[jira] [Commented] (KNOX-3036) Add a Primary Group Function to Virtual Groups
[ https://issues.apache.org/jira/browse/KNOX-3036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17843763#comment-17843763 ]

ASF subversion and git services commented on KNOX-3036:
---

Commit 6c26ec6101b715d00219771997cd3b792893b6ee in knox's branch refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6c26ec610 ]

KNOX-3036 - Add Primary Group Virtual Group (#905)

* KNOX-3036 - Add Primary Group Virtual Group

> Add a Primary Group Function to Virtual Groups
> --
>
> Key: KNOX-3036
> URL: https://issues.apache.org/jira/browse/KNOX-3036
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The virtual groups through predicate evaluations should include a means to
> dynamically add a group principal with the same name as the username.
> This will require intercepting the configured mapping key name which usually
> ends with the literal virtual group name that will be added upon matching of
> the predicate logic.
> For this, we will add an optional Logical Virtual Group which will need to be
> resolved rather than used as a literal. For this specific usecase, we can use
> syntax such as:
> {code}
> <param>
>     <name>group.mapping.$PRIMARY_GROUP</name>
>     <value>(not (member username))</value>
> </param>
> {code}
> This will add a primary group for all authenticated users that don't already
> have one in the current groups list.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3023) Extend the Hadoop proxyuser dispatch to optionally include groups in a header in addition to doAs
[ https://issues.apache.org/jira/browse/KNOX-3023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17842655#comment-17842655 ]

ASF subversion and git services commented on KNOX-3023:
---

Commit b6ff0acdc326e54fd061b4b2f4e172cef24f5a5f in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b6ff0acdc ]

KNOX-3023 - Include groups in a header in ConfigurableDispatch (#903)

> Extend the Hadoop proxyuser dispatch to optionally include groups in a header
> in addition to doAs
> -
>
> Key: KNOX-3023
> URL: https://issues.apache.org/jira/browse/KNOX-3023
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.0.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently Hadoop proxyuser dispatch does not have a mechanism to relay user
> groups. This JIRA tried to address this problem. This can be done similar to
> what we have done in [Knox Auth
> Service|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Knox+Auth+Service]
> `auth/api/v1/pre` endpoint where a header is added to the response (by
> default X-Knox-Actor-ID) with the principal name to the response. In this
> case these headers will be added to outgoing requests.
[jira] [Commented] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled
[ https://issues.apache.org/jira/browse/KNOX-3032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17842418#comment-17842418 ]

ASF subversion and git services commented on KNOX-3032:
---

Commit e1a746879cedeaf4401a905328cd382bdbb4eb85 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e1a746879 ]

KNOX-3032 - Passcode use without token state service returns 401 (#902)

> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> *Steps to reproduce:*
> * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where
>   {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the
>   attachment)
> * acquire a Knox Token using the Token Generation UI
> * use the {{Passcode}} field in a {{curl}} request against a service
>   endpoint in the new topology
>
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE= https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
>
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error
> message.
[jira] [Commented] (KNOX-3030) SAXException occurs while parsing old topology on the descriptor handle path
[ https://issues.apache.org/jira/browse/KNOX-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17839807#comment-17839807 ]

ASF subversion and git services commented on KNOX-3030:
---

Commit 1018a3b29ca716b9fbdc5870b132238a9dcc7e91 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1018a3b29 ]

KNOX-3030 - Make TopologyUtils.parse thread safe (#901)

Besides this, Knox logs the faulty generated content when it's about to be persisted on the disk.

> SAXException occurs while parsing old topology on the descriptor handle path
>
> Key: KNOX-3030
> URL: https://issues.apache.org/jira/browse/KNOX-3030
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In highly concurrent environments Knox may fail to parse the generated
> topology from descriptors/shared providers thus topology deployment fails
> with the following error:
> {noformat}
> 2024-01-26 10:35:25,173 ERROR topology.simple (SimpleDescriptorHandler.java:shouldPersistGeneratedTopology(682)) - Error comparing the generated cdp-proxy topology with the existing version: org.xml.sax.SAXParseException; lineNumber: 35; columnNumber: 20; Error at line 35 char 20: class org.apache.knox.gateway.topology.Provider cannot be cast to class org.apache.knox.gateway.topology.Param (org.apache.knox.gateway.topology.Provider and org.apache.knox.gateway.topology.Param are in unnamed module of loader java.net.URLClassLoader @668bc3d5)
> 2024-01-26 10:35:25,173 INFO topology.simple (SimpleDescriptorHandler.java:generateTopology(622)) - Skipping redeployment of the cdp-proxy topology because it already exists and has not changed.
> {noformat}
> This will lead to unreachable end-user endpoints.
[jira] [Commented] (KNOX-3028) KnoxToken extension for OAuth Token Flows
[ https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17837388#comment-17837388 ]

ASF subversion and git services commented on KNOX-3028:
---

Commit d74fb4f8492191d24ab556fbefd50bbf0ebc8ad8 in knox's branch refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d74fb4f84 ]

KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN (#900)

* KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 3h
> Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to
> include OAuth specifics such as expected URL, error messages and flows to
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific usecase, we need to intercept the use of the
> following endpoint URLs and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to
> register a url pattern for each usecase and the resource path within the
> jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and need to match to the
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining
> path fragment being optional for the iceberg specific "tokens".
> Not pretty but it will work.
> 1. https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml
[jira] [Commented] (KNOX-3014) Unauthenticated paths support for Shiro provider
[ https://issues.apache.org/jira/browse/KNOX-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17832873#comment-17832873 ]

ASF subversion and git services commented on KNOX-3014:
---

Commit 1916717 from Sandeep More
[ https://svn.apache.org/r1916717 ]

KNOX-3015 KNOX-3014 - Document path based authorization feature and Unauthenticated paths support for Shiro provider

> Unauthenticated paths support for Shiro provider
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
>
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393
> This can be enabled by adding the following param to Shiro authentication
> provider
> {code:java}
> <param>
>     <name>urls./knoxtoken/api/v1/jwks.json</name>
>     <value>anon</value>
> </param>
> {code}
[jira] [Commented] (KNOX-3015) Document path based authorization feature
[ https://issues.apache.org/jira/browse/KNOX-3015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17832872#comment-17832872 ]

ASF subversion and git services commented on KNOX-3015:
---

Commit 1916717 from Sandeep More
[ https://svn.apache.org/r1916717 ]

KNOX-3015 KNOX-3014 - Document path based authorization feature and Unauthenticated paths support for Shiro provider

> Document path based authorization feature
> -
>
> Key: KNOX-3015
> URL: https://issues.apache.org/jira/browse/KNOX-3015
> Project: Apache Knox
> Issue Type: Bug
> Components: Document
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Document KNOX-2998
[jira] [Commented] (KNOX-3026) Exclude services/roles from being discovered
[ https://issues.apache.org/jira/browse/KNOX-3026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17831824#comment-17831824 ]

ASF subversion and git services commented on KNOX-3026:
---

Commit af09c1d4e90941c9e545a6667af561c3b9c3a717 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=af09c1d4e ]

KNOX-3026 - End-users can exclude certain services or roles from CM service discovery (#893)

> Exclude services/roles from being discovered
>
> Key: KNOX-3026
> URL: https://issues.apache.org/jira/browse/KNOX-3026
> Project: Apache Knox
> Issue Type: Improvement
> Affects Versions: 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently, even after implementing KNOX-2899, CM service discovery is running
> on the entire CM cluster and fetches information on all services and roles
> that are available on that target cluster. We may want to revisit the
> service-based discovery enablement (that is now disabled by KNOX-2899).
> However, there is a need for end-users to be able to declare services and
> roles that should be explicitly excluded during service discovery.
[jira] [Commented] (KNOX-3024) Fix findJava in knox-functions.sh
[ https://issues.apache.org/jira/browse/KNOX-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17829556#comment-17829556 ]

ASF subversion and git services commented on KNOX-3024:
---

Commit 1e9a39b76b2da8d995f1201d9cf0ecf6b3d3d085 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1e9a39b76 ]

KNOX-3024 - Fixed Java finding issues (#891)

> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
> Issue Type: Bug
> Components: Release
> Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Blocker
> Fix For: 2.1.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of
> KNOX-1816, I introduced a bug in the {{findJava}} function in
> {{knox-functions.sh}}: when $JAVA_HOME is not set, and Java is not
> available on the path, the function tries to find java executables under
> {{/usr}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ...
> {noformat}
[jira] [Commented] (KNOX-3022) Possible NPE at CM cluster configuration monitor startup due to cluster configuration file issues
[ https://issues.apache.org/jira/browse/KNOX-3022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17828477#comment-17828477 ]

ASF subversion and git services commented on KNOX-3022:
---

Commit 3fed1e06041f8756dd50179f9764ac73da28ac01 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3fed1e060 ]

KNOX-3022 - Handling the case when previously persisted CM cluster config file is empty (#890)

> Possible NPE at CM cluster configuration monitor startup due to cluster
> configuration file issues
> -
>
> Key: KNOX-3022
> URL: https://issues.apache.org/jira/browse/KNOX-3022
> Project: Apache Knox
> Issue Type: Bug
> Components: cm-discovery
> Affects Versions: 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In KNOX-2869, we handled the case where
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.conf}} file was empty.
> However, it might be the same for the
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.ver}} file where
> previously persisted cluster configuration (with service/role details) is
> stored.
> If that file is empty, the following error is thrown:
> {noformat}
> 2024-03-18 19:01:34,840 ERROR discovery.cm (ClusterConfigurationFileStore.java:get(106)) - Failed to load persisted service configuration data for cluster monitor CM : com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
>  at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 0]
> 2024-03-18 19:01:34,841 FATAL knox.gateway (GatewayServer.java:main(193)) - Failed to start gateway: java.lang.NullPointerException
> java.lang.NullPointerException
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.loadServiceConfiguration(ClouderaManagerClusterConfigurationMonitor.java:196)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.<init>(ClouderaManagerClusterConfigurationMonitor.java:103)
>     at org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitorProvider.newInstance(ClouderaManagerClusterConfigurationMonitorProvider.java:35)
>     at org.apache.knox.gateway.services.topology.impl.DefaultClusterConfigurationMonitorService.init(DefaultClusterConfigurationMonitorService.java:44)
>     at org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:137)
>     at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:184)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
>     at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
>     at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
>     at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
>     at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
> {noformat}
[jira] [Commented] (KNOX-3020) Introduce type Knox Token metadata
[ https://issues.apache.org/jira/browse/KNOX-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17827100#comment-17827100 ]

ASF subversion and git services commented on KNOX-3020:
---

Commit 67ebe9ae9fffe73ca13c335b1aaa14446b343aa3 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=67ebe9ae9 ]

KNOX-3020 - Introducing the 'type' metadata for Knox Tokens (#881)

> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
> Issue Type: Task
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as
> follows:
> * JWT (default)
> * KNOXSSO_COOKIE
> * CLIENT_ID
>
> This little refactor will allow us to handle every type-related decision
> within the scope of the {{TokenMetadata}} class.
[jira] [Commented] (KNOX-3014) Unauthenticated paths support for Shiro provider
[ https://issues.apache.org/jira/browse/KNOX-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826812#comment-17826812 ]

ASF subversion and git services commented on KNOX-3014:
---

Commit 84999b8e1851c381480b4827979166675f7971d4 in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=84999b8e1 ]

KNOX-3014 - Fix a bug where unauthenticated path configured in shiro provider throw exception (#879)

* KNOX-3014 - Fix a bug where unauthenticated path configured in shiro provider throw exception
* Formatting changes
* Adding /knoxtoken/api/v1/jwks.json and v1 will be depreciated
* Check at Knox level if the request is configured to be anonymous using shiro configs. Add unit tests for better test coverage.

> Unauthenticated paths support for Shiro provider
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Looks like we only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
>
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393
[jira] [Commented] (KNOX-3019) Allow tokens to be renewed any times
[ https://issues.apache.org/jira/browse/KNOX-3019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826030#comment-17826030 ]

ASF subversion and git services commented on KNOX-3019:
---

Commit c098afaec3a181d8a5d8d5f25a61526d4b608a8b in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c098afaec ]

KNOX-3019 - Allow token renewal without upper bound for non-expired tokens (#880)

> Allow tokens to be renewed any times
>
> Key: KNOX-3019
> URL: https://issues.apache.org/jira/browse/KNOX-3019
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server, TokenGenerationUI
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Setting the TTL to {{-1}} results in tokens that never expire. If the TTL is
> configured to a positive number, renewing the token is the only way to extend
> its expiration time. By default, there is a cap on this event: a token cannot
> be renewed after it reaches the configured maximum lifetime (defaults to
> {{7 days}}).
> This task aims to provide end-users with a way to bypass this check and let
> tokens be renewed whenever they want. The logic would be similar to the
> {{Unlimited token}} handling: if the maximum lifetime is set to {{-1}},
> tokens would be subject to renewal without checking the maximum lifetime.
> Please note that token renewal still must be configured with a list of
> trusted users via the {{knox.token.renewer.whitelist}} configuration.
[jira] [Commented] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens
[ https://issues.apache.org/jira/browse/KNOX-3016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825846#comment-17825846 ]

ASF subversion and git services commented on KNOX-3016:
---

Commit 8f38723bb6b8111eb93b01697e89dd98fb6f59f2 in knox's branch refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8f38723bb ]

KNOX-3016 - add support for client credentials flow (#876)

* KNOX-3016 - add support for client credentials flow

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth
> style client credentials flow. This allows an integration that is provided a
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access
> proxied services with those or exchange those credentials for short lived JWT
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
>
> Authentication using this flow will result in the effective user being what
> is provided as the CLIENT_ID.
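
The request-body check described in KNOX-3016, as an added example that is not Knox code. The function names, the HMAC-SHA256 hashing of the passcode, the demo key and the sample store are assumptions made for illustration; a store of None models a disabled token state service, which must fail closed with 401 as KNOX-3032 expects.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed sample data for this example only.
DEMO_KEY = b"constructed-demo-key"
REQUIRED = ("grant_type", "client_id", "client_secret")


def hash_passcode(passcode, key):
    """Hash a passcode for storage (HMAC-SHA256 is an assumption here)."""
    return hmac.new(key, passcode.encode("utf-8"), hashlib.sha256).hexdigest()


DEMO_STORE = {"a1b2-token-id": hash_passcode("constructed-passcode", DEMO_KEY)}


def authenticate(body, stored_hashes, key):
    """Validate a client credentials request body.

    Returns (http_status, effective_user). Status codes follow RFC 6749
    section 5.2: malformed request or wrong grant type is 400, failed
    client authentication is 401.
    """
    params = parse_qs(body, keep_blank_values=True)

    # Each parameter must appear exactly once; repeated parameters are
    # rejected so two layers cannot disagree about which value counts.
    if any(len(params.get(name, [])) != 1 for name in REQUIRED):
        return 400, None
    if params["grant_type"][0] != "client_credentials":
        return 400, None

    # No server-side token state means there is no hash to verify the
    # secret against: reject instead of letting the request through.
    if stored_hashes is None:
        return 401, None

    client_id = params["client_id"][0]
    presented = hash_passcode(params["client_secret"][0], key)
    expected = stored_hashes.get(client_id)

    # Constant-time comparison; unknown ids are compared against a dummy
    # value so both paths do the same amount of work.
    matches = hmac.compare_digest(presented, expected or "0" * 64)
    if expected is None or not matches:
        return 401, None

    # The effective user is whatever was presented as the CLIENT_ID.
    return 200, client_id
```
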
[jira] [Commented] (KNOX-3018) Unlimited token generation - Wrong expiration time is shown
[ https://issues.apache.org/jira/browse/KNOX-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825637#comment-17825637 ]

ASF subversion and git services commented on KNOX-3018:
---

Commit 37dc8a736507ecbd39eacfd206f8c05aa15e1745 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=37dc8a736 ]

KNOX-3018 - Tokens that never expire should not be evicted automatically and their expiration should be displayed properly (#878)

> Unlimited token generation - Wrong expiration time is shown
> ---
>
> Key: KNOX-3018
> URL: https://issues.apache.org/jira/browse/KNOX-3018
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 14.25.04.png, Screenshot
> 2024-03-11 at 14.25.27.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Steps to reproduce*
> * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the
>   {{KNOXTOKEN}} service
> * set {{knox.token.lifespan.input.enabled = false}} in the {{homepage}}
>   topology for the {{KNOXTOKEN}} service
>
> *Actual results*
> With KNOX-3017 in place, the token is generated, but the expiration is wrong,
> see attached screenshots.
> In addition to this UI bug, the background reaper thread removes this token
> the next time it's triggered. This is also incorrect: unlimited tokens should
> never be removed automatically as they never expire.
>
> *Expected result*
> Token expiration should indicate an unlimited lifespan and unlimited tokens
> should not be revoked automatically.
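
A model of the renewal and eviction rules described in KNOX-3019 and KNOX-3018, added here as an example and not taken from the Knox code base. The Token and Decision types, the renew_interval parameter and the choice to clamp a renewal at the lifetime cap are assumptions of this sketch; the -1 sentinel, the 7 day default and the renewer whitelist come from the issue text.

```python
from dataclasses import dataclass
from typing import Optional

UNLIMITED = -1          # TTL or maximum lifetime of -1 means "no limit"
DAY = 24 * 60 * 60      # seconds


@dataclass(frozen=True)
class Token:
    issued_at: int      # epoch seconds
    expires_at: int     # epoch seconds, or UNLIMITED


@dataclass(frozen=True)
class Decision:
    allowed: bool
    expires_at: Optional[int]
    reason: str


def renew(token, renewer, now, *, renew_interval=DAY,
          max_lifetime=7 * DAY, whitelist=frozenset()):
    """Decide whether `renewer` may extend `token` at time `now`."""
    # The whitelist check applies even when the lifetime cap is disabled.
    if renewer not in whitelist:
        return Decision(False, None, "renewer not in knox.token.renewer.whitelist")

    if token.expires_at == UNLIMITED:
        return Decision(True, UNLIMITED, "token never expires")

    # Only non-expired tokens can be renewed; an expired token stays dead.
    if now >= token.expires_at:
        return Decision(False, None, "token already expired")

    if max_lifetime == UNLIMITED:
        return Decision(True, now + renew_interval, "maximum lifetime check skipped")

    cap = token.issued_at + max_lifetime
    if now >= cap:
        return Decision(False, None, "maximum lifetime reached")
    # Assumption of this sketch: a renewal never extends past the cap.
    return Decision(True, min(now + renew_interval, cap), "renewed within cap")


def is_evictable(token, now):
    """Reaper rule: tokens that never expire are never removed."""
    return token.expires_at != UNLIMITED and token.expires_at <= now
```
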
[jira] [Commented] (KNOX-3017) Unlimited token generation - invalid warning popup
[ https://issues.apache.org/jira/browse/KNOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825581#comment-17825581 ]

ASF subversion and git services commented on KNOX-3017:
---

Commit 0ec2ea8c1f17112c0ed9831933b1f4f85637bb5d in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=0ec2ea8c1 ]

KNOX-3017 - Avoid showing lifetime adjustment popup when TTL is set to -1 (#877)

> Unlimited token generation - invalid warning popup
> ---
>
> Key: KNOX-3017
> URL: https://issues.apache.org/jira/browse/KNOX-3017
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 12.57.12.png, Screenshot
> 2024-03-11 at 12.57.35.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Steps to reproduce*
> * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the
>   {{KNOXTOKEN}} service
> * go to the {{Token Generation UI}} and set the {{Lifetime}} to 365 days
>
> *Actual results*
> The lifespan adjusting warning popup says that 365 days is greater than the
> configured maximum lifetime. This is not true, because, as you can see in the
> screenshot, we are creating tokens with {{unlimited lifetime}}
>
> *Expected result*
> The popup should not be displayed in case of unlimited token lifetime
> configurations.
>
> *Note*
> After clicking the {{Generate token anyway}} button, the token was created
> with the correct expiration time (1 year from today).
[jira] [Commented] (KNOX-2998) Path based authorization
[ https://issues.apache.org/jira/browse/KNOX-2998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17824157#comment-17824157 ]

ASF subversion and git services commented on KNOX-2998:
---

Commit c594fe79b9a40fba430c8baa856d93f2f258d1a8 in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c594fe79b ]

KNOX-2998 - Path based authorization provider (#875)

> Path based authorization
>
> Key: KNOX-2998
> URL: https://issues.apache.org/jira/browse/KNOX-2998
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> We will need a new acls extension (similar to AclsAuthz) to support this
> functionality. Following, is an example of how this might look.
>
> {code:java}
> <param>
>     <name>path.KNOX-AUTH-SERVICE.acl</name>
>     <value>/foo/* [, *|path...];username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]</value>
> </param>
> {code}
> This new extension (`path` in the above example) will work with
> CompositeAuthz and follow the same pattern as AclsAuthz provider.
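
A parser and evaluator for the path ACL value format quoted in KNOX-2998, added here as an example and not taken from the Knox provider. Assumptions of this sketch: the path arrives already URL-decoded, the user, group and ipaddr fields are combined with AND, an empty field is rejected and must be written as * explicitly, and a path not covered by the ACL yields None so the caller decides what happens to it.

```python
import fnmatch
import posixpath
from dataclasses import dataclass

FIELDS = ("path", "username", "group", "ipaddr")


@dataclass(frozen=True)
class PathAcl:
    paths: tuple
    users: tuple
    groups: tuple
    ips: tuple


def _items(raw, field):
    items = tuple(part.strip() for part in raw.split(","))
    if not all(items):
        # An empty entry must not silently turn into "match anything".
        raise ValueError(f"empty entry in {field} field; write * explicitly")
    return items


def parse_path_acl(value):
    """Parse 'path[,path...];user[,...];group[,...];ipaddr[,...]'."""
    fields = value.split(";")
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} ';'-separated fields")
    return PathAcl(*(_items(raw, name) for raw, name in zip(fields, FIELDS)))


def normalize(path):
    # Collapse '.', '..' and repeated slashes before matching, so that
    # '/public/../foo/x' is checked against the ACL as '/foo/x'.
    return "/" + posixpath.normpath("/" + path).lstrip("/")


def _allowed(entries, value):
    return "*" in entries or value in entries


def evaluate(acl, path, user, groups, ip):
    """Return None if the ACL does not cover `path`, else True or False."""
    path = normalize(path)
    if not any(fnmatch.fnmatchcase(path, pattern) for pattern in acl.paths):
        return None
    user_ok = _allowed(acl.users, user)
    group_ok = "*" in acl.groups or any(g in acl.groups for g in groups)
    ip_ok = _allowed(acl.ips, ip)
    # AND mode (assumption): every field has to match.
    return user_ok and group_ok and ip_ok
```
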
[jira] [Commented] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https
[ https://issues.apache.org/jira/browse/KNOX-3013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823934#comment-17823934 ]

ASF subversion and git services commented on KNOX-3013:
---

Commit 5088d423a512b7bd98411e4b02071e3afc827802 in knox's branch refs/heads/master from K0K0V0K
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5088d423a ]

KNOX-3013 - Knox redirecting Yarn Node Manager URLs to http instead of https (#874)

- YARNUI/yarn/outbound/node3 rule rewrites the https schemes to http
- To fix the issue we skip this rule in case if the schema is https

> Knox redirecting Yarn Node Manager URLs to http instead of https
>
> Key: KNOX-3013
> URL: https://issues.apache.org/jira/browse/KNOX-3013
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 1.3.0
> Reporter: Bence Kosztolnik
> Priority: Major
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> While viewing the yarn application logs on YARN RM UI via Knox, we can see
> that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is
> running on TLS/SSL.
> https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044
> We get the below error
> HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity
> error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE:
> java.io.IOException: java.io.IOException: Service connectivity error.
> SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException:
> java.io.IOException: Service connectivity error. CAUSED BY:
> java.io.IOException: Service connectivity error.
> However when I change "scheme=https" the page loads without an issue.
[jira] [Commented] (KNOX-2996) Add proxy for hdfs UI network topology
[ https://issues.apache.org/jira/browse/KNOX-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823579#comment-17823579 ]

ASF subversion and git services commented on KNOX-2996:
---

Commit 1b8fe408b73ad0a23d431d8e38367c1910cb2497 in knox's branch refs/heads/master from berylzsh
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b8fe408b ]

KNOX-2996 - Add proxy for hdfs UI network topology (#829)

Co-authored-by: zhaoshuaihua

> Add proxy for hdfs UI network topology
> ---
>
> Key: KNOX-2996
> URL: https://issues.apache.org/jira/browse/KNOX-2996
> Project: Apache Knox
> Issue Type: Bug
> Components: Release
> Affects Versions: 2.0.0, 1.6.0
> Reporter: zhaoshuaihua
> Priority: Major
> Attachments:
> KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch,
> image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png,
> image-2023-12-28-16-37-15-888.png
>
> Time Spent: 1h 40m
> Remaining Estimate: 0h
>
> Clicking the hdfs UI network topology proxy failed, the page should be
> displayed and should not be Error.
> !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png!
[jira] [Commented] (KNOX-3012) Fix the DN links on the Ozone SCM UI
[ https://issues.apache.org/jira/browse/KNOX-3012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823198#comment-17823198 ] ASF subversion and git services commented on KNOX-3012: --- Commit 95d5b6eba21ed0fd80551f40556de02318f22fe1 in knox's branch refs/heads/master from Zita Dombi [ https://gitbox.apache.org/repos/asf?p=knox.git;h=95d5b6eba ] KNOX-3012 - Fix the DN links on the Ozone SCM UI (#873) * Fix outbound rule for DN links * Fix filter path too * Add new version directory for ozone-scm and add changes there > Fix the DN links on the Ozone SCM UI > > > Key: KNOX-3012 > URL: https://issues.apache.org/jira/browse/KNOX-3012 > Project: Apache Knox > Issue Type: Bug >Reporter: Zita Dombi >Assignee: Zita Dombi >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > In HDDS-9732 we changed the datanode links on the SCM UI in Ozone, which we > need to follow in Knox too. > From this: > {code:java} > href="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}" > target="_blank">{{typestat.hostname}} > {code} > To this: > {code:java} > target="_blank">{{typestat.hostname}} > {code} > We didn't adjust this in Knox, it's still looking for the previous one: > {code:java} > > > pattern="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"/> > template="{gateway.url}/ozone-scm/datanode/index.html?host={{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}} > "/> > > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2995) json contains NaN value parsing failed
[ https://issues.apache.org/jira/browse/KNOX-2995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823147#comment-17823147 ] ASF subversion and git services commented on KNOX-2995: --- Commit bd3972d94b30a96d55035b93746e975bdd02d599 in knox's branch refs/heads/master from berylzsh [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bd3972d94 ] KNOX-2995 - Support json parsing NaN values (#828) - Co-authored-by: zhaoshuaihua > json contains NaN value parsing failed > -- > > Key: KNOX-2995 > URL: https://issues.apache.org/jira/browse/KNOX-2995 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 2.0.0, 1.6.0 >Reporter: zhaoshuaihua >Priority: Major > Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, > screenshot-3.png > > Time Spent: 1h 20m > Remaining Estimate: 0h > > If the proxy address returns JSON, which contains something similar to xxx: > NaN, then knox will fail to parse. Therefore, support for parsing NaN is > added. > I click on the page with return json and the content of Response is empty. > like this: !screenshot-1.png! > > Checking the gateway.log log shows the following error message. > !screenshot-2.png! > The display results after my repair are as follows: > !screenshot-3.png! > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3011) Resolve duplicated SL4J on classpath issue
[ https://issues.apache.org/jira/browse/KNOX-3011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821194#comment-17821194 ] ASF subversion and git services commented on KNOX-3011: --- Commit e1d9bb729af006f45e70311ac5746277fe03760f in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e1d9bb729 ] KNOX-3011 - Excluded logback-[core|classic] as transitive dependencies pulled in by Zookeeper (#861) > Resolve duplicated SL4J on classpath issue > -- > > Key: KNOX-3011 > URL: https://issues.apache.org/jira/browse/KNOX-3011 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Any time I run a KnoxCLI command, it always starts with the following warning > messages displayed on my terminal: > {noformat} > SLF4J: Class path contains multiple SLF4J bindings. > SLF4J: Found binding in > [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class] > SLF4J: Found binding in > [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/logback-classic-1.2.10.jar!/org/slf4j/impl/StaticLoggerBinder.class] > SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an > explanation. > SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory] > {noformat} > The reason behind this warning is that Zookeeper pulls in outdated > {{logback}} dependencies which we should exclude. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821176#comment-17821176 ] ASF subversion and git services commented on KNOX-3009: --- Commit 7aa217cae1d725ca3ab27bc65ff38f7943d19ffd in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7aa217cae ] KNOX-3008 - Removing KNOX-SESSION as it was added by KNOX-3009 (#857) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[ https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821175#comment-17821175 ] ASF subversion and git services commented on KNOX-3008: --- Commit 7aa217cae1d725ca3ab27bc65ff38f7943d19ffd in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7aa217cae ] KNOX-3008 - Removing KNOX-SESSION as it was added by KNOX-3009 (#857) > Add a new banner on the top of Knox UIs > --- > > Key: KNOX-3008 > URL: https://issues.apache.org/jira/browse/KNOX-3008 > Project: Apache Knox > Issue Type: New Feature > Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > I got to know that Hue has a simple, but really cool feature: it can show a > [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top > of the Hue UI. Implementing a similar feature in Knox can help end-users to: > # Share a message of the day like hints, tips, or planned outages. > # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear > enough. > An additional improvement would be identifying which Knox gateway is in use, > in case of HA deployments and if it's behind a load balancer, which can help > with troubleshooting. This information fits perfectly into the existing > {{General Proxy Information}} section on the Knox home page; we just need to > add this new information as a new row in the table. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[ https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821163#comment-17821163 ] ASF subversion and git services commented on KNOX-3008: --- Commit c41230bdeb64601235615447a3961570d6b1de08 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/ip-1.1.9 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=c41230bde ] KNOX-3008 - Displaying hostname and custom banner text on the Knox Home page and other UIs (#842) > Add a new banner on the top of Knox UIs > --- > > Key: KNOX-3008 > URL: https://issues.apache.org/jira/browse/KNOX-3008 > Project: Apache Knox > Issue Type: New Feature > Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 1h 20m > Remaining Estimate: 0h > > I got to know that Hue has a simple, but really cool feature: it can show a > [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top > of the Hue UI. Implementing a similar feature in Knox can help end-users to: > # Share a message of the day like hints, tips, or planned outages. > # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear > enough. > An additional improvement would be identifying which Knox gateway is in use, > in case of HA deployments and if it's behind a load balancer, which can help > with troubleshooting. This information fits perfectly into the existing > {{General Proxy Information}} section on the Knox home page; we just need to > add this new information as a new row in the table. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[ https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821161#comment-17821161 ] ASF subversion and git services commented on KNOX-3008: --- Commit c41230bdeb64601235615447a3961570d6b1de08 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=c41230bde ] KNOX-3008 - Displaying hostname and custom banner text on the Knox Home page and other UIs (#842) > Add a new banner on the top of Knox UIs > --- > > Key: KNOX-3008 > URL: https://issues.apache.org/jira/browse/KNOX-3008 > Project: Apache Knox > Issue Type: New Feature > Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 1h 10m > Remaining Estimate: 0h > > I got to know that Hue has a simple, but really cool feature: it can show a > [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top > of the Hue UI. Implementing a similar feature in Knox can help end-users to: > # Share a message of the day like hints, tips, or planned outages. > # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear > enough. > An additional improvement would be identifying which Knox gateway is in use, > in case of HA deployments and if it's behind a load balancer, which can help > with troubleshooting. This information fits perfectly into the existing > {{General Proxy Information}} section on the Knox home page; we just need to > add this new information as a new row in the table. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821107#comment-17821107 ] ASF subversion and git services commented on KNOX-3009: --- Commit d60c67fa88ffa3c7fae1a35764dabe167a71c184 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Larry McCay [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d60c67fa8 ] KNOX-3009 - KNOX-SESSION missing from Manager Topology and Admin UI (#843) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2675) Oozie Console URL on the web UI should be a Knox URL
[ https://issues.apache.org/jira/browse/KNOX-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821092#comment-17821092 ] ASF subversion and git services commented on KNOX-2675: --- Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Denes Bodo [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ] KNOX-2991 - Sanitise Oozie rewrite rules (#824) * KNOX-2675 Oozie Console URL on the web UI should be a Knox URL * KNOX-2991 - Sanitise Oozie rewrite rules - Co-authored-by: Denes Bodo > Oozie Console URL on the web UI should be a Knox URL > > > Key: KNOX-2675 > URL: https://issues.apache.org/jira/browse/KNOX-2675 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.4.0 >Reporter: Dénes Bodó >Assignee: Dénes Bodó >Priority: Major > Fix For: 1.6.0 > > Time Spent: 20m > Remaining Estimate: 0h > > When I open the Oozie web UI through Knox gateway and navigate to a > workflow's action details then I see the Console URL field contains the > cluster's internal hostname instead of a Knox gateway url. Here is an example > json result from Oozie through Knox: > {noformat} > { > "appName":"some_oozie_application", > ... > "actions":[ > {...}, > { > ... > > "consoleUrl":"https://some_internal_domain_name:8090/proxy/application_1632125050865_0003/", > ... > }, > {...} > ], > "status":"SUCCEEDED", > "group":null > } {noformat} > The desired form should be for the consoleUrl field something like this: > {noformat} > https://externally_available_knox_domain_name:8443/gateway/cdp-proxy/yarn/cluster/app/application_1632125050865_0003/ > {noformat} > The proposed solution contains Yarn UI v1 URL because the Yarn UI v2 contains > a hash mark which cannot be used. See KNOX-2676 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3003) Group UI services of the same type
[ https://issues.apache.org/jira/browse/KNOX-3003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821104#comment-17821104 ] ASF subversion and git services commented on KNOX-3003: --- Commit 20fa65948804a4ddedd246c61d896005c47b0104 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=20fa65948 ] KNOX-3003 - Services with more than one serviceUrl metadata are grouped on the Knox Home page (#838) > Group UI services of the same type > -- > > Key: KNOX-3003 > URL: https://issues.apache.org/jira/browse/KNOX-3003 > Project: Apache Knox > Issue Type: Improvement > Components: Homepage >Affects Versions: 2.0.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently, if a UI service has multiple instances with different URLs in a > given topology, that UI service will be listed on the Knox Home page as many > times as the number of URLs it has. This makes the user experience a lot > worse if we are talking about hundreds of occurrences of this case. > We learned from some real-life use cases that IMPALA is one of these > services, and there are 1000+ node clusters out there with more than 100 > Impala Daemon roles. In that particular case, the Knox Home page was a mess. > To address this issue, the following UI improvement should be implemented: > * if a UI service has more than one URL in the given topology, individual > tiles should not be displayed. Instead, one "group" tile must be added with a > clear indication this is a group of URLs of the same service. 
> * clicking the group tile should open a modal window with separate tiles for > each service URL > * in this modal window, a search field will be added to give our end-users > the chance to narrow down results (by hostname for instance) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2991) Sanitise Oozie rewrite rules
[ https://issues.apache.org/jira/browse/KNOX-2991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821091#comment-17821091 ] ASF subversion and git services commented on KNOX-2991: --- Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Denes Bodo [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ] KNOX-2991 - Sanitise Oozie rewrite rules (#824) * KNOX-2675 Oozie Console URL on the web UI should be a Knox URL * KNOX-2991 - Sanitise Oozie rewrite rules - Co-authored-by: Denes Bodo > Sanitise Oozie rewrite rules > > > Key: KNOX-2991 > URL: https://issues.apache.org/jira/browse/KNOX-2991 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Dénes Bodó >Assignee: Dénes Bodó >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Testing Oozie through Knox proxy I found that there are some strange rewrite > rules which seem outdated: > {noformat} > > > > > > > {noformat} > This ticket is intended to track the work removing them. 
> *inputDir* and *outputDir* are frequently used in Oozie's job.properties as a > single directory name instead of a full HDFS path so in these cases the Oozie > workflow fails running due to incorrect variable resolution: > Configuration in job.properties: > {noformat} > nameNode=WILL_BE_UPDATED_BY_KNOX > outputDir=my_custom_output_dir {noformat} > workflow.xml: > {code:xml} > > path="${nameNode}/user/${wf:user()}/examples/output-data/${outputDir}"/> > {code} > Error in Oozie launcher: > {noformat} > Launcher AM execution failed > java.lang.IllegalArgumentException: java.net.URISyntaxException: Expected > scheme-specific part at index 5: hdfs: > at org.apache.hadoop.fs.Path.initialize(Path.java:259) > at org.apache.hadoop.fs.Path.(Path.java:217) > at org.apache.hadoop.fs.Path.(Path.java:125) > at org.apache.hadoop.fs.Globber.doGlob(Globber.java:285) > at org.apache.hadoop.fs.Globber.glob(Globber.java:202) > at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:2107) > at > org.apache.oozie.action.hadoop.FSLauncherURIHandler.delete(FSLauncherURIHandler.java:59) > at > org.apache.oozie.action.hadoop.PrepareActionsHandler.execute(PrepareActionsHandler.java:83) > at > org.apache.oozie.action.hadoop.PrepareActionsHandler.prepareAction(PrepareActionsHandler.java:74) > at > org.apache.oozie.action.hadoop.LauncherAM.executePrepare(LauncherAM.java:378) > at > org.apache.oozie.action.hadoop.LauncherAM.access$100(LauncherAM.java:55) > at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:229) > at java.security.AccessController.doPrivileged(Native Method) > at javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899) > at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:226) > at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:156) > at java.security.AccessController.doPrivileged(Native Method) > at 
javax.security.auth.Subject.doAs(Subject.java:422) > at > org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899) > at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:144) > Caused by: java.net.URISyntaxException: Expected scheme-specific part at > index 5: hdfs: > at java.net.URI$Parser.fail(URI.java:2847) > at java.net.URI$Parser.failExpecting(URI.java:2853) > at java.net.URI$Parser.parse(URI.java:3056) > at java.net.URI.(URI.java:746) > at org.apache.hadoop.fs.Path.initialize(Path.java:256) > ... 20 more {noformat} > > Found the real HDFS path after debugging the Oozie action: > {noformat} > hdfs://a.b.c.d:8020/user/test/examples/output-data/hdfs://a.b.c.d:8020/my_custom_output_dir{noformat} > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3002) KnoxCLI command for generating descriptor for a role type from a list of hosts
[ https://issues.apache.org/jira/browse/KNOX-3002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821108#comment-17821108 ] ASF subversion and git services commented on KNOX-3002: --- Commit bb5d265d861489925f158faff761090d672205db in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb5d265d8 ] KNOX-3002 - KnoxCLI command for generating descriptor for a role type from a list of hosts (#835) > KnoxCLI command for generating descriptor for a role type from a list of hosts > -- > > Key: KNOX-3002 > URL: https://issues.apache.org/jira/browse/KNOX-3002 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3006) PAM module occasionally generates garbage group names
[ https://issues.apache.org/jira/browse/KNOX-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821106#comment-17821106 ] ASF subversion and git services commented on KNOX-3006: --- Commit 58ae97fbf131777eef61b3d6ebfcca5d32a7a39b in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=58ae97fbf ] KNOX-3006 - PAM module occasionally generates garbage group names (#840) > PAM module occasionally generates garbage group names > - > > Key: KNOX-3006 > URL: https://issues.apache.org/jira/browse/KNOX-3006 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3001) Avoid double XML escaping in SimpleDescriptorHandler
[ https://issues.apache.org/jira/browse/KNOX-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821099#comment-17821099 ] ASF subversion and git services commented on KNOX-3001: --- Commit 46cdc159342b6b637b96f8396c36c515f5b4943e in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=46cdc1593 ] KNOX-3001 - Avoid double XML-escaping during topology persistence from descriptors (#834) > Avoid double XML escaping in SimpleDescriptorHandler > > > Key: KNOX-3001 > URL: https://issues.apache.org/jira/browse/KNOX-3001 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 1.5h > Remaining Estimate: 0h > > KNOX-2804 added a beneficial improvement in Knox's logic when dealing with > JSON files and turned them into XML topologies: before the generated topology > persisted, the possible values are XML-escaped to avoid errors in SAXParser. > However, this might cause backward-compatible issues in deployments, where > the data in the given shared provider config or descriptor is already given > in XML-friendly way. 
> For instance, using the following shared provider config will result in a bad > XML topology: > {noformat} > { > "providers" : [ { > "role" : "webappsec", > "name" : "WebAppSec", > "enabled" : true, > "params" : { > "xframe.options.enabled" : "true" > } > }, { > "role" : "authentication", > "name" : "ShiroProvider", > "enabled" : true, > "params" : { > "main.ldapContextFactory" : > "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory", > "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm", > "main.ldapRealm.authenticationCachingEnabled" : "false", > "main.ldapRealm.contextFactory" : "$ldapContextFactory", > "main.ldapRealm.contextFactory.authenticationMechanism" : "simple", > "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389", > "main.ldapRealm.userDnTemplate" : > "uid=0ou=people,dc=hadoop,dc=apache,dc=org", > "main.ldapRealm.userSearchFilter" : > "(((objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))", > "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html", > "restrictedCookies" : "rememberme,WWW-Authenticate", > "sessionTimeout" : "30", > "urls./**" : "authcBasic" > } > }, { > "role" : "identity-assertion", > "name" : "Default", > "enabled" : true, > "params" : { } > } ], > "readOnly" : true > } {noformat} > The generated XML: > {noformat} > > > > > > true > > > webappsec > WebAppSec > true > > xframe.options.enabled > true > > > > authentication > ShiroProvider > true > > main.ldapContextFactory > > org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory > > > main.ldapRealm > > org.apache.knox.gateway.shirorealm.KnoxLdapRealm > > > main.ldapRealm.authenticationCachingEnabled > false > > > main.ldapRealm.contextFactory > $ldapContextFactory > > > > main.ldapRealm.contextFactory.authenticationMechanism > simple > > > main.ldapRealm.contextFactory.url > 
ldap://localhost:33389 > > > main.ldapRealm.userDnTemplate > uid=0ou=people,dc=hadoop,dc=apache,dc=org > > > main.ldapRealm.userSearchFilter > > (amp;(amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int))) > > > redirectToUrl > /${GATEWAY_PATH}/knoxsso/knoxauth/login.html > > > restrictedCookies > rememberme,WWW-Authenticate > > > sessionTimeout >
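The double-escaping effect described in KNOX-3001, as an added Java example that is not Knox's code or its fix: a value that is already XML-escaped gets escaped again, and the parser then hands the provider a different LDAP filter. The sample filter is constructed, and the `param`/`name`/`value` element layout and the `escapeOnce` helper are assumptions made for illustration.

```java
import java.io.StringReader;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.InputSource;

public class EscapeOnceDemo {

    // An ampersand that does not already start a predefined or numeric entity reference.
    private static final Pattern BARE_AMP =
        Pattern.compile("&(?!(?:amp|lt|gt|quot|apos|#\\d+|#x[0-9a-fA-F]+);)");

    /** Unconditional escaping: right for raw text, wrong for text that is already escaped. */
    static String escapeAlways(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Escapes only what is still raw, so already-escaped input passes through unchanged. */
    static String escapeOnce(String s) {
        return BARE_AMP.matcher(s).replaceAll("&amp;")
            .replace("<", "&lt;").replace(">", "&gt;");
    }

    /** Writes the value into a value element (assumed layout) and returns what a parser reads back. */
    static String readBack(String escapedValue) throws Exception {
        String xml = "<param><name>main.ldapRealm.userSearchFilter</name><value>"
            + escapedValue + "</value></param>";
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // The document is built from configuration input, so refuse DOCTYPE declarations.
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return dbf.newDocumentBuilder()
            .parse(new InputSource(new StringReader(xml)))
            .getElementsByTagName("value").item(0).getTextContent();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a search filter supplied in already XML-escaped form.
        String fromDescriptor = "(&amp;(objectclass=person)(sAMAccountName={0}))";
        // The filter the LDAP realm is meant to receive.
        String wantedFilter = "(&(objectclass=person)(sAMAccountName={0}))";

        String twice = escapeAlways(fromDescriptor);
        String once = escapeOnce(fromDescriptor);

        System.out.println("escapeAlways writes: " + twice);
        System.out.println("  parser reads back: " + readBack(twice));
        System.out.println("  equals wanted filter: " + wantedFilter.equals(readBack(twice)));

        System.out.println("escapeOnce writes:   " + once);
        System.out.println("  parser reads back: " + readBack(once));
        System.out.println("  equals wanted filter: " + wantedFilter.equals(readBack(once)));

        // Raw (unescaped) input still round-trips through escapeOnce.
        System.out.println("raw input via escapeOnce reads back: "
            + readBack(escapeOnce(wantedFilter)));
    }
}
```

`escapeOnce` is a heuristic: a raw value that legitimately contains the literal text `&amp;` would be left under-escaped, so whether descriptor values are raw or pre-escaped still has to be settled per deployment.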
[jira] [Commented] (KNOX-3007) Make http client cookie spec parameter configurable
[ https://issues.apache.org/jira/browse/KNOX-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821109#comment-17821109 ] ASF subversion and git services commented on KNOX-3007: --- Commit fcee4ecffd850cbb3f03ded84b0cdd0dc22578af in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fcee4ecff ] KNOX-3007 - Make http client cookie spec parameter configurable (#841) > Make http client cookie spec parameter configurable > --- > > Key: KNOX-3007 > URL: https://issues.apache.org/jira/browse/KNOX-3007 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > The apache http client rejects cookies if the expiration date doesn't have > the expected format (EEE, dd-MMM-yy HH:mm:ss z). > {code} > 2023-11-20 17:58:51,189 XXX WARN protocol.ResponseProcessCookies > (ResponseProcessCookies.java:processCookies(130)) - Invalid cookie header: > "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly; > Max-Age=300; Path=/; SameSite=Lax; Secure". Invalid 'expires' attribute: Mon, > 20 Nov 2023 23:03:51 GMT > {code} > This can be reconfigured by setting different cookiespec types: > https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html -- This message was sent by Atlassian Jira (v8.20.10#820010)
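The rejection in the log line above, reproduced as an added Java example (not Knox or HttpClient code): the logged `expires` value is checked against the pattern quoted in the issue and against the RFC 1123 layout the backend actually sent. The class name, helper names and the second pattern are assumptions; the header is the one from the log.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.TimeZone;

public class CookieExpiresCheck {

    // Pattern the issue quotes as the format the client expects.
    static final String EXPECTED_BY_CLIENT = "EEE, dd-MMM-yy HH:mm:ss z";
    // RFC 1123 layout (assumption: what a more tolerant cookie spec would accept).
    static final String RFC_1123 = "EEE, dd MMM yyyy HH:mm:ss z";

    /** Splits a Set-Cookie header into lower-cased attribute names and their values. */
    static Map<String, String> attributes(String header) {
        String value = header.substring(header.indexOf(':') + 1);
        Map<String, String> attrs = new LinkedHashMap<>();
        for (String part : value.split(";")) {
            String[] kv = part.trim().split("=", 2);
            attrs.put(kv[0].toLowerCase(Locale.ROOT), kv.length == 2 ? kv[1] : "");
        }
        return attrs;
    }

    /** Returns the parsed date, or null when the value does not match the pattern. */
    static Date parse(String value, String pattern) {
        SimpleDateFormat fmt = new SimpleDateFormat(pattern, Locale.US);
        fmt.setTimeZone(TimeZone.getTimeZone("GMT"));
        fmt.setLenient(false);
        try {
            return fmt.parse(value);
        } catch (ParseException e) {
            return null;
        }
    }

    public static void main(String[] args) {
        // Header copied from the log line in the issue.
        String header = "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; "
            + "HttpOnly; Max-Age=300; Path=/; SameSite=Lax; Secure";
        Map<String, String> attrs = attributes(header);
        String expires = attrs.get("expires");

        for (String pattern : new String[] {EXPECTED_BY_CLIENT, RFC_1123}) {
            Date d = parse(expires, pattern);
            System.out.printf("%-28s -> %s%n", pattern,
                d == null ? "rejected" : "accepted, expires at " + d.toInstant());
        }

        // These attributes only take effect if the cookie survives parsing at all.
        System.out.println("HttpOnly=" + attrs.containsKey("httponly")
            + " Secure=" + attrs.containsKey("secure")
            + " SameSite=" + attrs.get("samesite")
            + " Max-Age=" + attrs.get("max-age"));
    }
}
```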
[jira] [Commented] (KNOX-3005) Implement Knox idle session time
[ https://issues.apache.org/jira/browse/KNOX-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821105#comment-17821105 ] ASF subversion and git services commented on KNOX-3005: --- Commit d3f5a567ac25cf9f5045866cf14db03151e9f978 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d3f5a567a ] KNOX-3005 - Implemented KnoxSSO idle timeout (#839) > Implement Knox idle session time > > > Key: KNOX-3005 > URL: https://issues.apache.org/jira/browse/KNOX-3005 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 2.5h > Remaining Estimate: 0h > > With the recent work of KNOX-2961, the new SSO token invalidation > functionality, Knox could provide idle session timeout behavior for UIs. > It will likely not include the usual UI pop-up approach (like when the > end-user is informed about being idle too long), but it would effectively > terminate idle SSO sessions and force an explicit login. > It's also worth mentioning the idleness measurement solely depends on backend > activities through the KnoxSSO Cookie federation filter and will not take > any client-side action (such as scrolling on the page, client-side > pagination, etc.) into account. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2990) TokenStateService implementation cleanup
[ https://issues.apache.org/jira/browse/KNOX-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821103#comment-17821103 ] ASF subversion and git services commented on KNOX-2990: --- Commit afdb4cc3f20d4c295b58eb3709343ed4fe47d6b6 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=afdb4cc3f ] KNOX-2990 - Using DerbyDatabaseTSS instead of AliasBasedTSS by default (#826) In addition to the new implementation I deprecated the AliasBased, Zookeeper and JournalBased TSS implementations in 2.1.0. > TokenStateService implementation cleanup > > > Key: KNOX-2990 > URL: https://issues.apache.org/jira/browse/KNOX-2990 > Project: Apache Knox > Issue Type: Task > Components: Server >Affects Versions: 2.0.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 4h > Remaining Estimate: 0h > > This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing > list [here|https://lists.apache.org/thread/fs9nkl6l45o330ttvgvqxj3jnxt63bcs]. > As a result of that discussion, the following needs to be implemented: > * deprecate the following TSS implementations: > ** AliasBasedTokenStateService > ** ZookeeperTokenStateService > ** JournalBasedTokenStateService > * document the deprecation of these TSS implementations in v2.1.0 and > highlight that they will be removed in the upcoming release (v2.2.0?). 
> * implement a DerbyDB storage that will store tokens in > {{$DATA_DIR/security/tokens}} (encrypted or not, it'll be decided later) > * make sure appropriate file permissions are set on that folder > * have the {{homepage}} topology configured with JDBC TSS pointing to this > DerbyDB storage > * implement a new KnoxCLI command that migrates existing tokens from > credential stores to the DerbyDB storage > * automate this new KnoxCLI command in a way such that it runs when Knox > Gateway is started, token management is enabled, and DerbyDB storage is > configured > * ensure that the previous automated step can be controlled (E.g. in case of > unforeseen errors it can be turned off) > * document possible data replication scenarios when, in the case of HA > deployments, existing tokens from one Knox node should be made available in > other Knox node(s) and there is no other centralized RDBMS in use > (PostgreSQL, MySQL for instance) > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2999) [Docker] Add public CA to Knox trust store
[ https://issues.apache.org/jira/browse/KNOX-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821101#comment-17821101 ] ASF subversion and git services commented on KNOX-2999: --- Commit 6047ea761112cf29f933d9dbc3e8c20ddb9d074e in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6047ea761 ] KNOX-2999 - [Docker] Add public CA to Knox trust store (#836) > [Docker] Add public CA to Knox trust store > -- > > Key: KNOX-2999 > URL: https://issues.apache.org/jira/browse/KNOX-2999 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.1.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > It appears that the truststore that Knox is using does not have root certs > for public CAs. This is needed for Knox to support JWKS endpoints (prod and > dev) which are signed by public CAs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2994) Postpone CM configuration change monitoring until the Knox GW is up
[ https://issues.apache.org/jira/browse/KNOX-2994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821097#comment-17821097 ] ASF subversion and git services commented on KNOX-2994: --- Commit bb6719f3cad33cc89c990a2ab5bc61756c497d4f in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb6719f3c ] KNOX-2994 - PollingConfigurationAnalyzer starts after the Knox GW is up and running (#831) > Postpone CM configuration change monitoring until the Knox GW is up > --- > > Key: KNOX-2994 > URL: https://issues.apache.org/jira/browse/KNOX-2994 > Project: Apache Knox > Issue Type: Improvement > Components: cm-discovery, Server >Affects Versions: 1.5.0, 2.0.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > As of now, Knox starts CM configuration change monitoring right away it > starts the {{{}DefaultClusterConfigurationMonitorService{}}}. This action > will trigger the {{PollingConfigurationAnalyzer}} even when descriptors with > possible service discovery settings are not even initialized. > My suggestion is to take advantage of the recently introduced > {{GatewayStatusService}} and set the {{isActive}} flag to true based on the > result of > {{{}org.apache.knox.gateway.services.topology.impl.GatewayStatusService.status(){}}}. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3000) Add configurable socket / read timeout parameter to discovery client
[ https://issues.apache.org/jira/browse/KNOX-3000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821100#comment-17821100 ] ASF subversion and git services commented on KNOX-3000: --- Commit 5e4741d20e23378aeb31896aedab073ae9408f3a in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5e4741d20 ] KNOX-3000 - Add configurable socket / read timeout parameter to discovery client (#833) > Add configurable socket / read timeout parameter to discovery client > > > Key: KNOX-3000 > URL: https://issues.apache.org/jira/browse/KNOX-3000 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 50m > Remaining Estimate: 0h > > We have an exposed retry parameter for the CM discovery client, but there is > no way to set socket timeout or read timeout parameters. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2982) Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
[ https://issues.apache.org/jira/browse/KNOX-2982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821098#comment-17821098 ] ASF subversion and git services commented on KNOX-2982: --- Commit 16daa62c46b4a213ff0dfbfa33ae678306c0e46d in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=16daa62c4 ] KNOX-2982 - Having one disabled one enabled identity-assertion provider in knoxsso doesn't work (#832) > Having one disabled one enabled identity-assertion provider in knoxsso > doesn't work > --- > > Key: KNOX-2982 > URL: https://issues.apache.org/jira/browse/KNOX-2982 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > If one has two identity-assertion providers, e.g.: HadoopGroupProvider and > Regexp, where the HadoopGroupProvider is disabled, then the Regex provider > doesn't work. > The workaround is to delete the HadoopGroupProvider altogether (instead of > just disabling it). > This is a bug in JerseyServiceDeploymentContributorBase>contributeService. > The addIdentityAssertionFilter is called with null provider names. > The same thing applies to addAuthenticationFilter, addAuthorizationFilter > too. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3004) Impala connection string should be a valid JDBC connection URL
[ https://issues.apache.org/jira/browse/KNOX-3004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821102#comment-17821102 ] ASF subversion and git services commented on KNOX-3004: --- Commit b855e0f4bbe58724ffb0358edd246d5b52ed94fe in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b855e0f4b ] KNOX-3004 - Building a valid JDBC URL for Impala (#837) > Impala connection string should be a valid JDBC connection URL > -- > > Key: KNOX-3004 > URL: https://issues.apache.org/jira/browse/KNOX-3004 > Project: Apache Knox > Issue Type: Task >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently, on the Knox Home page, the Impala URL is a simple {{http(s)}} URL > that cannot be used as a JDBC connection string (like the one we provide for > Hive). > A sample valid URL looks like this: > {code:java} > jdbc:impala://sup-758082-datahub2-master0.repro-az.a465-9q4k.cloudera.site:443/;ssl=1;transportMode=http;httpPath=sup-758082-datahub2/cdp-proxy-api/impala;AuthMech=3; > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2993) Show error stack trace when simple descriptor handler fails to parse a descriptor
[ https://issues.apache.org/jira/browse/KNOX-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821096#comment-17821096 ]

ASF subversion and git services commented on KNOX-2993:
---

Commit 050e2ceaad399d71f00f6a8bd3c92d02f5f1dffa in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=050e2ceaa ]

KNOX-2993 - Logging error stack trace at INFO level when failed to parse a descriptor (#827)

> Show error stack trace when simple descriptor handler fails to parse a descriptor
> -
>
> Key: KNOX-2993
> URL: https://issues.apache.org/jira/browse/KNOX-2993
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the error stack trace is shown in gateway.log only, if the {{org.apache.knox.gateway}} log level is set to {{DEBUG}}:
> {noformat}
> @Message( level = MessageLevel.ERROR, text = "An error occurred while processing {0} : {1}" )
> void simpleDescriptorHandlingError(String simpleDesc,
>     @StackTrace(level = MessageLevel.DEBUG) Exception e);
> {noformat}
> This makes our lives hard when dealing with errors related to events coming from CM configuration monitoring.
> I recommend showing this information even on {{INFO}} level.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2956) Refactor CM-specific advanced service discovery
[ https://issues.apache.org/jira/browse/KNOX-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821095#comment-17821095 ]

ASF subversion and git services commented on KNOX-2956:
---

Commit 14954a0f1614ab6c4d4120bf701b8f6f5f414a40 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=14954a0f1 ]

KNOX-2956 - Removing CM-specific 'advanced service discovery' handler and have everything process by the HXR parser (#821)

Change-Id: Ib1837610e4b82af7bef98fc6f27af5169e88

> Refactor CM-specific advanced service discovery
> ---
>
> Key: KNOX-2956
> URL: https://issues.apache.org/jira/browse/KNOX-2956
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Knox's Hadoop XML resource parser is tightly coupled with another feature called Advanced Service Discovery configuration in Cloudera Manager.
> There are several issues with that extension:
> - makes the code much harder to read, understand, and maintain
> - occupies a separate thread to monitor other files (we already have many file watchers, it's always good if we can do some cleanup)
> - One should really oversee the correlation between them and make the right decision when touching one or the other (for instance, when changing the ordering of these services)
> - Since this is CM specific, lots of properties were added in the relevant Knox [CSD files|https://github.com/cloudera/cm_ext/wiki/Service-Descriptor-Language-Reference] to give the flexibility for our users to enable/disable services during CM service discovery. The management of those configurations is way too complex and has a really negative effect on user experience on Knox's configuration page within Cloudera Manager
> Therefore, I came up with an idea that will still allow us to keep the original idea of excluding/including certain services to be discovered/included in the generated topology files. I plan to implement the following:
> - Remove the entire {{AdvancedServiceDiscoveryConfig*}} code
> - Former {{gateway.auto.discovery.address}} and {{gateway.auto.discovery.cluster}} parameters are already taken care of in HXR parser where descriptors are handled (they need to be set in upstream configuration locations such as the Knox CSD)
> - By default, all services are disabled even if a service available service found in the given discovery address/cluster will be added to the descriptor. This is because of the nature of the existing logic in {{{}SimpleDescriptorHandler{}}}. I'll add a new parameter suffix for service called "{{{}services{}}}" which end-users can set to "{{{}a comma-separated list of services"{}}} to include services in the generated topology (this new HXR parameter is similar to the existing 'discoveryAddress' or 'providerConfigRef' configs)
> - since this is CM-specific, Cloudera Manager users need to make sure to adopt their CSD files accordingly
> As a result, the {{.hxr}} file(s) will be self-contained and can achieve the same functionality as we have now with the complementary {{auto-discovery-advanced-configuration-*}} files.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2992) Token impersonation config cleanup
[ https://issues.apache.org/jira/browse/KNOX-2992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821093#comment-17821093 ] ASF subversion and git services commented on KNOX-2992: --- Commit 3031669533d233f81c111e75e8773e4794581a5d in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=303166953 ] KNOX-2992 - Cleaned up impersonation configs (#825) > Token impersonation config cleanup > -- > > Key: KNOX-2992 > URL: https://issues.apache.org/jira/browse/KNOX-2992 > Project: Apache Knox > Issue Type: Task > Components: Server, TokenGenerationUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > We need to make some changes in the token impersonation config to be better > suited in Knox's existing configuration defaults. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2989) Enable support for multi-arch docker builds for Knox
[ https://issues.apache.org/jira/browse/KNOX-2989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821094#comment-17821094 ]

ASF subversion and git services commented on KNOX-2989:
---

Commit 6f89529f0ecec8b6021eecfb814d7d436b4251fa in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6f89529f0 ]

KNOX-2989 - Multi arch support for Knox images (#822)

> Enable support for multi-arch docker builds for Knox
> ---
>
> Key: KNOX-2989
> URL: https://issues.apache.org/jira/browse/KNOX-2989
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3007) Make http client cookie spec parameter configurable
[ https://issues.apache.org/jira/browse/KNOX-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820645#comment-17820645 ]

ASF subversion and git services commented on KNOX-3007:
---

Commit fcee4ecffd850cbb3f03ded84b0cdd0dc22578af in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fcee4ecff ]

KNOX-3007 - Make http client cookie spec parameter configurable (#841)

> Make http client cookie spec parameter configurable
> ---
>
> Key: KNOX-3007
> URL: https://issues.apache.org/jira/browse/KNOX-3007
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The apache http client rejects cookies if the expiration date doesn't have the expected format (EEE, dd-MMM-yy HH:mm:ss z).
> {code}
> 2023-11-20 17:58:51,189 XXX WARN protocol.ResponseProcessCookies (ResponseProcessCookies.java:processCookies(130)) - Invalid cookie header: "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly; Max-Age=300; Path=/; SameSite=Lax; Secure". Invalid 'expires' attribute: Mon, 20 Nov 2023 23:03:51 GMT
> {code}
> This can be reconfigured by setting different cookiespec types:
> https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3002) KnoxCLI command for generating descriptor for a role type from a list of hosts
[ https://issues.apache.org/jira/browse/KNOX-3002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820644#comment-17820644 ] ASF subversion and git services commented on KNOX-3002: --- Commit bb5d265d861489925f158faff761090d672205db in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb5d265d8 ] KNOX-3002 - KnoxCLI command for generating descriptor for a role type from a list of hosts (#835) > KnoxCLI command for generating descriptor for a role type from a list of hosts > -- > > Key: KNOX-3002 > URL: https://issues.apache.org/jira/browse/KNOX-3002 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820429#comment-17820429 ] ASF subversion and git services commented on KNOX-3009: --- Commit d60c67fa88ffa3c7fae1a35764dabe167a71c184 in knox's branch refs/heads/master from Larry McCay [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d60c67fa8 ] KNOX-3009 - KNOX-SESSION missing from Manager Topology and Admin UI (#843) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3006) PAM module occasionally generates garbage group names
[ https://issues.apache.org/jira/browse/KNOX-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817043#comment-17817043 ] ASF subversion and git services commented on KNOX-3006: --- Commit 58ae97fbf131777eef61b3d6ebfcca5d32a7a39b in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=58ae97fbf ] KNOX-3006 - PAM module occasionally generates garbage group names (#840) > PAM module occasionally generates garbage group names > - > > Key: KNOX-3006 > URL: https://issues.apache.org/jira/browse/KNOX-3006 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2812) Document the new Rate Limiting filter in Knox's webappsec provider
[ https://issues.apache.org/jira/browse/KNOX-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17815841#comment-17815841 ] ASF subversion and git services commented on KNOX-2812: --- Commit 1915671 from Sandeep More [ https://svn.apache.org/r1915671 ] KNOX-2812 - Document rate limiting options. > Document the new Rate Limiting filter in Knox's webappsec provider > -- > > Key: KNOX-2812 > URL: https://issues.apache.org/jira/browse/KNOX-2812 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Marton Balázs >Priority: Critical > Fix For: 2.0.0 > > Attachments: KNOX-2832.patch > > > Hi [~MrtnBalazs], > please provide us with a document that explains the new security provider you > added recently (KNOX-2832). > Thanks! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3005) Implement Knox idle session time
[ https://issues.apache.org/jira/browse/KNOX-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17814647#comment-17814647 ]

ASF subversion and git services commented on KNOX-3005:
---

Commit d3f5a567ac25cf9f5045866cf14db03151e9f978 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d3f5a567a ]

KNOX-3005 - Implemented KnoxSSO idle timeout (#839)

> Implement Knox idle session time
>
> Key: KNOX-3005
> URL: https://issues.apache.org/jira/browse/KNOX-3005
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 2.5h
> Remaining Estimate: 0h
>
> With the recent work of KNOX-2961, the new SSO token invalidation functionality, Knox could provide idle session timeout behavior for UIs.
> It will likely not include the usual UI pop-up approach (like when the end-user is informed about being idle too long), but it would effectively terminate idle SSO sessions and force an explicit login.
> It's also worth mentioning the idleness measurement solely depends on backend activities through the KnoxSSO Cookie federation filter and will not take any client-side action (such as scrolling on the page, client-side pagination, etc.) into account.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3003) Group UI services of the same type
[ https://issues.apache.org/jira/browse/KNOX-3003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17813623#comment-17813623 ]

ASF subversion and git services commented on KNOX-3003:
---

Commit 20fa65948804a4ddedd246c61d896005c47b0104 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=20fa65948 ]

KNOX-3003 - Services with more than one serviceUrl metadata are grouped on the Knox Home page (#838)

> Group UI services of the same type
> --
>
> Key: KNOX-3003
> URL: https://issues.apache.org/jira/browse/KNOX-3003
> Project: Apache Knox
> Issue Type: Improvement
> Components: Homepage
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, if a UI service has multiple instances with different URLs in a given topology, that UI service will be listed on the Knox Home page as many times as the number of URLs it has. This makes the user experience a lot worse if we are talking about hundreds of occurrences of this case.
> We learned from some real-life use cases that IMPALA is one of these services, and there are 1000+ node clusters out there with more than 100 Impala Daemon roles. In that particular case, the Knox Home page was a mess.
> To address this issue, the following UI improvement should be implemented:
> * if a UI service has more than one URL in the given topology, individual tiles should not be displayed. Instead, one "group" tile must be added with a clear indication this is a group of URLs of the same service.
> * clicking the group tile should open a modal window with separate tiles for each service URL
> * in this modal window, a search field will be added to give our end-users the chance to narrow down results (by hostname for instance)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2990) TokenStateService implementation cleanup
[ https://issues.apache.org/jira/browse/KNOX-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17813525#comment-17813525 ]

ASF subversion and git services commented on KNOX-2990:
---

Commit afdb4cc3f20d4c295b58eb3709343ed4fe47d6b6 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=afdb4cc3f ]

KNOX-2990 - Using DerbyDatabaseTSS instead of AliasBasedTSS by default (#826)

In addition to the new implementation I deprecated the AliasBased, Zookeeper and JournalBased TSS implementations in 2.1.0.

> TokenStateService implementation cleanup
>
> Key: KNOX-2990
> URL: https://issues.apache.org/jira/browse/KNOX-2990
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing list [here|https://lists.apache.org/thread/fs9nkl6l45o330ttvgvqxj3jnxt63bcs].
> As a result of that discussion, the following needs to be implemented:
> * deprecate the following TSS implementations:
> ** AliasBasedTokenStateService
> ** ZookeeperTokenStateService
> ** JournalBasedTokenStateService
> * document the deprecation of these TSS implementations in v2.1.0 and highlight that they will be removed in the upcoming release (v2.2.0?).
> * implement a DerbyDB storage that will store tokens in {{$DATA_DIR/security/tokens}} (encrypted or not, it'll be decided later)
> * make sure appropriate file permissions are set on that folder
> * have the {{homepage}} topology configured with JDBC TSS pointing to this DerbyDB storage
> * implement a new KnoxCLI command that migrates existing tokens from credential stores to the DerbyDB storage
> * automate this new KnoxCLI command in a way such that it runs when Knox Gateway is started, token management is enabled, and DerbyDB storage is configured
> * ensure that the previous automated step can be controlled (E.g. in case of unforeseen errors it can be turned off)
> * document possible data replication scenarios when, in the case of HA deployments, existing tokens from one Knox node should be made available in other Knox node(s) and there is no other centralized RDBMS in use (PostgreSQL, MySQL for instance)

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3004) Impala connection string should be a valid JDBC connection URL
[ https://issues.apache.org/jira/browse/KNOX-3004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17811808#comment-17811808 ] ASF subversion and git services commented on KNOX-3004: --- Commit b855e0f4bbe58724ffb0358edd246d5b52ed94fe in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b855e0f4b ] KNOX-3004 - Building a valid JDBC URL for Impala (#837) > Impala connection string should be a valid JDBC connection URL > -- > > Key: KNOX-3004 > URL: https://issues.apache.org/jira/browse/KNOX-3004 > Project: Apache Knox > Issue Type: Task >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Currently, on the Knox Home page, the Impala URL is a simple {{http(s)}} URL > that cannot be used as a JDBC connection string (like the one we provide for > Hive). > A sample valid URL looks like this: > {code:java} > jdbc:impala://sup-758082-datahub2-master0.repro-az.a465-9q4k.cloudera.site:443/;ssl=1;transportMode=http;httpPath=sup-758082-datahub2/cdp-proxy-api/impala;AuthMech=3; > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2999) [Docker] Add public CA to Knox trust store
[ https://issues.apache.org/jira/browse/KNOX-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17811414#comment-17811414 ] ASF subversion and git services commented on KNOX-2999: --- Commit 6047ea761112cf29f933d9dbc3e8c20ddb9d074e in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6047ea761 ] KNOX-2999 - [Docker] Add public CA to Knox trust store (#836) > [Docker] Add public CA to Knox trust store > -- > > Key: KNOX-2999 > URL: https://issues.apache.org/jira/browse/KNOX-2999 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > It appears that the truststore that Knox is using does not have root certs > for public CAs. This is needed for Knox to support JWKS endpoints (prod and > dev) which are signed by public CAs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3000) Add configurable socket / read timeout parameter to discovery client
[ https://issues.apache.org/jira/browse/KNOX-3000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808299#comment-17808299 ] ASF subversion and git services commented on KNOX-3000: --- Commit 5e4741d20e23378aeb31896aedab073ae9408f3a in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5e4741d20 ] KNOX-3000 - Add configurable socket / read timeout parameter to discovery client (#833) > Add configurable socket / read timeout parameter to discovery client > > > Key: KNOX-3000 > URL: https://issues.apache.org/jira/browse/KNOX-3000 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 50m > Remaining Estimate: 0h > > We have an exposed retry parameter for the CM discovery client, but there is > no way to set socket or read timeout parameters. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3001) Avoid double XML escaping in SimpleDescriptorHandler
[ https://issues.apache.org/jira/browse/KNOX-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808137#comment-17808137 ]

ASF subversion and git services commented on KNOX-3001:
---

Commit 46cdc159342b6b637b96f8396c36c515f5b4943e in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=46cdc1593 ]

KNOX-3001 - Avoid double XML-escaping during topology persistence from descriptors (#834)

> Avoid double XML escaping in SimpleDescriptorHandler
>
> Key: KNOX-3001
> URL: https://issues.apache.org/jira/browse/KNOX-3001
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement in Knox's logic when dealing with
> JSON files and turned them into XML topologies: before the generated topology
> persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatible issues in deployments, where
> the data in the given shared provider config or descriptor is already given
> in XML-friendly way.
> For instance, using the following shared provider config will result in a bad
> XML topology:
> {noformat}
> {
>   "providers" : [ {
>     "role" : "webappsec",
>     "name" : "WebAppSec",
>     "enabled" : true,
>     "params" : {
>       "xframe.options.enabled" : "true"
>     }
>   }, {
>     "role" : "authentication",
>     "name" : "ShiroProvider",
>     "enabled" : true,
>     "params" : {
>       "main.ldapContextFactory" : "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
>       "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
>       "main.ldapRealm.authenticationCachingEnabled" : "false",
>       "main.ldapRealm.contextFactory" : "$ldapContextFactory",
>       "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
>       "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389",
>       "main.ldapRealm.userDnTemplate" : "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
>       "main.ldapRealm.userSearchFilter" : "(((objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
>       "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
>       "restrictedCookies" : "rememberme,WWW-Authenticate",
>       "sessionTimeout" : "30",
>       "urls./**" : "authcBasic"
>     }
>   }, {
>     "role" : "identity-assertion",
>     "name" : "Default",
>     "enabled" : true,
>     "params" : { }
>   } ],
>   "readOnly" : true
> }
> {noformat}
> The generated XML:
> {noformat}
> true
>
> webappsec
> WebAppSec
> true
>
> xframe.options.enabled
> true
>
> authentication
> ShiroProvider
> true
>
> main.ldapContextFactory
> org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory
>
> main.ldapRealm
> org.apache.knox.gateway.shirorealm.KnoxLdapRealm
>
> main.ldapRealm.authenticationCachingEnabled
> false
>
> main.ldapRealm.contextFactory
> $ldapContextFactory
>
> main.ldapRealm.contextFactory.authenticationMechanism
> simple
>
> main.ldapRealm.contextFactory.url
> ldap://localhost:33389
>
> main.ldapRealm.userDnTemplate
> uid=0ou=people,dc=hadoop,dc=apache,dc=org
>
> main.ldapRealm.userSearchFilter
> (amp;(amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))
>
> redirectToUrl
> /${GATEWAY_PATH}/knoxsso/knoxauth/login.html
>
> restrictedCookies
> rememberme,WWW-Authenticate
>
> sessionTimeout
> 30
>
> urls./**
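The failure mode described in KNOX-3001 above, as an added Python illustration (not Knox's Java code and not the fix from the commit): a value that is already XML-escaped gets escaped a second time, so whoever parses the topology reads a literal `&amp;` inside the LDAP search filter. The filter strings, the function names and the one-pass escaper are constructed for this example.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed sample values (not taken from the issue): the same LDAP search
# filter, once raw and once already XML-escaped by whoever wrote the JSON.
RAW_FILTER = "(&(objectclass=person)(uid={0}))"
PRE_ESCAPED_FILTER = "(&amp;(objectclass=person)(uid={0}))"

# An '&' that does not already start a predefined or numeric XML entity.
_BARE_AMP = re.compile(r"&(?!(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);)")
# An escaped '&' followed by the rest of an entity: the mark of double escaping.
_DOUBLE_ESCAPED = re.compile(r"&amp;(?:amp|lt|gt|quot|apos|#[0-9]+|#x[0-9A-Fa-f]+);")


def escape_always(value):
    """Escape unconditionally, whatever state the input is in."""
    return escape(value)


def escape_once(value):
    """Escape only what is not escaped yet, so a second pass is a no-op.

    Caveat: a value that must contain the literal text '&amp;' cannot be
    expressed this way; the writer has to know whether its input is raw.
    """
    value = _BARE_AMP.sub("&amp;", value)
    return value.replace("<", "&lt;").replace(">", "&gt;")


def persist_and_reload(value, escaper):
    """Write value into a topology-style <param>, parse the document back,
    and return the string a consumer of the topology would read."""
    doc = ("<param><name>main.ldapRealm.userSearchFilter</name>"
           "<value>%s</value></param>" % escaper(value))
    return ET.fromstring(doc).findtext("value")


def find_double_escaped(xml_text):
    """Return the double-escaped sequences found in serialized XML."""
    return _DOUBLE_ESCAPED.findall(xml_text)


if __name__ == "__main__":
    for label, escaper in (("always", escape_always), ("once", escape_once)):
        for value in (RAW_FILTER, PRE_ESCAPED_FILTER):
            print(label, repr(value), "->", repr(persist_and_reload(value, escaper)))
```

Running `find_double_escaped` over generated topology files is a cheap post-deployment check: any hit in an authentication provider parameter means the realm is being configured with a different string than the operator wrote.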
[jira] [Commented] (KNOX-2982) Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
[ https://issues.apache.org/jira/browse/KNOX-2982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17807351#comment-17807351 ]

ASF subversion and git services commented on KNOX-2982:
---

Commit 16daa62c46b4a213ff0dfbfa33ae678306c0e46d in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=16daa62c4 ]

KNOX-2982 - Having one disabled one enabled identity-assertion provider in knoxsso doesn't work (#832)

> Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
> ---
>
> Key: KNOX-2982
> URL: https://issues.apache.org/jira/browse/KNOX-2982
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If one has two identity-assertion providers, e.g.: HadoopGroupProvider and
> Regexp, where the HadoopGroupProvider is disabled, then the Regex provider
> doesn't work.
> The workaround is to delete the HadoopGroupProvider altogether (instead of
> just disabling it).
> This is a bug in JerseyServiceDeploymentContributorBase>contributeService.
> The addIdentityAssertionFilter is called with null provider names.
> The same thing applies to addAuthenticationFilter, addAuthorizationFilter
> too.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2994) Postpone CM configuration change monitoring until the Knox GW is up
[ https://issues.apache.org/jira/browse/KNOX-2994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17802501#comment-17802501 ]

ASF subversion and git services commented on KNOX-2994:
---

Commit bb6719f3cad33cc89c990a2ab5bc61756c497d4f in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb6719f3c ]

KNOX-2994 - PollingConfigurationAnalyzer starts after the Knox GW is up and running (#831)

> Postpone CM configuration change monitoring until the Knox GW is up
> ---
>
> Key: KNOX-2994
> URL: https://issues.apache.org/jira/browse/KNOX-2994
> Project: Apache Knox
> Issue Type: Improvement
> Components: cm-discovery, Server
> Affects Versions: 1.5.0, 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> As of now, Knox starts CM configuration change monitoring right away it
> starts the {{{}DefaultClusterConfigurationMonitorService{}}}. This action
> will trigger the {{PollingConfigurationAnalyzer}} even when descriptors with
> possible service discovery settings are not even initialized.
> My suggestion is to take advantage of the recently introduced
> {{GatewayStatusService}} and set the {{isActive}} flag to true based on the
> result of
> {{{}org.apache.knox.gateway.services.topology.impl.GatewayStatusService.status(){}}}.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2993) Show error stack trace when simple descriptor handler fails to parse a descriptor
[ https://issues.apache.org/jira/browse/KNOX-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17801804#comment-17801804 ]

ASF subversion and git services commented on KNOX-2993:
---

Commit 050e2ceaad399d71f00f6a8bd3c92d02f5f1dffa in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=050e2ceaa ]

KNOX-2993 - Logging error stack trace at INFO level when failed to parse a descriptor (#827)

> Show error stack trace when simple descriptor handler fails to parse a descriptor
> ---
>
> Key: KNOX-2993
> URL: https://issues.apache.org/jira/browse/KNOX-2993
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the error stack trace is shown in gateway.log only, if the
> {{org.apache.knox.gateway}} log level is set to {{DEBUG}}:
> {noformat}
> @Message( level = MessageLevel.ERROR, text = "An error occurred while processing {0} : {1}" )
> void simpleDescriptorHandlingError(String simpleDesc,
>                                    @StackTrace(level = MessageLevel.DEBUG) Exception e);
> {noformat}
> This makes our lives hard when dealing with errors related to events coming
> from CM configuration monitoring.
> I recommend showing this information even on {{INFO}} level.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2956) Refactor CM-specific advanced service discovery
[ https://issues.apache.org/jira/browse/KNOX-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795760#comment-17795760 ]

ASF subversion and git services commented on KNOX-2956:
---

Commit 14954a0f1614ab6c4d4120bf701b8f6f5f414a40 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=14954a0f1 ]

KNOX-2956 - Removing CM-specific 'advanced service discovery' handler and have everything process by the HXR parser (#821)

Change-Id: Ib1837610e4b82af7bef98fc6f27af5169e88

> Refactor CM-specific advanced service discovery
> ---
>
> Key: KNOX-2956
> URL: https://issues.apache.org/jira/browse/KNOX-2956
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Knox's Hadoop XML resource parser is tightly coupled with another feature
> called Advanced Service Discovery configuration in Cloudera Manager.
> There are several issues with that extension:
> - makes the code much harder to read, understand, and maintain
> - occupies a separate thread to monitor other files (we already have many
>   file watchers, it's always good if we can do some cleanup)
> - One should really oversee the correlation between them and make the right
>   decision when touching one or the other (for instance, when changing the
>   ordering of these services)
> - Since this is CM specific, lots of properties were added in the relevant
>   Knox [CSD files|https://github.com/cloudera/cm_ext/wiki/Service-Descriptor-Language-Reference]
>   to give the flexibility for our users to enable/disable services during CM
>   service discovery. The management of those configurations is way too complex
>   and has a really negative effect on user experience on Knox's configuration
>   page within Cloudera Manager
> Therefore, I came up with an idea that will still allow us to keep the
> original idea of excluding/including certain services to be
> discovered/included in the generated topology files. I plan to implement the
> following:
> - Remove the entire {{AdvancedServiceDiscoveryConfig*}} code
> - Former {{gateway.auto.discovery.address}} and
>   {{gateway.auto.discovery.cluster}} parameters are already taken care of in
>   HXR parser where descriptors are handled (they need to be set in upstream
>   configuration locations such as the Knox CSD)
> - By default, all services are disabled even if a service available service
>   found in the given discovery address/cluster will be added to the descriptor.
>   This is because of the nature of the existing logic in
>   {{{}SimpleDescriptorHandler{}}}. I'll add a new parameter suffix for service
>   called "{{{}services{}}}" which end-users can set to "{{{}a comma-separated
>   list of services"{}}} to include services in the generated topology (this new
>   HXR parameter is similar to the existing 'discoveryAddress' or
>   'providerConfigRef' configs)
> - since this is CM-specific, Cloudera Manager users need to make sure to
>   adopt their CSD files accordingly
> As a result, the {{.hxr}} file(s) will be self-contained and can achieve the
> same functionality as we have now with the complementary
> {{auto-discovery-advanced-configuration-*}} files.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2989) Enable support for multi-arch docer builds for Knox
[ https://issues.apache.org/jira/browse/KNOX-2989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17792439#comment-17792439 ]

ASF subversion and git services commented on KNOX-2989:
---

Commit 6f89529f0ecec8b6021eecfb814d7d436b4251fa in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6f89529f0 ]

KNOX-2989 - Multi arch support for Knox images (#822)

> Enable support for multi-arch docer builds for Knox
> ---
>
> Key: KNOX-2989
> URL: https://issues.apache.org/jira/browse/KNOX-2989
> Project: Apache Knox
> Issue Type: Bug
> Components: docker
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2992) Token impersonation config cleanup
[ https://issues.apache.org/jira/browse/KNOX-2992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791686#comment-17791686 ]

ASF subversion and git services commented on KNOX-2992:
---

Commit 3031669533d233f81c111e75e8773e4794581a5d in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=303166953 ]

KNOX-2992 - Cleaned up impersonation configs (#825)

> Token impersonation config cleanup
> ---
>
> Key: KNOX-2992
> URL: https://issues.apache.org/jira/browse/KNOX-2992
> Project: Apache Knox
> Issue Type: Task
> Components: Server, TokenGenerationUI
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> We need to make some changes in the token impersonation config to be better
> suited in Knox's existing configuration defaults.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2991) Sanitise Oozie rewrite rules
[ https://issues.apache.org/jira/browse/KNOX-2991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791634#comment-17791634 ]

ASF subversion and git services commented on KNOX-2991:
---

Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch refs/heads/master from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]

KNOX-2991 - Sanitise Oozie rewrite rules (#824)

* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules

---

Co-authored-by: Denes Bodo

> Sanitise Oozie rewrite rules
>
> Key: KNOX-2991
> URL: https://issues.apache.org/jira/browse/KNOX-2991
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.6.0
> Reporter: Dénes Bodó
> Assignee: Dénes Bodó
> Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Testing Oozie through Knox proxy I found that there are some strange rewrite
> rules which seem outdated:
> {noformat}
>
>
>
>
>
>
> {noformat}
> This ticket is intended to track the work removing them.
> *inputDir* and *outputDir* are frequently used in Oozie's job.properties as a
> single directory name instead of a full HDFS path so in these cases the Oozie
> workflow fails running due to incorrect variable resolution:
> Configuration in job.properties:
> {noformat}
> nameNode=WILL_BE_UPDATED_BY_KNOX
> outputDir=my_custom_output_dir
> {noformat}
> workflow.xml:
> {code:xml}
>
> path="${nameNode}/user/${wf:user()}/examples/output-data/${outputDir}"/>
> {code}
> Error in Oozie launcher:
> {noformat}
> Launcher AM execution failed
> java.lang.IllegalArgumentException: java.net.URISyntaxException: Expected scheme-specific part at index 5: hdfs:
>     at org.apache.hadoop.fs.Path.initialize(Path.java:259)
>     at org.apache.hadoop.fs.Path.<init>(Path.java:217)
>     at org.apache.hadoop.fs.Path.<init>(Path.java:125)
>     at org.apache.hadoop.fs.Globber.doGlob(Globber.java:285)
>     at org.apache.hadoop.fs.Globber.glob(Globber.java:202)
>     at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:2107)
>     at org.apache.oozie.action.hadoop.FSLauncherURIHandler.delete(FSLauncherURIHandler.java:59)
>     at org.apache.oozie.action.hadoop.PrepareActionsHandler.execute(PrepareActionsHandler.java:83)
>     at org.apache.oozie.action.hadoop.PrepareActionsHandler.prepareAction(PrepareActionsHandler.java:74)
>     at org.apache.oozie.action.hadoop.LauncherAM.executePrepare(LauncherAM.java:378)
>     at org.apache.oozie.action.hadoop.LauncherAM.access$100(LauncherAM.java:55)
>     at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:229)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
>     at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:226)
>     at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:156)
>     at java.security.AccessController.doPrivileged(Native Method)
>     at javax.security.auth.Subject.doAs(Subject.java:422)
>     at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
>     at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:144)
> Caused by: java.net.URISyntaxException: Expected scheme-specific part at index 5: hdfs:
>     at java.net.URI$Parser.fail(URI.java:2847)
>     at java.net.URI$Parser.failExpecting(URI.java:2853)
>     at java.net.URI$Parser.parse(URI.java:3056)
>     at java.net.URI.<init>(URI.java:746)
>     at org.apache.hadoop.fs.Path.initialize(Path.java:256)
>     ... 20 more
> {noformat}
>
> Found the real HDFS path after debugging the Oozie action:
> {noformat}
> hdfs://a.b.c.d:8020/user/test/examples/output-data/hdfs://a.b.c.d:8020/my_custom_output_dir
> {noformat}
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2675) Oozie Console URL on the web UI should be a Knox URL
[ https://issues.apache.org/jira/browse/KNOX-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791635#comment-17791635 ]

ASF subversion and git services commented on KNOX-2675:
---

Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch refs/heads/master from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]

KNOX-2991 - Sanitise Oozie rewrite rules (#824)

* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules

---

Co-authored-by: Denes Bodo

> Oozie Console URL on the web UI should be a Knox URL
>
> Key: KNOX-2675
> URL: https://issues.apache.org/jira/browse/KNOX-2675
> Project: Apache Knox
> Issue Type: Improvement
> Affects Versions: 1.4.0
> Reporter: Dénes Bodó
> Assignee: Dénes Bodó
> Priority: Major
> Fix For: 1.6.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When I open the Oozie web UI through Knox gateway and navigate to a
> workflow's action details then I see the Console URL field contains the
> cluster's internal hostname instead of a Knox gateway url. Here is an example
> json result from Oozie through Knox:
> {noformat}
> {
>   "appName":"some_oozie_application",
>   ...
>   "actions":[
>     {...},
>     {
>       ...
>       "consoleUrl":"https://some_internal_domain_name:8090/proxy/application_1632125050865_0003/",
>       ...
>     },
>     {...}
>   ],
>   "status":"SUCCEEDED",
>   "group":null
> }
> {noformat}
> The desired form should be for the consoleUrl field something like this:
> {noformat}
> https://externally_available_knox_domain_name:8443/gateway/cdp-proxy/yarn/cluster/app/application_1632125050865_0003/
> {noformat}
> The proposed solution contains Yarn UI v1 URL because the Yarn UI v2 contains
> a hash mark which cannot be used. See KNOX-2676

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2983) Combine the functionality of different identity assertion providers
[ https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791512#comment-17791512 ]

ASF subversion and git services commented on KNOX-2983:
---

Commit 1914229 from Attila Magyar
[ https://svn.apache.org/r1914229 ]

KNOX-2988 Documentation for KNOX-2983

> Combine the functionality of different identity assertion providers
> ---
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h2. Motivation
> Currently there is no way to add multiple identity assertion providers and
> combine the functionality of them. For example one might want to use the
> Concat identity assertion together with the Switch case provider. This is not
> possible due to a limitation of Knox which only allows having one identity
> assertion provider in the topology. Additionally, having a distinct provider
> for each functionality has its own limitations that prevent expressing
> complex mappings.
> h2. Expression-Based principal mapping
> The idea behind the Expression-Based principal mapping is that it leverages
> the language that was introduced by
> https://issues.apache.org/jira/browse/KNOX-2707.
> {code}
>
> identity-assertion
> HadoopGroupProvider
> true
>
> expression.principal.mapping
>
> ...
>
> [...]
>
> {code}
> The value of *expression.principal.mapping* must be a valid expression that
> evaluates to a string, which will be the new, mapped principal.
> For example, in the following example all authenticated users will be mapped
> to principal: 'bob'.
> {code}
>
> expression.principal.mapping
> 'bob'
>
> {code}
> By adding a conditional you can selectively apply the mapping to specific
> users.
> {code}
>
> expression.principal.mapping
>
>
> (if (or (= username 'sam')
>         (= username 'tom'))
>     'bob')
>
>
> {code}
> When the expression returns *null*, the original principal will be unchanged.
> h2. Reference
> h3. if
> The *if* is an expression (rather than a statement), that has 2 or 3
> parameters. When you call it with 2 parameters it will behave like an
> *if-then*, when you call it with 3 parameters it will behave like an
> *if-then-else* expression.
> The first parameter is a conditional that must evaluate to either true or
> false. In case of true, the first branch is evaluated, otherwise the 2nd
> branch is evaluated. If the 2nd branch is omitted, and the conditional is
> false, then null is returned.
> Returns 1: {code}(if true 1){code}
> Returns null: {code}(if false 1){code}
> Returns 2: {code}(if false 1 2){code}
> Returns 1: {code}(if true 1 2){code}
> h4. concat
> The concat function takes a variable number of arguments and concats them into
> one single string.
> {code}
> (concat 'The' 'sun' 'will' 'come' 'up' 'tomorrow.')
> {code}
> This can be used to concat/prepend a prefix or suffix to the username.
> {code}
> (concat 'prefix_' username '_suffix')
> {code}
> h4. uppercase / lowercase
> Convert a string to upper case and lower case letters.
> {code}
> (uppercase 'sam')
> {code}
> returns 'SAM'
> {code}
> (lowercase 'SAM')
> {code}
> returns 'sam'
> The combination of uppercase/lowercase and concat can be used to capitalize a
> username
> {code}
> (concat
>   (uppercase (substr username 0 1))
>   (lowercase (substr username 1)))
> {code}
> h4. substr
> The substr function works the same way as Java's subString. It takes one or
> two parameters, where the first is the begin index, and the second is the end
> index.
> The substring begins with the character at the specified index and extends to
> the end of this string.
> {code}
> (substr 'unhappy' 2)
> {code}
> returns 'happy'
> The end index is exclusive. The substring begins at the specified beginIndex
> and extends to the character at index endIndex - 1.
> {code}
> (substr 'hamburger' 4 8)
> {code}
> returns 'urge'
> h4. strlen
> The strlen function returns the length of a string.
> {code}
> (strlen 'apple')
> {code}
> returns 5
> For example, a combination of substr and strlen can be used to cut the first
> and last characters of a username
> {code}
> (substr username 1 (- (strlen username) 1))
> {code}
>
> h4. contains
> Check if a string includes a substring.
> {code}
> (contains 'dm' 'admin')
> {code}
> returns true since 'admin' contains 'dm'
> h4. index-of
> Find a substring in the given string and return the (zero based) index.
> {code}
> (index-of 'ppl' 'apple')
> {code}
> returns 1
> {code}
> (index-of 'xx' 'apple')
> {code}
> If the given substring is not found, -1 is
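The reference above, as an added Python model for checking a principal-mapping expression offline before it goes into a topology, since a wrong expression silently maps authenticated users to another principal. This is not Knox's parser: it covers only the forms shown in this message (if, or, =, -, concat, uppercase, lowercase, substr, strlen, contains, index-of), the names `parse`, `evaluate` and `map_principal` are made up for the example, and out-of-range substr indexes follow Python slicing rather than Java's exceptions.

```python
import re

_TOKEN = re.compile(r"\s*(?:(\()|(\))|'([^']*)'|([^\s()']+))")
_KINDS = {1: "(", 2: ")", 3: "str", 4: "atom"}


def tokenize(src):
    """Split an expression into (kind, text) tokens."""
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = _TOKEN.match(src, pos)
        if m is None:
            raise SyntaxError("unexpected character at offset %d" % pos)
        out.append((_KINDS[m.lastindex], m.group(m.lastindex)))
        pos = m.end()
    return out


def parse(src):
    """Build a tree: list = call, ('str', s) = literal, ('var', n) = symbol."""
    tokens = tokenize(src)

    def read(i):
        if i >= len(tokens):
            raise SyntaxError("unexpected end of expression")
        kind, text = tokens[i]
        if kind == "(":
            items, i = [], i + 1
            while i < len(tokens) and tokens[i][0] != ")":
                node, i = read(i)
                items.append(node)
            if i >= len(tokens):
                raise SyntaxError("missing ')'")
            return items, i + 1
        if kind == ")":
            raise SyntaxError("unexpected ')'")
        if kind == "str":
            return ("str", text), i + 1
        if text in ("true", "false"):
            return text == "true", i + 1
        if re.fullmatch(r"-?\d+", text):
            return int(text), i + 1
        return ("var", text), i + 1

    node, end = read(0)
    if end != len(tokens):
        raise SyntaxError("trailing input after expression")
    return node


FUNCTIONS = {
    "=": lambda a, b: a == b,
    "-": lambda a, b: a - b,
    "concat": lambda *parts: "".join(str(p) for p in parts),
    "uppercase": lambda s: s.upper(),
    "lowercase": lambda s: s.lower(),
    "substr": lambda s, begin, end=None: s[begin:end],   # end index exclusive
    "strlen": len,
    "contains": lambda needle, text: needle in text,     # (contains 'dm' 'admin')
    "index-of": lambda needle, text: text.find(needle),  # -1 when not found
}


def evaluate(node, env):
    """Evaluate a parsed expression against a dict of variables."""
    if isinstance(node, tuple):
        kind, value = node
        if kind == "str":
            return value
        if value not in env:
            raise NameError("unknown variable: " + value)
        return env[value]
    if not isinstance(node, list):
        return node  # boolean or integer literal
    if not node or not isinstance(node[0], tuple) or node[0][0] != "var":
        raise SyntaxError("a call must start with a function name")
    op, args = node[0][1], node[1:]
    if op == "if":  # special form: only the selected branch is evaluated
        if len(args) not in (2, 3):
            raise SyntaxError("if takes 2 or 3 parameters")
        if evaluate(args[0], env):
            return evaluate(args[1], env)
        return evaluate(args[2], env) if len(args) == 3 else None
    if op == "or":
        return any(evaluate(a, env) for a in args)
    if op not in FUNCTIONS:
        raise NameError("unknown function: " + op)
    return FUNCTIONS[op](*[evaluate(a, env) for a in args])


def map_principal(expression, username):
    """Apply a mapping expression; a null result keeps the original principal."""
    result = evaluate(parse(expression), {"username": username})
    return username if result is None else result
```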
[jira] [Commented] (KNOX-2988) Documentation for KNOX-2983
[ https://issues.apache.org/jira/browse/KNOX-2988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791511#comment-17791511 ]

ASF subversion and git services commented on KNOX-2988:
---

Commit 1914229 from Attila Magyar
[ https://svn.apache.org/r1914229 ]

KNOX-2988 Documentation for KNOX-2983

> Documentation for KNOX-2983
> ---
>
> Key: KNOX-2988
> URL: https://issues.apache.org/jira/browse/KNOX-2988
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Attachments: KNOX-2983.patch, KNOX-2983_2.patch, Screenshot 2023-11-20 at 12.22.28.png
>
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2924) Add MariaDB support in JDBC TokenStateService
[ https://issues.apache.org/jira/browse/KNOX-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17787168#comment-17787168 ]

ASF subversion and git services commented on KNOX-2924:
---

Commit 78278bf623b5cbc7d3c578d18f7c47e0e652c8b5 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=78278bf62 ]

KNOX-2924 - Added MariaDB support in JDBCTokenStateService (#820)

> Add MariaDB support in JDBC TokenStateService
> ---
>
> Key: KNOX-2924
> URL: https://issues.apache.org/jira/browse/KNOX-2924
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server, TokenGenerationUI, TokenManagementUI
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, Knox supports PostgreSQL and MySQL for storing Knox tokens in an
> RDBMS. We should add MariaDB to the list to enable more end-users to use this
> cool feature in PROD-ready way.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2983) Combine the functionality of different identity assertion providers
[ https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17786971#comment-17786971 ]

ASF subversion and git services commented on KNOX-2983:
---

Commit 083dc8977fcae7e6669670412d62061a599b49cf in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=083dc8977 ]

KNOX-2983 - Combine the functionality of different identity assertion providers (#817)

> Combine the functionality of different identity assertion providers
> ---
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Currently there is no way to add multiple identity assertion provider and
> combine the functionality of them.
> For example one might want to use the Concat identity assertion filter
> together with the Switch case provider.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2929) Add user information on all Knox UIs
[ https://issues.apache.org/jira/browse/KNOX-2929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17786771#comment-17786771 ]

ASF subversion and git services commented on KNOX-2929:
---

Commit e888ec0cb71bd3ab5c02293639fa858025f9059a in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e888ec0cb ]

KNOX-2929 - Logged in user is shown on Knox UIs (#819)

> Add user information on all Knox UIs
>
> Key: KNOX-2929
> URL: https://issues.apache.org/jira/browse/KNOX-2929
> Project: Apache Knox
> Issue Type: Improvement
> Components: AdminUI, TokenGenerationUI, TokenManagementUI
> Affects Versions: 2.0.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2023-06-22 at 10.25.28.png, Screenshot
> 2023-06-22 at 10.25.38.png, Screenshot 2023-06-22 at 10.25.49.png, Screenshot
> 2023-06-22 at 10.25.59.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the user information block is displayed only on the Knox Home
> page, but not on the rest of the UIs:
> !Screenshot 2023-06-22 at 10.25.28.png|height=200!
> !Screenshot 2023-06-22 at 10.25.38.png|height=200!
> !Screenshot 2023-06-22 at 10.25.49.png|height=200!
> !Screenshot 2023-06-22 at 10.25.59.png|height=200!
> If you see, the Token Generation UI does not even have the Knox header, which
> we also should add as part of this work.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2985) Deprecate KNOXTOKEN API v1
[ https://issues.apache.org/jira/browse/KNOX-2985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17784699#comment-17784699 ]

ASF subversion and git services commented on KNOX-2985:
---

Commit c4f77c9a23cbc839ca5da90b58e0c517377b7150 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c4f77c9a2 ]

KNOX-2985 - Introduced KNOXTOKEN API v2 and deprecated v1 methods (#818)

> Deprecate KNOXTOKEN API v1
> ---
>
> Key: KNOX-2985
> URL: https://issues.apache.org/jira/browse/KNOX-2985
> Project: Apache Knox
> Issue Type: Task
> Components: Server, TokenGenerationUI, TokenManagementUI
> Affects Versions: 2.0.0, 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> In KNOX-2661, the following REST API endpoint changes happened:
> * renew was updated from {{POST}} to {{PUT}}
> * revoke was updated from {{POST}} to {{DELETE}}
> Unfortunately, at that time I did not consider backward compatibility and I
> introduced a backward compatibility issue for clients using previous versions.
> The scope of this Jira is to revert that issue back in the following way:
> * change renew/revoke back to POST in '.../api/v1/token' in v1 (to fix the
>   issue we introduced earlier)
> * introduce v2 that will match v1, except that v2 will match the above
>   changes from KNOX-2661
> * mark v1 deprecated
>

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2980) Token id column in token management page is not word wrapped ,hence unable to view few characters in tokenid
[ https://issues.apache.org/jira/browse/KNOX-2980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781646#comment-17781646 ]

ASF subversion and git services commented on KNOX-2980:
---

Commit 32a8efddc1b150ad2e23498debe246c676963d52 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=32a8efddc ]

KNOX-2980 - Applying word wrapping in various columns that can have 'long' content. (#816)

> Token id column in token management page is not word wrapped ,hence unable to view few characters in tokenid
>
> Key: KNOX-2980
> URL: https://issues.apache.org/jira/browse/KNOX-2980
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenManagementUI
> Affects Versions: 2.0.0
> Reporter: J.Andreina
> Assignee: Sandor Molnar
> Priority: Minor
> Fix For: 2.1.0
>
> Attachments: image-2023-10-31-22-56-22-082.png,
> image-2023-10-31-22-56-49-415.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> Token id column value is not text wrapped, hence unable to view few
> characters in tokenid
> +*BUILDS:*+
> 2.0.0
>
> +*STEPS TO REPRODUCE:*+
> - Generate JWT token from token generation page
> +*CURRENT BEHAVIOUR:*+
> Some tokens character are not completely visible on UI. For example in below
> first digit is 7 which is not visible
> !image-2023-10-31-22-56-22-082.png!
> !image-2023-10-31-22-56-49-415.png!
> +*EXPECTED BEHAVIOUR:*+
> Token id should be word wrapped
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> Unable to view the complete token id

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2979) Remove redundant 'refresh' query parameter from logout.jsp
[ https://issues.apache.org/jira/browse/KNOX-2979?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781379#comment-17781379 ]

ASF subversion and git services commented on KNOX-2979:
---

Commit d569373582b800c6c0346cb25e5fe5ec06054050 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d56937358 ]

KNOX-2979 - Removed redundant 'refresh' query parameter from the application logout link after originalUrl (#815)

> Remove redundant 'refresh' query parameter from logout.jsp
> ---
>
> Key: KNOX-2979
> URL: https://issues.apache.org/jira/browse/KNOX-2979
> Project: Apache Knox
> Issue Type: Task
> Components: Homepage, KnoxSSO
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> KNOX-2625 introduced a new query parameter called {{refresh}} which is only
> used in the Knox Home page UI's {{handleError}} method. Because of the way,
> how Angular renders pages after issuing a {{sweetalert}} notification, which
> we do, followed by a {{{}Promise.reject(String){}}}, the {{refresh}} query
> parameter is redundant and not needed at all.
> Even worse, it might interfere with the profile/topology query parameters we
> added in KNOX-2972 in a way such that the topologies will not be displayed.
> Therefore, removing the {{refresh}} query parameter in the logout link is
> highly recommended.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2958) Few Service's API links for a topology on knox home page is incorrect
[ https://issues.apache.org/jira/browse/KNOX-2958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781324#comment-17781324 ]

ASF subversion and git services commented on KNOX-2958:
---

Commit 6ec81a08c0173fad1f25ecc53bd2a8cf3eec6f21 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6ec81a08c ]

KNOX-2958 - Fixed API samples for certain services (#814)

Additionally, a general improvement is implemented that adds the missing slash at the beginning of the path element if it was missing from the service definition sample.

> Few Service's API links for a topology on knox home page is incorrect
> ---
>
> Key: KNOX-2958
> URL: https://issues.apache.org/jira/browse/KNOX-2958
> Project: Apache Knox
> Issue Type: Bug
> Components: Homepage
> Affects Versions: 2.0.0
> Reporter: J.Andreina
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *PROBLEM STATEMENT:*
> Service API links via knox in knox homepage is incorrect
> *BUILDS:*
> knox 2.0
> *STEPS TO REPRODUCE:*
> 1. Create a topology1 with WEBHDFS,cm-api,OOZIE,RESOURCEMANAGER service
> 2. Login to knox homepage
> 3. go to topology1
> 4. Click on webhdfs api icon
> 5. Fetch the sample api links
> *CURRENT BEHAVIOUR:*
> 1. cm api url is invalid on knox homepage
> invalid url:
> Fetch all CM-managed clusters
> curl -iv -X GET "https://knox-host:/gateway/topology1/cm-apiclusters"
> Fetches HDFS service details from cluster named 'c1'
> curl -iv -X GET "https://knox-host:/gateway/topology1/cm-apiclusters/c1/services/HDFS"
> 2. webhdfs api link is incorrect
> incorrect url
> curl -iv -X GET "https://knox-host:/gateway/topology1/webhdfsv1/testPath?op=LISTSTATUS"
> 3. Oozie api link is incorrect. Should have "/" after oozie
> incorrect url
> curl -iv -X GET "https://knox-host:/gateway/topology1/oozieoozie/versions"
> 4. Resource manager api link is invalid. Should not have ws in the url
> incorrect url
> curl -iv -X GET "https://knox-host:/gateway/topology1/resourcemanagerws/v1/cluster/metrics"
> *EXPECTED BEHAVIOUR:*
> correct urls as follows
> 1. cm valid url : should have "/" after webhdfs in the url as below
> curl -iv -X GET "https://knox-host:/gateway/topology1/cm-api/v40/clusters"
> 2. webhdfs valid url :
> valid url : should have "/" after webhdfs in the url as below
> curl -iv -X GET "https://knox-host:/gateway/topology1/webhdfs/v1/testPath?op=LISTSTATUS"
> 3. oozie url:
> curl -iku hrt_qa:Password@123 -X GET "https://knox-host:/gateway/topology1/oozie/oozie/versions"
> 4. RM url :
> curl -iv -X GET "https://knox-host:/gateway/topology1/resourcemanager/v1/cluster/metrics"
> *OCCURRENCE:*
> Reproducible
> *IMPACT:*
> Not pointing to the appropriate api link , which causes the user to unable to
> access the service api via knox.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2974) Add a new endpoint like 'pre' that supports other verbs and ignores paths
[ https://issues.apache.org/jira/browse/KNOX-2974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781023#comment-17781023 ]

ASF subversion and git services commented on KNOX-2974:
-------------------------------------------------------

Commit 8e55969f3f85ac99925842744c143f7e916f784d in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8e55969f3 ]

KNOX-2974 - Add a new endpoint 'extauthz' similar to pre that accepts HTTP verbs other than GET and if configured ignores additional context path params (#813)

> Add a new endpoint like 'pre' that supports other verbs and ignores paths
> -------------------------------------------------------------------------
>
>                 Key: KNOX-2974
>                 URL: https://issues.apache.org/jira/browse/KNOX-2974
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: docker, Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox can be used as an [external authorizer for Istio |https://istio.io/v1.10/blog/2021/better-external-authz/]. In this model
> Istio forwards the request to the external authorizer and depending on the
> results the request then either errors out with 401 or 403 OR proceeds to
> its intended destination after successful authentication and authorization
> by Knox.
> Here the request is getting forwarded and Knox acts as a "filter". This means
> the "pre" endpoint should support all the HTTP verbs and it should have the
> ability to ignore additional paths that may be appended by Istio.
> This JIRA is to address these issues by creating a new service "extauthz"
> that addresses these issues without changing existing "pre" service to
> prevent breakage.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2975) [Usability] When one among selected tokens for batch operation is SSO token , should display text message on why revoke operation is not available for user
[ https://issues.apache.org/jira/browse/KNOX-2975?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780944#comment-17780944 ]

ASF subversion and git services commented on KNOX-2975:
-------------------------------------------------------

Commit 7a5189a7c0c51f3e2c0b9cd2bf03b4df0415 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7a5189a7c ]

KNOX-2975, KNOX-2976 - Expired tokens must not be enabled/disabled in batches (#812)

Additionally, useful tips are shown on why batch operation actions are hidden (e.g. KnoxSSO Cookies must not be revoked).

> [Usability] When one among selected tokens for batch operation is SSO token , should display text message on why revoke operation is not available for user
> -----------------------------------------------------------------------------
>
>                 Key: KNOX-2975
>                 URL: https://issues.apache.org/jira/browse/KNOX-2975
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: TokenManagementUI
>    Affects Versions: 2.1.0
>            Reporter: J.Andreina
>            Assignee: Sandor Molnar
>            Priority: Minor
>         Attachments: image-2023-10-26-10-34-37-269.png
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> [Usability] When SSO token selected along with JWT token should display text
> message to user on why revoke operation is not available
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> 1. Update below knox configurations
> knox.global.logout.page.url=https://
> knox.token.exp.server-managed=true
> gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1
> 2. browser1 - Login to knox home page as hrt_qa
> 3. disable hrt_qa SSO token
> 4. In loop perform above 2 steps 4 times (15 SSO token will be disabled)
> 5. Generate 5 jwt token from token gen page
> 6. Select multiple jwt token (enable/disable/revoke operation will be available for user)
> 7. Select one SSO token ( only enable and disable operation will be available for user)
> +*CURRENT BEHAVIOUR:*+
> When one SSO token is selected during batch revoke operation then revoke
> button will not be available for the user
> +*EXPECTED BEHAVIOUR:*+
> Should have text message on UI for user to let know that SSO token is
> selected as part of batch operation and revoke operation is not allowed
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> User will not know why revoke button is not available when one among selected
> tokens have SSO token
> +*LOG ARTIFACTS:*+
> !image-2023-10-26-10-34-37-269.png!

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2976) Expired JWT and SSO token should not be having disable and enable token batch operations exposed for user
[ https://issues.apache.org/jira/browse/KNOX-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780945#comment-17780945 ]

ASF subversion and git services commented on KNOX-2976:
-------------------------------------------------------

Commit 7a5189a7c0c51f3e2c0b9cd2bf03b4df0415 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7a5189a7c ]

KNOX-2975, KNOX-2976 - Expired tokens must not be enabled/disabled in batches (#812)

Additionally, useful tips are shown on why batch operation actions are hidden (e.g. KnoxSSO Cookies must not be revoked).

> Expired JWT and SSO token should not be having disable and enable token batch operations exposed for user
> ---------------------------------------------------------------------------------------------------------
>
>                 Key: KNOX-2976
>                 URL: https://issues.apache.org/jira/browse/KNOX-2976
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: TokenManagementUI
>    Affects Versions: 2.1.0
>            Reporter: J.Andreina
>            Assignee: Sandor Molnar
>            Priority: Major
>         Attachments: image-2023-10-26-10-38-33-481.png, screenshot-1.png
>
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> Expired JWT and SSO token should not be having disable and enable token batch
> operations exposed for user
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> 1. browser1 - Login to knox home page as hrt_qa
> 2. Update below knox-cm configurations
> knox.global.logout.page.url=https://
> knox.token.exp.server-managed=true
> gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1
> gateway.knox.token.eviction.grace.period=10 min
> knoxsso_token_ttl=12 (2 min)
> 3. browser2 - Login to knox home page as hrt_22
> 4. Generate hrt_22 JWT token with 1 mins
> 5. wait for above JWT token to expire
> 6. Wait for hrt_22 SSO token to expire
> +*CURRENT BEHAVIOUR:*+
> On token management page able to see below batch operation for :
> SSO token - disable and enable
> JWT token - enable,disable,revoke
> +*EXPECTED BEHAVIOUR:*+
> Both expired SSO token and JWT token should not have enable and disable
> operation as part of batch selection on expired tokens
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> Expired token allows user to perform disable and enable operation , which
> doesn't have any effect
> +*LOG ARTIFACTS:*+
> !screenshot-1.png|width=952,height=193!

--
This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2978) Race condition between Service Discovery and Polling Config Analyzer
[ https://issues.apache.org/jira/browse/KNOX-2978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780277#comment-17780277 ]

ASF subversion and git services commented on KNOX-2978:
-------------------------------------------------------

Commit bc4d5486bb1b60728a1c6376336a13c627c5aa5b in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=bc4d5486b ]

KNOX-2978 - Race condition between Service Discovery and Polling Config Analyzer (#811)

> Race condition between Service Discovery and Polling Config Analyzer
> --------------------------------------------------------------------
>
>                 Key: KNOX-2978
>                 URL: https://issues.apache.org/jira/browse/KNOX-2978
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> When a config change is detected by the Polling Config Analyzer then the
> cache used by the service discovery will be cleared. If this happens when
> discovery is in progress then a NullPointerException will happen.
> {code}
> private ServiceDetails getServiceDetails(ServiceDiscoveryConfig serviceDiscoveryConfig, ApiService service) {
>   return getClusterServices(serviceDiscoveryConfig).getIfPresent(service); // <= NPE
> }
> {code}
> {code}
> @Override
> public void onConfigurationChange(String source, String clusterName) {
>   log.clearServiceDiscoveryRepository();
>   repository.clear(); // this will cause the NPE
> }
> {code}
> This was observed on a live cluster when certain cluster properties were
> changed during knox startup.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
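The interleaving described in KNOX-2978 above, replayed deterministically as an added example (not Knox's code and not the fix from the commit): a lookup that dereferences a per-cluster cache entry fails once a configuration-change listener has cleared the repository, while a null-tolerant lookup reports a cache miss instead. The class, method names and sample values are hypothetical.

```java
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical stand-in for a discovery cache; these are not Knox classes.
public class DiscoveryCacheRace {

    // cluster name -> (service name -> service details)
    private final Map<String, Map<String, String>> repository = new ConcurrentHashMap<>();

    void register(String cluster, String service, String details) {
        repository.computeIfAbsent(cluster, c -> new ConcurrentHashMap<>())
                  .put(service, details);
    }

    // What a configuration-change listener does: drop every cached cluster.
    void onConfigurationChange() {
        repository.clear();
    }

    // Fragile: assumes the per-cluster entry still exists when it is dereferenced.
    String lookupFragile(String cluster, String service) {
        return repository.get(cluster).get(service); // NPE if cleared in between
    }

    // Null-tolerant: a cleared cache is a miss the caller can handle by rediscovering.
    Optional<String> lookupSafe(String cluster, String service) {
        Map<String, String> services = repository.get(cluster);
        return services == null
                ? Optional.empty()
                : Optional.ofNullable(services.get(service));
    }

    public static void main(String[] args) {
        DiscoveryCacheRace cache = new DiscoveryCacheRace();

        // Constructed sample data: discovery has populated the cache for cluster "c1".
        cache.register("c1", "HDFS", "https://nn.example:9871");

        // The config poller fires between population and lookup.
        cache.onConfigurationChange();

        try {
            cache.lookupFragile("c1", "HDFS");
            System.out.println("fragile lookup: returned normally");
        } catch (NullPointerException e) {
            System.out.println("fragile lookup: NullPointerException after clear()");
        }

        String result = cache.lookupSafe("c1", "HDFS").orElse("<cache miss, rediscover>");
        System.out.println("safe lookup: " + result);
    }
}
```

With two real threads the failure is intermittent, which matches the report that it was only seen when properties changed during startup.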
[jira] [Commented] (KNOX-2977) Topology port mapping does not honour descriptors
[ https://issues.apache.org/jira/browse/KNOX-2977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779858#comment-17779858 ] ASF subversion and git services commented on KNOX-2977: --- Commit 672b3cb94b93b9db256c460b8111a45c6b9a1422 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=672b3cb94 ] KNOX-2977 - The 'conf/descriptors' folder should be considered too when registering topology port mappings (#810) > Topology port mapping does not honour descriptors > - > > Key: KNOX-2977 > URL: https://issues.apache.org/jira/browse/KNOX-2977 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > In certain environments, such as in recent Cloudera offerings, XML-based > topologies are not in use (and are removed every time Knox is (re)-started. > Instead, topologies are produced using Knox's [Simplified Descriptor > Files|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Simplified+Descriptor+Files]). > The problem is, that the current topology port mapping implementation ignores > artifacts from the {{$KNOX_CONF_FOLDER/descriptors}} and only considers > {{$KNOX_CONF_FOLDER/topologies}}. This needs to be fixed. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2972) Logout page URL may take query parameters
[ https://issues.apache.org/jira/browse/KNOX-2972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779187#comment-17779187 ] ASF subversion and git services commented on KNOX-2972: --- Commit ad0ea7d4c7fafb5ecc4fa348aabb35f1221fbd19 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ad0ea7d4c ] KNOX-2972 - Session resource can generate application logout URL with profile/topologies query parameters (#808) > Logout page URL may take query parameters > - > > Key: KNOX-2972 > URL: https://issues.apache.org/jira/browse/KNOX-2972 > Project: Apache Knox > Issue Type: Improvement > Components: Homepage >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Currently, the logout page URL contains a hard-coded {{originalUrl}} that > points to the Knox Home page without any {{profile}} or {{topologies}} query > parameter. In some cases, it would be beneficial to pass any of those params > when logging out from the application. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2973) HbaseUI>Table Details not accessible from Knox endpoint intermittently
[ https://issues.apache.org/jira/browse/KNOX-2973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779088#comment-17779088 ]

ASF subversion and git services commented on KNOX-2973:
-------------------------------------------------------

Commit 03064bdbc6ae19b911f2b004778256f85df048df in knox's branch refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=03064bdbc ]

KNOX-2973 - Fix redirect URI when host and port are query params of originalUrl (#809)

> HbaseUI>Table Details not accessible from Knox endpoint intermittently
> ----------------------------------------------------------------------
>
>                 Key: KNOX-2973
>                 URL: https://issues.apache.org/jira/browse/KNOX-2973
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> This is due to the [SSO logic that checks for originalURL|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L365]
> query param.
> During the first login, this is the redirect URL:
> https://local.site/gateway/knoxsso/api/v1/websso?originalUrl=https://local.site/gateway/proxy/hbase/webui/master?host=local.site&port=16010
> When this reaches the WebSSOResource.getOriginalUrlFromQueryParams()
> function, the value of request.getParameter(ORIGINAL_URL_REQUEST_PARAM) is
> https://local.site/gateway/proxy/hbase/webui/master?host=local.site
> Note: port information is missing. This is because of the & query param which
> treats port as a separate param and not part of original URL.
> Also, because of the same reason '?' is added after the host, this is where
> it is done
> This is why additional ? gets added.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
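The parameter split described in KNOX-2973 above, as an added example (not Knox's code and not the fix from the commit): a minimal query parser, standing in for what `request.getParameter()` sees, is applied to the SSO redirect with the nested `originalUrl` left raw and then percent-encoded. The class and helper names are hypothetical, and the raw URL assumes the `&port=16010` suffix the description refers to.

```java
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Added illustration; class and method names are hypothetical, not Knox APIs.
public class OriginalUrlParamDemo {

    static final String ORIGINAL_URL = "originalUrl";

    // Split the query on '&', each pair on its first '=', then percent-decode:
    // the same view of the request a servlet's getParameter() gives.
    static Map<String, String> parseQuery(String url) {
        Map<String, String> params = new LinkedHashMap<>();
        int q = url.indexOf('?');
        if (q < 0 || q == url.length() - 1) {
            return params;
        }
        for (String pair : url.substring(q + 1).split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            String value = eq < 0 ? "" : pair.substring(eq + 1);
            params.putIfAbsent(URLDecoder.decode(name, StandardCharsets.UTF_8),
                               URLDecoder.decode(value, StandardCharsets.UTF_8));
        }
        return params;
    }

    // Parameters that arrived beside originalUrl. On an endpoint that expects only
    // originalUrl, a non-empty list means part of the nested URL leaked out of it.
    static List<String> siblingParams(Map<String, String> params) {
        List<String> names = new ArrayList<>(params.keySet());
        names.remove(ORIGINAL_URL);
        return names;
    }

    static void report(String label, String redirectUrl) {
        Map<String, String> params = parseQuery(redirectUrl);
        System.out.println(label);
        System.out.println("  originalUrl = " + params.get(ORIGINAL_URL));
        System.out.println("  siblings    = " + siblingParams(params));
    }

    public static void main(String[] args) {
        String sso = "https://local.site/gateway/knoxsso/api/v1/websso?originalUrl=";
        // Constructed from the URLs quoted in the issue description.
        String target =
            "https://local.site/gateway/proxy/hbase/webui/master?host=local.site&port=16010";

        // Raw nesting: the '&' inside the target terminates the originalUrl value.
        report("raw nested URL", sso + target);

        // Encoded nesting: '&', '?' and '=' travel as %26, %3F and %3D and survive intact.
        report("percent-encoded nested URL",
               sso + URLEncoder.encode(target, StandardCharsets.UTF_8));
    }
}
```

In the raw case `port` shows up as a sibling parameter of the SSO endpoint and the redirect target loses it; in the encoded case the sibling list is empty and `originalUrl` decodes back to the full target.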
[jira] [Commented] (KNOX-2970) During knox global logout , the corresponding SSO token should be either disabled or revoked
[ https://issues.apache.org/jira/browse/KNOX-2970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1416#comment-1416 ] ASF subversion and git services commented on KNOX-2970: --- Commit fbed6e7cf095f3e5f6328163de15e5925544372d in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fbed6e7cf ] KNOX-2970 - Removing KnoxSSO cookie from the token state service upon logout (#806) Additionally, the Token Management UI displays the 'current' KnoxSSO cookie row in bold. > During knox global logout , the corresponding SSO token should be either > disabled or revoked > - > > Key: KNOX-2970 > URL: https://issues.apache.org/jira/browse/KNOX-2970 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxSSO >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Sandor Molnar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > +*{color:#de350b}PROBLEM STATEMENT:{color}*+ > During knox global logout , SSO token should be either disabled or removed > +*BUILDS:*+ > 2.0 > > +*STEPS TO REPRODUCE:*+ > - Enable logout "knox.homepage.logout.enabled" , configure > "knox.global.logout.page.url" to "https://*; > - Access knox home page > - Click on global logout > +*CURRENT BEHAVIOUR:*+ > the session will be removed and user if need to access knox home page again > should relogin , but still the previous SSO token will be alive for default 1 > day which can cause security risk > +*EXPECTED BEHAVIOUR:*+ > During knox global logout , the corresponding SSO token should be either > disabled or revoked -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2971) Tokens generated with comment more than 27 char is not completely displayed on the token management page
[ https://issues.apache.org/jira/browse/KNOX-2971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1325#comment-1325 ] ASF subversion and git services commented on KNOX-2971: --- Commit 34a76c39c0b27e48801715a87a2ff3376bef59e9 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=34a76c39c ] KNOX-2971 - Applying word wrapping in the comment and metadata columns on the Token Management UI (#807) > Tokens generated with comment more than 27 char is not completely displayed > on the token management page > > > Key: KNOX-2971 > URL: https://issues.apache.org/jira/browse/KNOX-2971 > Project: Apache Knox > Issue Type: Improvement > Components: TokenManagementUI >Affects Versions: 2.1.0 >Reporter: J.Andreina >Assignee: Sandor Molnar >Priority: Major > Attachments: image-2023-10-18-18-53-37-777.png > > Time Spent: 20m > Remaining Estimate: 0h > > +*{color:#de350b}PROBLEM STATEMENT:{color}*+ > Tokens generated with comment more than 27 char is not completely displayed > on the token management page > +*BUILDS:*+ > 2.1.0 > > +*STEPS TO REPRODUCE:*+ > - Deploy ycloud cluster with above gbn. > - Generate token with comment "hrt_qaforhrt_2andreina1andreina2mary" > +*CURRENT BEHAVIOUR:*+ > comment is not completely displayed on UI > !image-2023-10-18-18-53-37-777.png! > +*EXPECTED BEHAVIOUR:*+ > Either text should be wrapped / scroll bar should be available to view the > comment > Note: While i can filter using the above token "mary" text > +*OCCURRENCE:*+ > Reproducible -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2969) For user-limit to fetch token calculation includes enabled and disabled SSO token count as well, causing failure in generating the JWT token from token gen page
[ https://issues.apache.org/jira/browse/KNOX-2969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17776724#comment-17776724 ] ASF subversion and git services commented on KNOX-2969: --- Commit eef24f4ae652240360783fe9766e9161fd8bb4d5 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=eef24f4ae ] KNOX-2969 - KnoxSSO Cookies should be ignored while calculating token limit per user (#805) > For user-limit to fetch token calculation includes enabled and disabled SSO > token count as well, causing failure in generating the JWT token from token > gen page > > > Key: KNOX-2969 > URL: https://issues.apache.org/jira/browse/KNOX-2969 > Project: Apache Knox > Issue Type: Bug > Components: TokenGenerationUI >Affects Versions: 2.1.0 >Reporter: J.Andreina >Assignee: Sandor Molnar >Priority: Major > Attachments: image-2023-10-18-12-45-37-741.png, > image-2023-10-18-12-45-47-121.png, image-2023-10-18-12-46-28-490.png > > Time Spent: 20m > Remaining Estimate: 0h > > +*{color:#de350b}PROBLEM STATEMENT:\{color}*+ > For token limit on a user calculation includes enabled and disabled SSO token > as well, causing failure in generating the JWT token from token gen page > +*BUILDS:*+ > 2.1.0 > > +*STEPS TO REPRODUCE:*+ > # Deploy ycloud cluster with above gbn. 
> # Configure below from CM UI > # > knox.global.logout.page.url=[https://**,|https://%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2C/] > knoxsso_cookie_management_enabled - enable > gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1 > # Access knox home page using hrt_22 user > # Disable the hrt_22 SSO token from hrt_qa token management page > # Repeat operation 4-5 for 15 times > # Now login to token generation page using hrt_22 user > # Generate the jwt token > +*CURRENT BEHAVIOUR:*+ > Token generation fails saying user limit exceeded , though not even one > non-sso token is generated by hrt_22 user > !image-2023-10-18-12-45-47-121.png|width=1129,height=344! > !image-2023-10-18-12-46-28-490.png|width=1009,height=285! > +*EXPECTED BEHAVIOUR:*+ > SSO token should not be considered for per user limit to generate the token > calculation . > Even though we have 15+ SSO tokens (in enabled/disabled state) , user should > be able to generate 10 tokens as "gateway.knox.token.limit.per.user" default > value is 10 > +*OCCURRENCE:*+ > Reproducible > +*IMPACT:*+ > If multiple SSO token for user is available then user will not be able to > generate jwt token from token generation page -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2968) When multiple enabled tokens selected including a SSO token and perform "enable token" operation fails with invalid error mess
[ https://issues.apache.org/jira/browse/KNOX-2968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17776617#comment-17776617 ] ASF subversion and git services commented on KNOX-2968: --- Commit 01a422ebfbddbefe3beff4e8ae4d0169774f6211 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=01a422ebf ] KNOX-2968 - Batch token enable action should succeed even if enabled KnoxSSO cookies are selected (#804) > When multiple enabled tokens selected including a SSO token and perform > "enable token" operation fails with invalid error mess > -- > > Key: KNOX-2968 > URL: https://issues.apache.org/jira/browse/KNOX-2968 > Project: Apache Knox > Issue Type: Bug > Components: TokenManagementUI >Affects Versions: 2.1.0 >Reporter: J.Andreina >Assignee: Sandor Molnar >Priority: Minor > Attachments: image-2023-10-18-12-40-18-857.png > > Time Spent: 20m > Remaining Estimate: 0h > > +*{color:#de350b}PROBLEM STATEMENT:{color}*+ > When multiple enabled tokens selected including a SSO token and perform > "enable token" operation fails with invalid error mess > +*BUILDS:*+ > knox 2.1 > feature reference doc : > https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+Management > > +*STEPS TO REPRODUCE:*+ > - Deploy ycloud cluster with above gbn. > - Create tokens from token gen page > - Logged into token management page using multiple users so that we will have > knox sso token > - Select multiple jwt token and an knox sso token > - Click on "Enable Selected Tokens" button > +*CURRENT BEHAVIOUR:*+ > Fails with improper error mess saying "Disabled KnoxSSO Cookies cannot not be > enabled" while the SSO token is still enabled . > !image-2023-10-18-12-40-18-857.png! 
> +*EXPECTED BEHAVIOUR:*+ > - During batch selection if any active knox sso token is selected and > performed "Enable Selected Tokens" , then the batch operation should succeed > +*OCCURRENCE:*+ > Reproducible -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774131#comment-17774131 ] ASF subversion and git services commented on KNOX-2962: --- Commit 1eeaf7315372bd7f8592e828dcac61740ba64581 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1eeaf7315 ] Revert "KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800)" (#803) This reverts commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf. > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774084#comment-17774084 ] ASF subversion and git services commented on KNOX-2962: --- Commit 9b5af7f28c559c54bdd5e3a707e1afce4ea8a87d in knox's branch refs/heads/revert-800-KNOX-2962-pend from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=9b5af7f28 ] Revert "KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800)" This reverts commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf. > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2963) CM service discovery should work when legacy mode is turned off
[ https://issues.apache.org/jira/browse/KNOX-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773981#comment-17773981 ] ASF subversion and git services commented on KNOX-2963: --- Commit 838dcd837217d55c2568a715dc992ed53c6eac9a in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=838dcd837 ] KNOX-2963 - CM service discovery should work when legacy mode is turned off (#801) > CM service discovery should work when legacy mode is turned off > --- > > Key: KNOX-2963 > URL: https://issues.apache.org/jira/browse/KNOX-2963 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > If Legacy Cloudera Manager API Clients Compatibility is turned on then > certain HDFS configs are moved to CORE_SETTINGS. > When the service model generator fetches hdfs_hadoop_ssl_enabled it will find > a null value (since the real config is under CORE_SETTINGS) and it will > generate a non-ssl URL even despite SSL is enabled. > Service discovery should fetch CORE_SETTINGS configs so that the model > generators can look up configs values from there too. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773980#comment-17773980 ] ASF subversion and git services commented on KNOX-2962: --- Commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ff6bcbcac ] KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800) > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2966) Improve hadoop-jwt cookie logging
[ https://issues.apache.org/jira/browse/KNOX-2966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773661#comment-17773661 ]

ASF subversion and git services commented on KNOX-2966:
-------------------------------------------------------

Commit 895022c4539a81543f5f0e946550cfc3feff3275 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=895022c45 ]

KNOX-2966 - Improved logging around KnoxSSO cookie management (#802)

> Improve hadoop-jwt cookie logging
> ---------------------------------
>
>                 Key: KNOX-2966
>                 URL: https://issues.apache.org/jira/browse/KNOX-2966
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxSSO
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 2.1.0
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, the following log messages are displayed when the {{hadoop-jwt}}
> cookie is added to the response during the KnoxSSO flow:
> - DEBUG: {{Adding the following JWT token as a cookie: $ENTIRE_JWT}}
> - INFO: JWT cookie successfully added.
> - ERROR: {{Unable to add cookie to response. $ERROR_MSG: $ERROR_STACK}}
> Possible improvements:
> - use {{org.apache.knox.gateway.util.Tokens.getTokenDisplayText(String)}} to
> mask the entire JWT in the {{DEBUG}} message above
> - add the masked JWT info in the {{INFO}} message so that we'll have a better
> understanding of when a certain SSO cookie was issued/added in the response.

--
This message was sent by Atlassian Jira (v8.20.10#820010)
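The logging improvement proposed in KNOX-2966 above, sketched as an added example (not Knox's code): a masker that keeps a bearer JWT out of the log while still letting two log lines be tied to the same cookie. The output format of Knox's own `Tokens.getTokenDisplayText(String)` is not shown on this page, so the masking scheme, class name and sample tokens here are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Added illustration; hypothetical helper, not org.apache.knox.gateway.util.Tokens.
public class JwtLogMasking {

    // Keep only the tail. Tokens signed with the same algorithm share the same
    // base64url header, so a visible prefix would not tell two cookies apart.
    static String maskTail(String jwt, int visible) {
        if (jwt == null || jwt.length() <= visible * 4) {
            return "***"; // too short to reveal any part of it
        }
        return "***" + jwt.substring(jwt.length() - visible);
    }

    // Short SHA-256 fingerprint: stable per token, useless as a credential.
    static String fingerprint(String jwt) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256")
                                         .digest(jwt.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 6; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is required by the Java platform", e);
        }
    }

    static String displayText(String jwt) {
        return maskTail(jwt, 6) + " (sha256:" + fingerprint(jwt) + ")";
    }

    public static void main(String[] args) {
        // Constructed sample tokens (not real, not verifiable): same header, different users.
        String header = "eyJhbGciOiJSUzI1NiJ9";
        String jwtA = header + ".eyJzdWIiOiJocnRfcWEifQ.Y29uc3RydWN0ZWQtc2lnbmF0dXJlLUE";
        String jwtB = header + ".eyJzdWIiOiJocnRfMjIifQ.Y29uc3RydWN0ZWQtc2lnbmF0dXJlLUI";

        // A prefix-only mask collides for every token with this header.
        System.out.println("prefix collides: "
                + jwtA.substring(0, 10).equals(jwtB.substring(0, 10)));

        // What the DEBUG and INFO lines could carry instead of $ENTIRE_JWT.
        System.out.println("DEBUG Adding the following JWT token as a cookie: " + displayText(jwtA));
        System.out.println("INFO  JWT cookie successfully added: " + displayText(jwtA));
        System.out.println("INFO  JWT cookie successfully added: " + displayText(jwtB));
    }
}
```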
[jira] [Commented] (KNOX-2965) Document KnoxSSO Cookie Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773599#comment-17773599 ] ASF subversion and git services commented on KNOX-2965: --- Commit 1912854 from Sandor Molnar in branch 'knox/trunk' [ https://svn.apache.org/r1912854 ] KNOX-2965 - Fixed batch operations formatting > Document KnoxSSO Cookie Invalidation > > > Key: KNOX-2965 > URL: https://issues.apache.org/jira/browse/KNOX-2965 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > > Document the new feature and changes implemented in KNOX-2961. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2965) Document KnoxSSO Cookie Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773592#comment-17773592 ] ASF subversion and git services commented on KNOX-2965: --- Commit 1912852 from Sandor Molnar in branch 'knox/trunk' [ https://svn.apache.org/r1912852 ] KNOX-2965 - Document KNOXSSO Cookie Invalidation > Document KnoxSSO Cookie Invalidation > > > Key: KNOX-2965 > URL: https://issues.apache.org/jira/browse/KNOX-2965 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > > Document the new feature and changes implemented in KNOX-2961. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2950) Token generation should be reachable using the old URL
[ https://issues.apache.org/jira/browse/KNOX-2950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773471#comment-17773471 ]

ASF subversion and git services commented on KNOX-2950:
---

Commit 01361812f852988681bda05565b9607ceb427b38 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=01361812f ]

KNOX-2950 - Handling application path aliases (#787)

> Token generation should be reachable using the old URL
> --
>
> Key: KNOX-2950
> URL: https://issues.apache.org/jira/browse/KNOX-2950
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> With KNOX-2811, the token generation UI's URL is changed from
> {{'.../tokengen/index.html'}} to {{'.../token-generation/index.html'}}. The
> idea was that clients will use the Knox Home page to go to that particular
> UI. However, it might be the case that other 3rd party tools have that link
> hard-coded.
> So it'd be nice to reach the same UI with an additional context with the old
> name ({{tokengen}}).
[jira] [Commented] (KNOX-2961) KnoxSSO Token Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773259#comment-17773259 ]

ASF subversion and git services commented on KNOX-2961:
---

Commit f91385662a09b1014f1e1935944fb55bcb47f0a0 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=f91385662 ]

KNOX-2961 - Knox SSO cookie Invalidation - Phase II (#799)

- Allow end-users to show/hide previously disabled KnoxSSO Cookies on the Token Management page.
- Pre-configured users can see all tokens on the Token Management page.
- End-users can execute batch operations on selected Knox Tokens.

> KnoxSSO Token Invalidation
> --
>
> Key: KNOX-2961
> URL: https://issues.apache.org/jira/browse/KNOX-2961
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO, Server, TokenManagementUI
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> There is a need for a new feature that would allow a pre-configured superuser
> to invalidate previously issued Knox SSO tokens for (a) particular user(s) in
> case there is a malicious attack in terms of one (or more) of those users'
> SSO tokens got compromised.
> In phase I, the following changes have to be implemented:
> - Knox SSO cookie validation using PAM, LDAP, and Pac4j
> authentication/federation
> - The token Management page should be updated in a way such that it'll
> contain only one compact table with all the information we need of a
> generated token (is impersonated, is Knox SSO cookie, available actions)
> - Knox SSO cookies on the new token management UI can be disabled
> (invalidated), but not revoked.
> - Disabled KnoxSSO cookies should be removed from the underlying token state
> service within the configured eviction period even if they were not expired
> In phase II, the token management page should be updated with the following
> improvements:
> * pre-configured superusers can view tokens of others and not only theirs
> * batch operations should be able to be executed using the available actions
> to make it easier for a superuser to disable one's tokens in a round
[jira] [Commented] (KNOX-2961) KnoxSSO Token Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772467#comment-17772467 ]

ASF subversion and git services commented on KNOX-2961:
---

Commit c49302a0f7ac27f92811d4d65cdc76da7077f5d2 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c49302a0f ]

KNOX-2961 - Knox SSO cookie Invalidation - Phase I (#797)

> KnoxSSO Token Invalidation
> --
>
> Key: KNOX-2961
> URL: https://issues.apache.org/jira/browse/KNOX-2961
> Project: Apache Knox
> Issue Type: New Feature
> Components: KnoxSSO, Server, TokenManagementUI
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> There is a need for a new feature that would allow a pre-configured superuser
> to invalidate previously issued Knox SSO tokens for (a) particular user(s) in
> case there is a malicious attack in terms of one (or more) of those users'
> SSO tokens got compromised.
> In phase I, the following changes have to be implemented:
> - Knox SSO cookie validation using PAM, LDAP, and Pac4j
> authentication/federation
> - The token Management page should be updated in a way such that it'll
> contain only one compact table with all the information we need of a
> generated token (is impersonated, is Knox SSO cookie, available actions)
> - Knox SSO cookies on the new token management UI can be disabled
> (invalidated), but not revoked.
> - Disabled KnoxSSO cookies should be removed from the underlying token state
> service within the configured eviction period even if they were not expired
> In phase II, the token management page should be updated with the following
> improvements:
> * pre-configured superusers can view tokens of others and not only theirs
> * batch operations should be able to be executed using the available actions
> to make it easier for a superuser to disable one's tokens in a round
[jira] [Commented] (KNOX-2960) DefaultDispatch doesn't forward inbound request headers in case of requestType=OPTIONS
[ https://issues.apache.org/jira/browse/KNOX-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17771873#comment-17771873 ]

ASF subversion and git services commented on KNOX-2960:
---

Commit 8e7513a66c6576172840c89ef1c3e576bec0322f in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8e7513a66 ]

KNOX-2960 - DefaultDispatch doesn't forward inbound request headers in case of requestType=OPTIONS (#798)

> DefaultDispatch doesn't forward inbound request headers in case of
> requestType=OPTIONS
> --
>
> Key: KNOX-2960
> URL: https://issues.apache.org/jira/browse/KNOX-2960
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> put/get/etc has copyRequestHeaderFields
> {code}
> @Override
> public void doPut(URI url, HttpServletRequest request, HttpServletResponse response)
>     throws IOException, URISyntaxException {
>   final HttpPut method = new HttpPut(url);
>   copyRequestHeaderFields(method, request, addExpect100Continue);
>   final HttpEntity entity = createRequestEntity(request, addExpect100Continue);
>   method.setEntity(entity);
>   executeRequestWrapper(method, request, response);
> }
> {code}
> but OPTIONS doesn't
> {code}
> @Override
> public void doOptions(URI url, HttpServletRequest request, HttpServletResponse response)
>     throws IOException, URISyntaxException {
>   HttpOptions method = new HttpOptions(url);
>   executeRequestWrapper(method, request, response);
> }
> {code}
[jira] [Commented] (KNOX-2959) Auto discovery to support scaling scenarios
[ https://issues.apache.org/jira/browse/KNOX-2959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17771821#comment-17771821 ]

ASF subversion and git services commented on KNOX-2959:
---

Commit 1da5edc9f044a83262f485e2cdb767384a92038c in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1da5edc9f ]

KNOX-2959 - Auto discovery to support scaling scenarios (#796)

> Auto discovery to support scaling scenarios
> ---
>
> Key: KNOX-2959
> URL: https://issues.apache.org/jira/browse/KNOX-2959
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> After adding/removing a new component the service list in the topologies
> should be regenerated to request the newly added component.
[jira] [Commented] (KNOX-2896) Homepage - API services view switch
[ https://issues.apache.org/jira/browse/KNOX-2896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766763#comment-17766763 ]

ASF subversion and git services commented on KNOX-2896:
---

Commit 3af43b73cef94481679ec42157a0a07d227f586f in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3af43b73c ]

KNOX-2896 - API services view on Knox Home page can be selected (#795)

The default view is the 'old' list view which belongs to v1. If end-users want the most recent modal-window style, they will need to use v2 as gateway.api.services.view.version in gateway-site.xml.

> Homepage - API services view switch
> ---
>
> Key: KNOX-2896
> URL: https://issues.apache.org/jira/browse/KNOX-2896
> Project: Apache Knox
> Issue Type: Improvement
> Affects Versions: 1.5.0, 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
>
> With KNOX-2343, the API services on the Knox Home page are displayed
> similarly to the UI services. This was a great improvement, but some
> end-users may prefer to have the "old" view over the new one.
> We should add an application or gateway-level property to support this
> feature.
[jira] [Commented] (KNOX-2955) Knox Readiness Awareness and Notification
[ https://issues.apache.org/jira/browse/KNOX-2955?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17763627#comment-17763627 ]

ASF subversion and git services commented on KNOX-2955:
---

Commit 3f3a65baddb58e4ad5d6bb0c0aa1d039fba688b5 in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3f3a65bad ]

KNOX-2955 - Knox Readiness Awareness and Notification (#792)

> Knox Readiness Awareness and Notification
> -
>
> Key: KNOX-2955
> URL: https://issues.apache.org/jira/browse/KNOX-2955
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> Currently, Knox is unable to accurately report its readiness to handle
> requests (e.g., all topology deployments have completed).
> Knox needs a more reliable means by which to know that all of the topologies
> have been completely deployed before reporting that it is "ready".
> Knox also needs a new built-in endpoint for querying this readiness, which
> does not require authentication.
[jira] [Commented] (KNOX-2948) Make encryptquerystring provision optional
[ https://issues.apache.org/jira/browse/KNOX-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17763614#comment-17763614 ]

ASF subversion and git services commented on KNOX-2948:
---

Commit 550bcc401a6cfe84a88778ab13f1a22504c83abc in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=550bcc401 ]

KNOX-2948 - HXR parser can handle the new 'provisionEncryptQueryStringCredential' boolean field in SimpleDescriptor (#793)

> Make encryptquerystring provision optional
> --
>
> Key: KNOX-2948
> URL: https://issues.apache.org/jira/browse/KNOX-2948
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0, 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given
> topology's credential store when processing the descriptor.
> The problem with this approach is that, in some cases, it may happen that
> 3rd party deployment tools (such as Cloudera Manager) persist that secret in
> a separate phase and
> * this makes the Knox call redundant
> * Knox will override the previously saved value silently
> Proposal:
> - introduce a new descriptor-level property called
> {{provision-encrypt-query-string-credential}} (defaults to {{true}}) which
> controls this behavior
> - if the descriptor is configured with
> {{provisionEncryptQueryStringCredential = false}}, no credential store
> operation should be done to save that alias.