseMap result = buildResponseMap(token, expires);
+String jsonResponse = JsonUtils.renderAsJsonString(result.map);
+persistTokenDetails(result, expires, context.userName, 
context.createdBy);
+
+response = new TokenResponse(result, jsonResponse, Response.ok());
   } else {
-return Response.status(Response.Status.FORBIDDEN)
-   .entity("{ \"Unable to get token - client cert 
required.\" }")
-   .build();
+response = new TokenResponse(null, null, Response.serverError());
+  }
+} catch (TokenServiceException e) {
+  log.unableToIssueToken(e);
+  response = new TokenResponse(null
+  , "{ \"Unable to acquire token.\" }"
+  , Response.serverError());
+}
+return response;
+  }
+
+  protected static class TokenResponse {
+public ResponseMap responseMap;
+public String responseStr;
+public Response.ResponseBuilder responseBuilder;
+
+public TokenResponse(ResponseMap respMap, String resp, 
Response.ResponseBuilder builder) {
+  responseMap = respMap;
+  responseStr = resp;
+  responseBuilder = builder;
+}
+
+public Response build() {
+  Response response = null;
+  if (responseStr != null) {
+response = responseBuilder.entity(responseStr).build();
   }
+  else {
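
Review bot: TokenResponse exposes `responseMap`, `responseStr` and `responseBuilder` as public non-final fields, so any caller or subclass can alter a response after getTokenResponse has produced it. Declare them `final` (in the lines shown they are only assigned in the constructor) and add accessors if extension classes need to read them. The `try` followed by `{` on its own line in getTokenResponse also differs from the brace placement used in the rest of the hunk.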

Review Comment:
   again, always this way. Which is why it isn't a codestyle violation.





Issue Time Tracking
---

Worklog Id: (was: 914507)
Time Spent: 50m  (was: 40m)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914506=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914506
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:27
Start Date: 13/Apr/24 20:27
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564238609


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -184,7 +184,9 @@ public class TokenResource {
   private boolean includeGroupsInTokenAllowed;
   private String tokenIssuer;
 
-  enum UserLimitExceededAction {REMOVE_OLDEST, RETURN_ERROR};
+  enum UserLimitExceededAction {REMOVE_OLDEST, RETURN_ERROR}
+
+  ;
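
Review bot: The stray `;` after the `UserLimitExceededAction` enum has been moved onto its own line instead of being removed. It is an empty declaration and can be dropped so the enum ends at its closing brace.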

Review Comment:
   h... :)





Issue Time Tracking
---

Worklog Id: (was: 914506)
Time Spent: 40m  (was: 0.5h)

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914505=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914505
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 13/Apr/24 20:27
Start Date: 13/Apr/24 20:27
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1564238464


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/OAuthResource.java:
##
@@ -0,0 +1,133 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.knox.gateway.service.knoxtoken;
+
+import org.apache.knox.gateway.i18n.messages.MessagesFactory;
+import org.apache.knox.gateway.util.JsonUtils;
+
+import javax.inject.Singleton;
+import javax.ws.rs.GET;
+import javax.ws.rs.POST;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.core.Response;
+
+import java.time.Duration;
+import java.time.format.DateTimeParseException;
+import java.util.HashMap;
+
+import static javax.ws.rs.core.MediaType.APPLICATION_JSON;
+import static javax.ws.rs.core.MediaType.APPLICATION_XML;
+
+@Singleton
+@Path(OAuthResource.RESOURCE_PATH)
+public class OAuthResource extends TokenResource {
+private static TokenServiceMessages log = 
MessagesFactory.get(TokenServiceMessages.class);
+static final String RESOURCE_PATH = 
"/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";
+public static final String ISSUED_TOKEN_TYPE = "issued_token_type";
+public static final String REFRESH_TOKEN = "refresh_token";
+public static final String ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE = 
"urn:ietf:params:oauth:token-type:access_token";
+
+@Override
+@GET
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doGet() {
+return super.doGet();
+}
+
+@Override
+@POST
+@Produces({ APPLICATION_JSON, APPLICATION_XML })
+public Response doPost() {
+return super.doPost();
+}
+
+@Override
+public Response getAuthenticationToken() {
+
+Response response = enforceClientCertIfRequired();
+if (response != null) { return response; }
+
+response = onlyAllowGroupsToBeAddedWhenEnabled();
+if (response != null) { return response; }
+
+UserContext context = buildUserContext(request);
+
+response = enforceTokenLimitsAsRequired(context.userName);
+if (response != null) { return response; }
+
+TokenResponse resp = getTokenResponse(context);
+// if the responseMap isn't null then the knoxtoken request was 
successful
+// if not then there may have been an error and the underlying response
+// builder will communicate those details
+if (resp.responseMap != null) {
+// let's get the subset of the KnoxToken Response needed for OAuth
+String accessToken = resp.responseMap.accessToken;
+String passcode = resp.responseMap.passcode;
+long expires = (long) resp.responseMap.map.get(EXPIRES_IN);
+String tokenType = (String) resp.responseMap.map.get(TOKEN_TYPE);
+
+// build and return the expected OAuth response
+final HashMap map = new HashMap<>();
+map.put(ACCESS_TOKEN, accessToken);
+map.put(TOKEN_TYPE, tokenType);
+map.put(EXPIRES_IN, expires);
+map.put(ISSUED_TOKEN_TYPE, ISSUED_TOKEN_TYPE_ACCESS_TOKEN_VALUE);
+// let's use the passcode as the refresh token
+map.put(REFRESH_TOKEN, passcode);
+String jsonResponse = JsonUtils.renderAsJsonString(map);
+return resp.responseBuilder.entity(jsonResponse).build();
+}
+// there was an error if we got here - let's surface it appropriately
+// TODO: LJM we may need to translate certain errors into OAuth error 
messages
+if (resp.responseStr != null) {
+return resp.responseBuilder.entity(resp.responseStr).build();
+}
+else {
+return 
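Review bot: `{serviceName:.*}` in `RESOURCE_PATH` accepts any prefix, slashes included, and the optional `/tokens` suffix is allowed after either segment, so this resource also answers paths such as `/a/b/v1/token/tokens` that the description does not list. If the service name is meant to be a single path segment, `[^/]+` would say so. Separately, in `getAuthenticationToken()` the cast `(long) resp.responseMap.map.get(EXPIRES_IN)` throws when the value is absent or stored as an `Integer`; reading it as a `Number` and calling `longValue()` is safer, and since `passcode` is returned as `refresh_token` it should be checked for null before `map.put(REFRESH_TOKEN, passcode)`.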

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=914477=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-914477
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 12/Apr/24 21:23
Start Date: 12/Apr/24 21:23
Worklog Time Spent: 10m 
  Work Description: pzampino commented on code in PR #900:
URL: https://github.com/apache/knox/pull/900#discussion_r1563146549


##
gateway-service-knoxtoken/src/main/java/org/apache/knox/gateway/service/knoxtoken/TokenResource.java:
##
@@ -853,105 +917,148 @@ private Response getAuthenticationToken() {
 if (userTokens.size() >= tokenLimitPerUser) {
   log.tokenLimitExceeded(userName);
   if (UserLimitExceededAction.RETURN_ERROR == userLimitExceededAction) 
{
-return Response.status(Response.Status.FORBIDDEN).entity("{ 
\"Unable to get token - token limit exceeded.\" }").build();
+response = Response.status(Response.Status.FORBIDDEN).entity("{ 
\"Unable to get token - token limit exceeded.\" }").build();
   } else {
 // userTokens is an ordered collection (by issue time) -> the 
first element is the oldest one
 final String oldestTokenId = 
userTokens.iterator().next().getTokenId();
 log.generalInfoMessage(String.format(Locale.getDefault(), 
"Revoking %s's oldest token %s ...", userName, 
Tokens.getTokenIDDisplayText(oldestTokenId)));
 final Response revocationResponse = revoke(oldestTokenId);
 if (Response.Status.OK.getStatusCode() != 
revocationResponse.getStatus()) {
-  return 
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
+  response = 
Response.status(Response.Status.fromStatusCode(revocationResponse.getStatus()))
   .entity("{\n  \"error\": \"An error occurred during the 
oldest token revocation of " + userName + " \"\n}\n").build();
 }
}
 }
   }
 }
+return response;
+  }
 
-try {
-  final boolean managedToken = tokenStateService != null;
-  JWT token;
-  JWTokenAttributes jwtAttributes;
-  final JWTokenAttributesBuilder jwtAttributesBuilder = new 
JWTokenAttributesBuilder();
-  jwtAttributesBuilder
-  .setIssuer(tokenIssuer)
-  .setUserName(userName)
-  .setAlgorithm(signatureAlgorithm)
-  .setExpires(expires)
-  .setManaged(managedToken)
-  .setJku(jku)
-  .setType(tokenType);
-  if (!targetAudiences.isEmpty()) {
-jwtAttributesBuilder.setAudiences(targetAudiences);
+  protected void setupPublicCertPEM() {
+GatewayServices services = getGatewayServices();
+if (endpointPublicCert == null) {
+  // acquire PEM for gateway identity of this gateway instance
+  KeystoreService ks = services.getService(ServiceType.KEYSTORE_SERVICE);
+  if (ks != null) {
+try {
+  Certificate cert = ks.getCertificateForGateway();
+  byte[] bytes = cert.getEncoded();
+  endpointPublicCert = Base64.encodeBase64String(bytes);
+} catch (KeyStoreException | KeystoreServiceException | 
CertificateEncodingException e) {
+  // assuming that certs will be properly provisioned across all 
clients
+  log.unableToAcquireCertForEndpointClients(e);
+}
   }
-  if (shouldIncludeGroups()) {
-if (includeGroupsInTokenAllowed) {
-  jwtAttributesBuilder.setGroups(groups());
-} else {
-  return Response
-  .status(Response.Status.BAD_REQUEST)
-  .entity("{\n  \"error\": \"Including group information in 
tokens is disabled\"\n}\n")
-  .build();
+}
+  }
+
+  protected Response enforceClientCertIfRequired() {
+Response response = null;
+if (clientCertRequired) {
+  X509Certificate cert = extractCertificate(request);
+  if (cert != null) {
+if 
(!allowedDNs.contains(cert.getSubjectDN().getName().replaceAll("\\s+", ""))) {
+  response = Response.status(Response.Status.FORBIDDEN)
+ .entity("{ \"Unable to get token - untrusted client 
cert.\" }")
+ .build();
 }
+  } else {
+response = Response.status(Response.Status.FORBIDDEN)
+   .entity("{ \"Unable to get token - client cert 
required.\" }")
+   .build();
   }
+}
+return response;
+  }
 
-  jwtAttributes = jwtAttributesBuilder.build();
-  token = ts.issueToken(jwtAttributes);
+  protected void persistTokenDetails(ResponseMap result, long expires, String 
userName, String createdBy) {
+// Optional token store service persistence
+if (tokenStateService != null) {
+  final long issueTime = System.currentTimeMillis();
+  
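Review bot: in `enforceClientCertIfRequired()`, `cert.getSubjectDN().getName().replaceAll("\\s+", "")` strips whitespace inside attribute values as well as between RDNs, so distinct subjects such as `CN=ab c` and `CN=a bc` compare equal against `allowedDNs`. Comparing `getSubjectX500Principal()` values, which is the documented replacement for `getSubjectDN()`, avoids both that and the implementation-specific string form. The 403 entities, for example `{ "Unable to get token - untrusted client cert." }`, are not valid JSON; an `"error"` key, as the revocation branch above uses, would let clients parse them.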

[jira] [Work logged] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?focusedWorklogId=913787=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913787
 ]

ASF GitHub Bot logged work on KNOX-3028:


Author: ASF GitHub Bot
Created on: 09/Apr/24 23:27
Start Date: 09/Apr/24 23:27
Worklog Time Spent: 10m 
  Work Description: lmccay opened a new pull request, #900:
URL: https://github.com/apache/knox/pull/900

   ## What changes were proposed in this pull request?
   
   This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.
   
   This is being driven by a specific need to proxy access to the Iceberg REST 
Catalog API. In this specific usecase, we need to intercept the use of the 
following endpoint URLs and serve the token exchange flow for the 
authenticating user.
   
   /v1/oauth/tokens
   Details for these requirements can be found in the openapi description for 
the catalog API [1].
   
   In addition to this usecase, we should add generic support for the token 
exchange flow with a more generic URL that better aligns with what others use.
   
   /oauth/v1/token
   We will support the use of the "oauth" service name within the existing 
KNOXTOKEN service with an extension of the TokenResource which adapts the 
existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
   
   In order to support both URLs, the deployment contributor will need to 
register a url pattern for each usecase and the resource path within the jersey 
service will need to accommodate the dynamic nature of the Iceberg REST Catalog 
API which will add the catalog API service name as well.
   
   /icecli/v1/oauth/tokens/
   Where "icecli" may be some configurable service name and needs to match 
the incoming URL.
   We will wildcard that by making it a regex matched path param.
   
   We will also need to accommodate a first-class Knox pattern and service name 
of "oauth" and only allow "token" or "oauth" after the v1 with the remaining 
path fragment being optional for the iceberg specific "tokens".
   
   Not pretty but it will work.
   
   1. 
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml
   
   ## How was this patch tested?
   
   Ran existing tests and added a new unit test to existing 
TokenServiceResourceTest for OAuth token changes
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   




Issue Time Tracking
---

Worklog Id: (was: 913787)
Remaining Estimate: 0h
Time Spent: 10m

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with a more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register a url pattern for each usecase and the resource path within the 
> jersey service will need to accommodate the dynamic nature of the Iceberg 
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and needs to match the 
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name 
> of "oauth" and only allow "token" or 
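
The URL shapes listed in the PR #900 description can be checked against the `RESOURCE_PATH` template from the `OAuthResource` diff. The following is an added example, not code from the Knox project: it approximates JAX-RS template matching with plain `java.util.regex` rather than Jersey's own matcher, and the class name, `SINGLE_SEGMENT_PATH`, the trailing-slash handling and the sample paths are assumptions made for illustration.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class OAuthPathTemplateCheck {

  // RESOURCE_PATH exactly as it appears in the OAuthResource hunk of PR #900.
  static final String RESOURCE_PATH =
      "/{serviceName:.*}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";

  // Hypothetical variant (not from the PR): service name limited to one segment.
  static final String SINGLE_SEGMENT_PATH =
      "/{serviceName:[^/]+}/v1/{oauthSegment:(oauth|token)}{path:(/tokens)?}";

  /** A compiled template: the regex plus its parameter names in order. */
  static final class Template {
    final Pattern pattern;
    final List<String> names;

    Template(Pattern pattern, List<String> names) {
      this.pattern = pattern;
      this.names = names;
    }
  }

  /** Turns "/lit/{name:regex}" into a regex with one named group per parameter. */
  static Template compile(String template) {
    StringBuilder regex = new StringBuilder();
    List<String> names = new ArrayList<>();
    int i = 0;
    while (i < template.length()) {
      if (template.charAt(i) != '{') {
        // Literal run up to the next parameter: match it verbatim.
        int next = template.indexOf('{', i);
        next = next < 0 ? template.length() : next;
        regex.append(Pattern.quote(template.substring(i, next)));
        i = next;
        continue;
      }
      // Find the closing brace, allowing nested braces such as \d{2} in the regex.
      int depth = 0;
      int j = i;
      for (; j < template.length(); j++) {
        char c = template.charAt(j);
        if (c == '{') {
          depth++;
        } else if (c == '}' && --depth == 0) {
          break;
        }
      }
      if (j == template.length()) {
        throw new IllegalArgumentException("Unbalanced '{' in " + template);
      }
      String body = template.substring(i + 1, j);
      int colon = body.indexOf(':');
      String name = (colon < 0 ? body : body.substring(0, colon)).trim();
      // A parameter without its own regex matches a single path segment.
      String paramRegex = colon < 0 ? "[^/]+" : body.substring(colon + 1).trim();
      names.add(name);
      regex.append("(?<").append(name).append('>').append(paramRegex).append(')');
      i = j + 1;
    }
    // Assumption: one trailing slash is tolerated, to cover the
    // "/icecli/v1/oauth/tokens/" form quoted in the PR description.
    regex.append("/?");
    return new Template(Pattern.compile(regex.toString()), names);
  }

  /** Returns the bound parameters, or null when the path does not match. */
  static Map<String, String> match(Template template, String path) {
    Matcher m = template.pattern.matcher(path);
    if (!m.matches()) {
      return null;
    }
    Map<String, String> bound = new LinkedHashMap<>();
    for (String name : template.names) {
      bound.put(name, m.group(name));
    }
    return bound;
  }

  public static void main(String[] args) {
    Template asSubmitted = compile(RESOURCE_PATH);
    Template singleSegment = compile(SINGLE_SEGMENT_PATH);
    // Constructed request paths; "icecli" is the sample service name from the PR text.
    String[] paths = {
      "/icecli/v1/oauth/tokens",   // Iceberg REST Catalog form
      "/icecli/v1/oauth/tokens/",  // same, with trailing slash
      "/oauth/v1/token",           // generic Knox form
      "/icecli/v1/token/tokens",   // combination the description does not mention
      "/a/b/c/v1/oauth/tokens",    // multi-segment "service name"
      "/icecli/v1/namespaces"      // unrelated catalog call
    };
    for (String path : paths) {
      System.out.printf("%-26s submitted=%s  one-segment=%s%n",
          path, match(asSubmitted, path), match(singleSegment, path));
    }
  }
}
```

Paths that bind under the submitted template but come back `null` under the one-segment variant are the ones only the `.*` wildcard admits.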

[jira] [Work logged] (KNOX-3029) Fix Ozone version in ozone-scm 1.4.0 service.xml

2024-04-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3029?focusedWorklogId=913688=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913688
 ]

ASF GitHub Bot logged work on KNOX-3029:


Author: ASF GitHub Bot
Created on: 09/Apr/24 11:14
Start Date: 09/Apr/24 11:14
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #899:
URL: https://github.com/apache/knox/pull/899




Issue Time Tracking
---

Worklog Id: (was: 913688)
Time Spent: 20m  (was: 10m)

> Fix Ozone version in ozone-scm 1.4.0 service.xml
> 
>
> Key: KNOX-3029
> URL: https://issues.apache.org/jira/browse/KNOX-3029
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Zita Dombi
>Assignee: Zita Dombi
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> In KNOX-3012 I added the 1.4.0 folder to the ozone-scm folder with some 
> changes, but I forgot to change the version in the service.xml 
> ([here|https://github.com/apache/knox/pull/873/files#diff-f6a3a05c8f6edd4805134a9314f93e6859d6c628df0975b6676d627f8987b1c1R18]).





[jira] [Work logged] (KNOX-3029) Fix Ozone version in ozone-scm 1.4.0 service.xml

2024-04-09 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3029?focusedWorklogId=913656=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913656
 ]

ASF GitHub Bot logged work on KNOX-3029:


Author: ASF GitHub Bot
Created on: 09/Apr/24 09:00
Start Date: 09/Apr/24 09:00
Worklog Time Spent: 10m 
  Work Description: dombizita opened a new pull request, #899:
URL: https://github.com/apache/knox/pull/899

   ## What changes were proposed in this pull request?
   
   I fixed the ozone version in the ozone-scm 1.4.0 service.xml.
   
   ## How was this patch tested?
   
   I tested the changes on a cluster. 
   




Issue Time Tracking
---

Worklog Id: (was: 913656)
Remaining Estimate: 0h
Time Spent: 10m

> Fix Ozone version in ozone-scm 1.4.0 service.xml
> 
>
> Key: KNOX-3029
> URL: https://issues.apache.org/jira/browse/KNOX-3029
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Zita Dombi
>Assignee: Zita Dombi
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> In KNOX-3012 I added the 1.4.0 folder to the ozone-scm folder with some 
> changes, but I forgot to change the version in the service.xml 
> ([here|https://github.com/apache/knox/pull/873/files#diff-f6a3a05c8f6edd4805134a9314f93e6859d6c628df0975b6676d627f8987b1c1R18]).





[jira] [Work logged] (KNOX-3025) Use newer browser features in knoxauth.js + Removal of used variables

2024-04-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3025?focusedWorklogId=913189=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913189
 ]

ASF GitHub Bot logged work on KNOX-3025:


Author: ASF GitHub Bot
Created on: 05/Apr/24 10:22
Start Date: 05/Apr/24 10:22
Worklog Time Spent: 10m 
  Work Description: RedYetiDev commented on PR #892:
URL: https://github.com/apache/knox/pull/892#issuecomment-2039434482

   Please ignore the close, I will reopen this shortly, I accidentally deleted 
the repository




Issue Time Tracking
---

Worklog Id: (was: 913189)
Time Spent: 0.5h  (was: 20m)

> Use newer browser features in knoxauth.js + Removal of used variables
> -
>
> Key: KNOX-3025
> URL: https://issues.apache.org/jira/browse/KNOX-3025
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Aviv Keller
>Priority: Minor
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The knoxauth.js file currently utilizes outdated and inefficient browser 
> features. It could be optimized by leveraging newer, more efficient 
> alternatives.
> Details:
>  - Rename the 'get' function to 'getQueryParam' and implement it using 
> URLSearchParams for clarity and efficiency.
>  - Update the 'isSameOrigin' function to utilize URL instead of 
> document.create("a") for improved performance.
>  - Fully rely on window.location.replace for redirect operations to enhance 
> efficiency and reliability.
>  - Implement newer techniques in the 'login' function to achieve the desired 
> outcome more efficiently.
>  - Replace jQuery usage with native features to improve speed and reduce 
> complexity in the codebase.
>  - And more
> [https://github.com/apache/knox/pull/892/]





[jira] [Work logged] (KNOX-3025) Use newer browser features in knoxauth.js + Removal of used variables

2024-04-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3025?focusedWorklogId=913124=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-913124
 ]

ASF GitHub Bot logged work on KNOX-3025:


Author: ASF GitHub Bot
Created on: 05/Apr/24 02:08
Start Date: 05/Apr/24 02:08
Worklog Time Spent: 10m 
  Work Description: RedYetiDev closed pull request #892: KNOX-3025 - 
Optimize knoxauth.js
URL: https://github.com/apache/knox/pull/892




Issue Time Tracking
---

Worklog Id: (was: 913124)
Time Spent: 20m  (was: 10m)

> Use newer browser features in knoxauth.js + Removal of used variables
> -
>
> Key: KNOX-3025
> URL: https://issues.apache.org/jira/browse/KNOX-3025
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Aviv Keller
>Priority: Minor
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The knoxauth.js file currently utilizes outdated and inefficient browser 
> features. It could be optimized by leveraging newer, more efficient 
> alternatives.
> Details:
>  - Rename the 'get' function to 'getQueryParam' and implement it using 
> URLSearchParams for clarity and efficiency.
>  - Update the 'isSameOrigin' function to utilize URL instead of 
> document.create("a") for improved performance.
>  - Fully rely on window.location.replace for redirect operations to enhance 
> efficiency and reliability.
>  - Implement newer techniques in the 'login' function to achieve the desired 
> outcome more efficiently.
>  - Replace jQuery usage with native features to improve speed and reduce 
> complexity in the codebase.
>  - And more
> [https://github.com/apache/knox/pull/892/]





[jira] [Work logged] (KNOX-3026) Exclude services/roles from being discovered

2024-03-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3026?focusedWorklogId=912069=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-912069
 ]

ASF GitHub Bot logged work on KNOX-3026:


Author: ASF GitHub Bot
Created on: 28/Mar/24 14:07
Start Date: 28/Mar/24 14:07
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #893:
URL: https://github.com/apache/knox/pull/893




Issue Time Tracking
---

Worklog Id: (was: 912069)
Time Spent: 40m  (was: 0.5h)

> Exclude services/roles from being discovered
> 
>
> Key: KNOX-3026
> URL: https://issues.apache.org/jira/browse/KNOX-3026
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Currently, even after implementing KNOX-2899, CM service discovery is running 
> on the entire CM cluster and fetches information on all services and roles 
> that are available on that target cluster. We may want to revisit the 
> service-based discovery enablement (that is now disabled by KNOX-2899). 
> However, there is a need for end-users to be able to declare services and 
> roles that should be explicitly excluded during service discovery.





[jira] [Work logged] (KNOX-3026) Exclude services/roles from being discovered

2024-03-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3026?focusedWorklogId=911917=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911917
 ]

ASF GitHub Bot logged work on KNOX-3026:


Author: ASF GitHub Bot
Created on: 27/Mar/24 20:42
Start Date: 27/Mar/24 20:42
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #893:
URL: https://github.com/apache/knox/pull/893#discussion_r1542009457


##
gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ClouderaManagerServiceDiscovery.java:
##
@@ -356,6 +361,14 @@ private List 
getClusterServices(ServiceDiscoveryConfig serviceDiscov
 final ApiServiceList serviceList = 
servicesResourceApi.readServices(serviceDiscoveryConfig.getCluster(), 
VIEW_SUMMARY);
 services = serviceList == null ? new ArrayList<>() : 
serviceList.getItems();
 
+services = services.stream().filter(service -> {
+  if (excludedServiceTypes.contains(service.getType())) {

Review Comment:
   This is a good idea. Let me fix that and submit a new PR soon.





Issue Time Tracking
---

Worklog Id: (was: 911917)
Time Spent: 0.5h  (was: 20m)

> Exclude services/roles from being discovered
> 
>
> Key: KNOX-3026
> URL: https://issues.apache.org/jira/browse/KNOX-3026
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently, even after implementing KNOX-2899, CM service discovery is running 
> on the entire CM cluster and fetches information on all services and roles 
> that are available on that target cluster. We may want to revisit the 
> service-based discovery enablement (that is now disabled by KNOX-2899). 
> However, there is a need for end-users to be able to declare services and 
> roles that should be explicitly excluded during service discovery.





[jira] [Work logged] (KNOX-3026) Exclude services/roles from being discovered

2024-03-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3026?focusedWorklogId=911911=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911911
 ]

ASF GitHub Bot logged work on KNOX-3026:


Author: ASF GitHub Bot
Created on: 27/Mar/24 20:23
Start Date: 27/Mar/24 20:23
Worklog Time Spent: 10m 
  Work Description: pzampino commented on code in PR #893:
URL: https://github.com/apache/knox/pull/893#discussion_r1541978985


##
gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ClouderaManagerServiceDiscovery.java:
##
@@ -422,6 +437,21 @@ private ApiRoleList getRoles(ServiceDiscoveryConfig 
serviceDiscoveryConfig, Role
 return roles;
   }
 
+  private ApiRoleList excludeRoles(ApiRoleList roles) {
+if (roles == null || roles.getItems() == null) {
+  return roles;
+}
+final ApiRoleList filteredRoles = new ApiRoleList();
+roles.getItems().forEach(role -> {
+  if (excludedRoleTypes.contains(role.getType())) {
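Review bot: `excludedRoleTypes.contains(role.getType())` in `excludeRoles` is an exact match, so the exclusion fails open: a configured type that differs from what CM reports in case or surrounding whitespace leaves the role discovered. If both sides are normalised, do it once when the exclusion list is read, use `toUpperCase(Locale.ROOT)` or `toLowerCase(Locale.ROOT)` so the result does not depend on the JVM default locale, and guard against a null `role.getType()`.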

Review Comment:
   Same concern as I have with the services wrt case sensitivity.



##
gateway-discovery-cm/src/main/java/org/apache/knox/gateway/topology/discovery/cm/ClouderaManagerServiceDiscovery.java:
##
@@ -356,6 +361,14 @@ private List 
getClusterServices(ServiceDiscoveryConfig serviceDiscov
 final ApiServiceList serviceList = 
servicesResourceApi.readServices(serviceDiscoveryConfig.getCluster(), 
VIEW_SUMMARY);
 services = serviceList == null ? new ArrayList<>() : 
serviceList.getItems();
 
+services = services.stream().filter(service -> {
+  if (excludedServiceTypes.contains(service.getType())) {
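Review bot: the filter in `getClusterServices` runs after `servicesResourceApi.readServices(..., VIEW_SUMMARY)` has already returned the full list, so excluded service types are dropped from what Knox processes but are still requested from CM. The config documentation should state that, so the option is not read as limiting what discovery fetches from the cluster.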

Review Comment:
   I'm wondering if we can avoid case-sensitivity issues with this. For 
example, if the case of the service type is mistyped in the config or changes 
on the CM side. Perhaps, we can lowercase the values prior to the comparison?





Issue Time Tracking
---

Worklog Id: (was: 911911)
Time Spent: 20m  (was: 10m)

> Exclude services/roles from being discovered
> 
>
> Key: KNOX-3026
> URL: https://issues.apache.org/jira/browse/KNOX-3026
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, even after implementing KNOX-2899, CM service discovery is running 
> on the entire CM cluster and fetches information on all services and roles 
> that are available on that target cluster. We may want to revisit the 
> service-based discovery enablement (that is now disabled by KNOX-2899). 
> However, there is a need for end-users to be able to declare services and 
> roles that should be explicitly excluded during service discovery.





[jira] [Work logged] (KNOX-3026) Exclude services/roles from being discovered

2024-03-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3026?focusedWorklogId=911909=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911909
 ]

ASF GitHub Bot logged work on KNOX-3026:


Author: ASF GitHub Bot
Created on: 27/Mar/24 20:00
Start Date: 27/Mar/24 20:00
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #893:
URL: https://github.com/apache/knox/pull/893

   ## What changes were proposed in this pull request?
   
   //TODO: this is still under eating, I just wanted to have this out for 
review ASAP.
   
   ## How was this patch tested?
   
   I added and updated existing JUnit tests.
   E2E testing on a real CM cluster is ongoing...
   




Issue Time Tracking
---

Worklog Id: (was: 911909)
Remaining Estimate: 0h
Time Spent: 10m

> Exclude services/roles from being discovered
> 
>
> Key: KNOX-3026
> URL: https://issues.apache.org/jira/browse/KNOX-3026
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Currently, even after implementing KNOX-2899, CM service discovery is running 
> on the entire CM cluster and fetches information on all services and roles 
> that are available on that target cluster. We may want to revisit the 
> service-based discovery enablement (that is now disabled by KNOX-2899). 
> However, there is a need for end-users to be able to declare services and 
> roles that should be explicitly excluded during service discovery.





[jira] [Work logged] (KNOX-3025) Use newer browser features in knoxauth.js + Removal of used variables

2024-03-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3025?focusedWorklogId=911572=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911572
 ]

ASF GitHub Bot logged work on KNOX-3025:


Author: ASF GitHub Bot
Created on: 26/Mar/24 13:15
Start Date: 26/Mar/24 13:15
Worklog Time Spent: 10m 
  Work Description: RedYetiDev commented on PR #892:
URL: https://github.com/apache/knox/pull/892#issuecomment-2020402616

   Apologies for the mistake, Jira pulled up the wrong issue initially 
(weird!). Please see 
[KNOX-3025](https://issues.apache.org/jira/browse/KNOX-3025)




Issue Time Tracking
---

Worklog Id: (was: 911572)
Remaining Estimate: 0h
Time Spent: 10m

> Use newer browser features in knoxauth.js + Removal of used variables
> -
>
> Key: KNOX-3025
> URL: https://issues.apache.org/jira/browse/KNOX-3025
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Aviv Keller
>Priority: Minor
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> The knoxauth.js file currently utilizes outdated and inefficient browser 
> features. It could be optimized by leveraging newer, more efficient 
> alternatives.
> Details:
>  - Rename the 'get' function to 'getQueryParam' and implement it using 
> URLSearchParams for clarity and efficiency.
>  - Update the 'isSameOrigin' function to utilize URL instead of 
> document.create("a") for improved performance.
>  - Fully rely on window.location.replace for redirect operations to enhance 
> efficiency and reliability.
>  - Implement newer techniques in the 'login' function to achieve the desired 
> outcome more efficiently.
>  - Replace jQuery usage with native features to improve speed and reduce 
> complexity in the codebase.
>  - And more
> [https://github.com/apache/knox/pull/892/]





[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=911570=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911570
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 26/Mar/24 13:13
Start Date: 26/Mar/24 13:13
Worklog Time Spent: 10m 
  Work Description: RedYetiDev commented on PR #892:
URL: https://github.com/apache/knox/pull/892#issuecomment-2020398838

   Thank you! Please see 
[KNOX-3024](https://issues.apache.org/jira/browse/KNOX-3024)




Issue Time Tracking
---

Worklog Id: (was: 911570)
Time Spent: 1h  (was: 50m)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{{}knox-functions.sh{}}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{{}/usr{}}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}





[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=911571=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-911571
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 26/Mar/24 13:13
Start Date: 26/Mar/24 13:13
Worklog Time Spent: 10m 
  Work Description: RedYetiDev commented on PR #892:
URL: https://github.com/apache/knox/pull/892#issuecomment-2020399744

   Never mind, wrong issue, let me get my number




Issue Time Tracking
---

Worklog Id: (was: 911571)
Time Spent: 1h 10m  (was: 1h)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{{}knox-functions.sh{}}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{{}/usr{}}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=910901&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910901
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 21/Mar/24 13:21
Start Date: 21/Mar/24 13:21
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on code in PR #891:
URL: https://github.com/apache/knox/pull/891#discussion_r1533895612


##
gateway-release-common/home/bin/knox-functions.sh:
##
@@ -50,6 +50,17 @@ DEFAULT_APP_STATUS_TEST_RETRY_SLEEP=2
 # common functions #
 
 
+function setVerbose() {

Review Comment:
   I see, makes sense :)





Issue Time Tracking
---

Worklog Id: (was: 910901)
Time Spent: 50m  (was: 40m)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=910898&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910898
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 21/Mar/24 13:17
Start Date: 21/Mar/24 13:17
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #891:
URL: https://github.com/apache/knox/pull/891#discussion_r1533888556


##
gateway-release-common/home/bin/knox-functions.sh:
##
@@ -50,6 +50,17 @@ DEFAULT_APP_STATUS_TEST_RETRY_SLEEP=2
 # common functions #
 
 
+function setVerbose() {

Review Comment:
   KnoxCLI only supports `--verbose`, hence the long version only. Maybe 
later...





Issue Time Tracking
---

Worklog Id: (was: 910898)
Time Spent: 40m  (was: 0.5h)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=910897&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910897
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 21/Mar/24 13:16
Start Date: 21/Mar/24 13:16
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #891:
URL: https://github.com/apache/knox/pull/891




Issue Time Tracking
---

Worklog Id: (was: 910897)
Time Spent: 0.5h  (was: 20m)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=910896&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910896
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 21/Mar/24 13:07
Start Date: 21/Mar/24 13:07
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on code in PR #891:
URL: https://github.com/apache/knox/pull/891#discussion_r1533871582


##
gateway-release-common/home/bin/knox-functions.sh:
##
@@ -50,6 +50,17 @@ DEFAULT_APP_STATUS_TEST_RETRY_SLEEP=2
 # common functions #
 
 
+function setVerbose() {

Review Comment:
   nitpick: Maybe accommodate the short form `-v` as well





Issue Time Tracking
---

Worklog Id: (was: 910896)
Time Spent: 20m  (was: 10m)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3024) Fix findJava in knox-functions.sh

2024-03-21 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3024?focusedWorklogId=910850&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910850
 ]

ASF GitHub Bot logged work on KNOX-3024:


Author: ASF GitHub Bot
Created on: 21/Mar/24 10:43
Start Date: 21/Mar/24 10:43
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #891:
URL: https://github.com/apache/knox/pull/891

   ## What changes were proposed in this pull request?
   
   I updated the existing logic in `knox-functions.sh` to successfully check 
Java executables under `/usr` if no `JAVA_HOME` is set or Java is not available 
on the path.
   In addition to fixing the issue, I added an option to display the Java with 
the `--verbose` option (when using KnoxCLI, `--verbose true` should be used).
   
   ## How was this patch tested?
   
   Checked the updated scripts on [shellcheck.net](https://www.shellcheck.net/) 
and tested them manually:
   - `gateway.sh`
   ```
   $ bin/gateway.sh restart --verbose
   Found Java at /usr/local/opt/openjdk@8/bin/java
   Stopping Gateway with PID 12173 succeeded.
   Starting Gateway succeeded with PID 12346.
   
   $ bin/gateway.sh restart
   Stopping Gateway with PID 12346 succeeded.
   Starting Gateway succeeded with PID 12419.
   ```
   - `knoxcli.sh`
   ```
   $ bin/knoxcli.sh export-cert --type JKS --verbose true
   Found Java at /usr/local/opt/openjdk@8/bin/java
   Certificate gateway-identity has been successfully exported to: 
/Users/sandormolnar/test/knoxGateway/data/security/keystores/gateway-client-trust.jks
   
   $ bin/knoxcli.sh export-cert --type JKS
   Certificate gateway-identity has been successfully exported to: 
/Users/sandormolnar/test/knoxGateway/data/security/keystores/gateway-client-trust.jks
   ```
   - `ldap.sh`
   ```
   $ bin/ldap.sh start --verbose
   Found Java at /usr/local/opt/openjdk@8/bin/java
   Starting LDAP succeeded with PID 12531.
   
   $ bin/ldap.sh stop
   Stopping LDAP with PID 12531 succeeded.
   
   $ bin/ldap.sh start
   Starting LDAP succeeded with PID 12573.
   ```




Issue Time Tracking
---

Worklog Id: (was: 910850)
Remaining Estimate: 0h
Time Spent: 10m

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of 
> KNOX-1816, I introduced a bug in the {{findJava}} function in 
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not 
> available on the path, the function tries to find java executables under 
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in 
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...  {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
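
The lookup order described in the issue and pull request above (`JAVA_HOME`, then the path, then a search under `/usr`), as an added example that is not Knox's `knox-functions.sh`. The function names and the `JAVA_LOOKUP_PATH` and `VERBOSE` variables are assumptions made for this sketch, and diagnostics go to stderr so the resolved path can be captured from stdout.

```bash
#!/usr/bin/env bash
# Added example, not Knox's knox-functions.sh. The names find_java,
# java_from_home, java_from_path, java_from_tree, JAVA_LOOKUP_PATH and
# VERBOSE are hypothetical.

# Step 1: JAVA_HOME, accepted only if it really holds an executable file.
java_from_home() {
  [ -n "${JAVA_HOME:-}" ] || return 1
  if [ -f "${JAVA_HOME}/bin/java" ] && [ -x "${JAVA_HOME}/bin/java" ]; then
    printf '%s\n' "${JAVA_HOME}/bin/java"
  else
    return 1
  fi
}

# Step 2: the path. The body runs in a subshell so the override cannot leak.
# JAVA_LOOKUP_PATH (assumption) replaces PATH for this lookup only, which
# makes the step testable on hosts that do have java installed.
java_from_path() (
  PATH="${JAVA_LOOKUP_PATH:-$PATH}"
  found="$(command -v java 2>/dev/null)" || exit 1
  # command -v prints a bare name for a function or alias; require a path.
  case "$found" in
    /*) printf '%s\n' "$found" ;;
    *) exit 1 ;;
  esac
)

# Step 3: last resort, search a directory tree (the issue names /usr).
java_from_tree() {
  local root="$1" candidate
  [ -d "$root" ] || return 1
  # The type filter skips directories that happen to be called "java";
  # sorting makes the pick deterministic when several JDKs are present.
  candidate="$(find "$root" -name java \( -type f -o -type l \) 2>/dev/null |
    LC_ALL=C sort |
    while IFS= read -r entry; do
      # -f and -x follow symlinks, so dangling links and files without
      # an execute bit are rejected here.
      if [ -f "$entry" ] && [ -x "$entry" ]; then
        printf '%s\n' "$entry"
        break
      fi
    done)"
  [ -n "$candidate" ] || return 1
  printf '%s\n' "$candidate"
}

# Resolve Java in the order the issue describes.
# Usage: find_java [search_root]   (search_root defaults to /usr)
find_java() {
  local root="${1:-/usr}" resolved
  resolved="$(java_from_home)" ||
    resolved="$(java_from_path)" ||
    resolved="$(java_from_tree "$root")" || {
      echo "Warning: JAVA is not set and could not be found." >&2
      return 1
    }
  if [ "${VERBOSE:-false}" = "true" ]; then
    echo "Found Java at $resolved" >&2
  fi
  printf '%s\n' "$resolved"
}
```
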


[jira] [Work logged] (KNOX-3022) Possible NPE at CM cluster configuration monitor startup due to cluster configuration file issues

2024-03-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3022?focusedWorklogId=910617&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910617
 ]

ASF GitHub Bot logged work on KNOX-3022:


Author: ASF GitHub Bot
Created on: 19/Mar/24 18:10
Start Date: 19/Mar/24 18:10
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #890:
URL: https://github.com/apache/knox/pull/890




Issue Time Tracking
---

Worklog Id: (was: 910617)
Time Spent: 20m  (was: 10m)

> Possible NPE at CM cluster configuration monitor startup due to cluster 
> configuration file issues
> -
>
> Key: KNOX-3022
> URL: https://issues.apache.org/jira/browse/KNOX-3022
> Project: Apache Knox
>  Issue Type: Bug
>  Components: cm-discovery
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> In KNOX-2869, we handled the case where 
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.conf}} file was empty. 
> However, it might be the same for the 
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.ver}} file where 
> previously persisted cluster configuration (with service/role details) is 
> stored.
> If that file is empty, the following error is thrown:
> {noformat}
> 2024-03-18 19:01:34,840 ERROR discovery.cm 
> (ClusterConfigurationFileStore.java:get(106)) - Failed to load persisted 
> service configuration data for cluster monitor CM : 
> com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to 
> map due to end-of-input
>  at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 0]
> 2024-03-18 19:01:34,841 FATAL knox.gateway (GatewayServer.java:main(193)) - 
> Failed to start gateway: java.lang.NullPointerException
> java.lang.NullPointerException
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.loadServiceConfiguration(ClouderaManagerClusterConfigurationMonitor.java:196)
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.<init>(ClouderaManagerClusterConfigurationMonitor.java:103)
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitorProvider.newInstance(ClouderaManagerClusterConfigurationMonitorProvider.java:35)
>         at 
> org.apache.knox.gateway.services.topology.impl.DefaultClusterConfigurationMonitorService.init(DefaultClusterConfigurationMonitorService.java:44)
>         at 
> org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:137)
>         at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:184)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
>         at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
>         at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
>         at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52) 
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3022) Possible NPE at CM cluster configuration monitor startup due to cluster configuration file issues

2024-03-19 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3022?focusedWorklogId=910495&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-910495
 ]

ASF GitHub Bot logged work on KNOX-3022:


Author: ASF GitHub Bot
Created on: 19/Mar/24 10:23
Start Date: 19/Mar/24 10:23
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #890:
URL: https://github.com/apache/knox/pull/890

   ## What changes were proposed in this pull request?
   
   As described in the corresponding KNOX-3022 JIRA, it might happen - due to 
various IO reasons - that the CM cluster configuration file is empty at Knox 
startup time. This could prevent the Knox Gateway from starting.
   In this PR we fix this issue.
   
   ## How was this patch tested?
   
   Added a new JUnit test case as well as ran manual testing on a real cluster 
using CM discovery. Once my patch was applied, the Knox Gateway started 
properly, and the empty file log entry appeared as expected:
   ```
   grep "is empty" /var/log/knox/gateway/gateway.log 
   2024-03-19 02:56:57,434 WARN  discovery.cm 
(ClusterConfigurationFileStore.java:get(107)) - Previously saved cluster 
configuration file 
/var/lib/knox/gateway/data/cm-clusters/https___CM-HOST_CM-PORT-Cluster_1.ver is 
empty.
   ```
   




Issue Time Tracking
---

Worklog Id: (was: 910495)
Remaining Estimate: 0h
Time Spent: 10m

> Possible NPE at CM cluster configuration monitor startup due to cluster 
> configuration file issues
> -
>
> Key: KNOX-3022
> URL: https://issues.apache.org/jira/browse/KNOX-3022
> Project: Apache Knox
>  Issue Type: Bug
>  Components: cm-discovery
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> In KNOX-2869, we handled the case where 
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.conf}} file was empty. 
> However, it might be the same for the 
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.ver}} file where 
> previously persisted cluster configuration (with service/role details) is 
> stored.
> If that file is empty, the following error is thrown:
> {noformat}
> 2024-03-18 19:01:34,840 ERROR discovery.cm 
> (ClusterConfigurationFileStore.java:get(106)) - Failed to load persisted 
> service configuration data for cluster monitor CM : 
> com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to 
> map due to end-of-input
>  at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 0]
> 2024-03-18 19:01:34,841 FATAL knox.gateway (GatewayServer.java:main(193)) - 
> Failed to start gateway: java.lang.NullPointerException
> java.lang.NullPointerException
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.loadServiceConfiguration(ClouderaManagerClusterConfigurationMonitor.java:196)
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.<init>(ClouderaManagerClusterConfigurationMonitor.java:103)
>         at 
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitorProvider.newInstance(ClouderaManagerClusterConfigurationMonitorProvider.java:35)
>         at 
> org.apache.knox.gateway.services.topology.impl.DefaultClusterConfigurationMonitorService.init(DefaultClusterConfigurationMonitorService.java:44)
>         at 
> org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:137)
>         at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:184)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at 
> org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
>         at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
>         at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
>         at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
>         at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52) 
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3020) Introduce type Knox Token metadata

2024-03-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3020?focusedWorklogId=909893&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909893
 ]

ASF GitHub Bot logged work on KNOX-3020:


Author: ASF GitHub Bot
Created on: 14/Mar/24 13:53
Start Date: 14/Mar/24 13:53
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #881:
URL: https://github.com/apache/knox/pull/881




Issue Time Tracking
---

Worklog Id: (was: 909893)
Time Spent: 50m  (was: 40m)

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
>  Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as 
> follows:
>  * JWT (default)
>  * KNOXSSO_COOKIE
>  * CLIENT_ID
> This little refactor will allow us to handle every type-related decision 
> within the scope of the {{TokenMetadata}} class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3020) Introduce type Knox Token metadata

2024-03-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3020?focusedWorklogId=909868&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909868
 ]

ASF GitHub Bot logged work on KNOX-3020:


Author: ASF GitHub Bot
Created on: 14/Mar/24 11:46
Start Date: 14/Mar/24 11:46
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #881:
URL: https://github.com/apache/knox/pull/881#discussion_r1524703070


##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -142,6 +139,32 @@ public Instant getLastUsedAt() {
 return lastUsedAt == null ? null : Instant.parse(lastUsedAt);
   }
 
+  public void setType(String type) {

Review Comment:
   Done.



##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -32,14 +32,18 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 
 public class TokenMetadata {
+  public enum Type {
+JWT, KNOXSSO_COOKIE, CLIENT_ID
+  }
+
   public static final String USER_NAME = "userName";
   public static final String COMMENT = "comment";
   public static final String ENABLED = "enabled";
   public static final String PASSCODE = "passcode";
   public static final String CREATED_BY = "createdBy";
-  public static final String KNOX_SSO_COOKIE = "knoxSSOCookie";
   public static final String LAST_USED_AT = "lastUsedAt";
-  private static final List KNOWN_MD_NAMES = Arrays.asList(USER_NAME, 
COMMENT, ENABLED, PASSCODE, CREATED_BY, KNOX_SSO_COOKIE, LAST_USED_AT);
+  public static final String TYPE = "type";

Review Comment:
   Done.





Issue Time Tracking
---

Worklog Id: (was: 909868)
Time Spent: 40m  (was: 0.5h)

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
>  Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as 
> follows:
>  * JWT (default)
>  * KNOXSSO_COOKIE
>  * CLIENT_ID
> This little refactor will allow us to handle every type-related decision 
> within the scope of the {{TokenMetadata}} class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3020) Introduce type Knox Token metadata

2024-03-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3020?focusedWorklogId=909867&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909867
 ]

ASF GitHub Bot logged work on KNOX-3020:


Author: ASF GitHub Bot
Created on: 14/Mar/24 11:42
Start Date: 14/Mar/24 11:42
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #881:
URL: https://github.com/apache/knox/pull/881#discussion_r1524697107


##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -142,6 +139,32 @@ public Instant getLastUsedAt() {
 return lastUsedAt == null ? null : Instant.parse(lastUsedAt);
   }
 
+  public void setType(String type) {

Review Comment:
   Ack.



##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -32,14 +32,18 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 
 public class TokenMetadata {
+  public enum Type {
+JWT, KNOXSSO_COOKIE, CLIENT_ID
+  }
+
   public static final String USER_NAME = "userName";
   public static final String COMMENT = "comment";
   public static final String ENABLED = "enabled";
   public static final String PASSCODE = "passcode";
   public static final String CREATED_BY = "createdBy";
-  public static final String KNOX_SSO_COOKIE = "knoxSSOCookie";
   public static final String LAST_USED_AT = "lastUsedAt";
-  private static final List KNOWN_MD_NAMES = Arrays.asList(USER_NAME, 
COMMENT, ENABLED, PASSCODE, CREATED_BY, KNOX_SSO_COOKIE, LAST_USED_AT);
+  public static final String TYPE = "type";

Review Comment:
   The enum is TokenMetadata.Type. Let me figure out something.





Issue Time Tracking
---

Worklog Id: (was: 909867)
Time Spent: 0.5h  (was: 20m)

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
>  Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as 
> follows:
>  * JWT (default)
>  * KNOXSSO_COOKIE
>  * CLIENT_ID
> This little refactor will allow us to handle every type-related decision 
> within the scope of the {{TokenMetadata}} class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3020) Introduce type Knox Token metadata

2024-03-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3020?focusedWorklogId=909863&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909863
 ]

ASF GitHub Bot logged work on KNOX-3020:


Author: ASF GitHub Bot
Created on: 14/Mar/24 11:02
Start Date: 14/Mar/24 11:02
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on code in PR #881:
URL: https://github.com/apache/knox/pull/881#discussion_r1524649135


##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -142,6 +139,32 @@ public Instant getLastUsedAt() {
 return lastUsedAt == null ? null : Instant.parse(lastUsedAt);
   }
 
+  public void setType(String type) {
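
Review bot: `setType(String type)`, the last line of this hunk, takes a free-form string for a value that the same file restricts to `JWT`, `KNOXSSO_COOKIE` and `CLIENT_ID`. Only the signature is visible here, so please make sure the body rejects or explicitly defaults anything outside that set, and document what a null argument means, the way `getLastUsedAt()` just above spells out its null case.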

Review Comment:
   Can we use just enum Type for simplicity? 



##
gateway-spi/src/main/java/org/apache/knox/gateway/services/security/token/TokenMetadata.java:
##
@@ -32,14 +32,18 @@
 import com.fasterxml.jackson.annotation.JsonIgnore;
 
 public class TokenMetadata {
+  public enum Type {
+JWT, KNOXSSO_COOKIE, CLIENT_ID
+  }
+
   public static final String USER_NAME = "userName";
   public static final String COMMENT = "comment";
   public static final String ENABLED = "enabled";
   public static final String PASSCODE = "passcode";
   public static final String CREATED_BY = "createdBy";
-  public static final String KNOX_SSO_COOKIE = "knoxSSOCookie";
   public static final String LAST_USED_AT = "lastUsedAt";
-  private static final List KNOWN_MD_NAMES = Arrays.asList(USER_NAME, 
COMMENT, ENABLED, PASSCODE, CREATED_BY, KNOX_SSO_COOKIE, LAST_USED_AT);
+  public static final String TYPE = "type";
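
Review bot: removing the public constant `KNOX_SSO_COOKIE = "knoxSSOCookie"` in favour of `TYPE = "type"` leaves open how metadata that was stored under the old key is read back. Please state that next to `TYPE` or in the PR description, for example by mapping such an entry to `Type.KNOXSSO_COOKIE`, and confirm no caller outside this class still references the removed constant. The deleted `KNOWN_MD_NAMES` list also has no replacement in the lines shown, so it is worth checking that `type` is treated as a known metadata name wherever that list was used.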

Review Comment:
   Using two types of Type with same name is confusing (to read and write as 
well ;) )
   
   - String Type
   - enum Type
   
   





Issue Time Tracking
---

Worklog Id: (was: 909863)
Time Spent: 20m  (was: 10m)

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
>  Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as 
> follows:
>  * JWT (default)
>  * KNOXSSO_COOKIE
>  * CLIENT_ID
> This little refactor will allow us to handle every type-related decision 
> within the scope of the {{TokenMetadata}} class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3021) Http connection properties are not applied when SSL is disabled

2024-03-14 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3021?focusedWorklogId=909862&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909862
 ]

ASF GitHub Bot logged work on KNOX-3021:


Author: ASF GitHub Bot
Created on: 14/Mar/24 10:51
Start Date: 14/Mar/24 10:51
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #882:
URL: https://github.com/apache/knox/pull/882

   ## What changes were proposed in this pull request?
   
   As described in KNOX-3021, when SSL is disabled, the created Jetty connector 
is not populated with the pre-configured HTTP configuration. This patch fixes 
this issue.
   
   ## How was this patch tested?
   
   Added new unit tests and executed the entire test set locally.
   




Issue Time Tracking
---

Worklog Id: (was: 909862)
Remaining Estimate: 0h
Time Spent: 10m

> Http connection properties are not applied when SSL is disabled
> ---
>
> Key: KNOX-3021
> URL: https://issues.apache.org/jira/browse/KNOX-3021
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> This is what we have now:
> {noformat}
>       HttpConfiguration httpConfig = new HttpConfiguration();
>       httpConfig.setRequestHeaderSize( 
> config.getHttpServerRequestHeaderBuffer() );
>       httpConfig.setResponseHeaderSize( 
> config.getHttpServerResponseHeaderBuffer() );
>       httpConfig.setOutputBufferSize( config.getHttpServerResponseBuffer() );
>       if (config.isSSLEnabled()) {
>         HttpConfiguration httpsConfig = new HttpConfiguration( httpConfig );
>         ...
>         connector = new ServerConnector( server, sslContextFactory, new 
> HttpConnectionFactory( httpsConfig ) );
>       } else {
>         connector = new ServerConnector( server );
>       } {noformat}
> When SSL is not enabled, the previously created {{httpConfig}} is not set in 
> the created {{ServerConnector}} instance. Therefore, those properties do not 
> take effect in those clusters.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3020) Introduce type Knox Token metadata

2024-03-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3020?focusedWorklogId=909716&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909716
 ]

ASF GitHub Bot logged work on KNOX-3020:


Author: ASF GitHub Bot
Created on: 13/Mar/24 18:17
Start Date: 13/Mar/24 18:17
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #881:
URL: https://github.com/apache/knox/pull/881

   ## What changes were proposed in this pull request?
   
   //TODO
   
   ## How was this patch tested?
   
   https://github.com/apache/knox/assets/34065904/51253976-d0aa-4ad5-b0b9-8054fc938fdb
   
   




Issue Time Tracking
---

Worklog Id: (was: 909716)
Remaining Estimate: 0h
Time Spent: 10m

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
>  Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as 
> follows:
>  * JWT (default)
>  * KNOXSSO_COOKIE
>  * CLIENT_ID
> This little refactor will allow us to handle every type-related decision 
> within the scope of the {{TokenMetadata}} class.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Work logged] (KNOX-3014) Unauthenticated paths support for Shiro provider

2024-03-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3014?focusedWorklogId=909713=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909713
 ]

ASF GitHub Bot logged work on KNOX-3014:


Author: ASF GitHub Bot
Created on: 13/Mar/24 17:55
Start Date: 13/Mar/24 17:55
Worklog Time Spent: 10m 
  Work Description: moresandeep merged PR #879:
URL: https://github.com/apache/knox/pull/879




Issue Time Tracking
---

Worklog Id: (was: 909713)
Time Spent: 40m  (was: 0.5h)

> Unauthenticated paths support for Shiro provider
> 
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393 





[jira] [Work logged] (KNOX-3019) Allow tokens to be renewed any times

2024-03-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3019?focusedWorklogId=909637=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909637
 ]

ASF GitHub Bot logged work on KNOX-3019:


Author: ASF GitHub Bot
Created on: 13/Mar/24 12:18
Start Date: 13/Mar/24 12:18
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #880:
URL: https://github.com/apache/knox/pull/880




Issue Time Tracking
---

Worklog Id: (was: 909637)
Time Spent: 20m  (was: 10m)

> Allow tokens to be renewed any times
> 
>
> Key: KNOX-3019
> URL: https://issues.apache.org/jira/browse/KNOX-3019
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server, TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Setting the TTL to {{-1}} results in tokens that never expire. If the TTL is 
> configured to a positive number, renewing the token is the only way to extend 
> its expiration time. By default, there is a cap on this event: a token cannot 
> be renewed after it reaches the configured maximum lifetime (defaults to 
> {{7 days}}).
> This task aims to provide end-users with a way to bypass this check and let 
> tokens be renewed whenever they want. The logic would be similar to the 
> {{Unlimited token}} handling: if the maximum lifetime is set to {{-1}}, 
> tokens would be subject to renewal without checking the maximum lifetime.
> Please note that token renewal still must be configured with a list of 
> trusted users via the {{knox.token.renewer.whitelist}} configuration.





[jira] [Work logged] (KNOX-3019) Allow tokens to be renewed any times

2024-03-13 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3019?focusedWorklogId=909627=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909627
 ]

ASF GitHub Bot logged work on KNOX-3019:


Author: ASF GitHub Bot
Created on: 13/Mar/24 11:02
Start Date: 13/Mar/24 11:02
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #880:
URL: https://github.com/apache/knox/pull/880

   ## What changes were proposed in this pull request?
   
   Implemented what's described in 
[KNOX-3019](https://issues.apache.org/jira/browse/KNOX-3019):
   - if `knox.token.exp.max-lifetime` is set to a negative value, tokens can be 
renewed without a maximum lifetime check
   - only non-expired tokens can be renewed
   
   ## How was this patch tested?
   
   Updated current and added new JUnit tests.
   
   Conducted manual testing. In both test rounds, the Token TTL was set to 60 
seconds and the token renewal interval was 30 seconds
   
   
   **1. Maximum lifetime set to 120 seconds**
   
   ```
   
 knox.token.exp.max-lifetime
 12
   
   
 knox.token.exp.renew-interval
 3
   
   ```
   
   ```
   curl -iku admin:admin-password 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token
   HTTP/1.1 200 OK
   Date: Wed, 13 Mar 2024 09:48:02 GMT
   ...
   
   {"access_token":"eyJqa3UiOiJo...cd3baa","managed":"true",...}
   ```
   ```
   curl -iku admin:admin-password 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
   HTTP/1.1 200 OK
   Date: Wed, 13 Mar 2024 09:48:17 GMT
   ...
   
   
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:03.445+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323343445,"maxLifetimeLong":1710323403574}]}
   ```
   ```
   export 
KNOX_TOKEN="eyJqa3UiOiJodHRwczpcL1wvbG9jYWxob3N0Ojg0NDNcL2dhdGV3YXlcL3NhbmRib3hcL2tub3h0b2tlblwvYXBpXC92Mlwvandrcy5qc29uIiwia2lkIjoiaEZLVjIwMFRvUlpvZ3h2STZGVnZrODgxY3dsbzhUZHV2NlV4OTZZbmVhRSIsInR5cCI6IkpXVCIsImFsZyI6IlJTMjU2In0.eyJzdWIiOiJhZG1pbiIsImprdSI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6ODQ0M1wvZ2F0ZXdheVwvc2FuZGJveFwva25veHRva2VuXC9hcGlcL3YyXC9qd2tzLmpzb24iLCJraWQiOiJoRktWMjAwVG9SWm9neHZJNkZWdms4ODFjd2xvOFRkdXY2VXg5NlluZWFFIiwiaXNzIjoiS05PWFNTTyIsImV4cCI6MTcxMDMyMzM0MywibWFuYWdlZC50b2tlbiI6InRydWUiLCJrbm94LmlkIjoiODk2ZmEzNTctMmRiNC00MmVjLWI3MGEtOGE2M2ZlY2QzYmFhIn0.B83Nk8tdo_rsOWTJNHjYqYTkJ89vCaTqb1ICc_4stNl-lI2qd7WHA6vJ_5r-8VJ3m-DnnM4eYobiiCM7cYcX8pOdTcKKJtdxf71qTjHaAcLLEfsZrPTNqjRaOyyXYSMc4FhAHgZST_tzalqCZlRkEXmjb8ujKiSy4mjKsTp0kBr-YuzX7pFXYmTm-MHhJMtsgUkRMUJJ1U_f8idX1ey75JKiQHpo6pq3f05hdUxE0Sf3cIgdu26i61Fz2LP4HiLdyEC2D8AsgshG0gcJ3iO9219G5JE7L7wBk2srmF5FSifw5r6ame9mbPC6jf38ILnAjH98ZxtsvLVlyKoPg1VN5w"
   ```
   ```
   $ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
   HTTP/1.1 200 OK
   Date: Wed, 13 Mar 2024 09:48:35 GMT
   ...
   
   {
 "renewed": "true",
 "expires": "1710323345043"
   }
   ```
   ```
   $ curl -iku admin:admin-password 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
   HTTP/1.1 200 OK
   ...
   
   
{"tokens":[{"tokenId":"896fa357-2db4-42ec-b70a-8a63fecd3baa","issueTime":"2024-03-13T10:48:03.574+0100","expiration":"2024-03-13T10:49:05.043+0100","maxLifetime":"2024-03-13T10:50:03.574+0100","metadata":{"knoxSsoCookie":false,"customMetadataMap":{},"lastUsedAt":null,"createdBy":null,"enabled":true,"userName":"admin","comment":null},"issueTimeLong":1710323283574,"expirationLong":1710323345043,"maxLifetimeLong":1710323403574}]}
   ```
   ```
   $ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
   HTTP/1.1 200 OK
   Date: Wed, 13 Mar 2024 09:49:02 GMT
   ...
   
   {
 "renewed": "true",
 "expires": "1710323372533"
   }
   ```
   ```
   $ curl -iku admin:admin-password -X PUT -d $KNOX_TOKEN 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/renew
   HTTP/1.1 400 Bad Request
   Date: Wed, 13 Mar 2024 09:49:15 GMT
   ...
   
   {
 "renewed": "false",
 "error": "The renewal limit for the token has been exceeded",
 "code": 30
   }
   ```
   ```
   $ curl -iku admin:admin-password 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v2/token/getUserTokens?userName=admin
   HTTP/1.1 200 OK
   Date: Wed, 13 Mar 2024 09:49:35 GMT
   ...
   
   

[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909514=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909514
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 12/Mar/24 22:13
Start Date: 12/Mar/24 22:13
Worklog Time Spent: 10m 
  Work Description: lmccay merged PR #876:
URL: https://github.com/apache/knox/pull/876




Issue Time Tracking
---

Worklog Id: (was: 909514)
Time Spent: 1h 10m  (was: 1h)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth 
> style client credentials flow. This allows an integration that is provided a 
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access 
> proxied services with those or exchange those credentials for short lived JWT 
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode 
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
> Authentication using this flow will result in the effective user being what 
> is provided as the CLIENT_ID.





[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909496=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909496
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 12/Mar/24 20:40
Start Date: 12/Mar/24 20:40
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #876:
URL: https://github.com/apache/knox/pull/876#discussion_r1522084981


##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##
@@ -300,8 +302,23 @@ protected Subject createSubjectFromToken(final JWT token) 
throws UnknownTokenExc
 
   public Subject createSubjectFromTokenIdentifier(final String tokenId) throws 
UnknownTokenException {
 TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+String username = null;
 if (metadata != null) {
-  return createSubjectFromTokenData(metadata.getUserName(), null);
+  String type =  metadata.getMetadata(TYPE);
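Review bot: `metadata.getMetadata(TYPE)` on the last added line reads an item that tokens issued before this change will not carry, so the value can be absent. Any comparison that follows should be null-safe (expected constant on the left of `equals`), and a missing `type` should fall back to `metadata.getUserName()`, which is what the removed line used.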

Review Comment:
   As we discussed offline, there's going to be a follow-up JIRA to handle the 
`type` metadata.





Issue Time Tracking
---

Worklog Id: (was: 909496)
Time Spent: 1h  (was: 50m)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth 
> style client credentials flow. This allows an integration that is provided a 
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access 
> proxied services with those or exchange those credentials for short lived JWT 
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode 
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
> Authentication using this flow will result in the effective user being what 
> is provided as the CLIENT_ID.





[jira] [Work logged] (KNOX-3014) Unauthenticated paths support for Shiro provider

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3014?focusedWorklogId=909447=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909447
 ]

ASF GitHub Bot logged work on KNOX-3014:


Author: ASF GitHub Bot
Created on: 12/Mar/24 14:43
Start Date: 12/Mar/24 14:43
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on PR #879:
URL: https://github.com/apache/knox/pull/879#issuecomment-1991817355

   > Please add `knoxtoken/api/v2/jwks.json` instead of `v1` as we are going to 
deprecate it.
   
   Thanks!




Issue Time Tracking
---

Worklog Id: (was: 909447)
Time Spent: 0.5h  (was: 20m)

> Unauthenticated paths support for Shiro provider
> 
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393 





[jira] [Work logged] (KNOX-3014) Unauthenticated paths support for Shiro provider

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3014?focusedWorklogId=909446=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909446
 ]

ASF GitHub Bot logged work on KNOX-3014:


Author: ASF GitHub Bot
Created on: 12/Mar/24 14:41
Start Date: 12/Mar/24 14:41
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on PR #879:
URL: https://github.com/apache/knox/pull/879#issuecomment-1991810958

   Please add `knoxtoken/api/v2/jwks.json` instead of `v1` as we are going to 
deprecate it.




Issue Time Tracking
---

Worklog Id: (was: 909446)
Time Spent: 20m  (was: 10m)

> Unauthenticated paths support for Shiro provider
> 
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393 





[jira] [Work logged] (KNOX-3014) Unauthenticated paths support for Shiro provider

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3014?focusedWorklogId=909438=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909438
 ]

ASF GitHub Bot logged work on KNOX-3014:


Author: ASF GitHub Bot
Created on: 12/Mar/24 14:34
Start Date: 12/Mar/24 14:34
Worklog Time Spent: 10m 
  Work Description: moresandeep opened a new pull request, #879:
URL: https://github.com/apache/knox/pull/879

   ## What changes were proposed in this pull request?
   
   - Support `anon` in Shiro provider i.e. support for following param in shiro 
provider
   ```
  
   urls./knoxtoken/api/v1/jwks.json
   anon
   
   ```
   - Add `/knoxtoken/api/v1/jwks.json` to unauthenticated path list in Shiro 
provider example in sandbox.xml
   
   
   ## How was this patch tested?
   
   Tested locally
   
   ```
   curl -v -k GET 
https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/jwks.json
   *   Trying 127.0.0.1:8443...
   * Connected to localhost (127.0.0.1) port 8443 (#0)
   * ALPN: offers h2,http/1.1
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
   * TLSv1.3 (IN), TLS handshake, Certificate (11):
   * TLSv1.3 (IN), TLS handshake, CERT verify (15):
   * TLSv1.3 (IN), TLS handshake, Finished (20):
   * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
   * TLSv1.3 (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
   * ALPN: server did not agree on a protocol. Uses default.
   * Server certificate:
   *  subject: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
   *  start date: Mar 11 17:19:27 2024 GMT
   *  expire date: Mar 11 17:19:27 2025 GMT
   *  issuer: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
   *  SSL certificate verify result: self signed certificate (18), continuing 
anyway.
   * using HTTP/1.x
   > GET /gateway/sandbox/knoxtoken/api/v1/jwks.json HTTP/1.1
   > Host: localhost:8443
   > User-Agent: curl/7.88.1
   > Accept: */*
   >
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   < HTTP/1.1 200 OK
   < Date: Tue, 12 Mar 2024 14:24:25 GMT
   < Content-Type: application/json
   < Content-Length: 462
   <
   * Connection #0 to host localhost left intact
   
{"keys":[{"kty":"RSA","e":"AQAB","use":"sig","kid":"milmJraf-UtaM9Bt1jmzRHAwyIc-8ivgXtwF_-k-SHY","alg":"RS256","n":"gp1GHeqEN3rYqTq-E0yrpelr_sKrrTSCCL7MsBQ2r9NUY8kYl1TOukW0Dw4ruF85z2NxgOj864zjaqmOzN1quyuNPNNuxFCYnBsAPV0nhQIgSSuRgTzkihfuosmB3vEvxFJYx1FfF-TOGEjyfBNiDRuj_tTK3b7Y77n9bQnc_Juv5xC7KdGbNaYaIPVZmhycEeSzIGHK7QeeFF5XLg5NX1UH4KRrr4Bk60s23IygWLz5z9GK_VeSRcrFDB3ELe6y_VUMrxAWtO9QdJD-ize6AIvKhgSK3nao1NzuQoTCgSNNwzoTk2hN-YyruyE6W3kTHffdxDUTAtR_3G6gl5BO5Q"}]}
   
   ```




Issue Time Tracking
---

Worklog Id: (was: 909438)
Remaining Estimate: 0h
Time Spent: 10m

> Unauthenticated paths support for Shiro provider
> 
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393 





[jira] [Work logged] (KNOX-3018) Unlimited token generation - Wrong expiration time is shown

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3018?focusedWorklogId=909395=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909395
 ]

ASF GitHub Bot logged work on KNOX-3018:


Author: ASF GitHub Bot
Created on: 12/Mar/24 11:20
Start Date: 12/Mar/24 11:20
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #878:
URL: https://github.com/apache/knox/pull/878




Issue Time Tracking
---

Worklog Id: (was: 909395)
Time Spent: 20m  (was: 10m)

> Unlimited token generation - Wrong expiration time is shown
> ---
>
> Key: KNOX-3018
> URL: https://issues.apache.org/jira/browse/KNOX-3018
> Project: Apache Knox
>  Issue Type: Bug
>  Components: TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 14.25.04.png, Screenshot 
> 2024-03-11 at 14.25.27.png
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the 
> {{KNOXTOKEN}} service
>  * set {{knox.token.lifespan.input.enabled = false}} in the {{homepage}} 
> topology for the {{KNOXTOKEN}} service
> *Actual results*
> With KNOX-3017 in place, the token is generated, but the expiration is wrong, 
> see attached screenshots.
> In addition to this UI bug, the background reaper thread removes this token 
> the next time it's triggered. This is also incorrect: unlimited tokens should 
> never be removed automatically as they never expire.
> *Expected result*
> Token expiration should indicate an unlimited lifespan and unlimited tokens 
> should not be revoked automatically.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
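
The renewal rules from KNOX-3019 and the reaper rule from KNOX-3018, replayed against the timestamps of the PR #880 manual test, as an added Python example that is not Knox code. `CAP_MARGIN_MS` is an assumption (30 s reproduces the transcript's refusal at 09:49:15 but is not stated on the page); the function names, the simplified reaper check and the fourth request time are constructed.

```python
from dataclasses import dataclass

# Copied from the getUserTokens output in the PR #880 transcript (ms since epoch).
FIRST_EXPIRATION = 1710323343445
MAX_LIFETIME = 1710323403574
RENEW_INTERVAL_MS = 30_000  # "the token renewal interval was 30 seconds"
CAP_MARGIN_MS = 30_000      # assumption, not stated on the page

# Request times: the first two are derived as (returned "expires" - 30 s), the
# third is the Date header 09:49:15 GMT, the fourth is constructed (after expiry).
REQUEST_TIMES = [1710323315043, 1710323342533, 1710323355000, 1710323500000]


class RenewalRefused(Exception):
    """Raised when a renewal request must be rejected."""


@dataclass
class TokenState:
    expiration: int    # ms since epoch; negative means the token never expires
    max_lifetime: int  # ms since epoch; negative means no cap on renewals


def renew(token, now, renewer, whitelist,
          interval=RENEW_INTERVAL_MS, margin=CAP_MARGIN_MS):
    """Extend the expiration to now + interval, or raise RenewalRefused."""
    # The whitelist applies whether or not a maximum lifetime is configured.
    if renewer not in whitelist:
        raise RenewalRefused("renewer is not whitelisted")
    if token.expiration < 0:
        return token.expiration  # unlimited token: nothing to extend
    # Only non-expired tokens can be renewed, capped or not.
    if token.expiration <= now:
        raise RenewalRefused("token has expired")
    # A negative max lifetime skips the cap check entirely.
    if token.max_lifetime >= 0 and now + margin + interval > token.max_lifetime:
        raise RenewalRefused("renewal limit exceeded")
    token.expiration = now + interval
    return token.expiration


def evictable(token, now):
    """Reaper decision: a token with a negative expiration is never removed."""
    return 0 <= token.expiration <= now


def replay(max_lifetime, request_times, renewer="admin", whitelist=("admin",)):
    """Apply the renewals in order; return each new expiration or refusal reason."""
    token = TokenState(FIRST_EXPIRATION, max_lifetime)
    results = []
    for now in request_times:
        try:
            results.append(renew(token, now, renewer, whitelist))
        except RenewalRefused as exc:
            results.append(str(exc))
    return results


if __name__ == "__main__":
    print("capped:  ", replay(MAX_LIFETIME, REQUEST_TIMES))
    print("uncapped:", replay(-1, REQUEST_TIMES))
```

With the cap removed, the expiry check and the renewer whitelist are the only controls left on how long a token stays usable.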


[jira] [Work logged] (KNOX-3017) Unlimited token generation - invalid warning poopup

2024-03-12 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3017?focusedWorklogId=909384=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909384
 ]

ASF GitHub Bot logged work on KNOX-3017:


Author: ASF GitHub Bot
Created on: 12/Mar/24 09:20
Start Date: 12/Mar/24 09:20
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #877:
URL: https://github.com/apache/knox/pull/877




Issue Time Tracking
---

Worklog Id: (was: 909384)
Time Spent: 20m  (was: 10m)

> Unlimited token generation - invalid warning poopup
> ---
>
> Key: KNOX-3017
> URL: https://issues.apache.org/jira/browse/KNOX-3017
> Project: Apache Knox
>  Issue Type: Bug
>  Components: TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 12.57.12.png, Screenshot 
> 2024-03-11 at 12.57.35.png
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the 
> {{KNOXTOKEN}} service
>  * go to the {{Token Generation UI}} and set the {{Lifetime}} to 365 days
> *Actual results*
> The lifespan adjusting warning popup says that 365 days is greater than the 
> configured maximum lifetime. This is not true, because, as you can see in the 
> screenshot, we are creating tokens with {{unlimited lifetime}}
> *Expected result*
> The popup should not be displayed in case of unlimited token lifetime 
> configurations.
> *Note*
> After clicking the {{Generate token anyway}} button, the token was created 
> with the correct expiration time (1 year from today).





[jira] [Work logged] (KNOX-3018) Unlimited token generation - Wrong expiration time is shown

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3018?focusedWorklogId=909245=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909245
 ]

ASF GitHub Bot logged work on KNOX-3018:


Author: ASF GitHub Bot
Created on: 11/Mar/24 16:28
Start Date: 11/Mar/24 16:28
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #878:
URL: https://github.com/apache/knox/pull/878

   ## What changes were proposed in this pull request?
   
   The `Token Management` and `Token Generation` UIs are updated in a way such 
that they display `Never expires` in case a token never expires (that is, if 
the token's expiration is set to a negative number).
   Moreover, the automated token eviction logic is modified to never remove 
those tokens from the underlying token state backend.
   
   ## How was this patch tested?
   
   Updated existing unit tests to cover the token eviction logic change and ran 
manual testing on the UI.
   
   https://github.com/apache/knox/assets/34065904/fe510492-25f8-4ab8-993e-2936af93a001
   https://github.com/apache/knox/assets/34065904/74304b4f-dce9-42c9-aaea-2b4223f72c41
   https://github.com/apache/knox/assets/34065904/db8a6b11-84ba-4c9e-b94e-c8c13f46093d
   https://github.com/apache/knox/assets/34065904/af1876ff-d884-4ca1-9bf2-6ab28052cba2
   
   




Issue Time Tracking
---

Worklog Id: (was: 909245)
Remaining Estimate: 0h
Time Spent: 10m

> Unlimited token generation - Wrong expiration time is shown
> ---
>
> Key: KNOX-3018
> URL: https://issues.apache.org/jira/browse/KNOX-3018
> Project: Apache Knox
>  Issue Type: Bug
>  Components: TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 14.25.04.png, Screenshot 
> 2024-03-11 at 14.25.27.png
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the 
> {{KNOXTOKEN}} service
>  * set {{knox.token.lifespan.input.enabled = false}} in the {{homepage}} 
> topology for the {{KNOXTOKEN}} service
> *Actual results*
> With KNOX-3017 in place, the token is generated, but the expiration is wrong, 
> see attached screenshots.
> In addition to this UI bug, the background reaper thread removes this token 
> the next time it's triggered. This is also incorrect: unlimited tokens should 
> never be removed automatically as they never expire.
> *Expected result*
> Token expiration should indicate an unlimited lifespan and unlimited tokens 
> should not be revoked automatically.





[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909242=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909242
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 11/Mar/24 15:55
Start Date: 11/Mar/24 15:55
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #876:
URL: https://github.com/apache/knox/pull/876#discussion_r1519964319


##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##
@@ -238,10 +241,33 @@ public Pair getWireToken(final 
ServletRequest request) {
   }
   }
 
+  /*
+  POST /{tenant}/oauth2/v2.0/token HTTP/1.1
+  Host: login.microsoftonline.com:443
+  Content-Type: application/x-www-form-urlencoded
+
+  client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
+  =https%3A%2F%2Fgraph.microsoft.com%2F.default
+  _secret=sampleCredentials
+  _type=client_credentials
+   */
+
+  // Let's check whether this is a client credentials oauth request or 
whether
+  // the token has been configured for another usecase specific header
   if (parsed == null) {
-  token = request.getParameter(this.paramName);
-  if (token != null) {
-parsed = Pair.of(TokenType.JWT, token);
+  String grantType = request.getParameter(GRANT_TYPE);
+  if (CLIENT_CREDENTIALS.equals(grantType)) {
+// this is indeed a client credentials flow client_id and
+// client_secret are expected now the client_id will be in
+// the token as the token_id so we will get that later
+token = request.getParameter(CLIENT_SECRET);
+parsed = Pair.of(TokenType.Passcode, token);
+  }
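Review bot: in the `CLIENT_CREDENTIALS` branch, `request.getParameter(CLIENT_SECRET)` can return null, yet `parsed` is set to `Pair.of(TokenType.Passcode, token)` regardless, whereas the removed code only built the pair when `token != null`. Keep that null check so a request with `grant_type=client_credentials` and no secret is treated as carrying no token. `getParameter` also reads the query string, so consider accepting `client_secret` from the form body only, which keeps the secret out of URLs and access logs.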

Review Comment:
   I can buy that. I'll change that and fix the type in the other comment.





Issue Time Tracking
---

Worklog Id: (was: 909242)
Time Spent: 50m  (was: 40m)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth 
> style client credentials flow. This allows an integration that is provided a 
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access 
> proxied services with those or exchange those credentials for short lived JWT 
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode 
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
> Authentication using this flow will result in the effective user being what 
> is provided as the CLIENT_ID.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
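
One way to validate the client credentials request body described in KNOX-3016, as an added Python example that is not Knox code. The SHA-256 passcode digest, the in-memory store, the error strings and all sample ids and passcodes are assumptions constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs


def _digest(secret):
    """Hex digest kept in place of the passcode (SHA-256 is an assumption)."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


# Constructed sample store: client_id (the token id) -> digest of its passcode.
TOKEN_STORE = {
    "constructed-token-id-0001": _digest("constructed-passcode-A"),
    "constructed-token-id-0002": _digest("constructed-passcode-B"),
}

CREDENTIAL_PARAMS = ("grant_type", "client_id", "client_secret")
FORM_TYPE = "application/x-www-form-urlencoded"


class ClientCredentialsError(Exception):
    """Carries an OAuth 2.0 style error code for a rejected request."""


def _single(params, name):
    """Return the only value of a parameter; reject missing, empty or repeated."""
    values = params.get(name, [])
    if len(values) != 1 or not values[0]:
        raise ClientCredentialsError("invalid_request")
    return values[0]


def authenticate_client_credentials(query_string, content_type, body,
                                    store=TOKEN_STORE):
    """Return the effective user (the client_id) or raise ClientCredentialsError."""
    # Credentials in the URL end up in access logs; accept them in the body only.
    query = parse_qs(query_string, keep_blank_values=True)
    if any(name in query for name in CREDENTIAL_PARAMS):
        raise ClientCredentialsError("invalid_request")
    if content_type.split(";")[0].strip().lower() != FORM_TYPE:
        raise ClientCredentialsError("invalid_request")

    form = parse_qs(body, keep_blank_values=True)
    if _single(form, "grant_type") != "client_credentials":
        raise ClientCredentialsError("unsupported_grant_type")
    client_id = _single(form, "client_id")
    client_secret = _single(form, "client_secret")

    # The secret must match the digest stored for THIS client_id, because the
    # client_id becomes the effective user once authentication succeeds.
    stored = store.get(client_id)
    expected = stored if stored is not None else "0" * 64  # same work for unknown ids
    matches = hmac.compare_digest(_digest(client_secret), expected)
    if stored is None or not matches:
        raise ClientCredentialsError("invalid_client")
    return client_id


if __name__ == "__main__":
    sample_body = ("grant_type=client_credentials"
                   "&client_id=constructed-token-id-0001"
                   "&client_secret=constructed-passcode-A")
    print(authenticate_client_credentials("", FORM_TYPE, sample_body))
```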


[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909233=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909233
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 11/Mar/24 15:22
Start Date: 11/Mar/24 15:22
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #876:
URL: https://github.com/apache/knox/pull/876#discussion_r1519906008


##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##
@@ -300,8 +302,23 @@ protected Subject createSubjectFromToken(final JWT token) 
throws UnknownTokenExc
 
   public Subject createSubjectFromTokenIdentifier(final String tokenId) throws 
UnknownTokenException {
 TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+String username = null;
 if (metadata != null) {
-  return createSubjectFromTokenData(metadata.getUserName(), null);
+  String type =  metadata.getMetadata(TYPE);
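Review bot: `String username = null;` is declared before the `if (metadata != null)` check, so when no metadata is found the variable is still null after the block. The removed line only built a subject inside that block, so confirm the new code never passes a null `username` to `createSubjectFromTokenData` and that an unknown token id still ends in `UnknownTokenException`.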

Review Comment:
   Yeah, this is kind of a weird thing. I have a python script that is 
targeting this usecase for the time being and is setting that metadata now. It 
wouldn't surface in Knox code unless we had specific APIs or UI or something 
that leverages this generic capability in such a vertical specific context. I'm 
thinking that for now this is just a convention that needs to be followed for 
this usecase. Do you have some other suggestion?





Issue Time Tracking
---

Worklog Id: (was: 909233)
Time Spent: 40m  (was: 0.5h)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth 
> style client credentials flow. This allows an integration that is provided a 
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access 
> proxied services with those or exchange those credentials for short lived JWT 
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode 
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
> Authentication using this flow will result in the effective user being what 
> is provided as the CLIENT_ID.





[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909231=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909231
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 11/Mar/24 15:19
Start Date: 11/Mar/24 15:19
Worklog Time Spent: 10m 
  Work Description: lmccay commented on code in PR #876:
URL: https://github.com/apache/knox/pull/876#discussion_r1519901421


##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##
@@ -300,8 +302,23 @@ protected Subject createSubjectFromToken(final JWT token) 
throws UnknownTokenExc
 
   public Subject createSubjectFromTokenIdentifier(final String tokenId) throws 
UnknownTokenException {
 TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+String username = null;
 if (metadata != null) {
-  return createSubjectFromTokenData(metadata.getUserName(), null);
+  String type =  metadata.getMetadata(TYPE);
+  // using tokenID and passcode as CLIENT_ID and CLIENT_SECRET will
+  // result in a metadata item called "type". If the valid is set
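Review bot: `username` is now initialised to `null` and the early `return createSubjectFromTokenData(metadata.getUserName(), null)` is removed, so the returned subject depends on every later branch assigning `username`. Please make sure neither the `metadata == null` path nor a token whose `getMetadata(TYPE)` returns null can reach `createSubjectFromTokenData` with a null principal, and state in the comment which `type` value switches the effective user, since that value decides the identity the request runs as.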

Review Comment:
   ahh - yeah, I meant value actually.





Issue Time Tracking
---

Worklog Id: (was: 909231)
Time Spent: 0.5h  (was: 20m)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3017) Unlimited token generation - invalid warning popup

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3017?focusedWorklogId=909196=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909196
 ]

ASF GitHub Bot logged work on KNOX-3017:


Author: ASF GitHub Bot
Created on: 11/Mar/24 13:13
Start Date: 11/Mar/24 13:13
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #877:
URL: https://github.com/apache/knox/pull/877

   ## What changes were proposed in this pull request?
   
   Two changes on the `Token Generation UI`:
   - if the `homepage` topology is configured with `Unlimited token lifetime`, 
the lifetime adjustment popup will not be shown. The logic was there before, this 
was a casting issue between strings and numbers in the JS code.
   - added an `exclamation` icon to better emphasize the `Unlimited lifetime` 
setting on the UI.
   
   ## How was this patch tested?
   
   Manually tested and confirmed that the popup is no longer displayed when 
creating a 1-year token with `Unlimited lifetime` settings. The new exclamation 
mark is shown as expected (tested with and without the `-1` TTL).
   
   https://github.com/apache/knox/assets/34065904/79a33228-617b-4afe-9503-590112b98e83
   
   




Issue Time Tracking
---

Worklog Id: (was: 909196)
Remaining Estimate: 0h
Time Spent: 10m

> Unlimited token generation - invalid warning popup
> ---
>
> Key: KNOX-3017
> URL: https://issues.apache.org/jira/browse/KNOX-3017
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 12.57.12.png, Screenshot 
> 2024-03-11 at 12.57.35.png
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the 
> {{KNOXTOKEN}} service
>  * go to the {{Token Generation UI}} and set the {{Lifetime}} to 365 days
> *Actual results*
> The lifespan adjusting warning popup says that 365 days is greater than the 
> configured maximum lifetime. This is not true, because, as you can see in the 
> screenshot, we are creating tokens with {{unlimited lifetime}}
> *Expected result*
> The popup should not be displayed in case of unlimited token lifetime 
> configurations.
> *Note*
> After clicking the {{Generate token anyway}} button, the token was created 
> with the correct expiration time (1 year from today).





[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-11 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909154=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909154
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 11/Mar/24 10:58
Start Date: 11/Mar/24 10:58
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #876:
URL: https://github.com/apache/knox/pull/876#discussion_r1519517586


##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/JWTFederationFilter.java:
##
@@ -238,10 +241,33 @@ public Pair getWireToken(final 
ServletRequest request) {
   }
   }
 
+  /*
+  POST /{tenant}/oauth2/v2.0/token HTTP/1.1
+  Host: login.microsoftonline.com:443
+  Content-Type: application/x-www-form-urlencoded
+
+  client_id=535fb089-9ff3-47b6-9bfb-4f1264799865
+  =https%3A%2F%2Fgraph.microsoft.com%2F.default
+  _secret=sampleCredentials
+  _type=client_credentials
+   */
+
+  // Let's check whether this is a client credentials oauth request or 
whether
+  // the token has been configured for another usecase specific header
   if (parsed == null) {
-  token = request.getParameter(this.paramName);
-  if (token != null) {
-parsed = Pair.of(TokenType.JWT, token);
+  String grantType = request.getParameter(GRANT_TYPE);
+  if (CLIENT_CREDENTIALS.equals(grantType)) {
+// this is indeed a client credentials flow client_id and
+// client_secret are expected now the client_id will be in
+// the token as the token_id so we will get that later
+token = request.getParameter(CLIENT_SECRET);
+parsed = Pair.of(TokenType.Passcode, token);
+  }
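Review bot: `request.getParameter(CLIENT_SECRET)` in the new `CLIENT_CREDENTIALS` branch reads query-string parameters as well as form fields, so a `client_secret` placed in the URL would be accepted and would then show up in access logs and proxy logs. The sample request in the comment is a form-encoded POST, so this branch should only run for POST requests with `application/x-www-form-urlencoded` and should reject the parameter when it appears in the query string. The branch also calls `Pair.of(TokenType.Passcode, token)` without checking `token`, so a request with `grant_type=client_credentials` and no `client_secret` produces a Passcode pair holding null; add a null check before assigning `parsed`.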

Review Comment:
   I think this code - along with the above comment that explains the different 
query parameters in a client credentials flow request - deserves to be in a 
private method and can be added before the original `parsed == null` check. 
This way it's easier to read, IMO.
   
   For instance:
   ```
   // Let's check whether this is a client credentials oauth request
   parsed = parsed == null ? parseOauthRequestClientCredentials(request) : parsed;
   
   // Finally, whether the token has been configured for another usecase specific header
   if (parsed == null) {
      ...
   
   ```



##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##
@@ -300,8 +302,23 @@ protected Subject createSubjectFromToken(final JWT token) 
throws UnknownTokenExc
 
   public Subject createSubjectFromTokenIdentifier(final String tokenId) throws 
UnknownTokenException {
 TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+String username = null;
 if (metadata != null) {
-  return createSubjectFromTokenData(metadata.getUserName(), null);
+  String type =  metadata.getMetadata(TYPE);

Review Comment:
   As you indicated in the PR's description,
   > This change introduces only the acceptance of the Knox TokenID and Passcode tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client credentials flow request body
   
   Based on this, I've to ask if there is going to be a separate PR where the 
`type` metadata is created when OAuth clients get a new token (and replay the 
`tokenId` and `passcode` fields as `CLIENT_ID` and `CLIENT_SECRET`)?



##
gateway-provider-security-jwt/src/main/java/org/apache/knox/gateway/provider/federation/jwt/filter/AbstractJWTFilter.java:
##
@@ -300,8 +302,23 @@ protected Subject createSubjectFromToken(final JWT token) 
throws UnknownTokenExc
 
   public Subject createSubjectFromTokenIdentifier(final String tokenId) throws 
UnknownTokenException {
 TokenMetadata metadata = tokenStateService.getTokenMetadata(tokenId);
+String username = null;
 if (metadata != null) {
-  return createSubjectFromTokenData(metadata.getUserName(), null);
+  String type =  metadata.getMetadata(TYPE);
+  // using tokenID and passcode as CLIENT_ID and CLIENT_SECRET will
+  // result in a metadata item called "type". If the valid is set

Review Comment:
   I'm not sure I understand this sentence. Did you mean "if the `type` is set 
to CLIENT_ID"?





Issue Time Tracking
---

Worklog Id: (was: 909154)
Time Spent: 20m  (was: 10m)

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: 

[jira] [Work logged] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-08 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?focusedWorklogId=909019=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-909019
 ]

ASF GitHub Bot logged work on KNOX-3016:


Author: ASF GitHub Bot
Created on: 08/Mar/24 22:04
Start Date: 08/Mar/24 22:04
Worklog Time Spent: 10m 
  Work Description: lmccay opened a new pull request, #876:
URL: https://github.com/apache/knox/pull/876

   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   Adding support for integrations to Knox proxied services and APIs via OAuth 
style client credentials flow. This allows an integration that is provided a 
CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access proxied 
services with those or exchange those credentials for short lived JWT based 
access, id and refresh tokens.
   
   This change introduces only the acceptance of the Knox TokenID and Passcode 
tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
credentials flow request body. This body will contain the following params:
   
   1. grant_type and it will be "client_credentials"
   2. client_id which will be the KnoxToken tokenId or KnoxID
   3. client_secret which will be the passcode token for which we store the hash
   
   Authentication using this flow will result in the effective user being what 
is provided as the CLIENT_ID.
   
   ## How was this patch tested?
   
   Ran existing tests and added new unit tests
   
   Please review [Knox Contributing 
Process](https://cwiki.apache.org/confluence/display/KNOX/Contribution+Process#ContributionProcess-GithubWorkflow)
 before opening a pull request.
   




Issue Time Tracking
---

Worklog Id: (was: 909019)
Remaining Estimate: 0h
Time Spent: 10m

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
>  Issue Type: Bug
>  Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-2998) Path based authorization

2024-03-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2998?focusedWorklogId=908613=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908613
 ]

ASF GitHub Bot logged work on KNOX-2998:


Author: ASF GitHub Bot
Created on: 06/Mar/24 19:44
Start Date: 06/Mar/24 19:44
Worklog Time Spent: 10m 
  Work Description: moresandeep merged PR #875:
URL: https://github.com/apache/knox/pull/875




Issue Time Tracking
---

Worklog Id: (was: 908613)
Time Spent: 20m  (was: 10m)

> Path based authorization
> 
>
> Key: KNOX-2998
> URL: https://issues.apache.org/jira/browse/KNOX-2998
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> We will need a new acls extension (similar to AclsAuthz) to support this 
> functionality. Following is an example of how this might look.
>  
> {code:java}
> <param>
>   <name>path.KNOX-AUTH-SERVICE.acl</name>
>   <value>/foo/* [, *|path...];username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]</value>
> </param>
> {code}
> This new extension (`path` in the above example) will work with 
> CompositeAuthz and follow the same pattern as AclsAuthz provider. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
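The rule format described for KNOX-2998 and PR #875 (a `path.acl` parameter, optionally prefixed with a service name and a rule name, whose value is one path pattern followed by users, groups and IP addresses), parsed and evaluated in Python as an added example; this is not Knox code. Assumptions: `*` matches within one path segment and `**` across segments, the user, group and IP fields must all match, and every function name here is hypothetical.

```python
"""Added illustration of the path ACL rule format; not Knox code."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

SUFFIX = "path.acl"


@dataclass(frozen=True)
class PathRule:
    service: Optional[str]  # None: rule applies to every service in the topology
    name: Optional[str]     # optional rule name such as "rule_1"
    path: str
    users: frozenset
    groups: frozenset
    ips: frozenset


def _members(raw: str) -> frozenset:
    """Split a comma-separated ACL field, rejecting empty entries."""
    items = frozenset(item.strip() for item in raw.split(","))
    if "" in items:
        raise ValueError(f"empty entry in ACL field {raw!r}")
    return items


def parse_rule(param_name: str, value: str) -> PathRule:
    """Turn one topology param (name, value) into a PathRule; bad input raises."""
    if param_name != SUFFIX and not param_name.endswith("." + SUFFIX):
        raise ValueError(f"{param_name!r} is not a path ACL parameter")
    scope = param_name[: -len(SUFFIX)].rstrip(".")
    parts = scope.split(".") if scope else []
    if len(parts) > 2:
        raise ValueError(f"unexpected scope in {param_name!r}")
    fields = [f.strip() for f in value.split(";")]
    if len(fields) != 4 or not all(fields):
        raise ValueError("expected path;users;groups;ips")
    path, users, groups, ips = fields
    if "," in path:
        raise ValueError("exactly one path pattern is allowed per rule")
    return PathRule(parts[0] if parts else None,
                    parts[1] if len(parts) == 2 else None,
                    path, _members(users), _members(groups), _members(ips))


def _path_regex(pattern: str) -> "re.Pattern[str]":
    """Assumed glob semantics: '**' crosses '/', '*' stays inside one segment."""
    out = []
    for token in re.split(r"(\*\*|\*)", pattern):
        if token == "**":
            out.append(".*")
        elif token == "*":
            out.append("[^/]*")
        else:
            out.append(re.escape(token))
    return re.compile("".join(out))


def evaluate(rule: PathRule, url: str, user: str,
             groups: Iterable[str], ip: str) -> Optional[bool]:
    """None when the rule's path does not cover the URL, else allow/deny."""
    if not _path_regex(rule.path).fullmatch(url):
        return None
    user_ok = "*" in rule.users or user in rule.users
    group_ok = "*" in rule.groups or bool(rule.groups & set(groups))
    ip_ok = "*" in rule.ips or ip in rule.ips
    return user_ok and group_ok and ip_ok  # assumed AND across the three fields


def rules_for(params: Mapping[str, str], service: str) -> List[PathRule]:
    """Rules whose scope covers the service: global ones plus its own."""
    rules = []
    for name, value in params.items():
        if name == SUFFIX or name.endswith("." + SUFFIX):
            rule = parse_rule(name, value)
            if rule.service in (None, service):
                rules.append(rule)
    return rules


# Provider params taken from the three-rule KNOXTOKEN example in the PR text.
TOPOLOGY_PARAMS = {
    "KNOXTOKEN.rule_1.path.acl": "https://*:*/**/knoxtoken/api/**;admin;*;*",
    "KNOXTOKEN.rule_2.path.acl": "https://*:*/**/knoxtoken/foo/**;knox;*;*",
    "KNOXTOKEN.rule_3.path.acl": "https://*:*/**/knoxtoken/bar/**;sam;admin;*",
}

if __name__ == "__main__":
    url = "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token"
    for rule in rules_for(TOPOLOGY_PARAMS, "KNOXTOKEN"):
        print(rule.name, evaluate(rule, url, "admin", ["users"], "127.0.0.1"))
```

How the results of several matching rules are combined, and what happens when no rule covers a request, is not stated on this page, so `evaluate` reports each rule separately.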


[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908529=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908529
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 06/Mar/24 09:27
Start Date: 06/Mar/24 09:27
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #874:
URL: https://github.com/apache/knox/pull/874




Issue Time Tracking
---

Worklog Id: (was: 908529)
Time Spent: 1h 10m  (was: 1h)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> While viewing the yarn application logs on YARN RM UI via Knox, we can see 
> that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is 
> running on TLS/SSL.
> https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044
> We get the below error
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity 
> error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE: 
> java.io.IOException: java.io.IOException: Service connectivity error. 
> SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException: 
> java.io.IOException: Service connectivity error. CAUSED BY: 
> java.io.IOException: Service connectivity error.
> However when I change "scheme=https" the page loads without an issue.





[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908526=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908526
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 06/Mar/24 09:23
Start Date: 06/Mar/24 09:23
Worklog Time Spent: 10m 
  Work Description: K0K0V0K commented on PR #874:
URL: https://github.com/apache/knox/pull/874#issuecomment-1980429238

   Hi @smolnar82 !
   
   I am done with it, no issues were found.
   Thanks for the review!
   




Issue Time Tracking
---

Worklog Id: (was: 908526)
Time Spent: 1h  (was: 50m)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908514=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908514
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 06/Mar/24 08:31
Start Date: 06/Mar/24 08:31
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on PR #874:
URL: https://github.com/apache/knox/pull/874#issuecomment-1980332553

   @K0K0V0K - Please let me know when your investigation is done and we can 
proceed with the merge. Thanks!




Issue Time Tracking
---

Worklog Id: (was: 908514)
Time Spent: 50m  (was: 40m)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 50m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-06 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908508=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908508
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 06/Mar/24 08:08
Start Date: 06/Mar/24 08:08
Worklog Time Spent: 10m 
  Work Description: K0K0V0K commented on PR #874:
URL: https://github.com/apache/knox/pull/874#issuecomment-1980296697

   Hi @smolnar82 !
   
   I updated the description with the screenshot.
   May I ask for a review of it?
   Thanks!
   




Issue Time Tracking
---

Worklog Id: (was: 908508)
Time Spent: 40m  (was: 0.5h)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-2998) Path based authorization

2024-03-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2998?focusedWorklogId=908420=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908420
 ]

ASF GitHub Bot logged work on KNOX-2998:


Author: ASF GitHub Bot
Created on: 05/Mar/24 20:49
Start Date: 05/Mar/24 20:49
Worklog Time Spent: 10m 
  Work Description: moresandeep opened a new pull request, #875:
URL: https://github.com/apache/knox/pull/875

   ## What changes were proposed in this pull request?
   This change proposes a new authorization provider `PathAclsAuthz` that 
authorizes based on request path. Authorization is done based on path matching 
similar to rewrite rules.
   
   Format is very similar to  AclsAuthz provider with an addition of path. The 
format is 
   `{path};{users};{groups}:{ips}`
   One important thing to note here is that the path is not plural, there has 
to be one and only one path defined. 
   
   In case one wants multiple paths they can define multiple rules with rule 
name as a parameter e.g. 
   KNOXTOKEN.{rule_name}.path.acl
   
   _These are special cases for rule names_
   This rule will be applied to ALL services defined in the topology
   ```
   <param>
       <name>path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
   </param>
   ```
   
   This rule will be applied to only the service {service_name}
   ```
   <param>
       <name>{service_name}.path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
   </param>
   ```
   
   ALL of these rules will be applied to service {service_name}. 
   _NOTE_: {rule_1} and {rule_2} can be any unique names.
   ```
   <param>
       <name>{service_name}.{rule_1}.path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
   </param>
   <param>
       <name>{service_name}.{rule_2}.path.acl</name>
       <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
   </param>
   ```
   
   Following are concrete examples of the above rules:
   
   1. This rule will be applied to ALL services defined in the topology
   
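   ```
   <provider>
       <role>authorization</role>
       <name>PathAclsAuthz</name>
       <enabled>true</enabled>
       <param>
           <name>path.acl</name>
           <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
       </param>
   </provider>
   ```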
   
   2. This rule will be applied only to the KNOXTOKEN service
   
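   ```
   <provider>
       <role>authorization</role>
       <name>PathAclsAuthz</name>
       <enabled>true</enabled>
       <param>
           <name>KNOXTOKEN.path.acl</name>
           <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
       </param>
   </provider>
   ```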
   
   3. All of these rules will be applied only to the KNOXTOKEN service
   
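   ```
   <provider>
       <role>authorization</role>
       <name>PathAclsAuthz</name>
       <enabled>true</enabled>
       <param>
           <name>KNOXTOKEN.rule_1.path.acl</name>
           <value>https://*:*/**/knoxtoken/api/**;admin;*;*</value>
       </param>
       <param>
           <name>KNOXTOKEN.rule_2.path.acl</name>
           <value>https://*:*/**/knoxtoken/foo/**;knox;*;*</value>
       </param>
       <param>
           <name>KNOXTOKEN.rule_3.path.acl</name>
           <value>https://*:*/**/knoxtoken/bar/**;sam;admin;*</value>
       </param>
   </provider>
   ```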
   
   ## How was this patch tested?
   This patch was tested locally
   
   ```
   curl -ivku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   *   Trying 127.0.0.1:8443...
   * Connected to localhost (127.0.0.1) port 8443 (#0)
   * ALPN: offers h2,http/1.1
   * TLSv1.3 (OUT), TLS handshake, Client hello (1):
   * TLSv1.3 (IN), TLS handshake, Server hello (2):
   * TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
   * TLSv1.3 (IN), TLS handshake, Certificate (11):
   * TLSv1.3 (IN), TLS handshake, CERT verify (15):
   * TLSv1.3 (IN), TLS handshake, Finished (20):
   * TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
   * TLSv1.3 (OUT), TLS handshake, Finished (20):
   * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
   * ALPN: server did not agree on a protocol. Uses default.
   * Server certificate:
   *  subject: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
   *  start date: Mar  5 19:59:57 2024 GMT
   *  expire date: Mar  5 19:59:57 2025 GMT
   *  issuer: C=US; ST=Test; L=Test; O=Hadoop; OU=Test; CN=localhost
   *  SSL certificate verify result: self signed certificate (18), continuing 
anyway.
   * using HTTP/1.x
   * Server auth using Basic with user 'admin'
   > GET /gateway/sandbox/knoxtoken/api/v1/token HTTP/1.1
   > Host: localhost:8443
   > Authorization: Basic YWRtaW46YWRtaW4tcGFzc3dvcmQ=
   > User-Agent: curl/7.88.1
   > Accept: */*
   >
   * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
   < HTTP/1.1 200 OK
   HTTP/1.1 200 OK
   < Date: Tue, 05 Mar 2024 20:30:59 GMT
   Date: Tue, 05 Mar 2024 20:30:59 GMT
   < Set-Cookie: 

[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908305=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908305
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 05/Mar/24 11:59
Start Date: 05/Mar/24 11:59
Worklog Time Spent: 10m 
  Work Description: moresandeep merged PR #829:
URL: https://github.com/apache/knox/pull/829




Issue Time Tracking
---

Worklog Id: (was: 908305)
Time Spent: 1h 40m  (was: 1.5h)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be 
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!





[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908304=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908304
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 05/Mar/24 11:59
Start Date: 05/Mar/24 11:59
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on code in PR #829:
URL: https://github.com/apache/knox/pull/829#discussion_r1512702584


##
gateway-service-definitions/src/main/resources/services/hdfsui/3.0.0/rewrite.xml:
##
@@ -155,6 +155,9 @@
   
 
   
+  

Review Comment:
   I see, thank you for your input.





Issue Time Tracking
---

Worklog Id: (was: 908304)
Time Spent: 1.5h  (was: 1h 20m)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-05 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908270=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908270
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 05/Mar/24 09:10
Start Date: 05/Mar/24 09:10
Worklog Time Spent: 10m 
  Work Description: upczsh commented on code in PR #829:
URL: https://github.com/apache/knox/pull/829#discussion_r1512424584


##
gateway-service-definitions/src/main/resources/services/hdfsui/3.0.0/rewrite.xml:
##
@@ -155,6 +155,9 @@
   
 
   
+  

Review Comment:
   If the URL is similar to http://xxx:port/xxx/topology, you can only use 
pattern="topology" to proxy. If it is http://xxx:port/xxx/topology/xxx, you can 
use pattern="topology/{\*\*}"
   this is my test : 
   use pattern="topology/{\*\*}"
   
![image](https://github.com/apache/knox/assets/50791733/b73a71ad-b14b-49e4-a4ee-e22174599c2d)
   Report an error:
   
![image](https://github.com/apache/knox/assets/50791733/4cab115b-0ee2-4de1-abcf-cce62c72bf8c)
   Therefore, I refer to the current writing method in hdfs rewrite.xml. 
   like this : `  
   
 
 
   
 
 
   
 `





Issue Time Tracking
---

Worklog Id: (was: 908270)
Time Spent: 1h 20m  (was: 1h 10m)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>


[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908120=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908120
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 04/Mar/24 16:47
Start Date: 04/Mar/24 16:47
Worklog Time Spent: 10m 
  Work Description: moresandeep commented on code in PR #829:
URL: https://github.com/apache/knox/pull/829#discussion_r1511466933


##
gateway-service-definitions/src/main/resources/services/hdfsui/3.0.0/rewrite.xml:
##
@@ -155,6 +155,9 @@
   
 
   
+  

Review Comment:
   @upczsh  Shouldn't this be `/topology/**`? `topology` looks too broad to me. 





Issue Time Tracking
---

Worklog Id: (was: 908120)
Time Spent: 1h 10m  (was: 1h)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be 
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!





[jira] [Work logged] (KNOX-3012) Fix the DN links on the Ozone SCM UI

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3012?focusedWorklogId=908070=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908070
 ]

ASF GitHub Bot logged work on KNOX-3012:


Author: ASF GitHub Bot
Created on: 04/Mar/24 13:50
Start Date: 04/Mar/24 13:50
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #873:
URL: https://github.com/apache/knox/pull/873




Issue Time Tracking
---

Worklog Id: (was: 908070)
Time Spent: 20m  (was: 10m)

> Fix the DN links on the Ozone SCM UI
> 
>
> Key: KNOX-3012
> URL: https://issues.apache.org/jira/browse/KNOX-3012
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Zita Dombi
>Assignee: Zita Dombi
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> In HDDS-9732 we changed the datanode links on the SCM UI in Ozone, which we 
> need to follow in Knox too. 
> From this:
> {code:java}
>  href="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"
>  target="_blank">{{typestat.hostname}}
> {code}
> To this:
> {code:java}
>  target="_blank">{{typestat.hostname}}
> {code}
> We didn't adjust this in Knox, it's still looking for the previous one:
> {code:java}
>     
>     
>          pattern="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"/>
>          template="{gateway.url}/ozone-scm/datanode/index.html?host={{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}
>  "/>
>     
> {code}





[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908055=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908055
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 04/Mar/24 12:23
Start Date: 04/Mar/24 12:23
Worklog Time Spent: 10m 
  Work Description: upczsh opened a new pull request, #829:
URL: https://github.com/apache/knox/pull/829

   (It is very **important** that you created an Apache Knox JIRA for this 
change and that the PR title/commit message includes the Apache Knox JIRA ID!)
   
   ## What changes were proposed in this pull request?
   
   Add proxy for hdfs UI network topology, Clicking the hdfs UI network 
topology proxy failed, the page should be displayed and should not be Error.
   
   
   issues: [knox-2996](https://issues.apache.org/jira/browse/KNOX-2996)
   
   




Issue Time Tracking
---

Worklog Id: (was: 908055)
Time Spent: 1h  (was: 50m)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be 
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!





[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908053=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908053
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 04/Mar/24 12:23
Start Date: 04/Mar/24 12:23
Worklog Time Spent: 10m 
  Work Description: smolnar82 closed pull request #829: KNOX-2996 - Add 
proxy for hdfs UI network topology
URL: https://github.com/apache/knox/pull/829




Issue Time Tracking
---

Worklog Id: (was: 908053)
Time Spent: 50m  (was: 40m)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be 
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!





[jira] [Work logged] (KNOX-2995) json contains NaN value parsing failed

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2995?focusedWorklogId=908052=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908052
 ]

ASF GitHub Bot logged work on KNOX-2995:


Author: ASF GitHub Bot
Created on: 04/Mar/24 12:20
Start Date: 04/Mar/24 12:20
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #828:
URL: https://github.com/apache/knox/pull/828




Issue Time Tracking
---

Worklog Id: (was: 908052)
Time Spent: 1h 20m  (was: 1h 10m)

> json contains NaN value parsing failed
> --
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, 
> screenshot-3.png
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.
> I click on the page with return json and the content of Response is empty. 
> like this :  !screenshot-1.png!
>  
> Checking the gateway.log log shows the following error message.
> !screenshot-2.png!
> The display results after my repair are as follows: 
> !screenshot-3.png!
>  
>  





[jira] [Work logged] (KNOX-2996) Add proxy for hdfs UI network topology

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2996?focusedWorklogId=908046=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908046
 ]

ASF GitHub Bot logged work on KNOX-2996:


Author: ASF GitHub Bot
Created on: 04/Mar/24 11:38
Start Date: 04/Mar/24 11:38
Worklog Time Spent: 10m 
  Work Description: upczsh commented on PR #829:
URL: https://github.com/apache/knox/pull/829#issuecomment-1976387037

   @smolnar82 hello, please could you tell me why the CI failed? I just changed 
the rewrite.xml file.




Issue Time Tracking
---

Worklog Id: (was: 908046)
Time Spent: 40m  (was: 0.5h)

>  Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: 
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, 
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, 
> image-2023-12-28-16-37-15-888.png
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be 
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!





[jira] [Work logged] (KNOX-2995) json contains NaN value parsing failed

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2995?focusedWorklogId=908045=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908045
 ]

ASF GitHub Bot logged work on KNOX-2995:


Author: ASF GitHub Bot
Created on: 04/Mar/24 11:22
Start Date: 04/Mar/24 11:22
Worklog Time Spent: 10m 
  Work Description: upczsh commented on PR #828:
URL: https://github.com/apache/knox/pull/828#issuecomment-1976358576

   > @upczsh - We are about to release Knox v2.1.0 and I'd like to include your 
change. However, I cannot merge it until you update the PR description as 
requested above. Thanks!
   
   Terribly sorry!!! I have updated the PR description. It's my honor to 
contribute!




Issue Time Tracking
---

Worklog Id: (was: 908045)
Time Spent: 1h 10m  (was: 1h)

> json contains NaN value parsing failed
> --
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, 
> screenshot-3.png
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.
> I click on the page with return json and the content of Response is empty. 
> like this :  !screenshot-1.png!
>  
> Checking the gateway.log log shows the following error message.
> !screenshot-2.png!
> The display results after my repair are as follows: 
> !screenshot-3.png!
>  
>  





[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908021=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908021
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 04/Mar/24 09:00
Start Date: 04/Mar/24 09:00
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on PR #874:
URL: https://github.com/apache/knox/pull/874#issuecomment-1976056567

   Thanks, @K0K0V0K , for submitting the PR.
   May I ask you to provide at least a screenshot of your tests that your fix 
is actually working?
   Thanks!




Issue Time Tracking
---

Worklog Id: (was: 908021)
Time Spent: 0.5h  (was: 20m)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> While viewing the yarn application logs on YARN RM UI via Knox, we can see 
> that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is 
> running on TLS/SSL.
> https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044
> We get the below error
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity 
> error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE: 
> java.io.IOException: java.io.IOException: Service connectivity error. 
> SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException: 
> java.io.IOException: Service connectivity error. CAUSED BY: 
> java.io.IOException: Service connectivity error.
> However when I change "scheme=https" the page loads without an issue.





[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908007=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908007
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 04/Mar/24 08:24
Start Date: 04/Mar/24 08:24
Worklog Time Spent: 10m 
  Work Description: K0K0V0K commented on PR #874:
URL: https://github.com/apache/knox/pull/874#issuecomment-1975984535

   Hi @smolnar82 !
   May I ask for a review on this, please?
   Thanks in advance!




Issue Time Tracking
---

Worklog Id: (was: 908007)
Time Spent: 20m  (was: 10m)

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> While viewing the yarn application logs on YARN RM UI via Knox, we can see 
> that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is 
> running on TLS/SSL.
> https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044
> We get the below error
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity 
> error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE: 
> java.io.IOException: java.io.IOException: Service connectivity error. 
> SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException: 
> java.io.IOException: Service connectivity error. CAUSED BY: 
> java.io.IOException: Service connectivity error.
> However when I change "scheme=https" the page loads without an issue.





[jira] [Work logged] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https

2024-03-04 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3013?focusedWorklogId=908006=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-908006
 ]

ASF GitHub Bot logged work on KNOX-3013:


Author: ASF GitHub Bot
Created on: 04/Mar/24 08:23
Start Date: 04/Mar/24 08:23
Worklog Time Spent: 10m 
  Work Description: K0K0V0K opened a new pull request, #874:
URL: https://github.com/apache/knox/pull/874

   ## What changes were proposed in this pull request?
   
   - YARNUI/yarn/outbound/node3 rule rewrites the https schemes to http
   - To fix the issue we skip this rule if the scheme is https
   
   ## How was this patch tested?
   
   - unit tests
   - manually deployed a cluster and verified the url stays https
   




Issue Time Tracking
---

Worklog Id: (was: 908006)
Remaining Estimate: 0h
Time Spent: 10m

> Knox redirecting Yarn Node Manager URLs to http instead of https
> 
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.3.0
>Reporter: Bence Kosztolnik
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> While viewing the yarn application logs on YARN RM UI via Knox, we can see 
> that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is 
> running on TLS/SSL.
> https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044
> We get the below error
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity 
> error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE: 
> java.io.IOException: java.io.IOException: Service connectivity error. 
> SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException: 
> java.io.IOException: Service connectivity error. CAUSED BY: 
> java.io.IOException: Service connectivity error.
> However when I change "scheme=https" the page loads without an issue.





[jira] [Work logged] (KNOX-2995) json contains NaN value parsing failed

2024-02-29 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2995?focusedWorklogId=907523=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907523
 ]

ASF GitHub Bot logged work on KNOX-2995:


Author: ASF GitHub Bot
Created on: 29/Feb/24 09:03
Start Date: 29/Feb/24 09:03
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on PR #828:
URL: https://github.com/apache/knox/pull/828#issuecomment-1970698389

   @upczsh - We are about to release Knox v2.1.0 and I'd like to include your 
change.
   However, I cannot merge it until you update the PR description as requested 
above.
   Thanks!




Issue Time Tracking
---

Worklog Id: (was: 907523)
Time Spent: 1h  (was: 50m)

> json contains NaN value parsing failed
> --
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: zhaoshuaihua
>Priority: Major
> Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, 
> screenshot-3.png
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.
> I click on the page with return json and the content of Response is empty. 
> like this :  !screenshot-1.png!
>  
> Checking the gateway.log log shows the following error message.
> !screenshot-2.png!
> The display results after my repair are as follows: 
> !screenshot-3.png!
>  
>  





[jira] [Work logged] (KNOX-3012) Fix the DN links on the Ozone SCM UI

2024-02-28 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3012?focusedWorklogId=907434=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907434
 ]

ASF GitHub Bot logged work on KNOX-3012:


Author: ASF GitHub Bot
Created on: 28/Feb/24 22:45
Start Date: 28/Feb/24 22:45
Worklog Time Spent: 10m 
  Work Description: dombizita opened a new pull request, #873:
URL: https://github.com/apache/knox/pull/873

   ## What changes were proposed in this pull request?
   
   In Ozone in [HDDS-9732](https://issues.apache.org/jira/browse/HDDS-9732) the 
datanode links were changed on the SCM UI. We need to reflect these changes in 
Knox.
   
   ## How was this patch tested?
   
   I'll update this section with screenshots.
   




Issue Time Tracking
---

Worklog Id: (was: 907434)
Remaining Estimate: 0h
Time Spent: 10m

> Fix the DN links on the Ozone SCM UI
> 
>
> Key: KNOX-3012
> URL: https://issues.apache.org/jira/browse/KNOX-3012
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Zita Dombi
>Assignee: Zita Dombi
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> In HDDS-9732 we changed the datanode links on the SCM UI in Ozone, which we 
> need to follow in Knox too. 
> From this:
> {code:java}
>  href="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"
>  target="_blank">{{typestat.hostname}}
> {code}
> To this:
> {code:java}
>  target="_blank">{{typestat.hostname}}
> {code}
> We didn't adjust this in Knox, it's still looking for the previous one:
> {code:java}
>     
>     
>          pattern="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"/>
>          template="{gateway.url}/ozone-scm/datanode/index.html?host={{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}
>  "/>
>     
> {code}





[jira] [Work logged] (KNOX-3011) Resolve duplicated SL4J on classpath issue

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3011?focusedWorklogId=907151=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907151
 ]

ASF GitHub Bot logged work on KNOX-3011:


Author: ASF GitHub Bot
Created on: 27/Feb/24 11:44
Start Date: 27/Feb/24 11:44
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #861:
URL: https://github.com/apache/knox/pull/861




Issue Time Tracking
---

Worklog Id: (was: 907151)
Time Spent: 20m  (was: 10m)

> Resolve duplicated SL4J on classpath issue
> --
>
> Key: KNOX-3011
> URL: https://issues.apache.org/jira/browse/KNOX-3011
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Any time I run a KnoxCLI command, it always starts with the following warning 
> messages displayed on my terminal:
> {noformat}
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in 
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in 
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/logback-classic-1.2.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an 
> explanation.
> SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
> {noformat}
> The reason behind this warning is that Zookeeper pulls in outdated 
> {{logback}} dependencies which we should exclude.





[jira] [Work logged] (KNOX-3011) Resolve duplicated SL4J on classpath issue

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3011?focusedWorklogId=907147=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907147
 ]

ASF GitHub Bot logged work on KNOX-3011:


Author: ASF GitHub Bot
Created on: 27/Feb/24 11:18
Start Date: 27/Feb/24 11:18
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #861:
URL: https://github.com/apache/knox/pull/861

   ## What changes were proposed in this pull request?
   
   Before my change, any time I ran a KnoxCLI command I saw the following 
warning messages wrt. there are multiple SLF4J bindings on the classpath:
   ```
   $ bin/knoxcli.sh create-master --master gateway
   SLF4J: Class path contains multiple SLF4J bindings.
   SLF4J: Found binding in 
[jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
   SLF4J: Found binding in 
[jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/logback-classic-1.2.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
   SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an 
explanation.
   SLF4J: Actual binding is of type 
[org.apache.logging.slf4j.Log4jLoggerFactory]
   Master secret has been persisted to disk.
   ```
   
   I also confirmed that we have had 
`ch.qos.logback:logback-[core-classic]:jar:1.2.10` on Maven's dependency tree 
multiple times.
   ```
   $ mvn dependency:tree | grep '^.*logback.*1.2.10.*$' | wc -l
 66
   ```
   
   ## How was this patch tested?
   
   1. Running the previous `mvn:dependencyTree` command:
   ```
   $ mvn dependency:tree | grep '^.*logback.*1.2.10.*$' | wc -l
  0
   ```
   2. Rebuilt and redeployed Knox, then ran the `create-master` command:
   ```
   $ bin/knoxcli.sh create-master --master gateway
   Master secret has been persisted to disk.
   ```
   




Issue Time Tracking
---

Worklog Id: (was: 907147)
Remaining Estimate: 0h
Time Spent: 10m

> Resolve duplicated SL4J on classpath issue
> --
>
> Key: KNOX-3011
> URL: https://issues.apache.org/jira/browse/KNOX-3011
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> Any time I run a KnoxCLI command, it always starts with the following warning 
> messages displayed on my terminal:
> {noformat}
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in 
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in 
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/logback-classic-1.2.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an 
> explanation.
> SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
> {noformat}
> The reason behind this warning is that Zookeeper pulls in outdated 
> {{logback}} dependencies which we should exclude.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
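
The PR above verifies the fix on Maven's dependency tree; the same condition can be checked on the built `dep/` directory by looking for the `StaticLoggerBinder` class that the SLF4J warning names. This is an added example, not code from the PR or the Knox project: the function names, the placeholder jars and the `zookeeper-0.0.0.jar` file name are assumptions constructed for the demonstration.

```python
import sys
import tempfile
import zipfile
from pathlib import Path

# SLF4J 1.x binds to whichever jar supplies this class. When more than one jar
# on the class path supplies it, SLF4J prints the "multiple SLF4J bindings"
# warning quoted in the PR description.
BINDER_ENTRY = "org/slf4j/impl/StaticLoggerBinder.class"


def scan_dep_dir(dep_dir):
    """Return (bindings, unreadable): names of jars that ship the binder
    class, and names of jars that could not be opened as zip archives."""
    bindings, unreadable = [], []
    for jar in sorted(Path(dep_dir).glob("*.jar")):
        try:
            with zipfile.ZipFile(jar) as zf:
                if BINDER_ENTRY in zf.namelist():
                    bindings.append(jar.name)
        except zipfile.BadZipFile:
            # Do not treat a jar we could not inspect as clean.
            unreadable.append(jar.name)
    return bindings, unreadable


def evaluate(bindings, unreadable, expected_prefix="log4j-slf4j-impl-"):
    """Return a list of findings; an empty list means the directory passes.

    expected_prefix is an assumption taken from the jar that the warning on
    this page reports as the actual binding."""
    findings = []
    expected = [b for b in bindings if b.startswith(expected_prefix)]
    extra = [b for b in bindings if not b.startswith(expected_prefix)]
    if not expected:
        findings.append("no expected SLF4J binding (%s*) found" % expected_prefix)
    if len(expected) > 1:
        findings.append("several versions of the expected binding: " + ", ".join(expected))
    for name in extra:
        findings.append("unexpected SLF4J binding: " + name)
    for name in unreadable:
        findings.append("unreadable jar, contents not checked: " + name)
    return findings


def make_jar(path, entries):
    """Write a constructed placeholder jar holding empty entries (no real classes)."""
    with zipfile.ZipFile(path, "w") as zf:
        for name in entries:
            zf.writestr(name, b"")


def build_sample(root, include_logback):
    """Constructed stand-in for the dep/ directory before and after the fix."""
    root = Path(root)
    make_jar(root / "log4j-slf4j-impl-2.17.1.jar", [BINDER_ENTRY])
    # Placeholder name and version: a jar without any SLF4J binding.
    make_jar(root / "zookeeper-0.0.0.jar", ["org/apache/zookeeper/ZooKeeper.class"])
    if include_logback:
        make_jar(root / "logback-classic-1.2.10.jar", [BINDER_ENTRY])


def run_sample(include_logback):
    """Build the constructed directory in a temp dir and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, include_logback)
        return evaluate(*scan_dep_dir(tmp))


if __name__ == "__main__":
    # With a directory argument, check that directory; otherwise show the
    # constructed "before the fix" sample.
    if len(sys.argv) == 2:
        problems = evaluate(*scan_dep_dir(sys.argv[1]))
    else:
        problems = run_sample(include_logback=True)
    for problem in problems:
        print(problem)
    sys.exit(1 if problems else 0)
```

The non-zero exit status makes the script usable as a build gate. It covers only the SLF4J 1.x `StaticLoggerBinder` mechanism shown in the warning on this page.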


[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=907139=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907139
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 27/Feb/24 11:07
Start Date: 27/Feb/24 11:07
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #857:
URL: https://github.com/apache/knox/pull/857




Issue Time Tracking
---

Worklog Id: (was: 907139)
Time Spent: 1.5h  (was: 1h 20m)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1.5h
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=907133=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907133
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 27/Feb/24 10:32
Start Date: 27/Feb/24 10:32
Worklog Time Spent: 10m 
  Work Description: smolnar82 opened a new pull request, #857:
URL: https://github.com/apache/knox/pull/857

   ## What changes were proposed in this pull request?
   
   Accidentally added the `KNOX-SESSION` service twice after it was added by 
#843 .
   
   ## How was this patch tested?
   
   Verified on FS.
   




Issue Time Tracking
---

Worklog Id: (was: 907133)
Time Spent: 1h 20m  (was: 1h 10m)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=907131=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907131
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 27/Feb/24 10:26
Start Date: 27/Feb/24 10:26
Worklog Time Spent: 10m 
  Work Description: smolnar82 merged PR #842:
URL: https://github.com/apache/knox/pull/842




Issue Time Tracking
---

Worklog Id: (was: 907131)
Time Spent: 1h 10m  (was: 1h)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-27 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=907082=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-907082
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 27/Feb/24 08:38
Start Date: 27/Feb/24 08:38
Worklog Time Spent: 10m 
  Work Description: smolnar82 commented on code in PR #842:
URL: https://github.com/apache/knox/pull/842#discussion_r1503837852


##
gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:
##
@@ -101,6 +103,7 @@ public GeneralProxyInformation getGeneralProxyInformation() 
{
   final ServerInfoService serviceInfoService = 
gatewayServices.getService(ServiceType.SERVER_INFO_SERVICE);
   final String versionInfo = serviceInfoService.getBuildVersion() + " 
(hash=" + serviceInfoService.getBuildHash() + ")";
   proxyInfo.setVersion(versionInfo);
+  proxyInfo.setHostname(Hostname.getHostname());
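
Review bot: the added `proxyInfo.setHostname(Hostname.getHostname())` call in `getGeneralProxyInformation()` publishes the gateway's real host name in the General Proxy Information response, and nothing in this hunk limits who receives it or handles a lookup that returns nothing. Please confirm that this resource is only served to authenticated callers, or put the field behind a configuration switch, and fall back to a fixed placeholder when `Hostname.getHostname()` yields null or an empty string so the field is never rendered blank.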

Review Comment:
   > I wonder how critical is to have the real hostname in cases like this.
   
   In the case of troubleshooting in a real cluster, this can be critical.
   
   I agree, we may revisit the current usage of `InetAddress.getLocalHost()` 
and replace them, if needed, with this new library.
   
   WRT. the CVE concern, I also had that in my mind, but at the end of the day, 
this new dependency does nothing special but delegate the `gethostname` call to 
the OS-native layer using JNA. This is a 1-class dependency, I cannot see any 
reported vulnerabilities so far.
   https://github.com/apache/knox/assets/34065904/d4b08953-c677-400c-a77c-19361df82a6a
   





Issue Time Tracking
---

Worklog Id: (was: 907082)
Time Spent: 1h  (was: 50m)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=906977&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906977
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 26/Feb/24 15:27
Start Date: 26/Feb/24 15:27
Worklog Time Spent: 10m 
  Work Description: zeroflag commented on code in PR #842:
URL: https://github.com/apache/knox/pull/842#discussion_r1502803074


##
gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:
##
@@ -101,6 +103,7 @@ public GeneralProxyInformation getGeneralProxyInformation() 
{
   final ServerInfoService serviceInfoService = 
gatewayServices.getService(ServiceType.SERVER_INFO_SERVICE);
   final String versionInfo = serviceInfoService.getBuildVersion() + " 
(hash=" + serviceInfoService.getBuildHash() + ")";
   proxyInfo.setVersion(versionInfo);
+  proxyInfo.setHostname(Hostname.getHostname());
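
Review bot: on the added line the result of `Hostname.getHostname()` is passed straight to `setHostname` with no handling visible in the hunk for a failed or empty lookup. If the native call can throw or return null, that would fail or blank the whole General Proxy Information response; suggest guarding the call and falling back to a fixed placeholder value.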

Review Comment:
   We've already been using `InetAddress.getLocalHost().getHostName()` and 
`InetAddress.getLocalHost().getCanonicalHostName()` at a couple of places in 
the project. 
   
   I wonder how critical it is to have the real hostname in cases like this. If 
this is better we might need to consider replacing the existing references of 
these `InetAddress` calls. 
   
   Otherwise, if this is just nice-to-have information, we might need to 
think about using the existing idiom, instead of introducing a new dependency.
   
   Since adding a new dependency is always a liability, from a future maintenance 
and possible CVE point of view.





Issue Time Tracking
---

Worklog Id: (was: 906977)
Time Spent: 50m  (was: 40m)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3008) Add a new banner on the top of Knox UIs

2024-02-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3008?focusedWorklogId=906976&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906976
 ]

ASF GitHub Bot logged work on KNOX-3008:


Author: ASF GitHub Bot
Created on: 26/Feb/24 15:25
Start Date: 26/Feb/24 15:25
Worklog Time Spent: 10m 
  Work Description: zeroflag commented on code in PR #842:
URL: https://github.com/apache/knox/pull/842#discussion_r1502803074


##
gateway-service-metadata/src/main/java/org/apache/knox/gateway/service/metadata/KnoxMetadataResource.java:
##
@@ -101,6 +103,7 @@ public GeneralProxyInformation getGeneralProxyInformation() 
{
   final ServerInfoService serviceInfoService = 
gatewayServices.getService(ServiceType.SERVER_INFO_SERVICE);
   final String versionInfo = serviceInfoService.getBuildVersion() + " 
(hash=" + serviceInfoService.getBuildHash() + ")";
   proxyInfo.setVersion(versionInfo);
+  proxyInfo.setHostname(Hostname.getHostname());

Review Comment:
   We've already been using `InetAddress.getLocalHost().getHostName()` and 
`InetAddress.getLocalHost().getCanonicalHostName()` at a couple of places in 
the project. 
   
   I wonder how critical it is to have the real hostname in cases like this. If 
this is better we might need to consider replacing the existing references to 
these `InetAddress` calls. 
   
   Otherwise, if this is just nice-to-have information, we might need to 
think about using the existing idiom, instead of introducing a new dependency.
   
   Since adding a new dependency is always a liability, from a future maintenance 
and possible CVE point of view.





Issue Time Tracking
---

Worklog Id: (was: 906976)
Time Spent: 40m  (was: 0.5h)

> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a 
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top 
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
>  # Share a message of the day like hints, tips, or planned outages.
>  # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear 
> enough.
> An additional improvement would be identifying which Knox gateway is in use, 
> in case of HA deployments and if it's behind a load balancer, which can help 
> with troubleshooting. This information fits perfectly into the existing 
> {{General Proxy Information}} section on the Knox home page; we just need to 
> add this new information as a new row in the table.
>  





[jira] [Work logged] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI

2024-02-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3009?focusedWorklogId=906966&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906966
 ]

ASF GitHub Bot logged work on KNOX-3009:


Author: ASF GitHub Bot
Created on: 26/Feb/24 14:47
Start Date: 26/Feb/24 14:47
Worklog Time Spent: 10m 
  Work Description: lmccay commented on PR #843:
URL: https://github.com/apache/knox/pull/843#issuecomment-1964320884

   > Hehe...I also added the missing service in #842
   
   Great minds! Although, I guess if mine were great, I'd see that it wasn't 
needed anymore?




Issue Time Tracking
---

Worklog Id: (was: 906966)
Time Spent: 40m  (was: 0.5h)

> KNOX-SESSION missing from Manager Topology and Admin UI
> ---
>
> Key: KNOX-3009
> URL: https://issues.apache.org/jira/browse/KNOX-3009
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Release
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Due to KNOX-SESSION service missing from the default manager.xml topology, an 
> alert in the Admin UI is displayed while trying to retrieve the authenticated 
> user name and "dr. who" is displayed as the user.
>  





[jira] [Work logged] (KNOX-3002) KnoxCLI command for generating descriptor for a role type from a list of hosts

2024-02-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3002?focusedWorklogId=906907&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906907
 ]

ASF GitHub Bot logged work on KNOX-3002:


Author: ASF GitHub Bot
Created on: 26/Feb/24 09:37
Start Date: 26/Feb/24 09:37
Worklog Time Spent: 10m 
  Work Description: zeroflag merged PR #835:
URL: https://github.com/apache/knox/pull/835




Issue Time Tracking
---

Worklog Id: (was: 906907)
Time Spent: 1h  (was: 50m)

> KnoxCLI command for generating descriptor for a role type from a list of hosts
> --
>
> Key: KNOX-3002
> URL: https://issues.apache.org/jira/browse/KNOX-3002
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: KnoxCLI
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>






[jira] [Work logged] (KNOX-3007) Make http client cookie spec parameter configurable

2024-02-26 Thread ASF GitHub Bot (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3007?focusedWorklogId=906908&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-906908
 ]

ASF GitHub Bot logged work on KNOX-3007:


Author: ASF GitHub Bot
Created on: 26/Feb/24 09:37
Start Date: 26/Feb/24 09:37
Worklog Time Spent: 10m 
  Work Description: zeroflag merged PR #841:
URL: https://github.com/apache/knox/pull/841




Issue Time Tracking
---

Worklog Id: (was: 906908)
Time Spent: 40m  (was: 0.5h)

> Make http client cookie spec parameter configurable
> ---
>
> Key: KNOX-3007
> URL: https://issues.apache.org/jira/browse/KNOX-3007
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> The apache http client rejects cookies if the expiration date doesn't have 
> the expected format (EEE, dd-MMM-yy HH:mm:ss z).
> {code}
> 2023-11-20 17:58:51,189 XXX WARN  protocol.ResponseProcessCookies 
> (ResponseProcessCookies.java:processCookies(130)) - Invalid cookie header: 
> "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly; 
> Max-Age=300; Path=/; SameSite=Lax; Secure". Invalid 'expires' attribute: Mon, 
> 20 Nov 2023 23:03:51 GMT
> {code}
> This can be reconfigured by setting different cookiespec types:
> https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
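
The cookie-spec behaviour described in the issue above, as an added example that is not part of the original message and is not Knox's own code. It assumes Apache HttpClient 4.5.x on the classpath; the class name `CookieSpecDemo` and the host `backend.example.com` are hypothetical, and the header is a constructed sample modelled on the quoted log line.

```java
import java.util.List;
import org.apache.http.Header;
import org.apache.http.client.config.CookieSpecs;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.cookie.Cookie;
import org.apache.http.cookie.CookieOrigin;
import org.apache.http.cookie.CookieSpec;
import org.apache.http.cookie.MalformedCookieException;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.cookie.DefaultCookieSpec;
import org.apache.http.impl.cookie.RFC6265LaxSpec;
import org.apache.http.message.BasicHeader;

public class CookieSpecDemo {
  // Constructed sample, modelled on the Set-Cookie header in the log line above.
  static final Header SET_COOKIE = new BasicHeader("Set-Cookie",
      "sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly; "
          + "Max-Age=300; Path=/; SameSite=Lax; Secure");
  // Hypothetical backend origin; the cookie carries Secure, so the origin is HTTPS.
  static final CookieOrigin ORIGIN = new CookieOrigin("backend.example.com", 443, "/", true);

  // Parse and validate the header with one spec; return the outcome as text.
  static String tryParse(String label, CookieSpec spec) {
    try {
      List<Cookie> cookies = spec.parse(SET_COOKIE, ORIGIN);
      for (Cookie cookie : cookies) {
        spec.validate(cookie, ORIGIN);
      }
      return label + ": accepted " + cookies.size() + " cookie(s)";
    } catch (MalformedCookieException e) {
      // A rejected cookie is dropped, so the session is never sent back.
      return label + ": rejected, " + e.getMessage();
    }
  }

  public static void main(String[] args) throws Exception {
    // Spec used when none is configured, then the RFC 6265 one behind CookieSpecs.STANDARD.
    System.out.println(tryParse("default", new DefaultCookieSpec()));
    System.out.println(tryParse("standard", new RFC6265LaxSpec()));
    // Selecting the spec for every request made by a client instance.
    RequestConfig config = RequestConfig.custom().setCookieSpec(CookieSpecs.STANDARD).build();
    try (CloseableHttpClient client =
        HttpClients.custom().setDefaultRequestConfig(config).build()) {
      System.out.println("client built with cookie spec: " + config.getCookieSpec());
    }
  }
}
```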




