[jira] [Commented] (KNOX-3036) Add a Primary Group Function to Virtual Groups
[
https://issues.apache.org/jira/browse/KNOX-3036?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17843763#comment-17843763
]
ASF subversion and git services commented on KNOX-3036:
---
Commit 6c26ec6101b715d00219771997cd3b792893b6ee in knox's branch
refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6c26ec610 ]
KNOX-3036 - Add Primary Group Virtual Group (#905)
* KNOX-3036 - Add Primary Group Virtual Group
> Add a Primary Group Function to Virtual Groups
> --
>
> Key: KNOX-3036
> URL: https://issues.apache.org/jira/browse/KNOX-3036
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> The virtual groups through predicate evaluations should include a means to
> dynamically add a group principal with the same name as the username.
> This will require intercepting the configured mapping key name which usually
> ends with the literal virtual group name that will be added upon matching of
> the predicate logic.
> For this, we will add an optional Logical Virtual Group which will need to be
> resolved rather than used as a literal. For this specific usecase, we can use
> syntax such as:
> {code}
>
> group.mapping.$PRIMARY_GROUP
> (not (member username))
>
> {code}
> This will add a primary group for all authenticated users that don't already
> have one in the current groups list.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3023) Extend the Hadoop proxyuser dispatch to optionally include groups in a header in addition to doAs
[ https://issues.apache.org/jira/browse/KNOX-3023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17842655#comment-17842655 ] ASF subversion and git services commented on KNOX-3023: --- Commit b6ff0acdc326e54fd061b4b2f4e172cef24f5a5f in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b6ff0acdc ] KNOX-3023 - Include groups in a header in ConfigurableDispatch (#903) > Extend the Hadoop proxyuser dispatch to optionally include groups in a header > in addition to doAs > - > > Key: KNOX-3023 > URL: https://issues.apache.org/jira/browse/KNOX-3023 > Project: Apache Knox > Issue Type: Bug > Components: Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently Hadoop proxyuser dispatch does not have a mechanism to relay user > groups. This JIRA tried to address this problem. This can be done similar to > what we have done in [Knox Auth > Service|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Knox+Auth+Service] > `auth/api/v1/pre` endpoint where a header is added to the response (by > default X-Knox-Actor-ID) with the principal name to the response. In this > case these headers will be added to outgoing requests. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3032) Passcode token verification doesn't return error when TSS is disabled
[
https://issues.apache.org/jira/browse/KNOX-3032?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17842418#comment-17842418
]
ASF subversion and git services commented on KNOX-3032:
---
Commit e1a746879cedeaf4401a905328cd382bdbb4eb85 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e1a746879 ]
KNOX-3032 - Passcode use without token state service returns 401 (#902)
> Passcode token verification doesn't return error when TSS is disabled
> -
>
> Key: KNOX-3032
> URL: https://issues.apache.org/jira/browse/KNOX-3032
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: proxy-token.xml
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> *Steps to reproduce:*
> * configure a new topology (e.g. proxy-token) with {{JWTProvider}} where
> {{knox.token.exp.server-managed}} is set to {{false}} (see an example in the
> attachment)
> * acquire a Knox Token using the Token Generation UI
> * use the {{Passcode}} field in a {{curl}} request against a service
> endpoint in the new topology
> *Current results:*
> Knox returns an HTTP response with 200 status code
> {noformat}
> $ curl -iku
> Passcode:TkdVd1l6VTBPR0l0TmpVMk9DMDBNRFl4TFdFelpHTXROakk1TURnd09EYzJOVEJoOjpNREV6T0dGaFpXUXRZMkV5WVMwME4yWXhMVGhsWkRndFpUQmpNemszTlRrMlpqazE=
> https://localhost:8443/gateway/proxy-token/health/v1/gateway-status
> HTTP/1.1 200 OK
> Date: Mon, 29 Apr 2024 08:33:06 GMT
> Content-Length: 0
> {noformat}
> *Expected results:*
> An HTTP response should have been received with 401 and the proper error
> message.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3030) SAXException occurs while parsing old topology on the descriptor handle path
[
https://issues.apache.org/jira/browse/KNOX-3030?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17839807#comment-17839807
]
ASF subversion and git services commented on KNOX-3030:
---
Commit 1018a3b29ca716b9fbdc5870b132238a9dcc7e91 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1018a3b29 ]
KNOX-3030 - Make TopologyUtils.parse thread safe (#901)
Besides this, Knox logs the faulty generated content when it's about to be
peristed on the disk.
> SAXException occurs while parsing old topology on the descriptor handle path
>
>
> Key: KNOX-3030
> URL: https://issues.apache.org/jira/browse/KNOX-3030
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In highly concurrent environments Knox may fail to parse the generated
> topology from descriptors/shared providers thus topology deployment fails
> with the following error:
> {noformat}
> 2024-01-26 10:35:25,173 ERROR topology.simple
> (SimpleDescriptorHandler.java:shouldPersistGeneratedTopology(682)) - Error
> comparing the generated cdp-proxy topology with the existing version:
> org.xml.sax.SAXParseException; lineNumber: 35; columnNumber: 20; Error at
> line 35 char 20: class org.apache.knox.gateway.topology.Provider cannot be
> cast to class org.apache.knox.gateway.topology.Param
> (org.apache.knox.gateway.topology.Provider and
> org.apache.knox.gateway.topology.Param are in unnamed module of loader
> java.net.URLClassLoader @668bc3d5)
> 2024-01-26 10:35:25,173 INFO topology.simple
> (SimpleDescriptorHandler.java:generateTopology(622)) - Skipping redeployment
> of the cdp-proxy topology because it already exists and has not changed.
> {noformat}
> This will lead to unreachable end-user endpoints.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3028) KnoxToken extension for OAuth Token Flows
[
https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17837388#comment-17837388
]
ASF subversion and git services commented on KNOX-3028:
---
Commit d74fb4f8492191d24ab556fbefd50bbf0ebc8ad8 in knox's branch
refs/heads/master from Larry McCay
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d74fb4f84 ]
KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN (#900)
* KNOX-3028 - add support for OAuth Token Exchange to KNOXTOKEN
> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 3h
> Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to
> include OAuth specifics such as expected URL, error messages and flows to
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST
> Catalog API. In this specific usecase, we need to intercept the use of the
> following endpoint URLs and serve the token exchange flow for the
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing
> KNOXTOKEN service with an extension of the TokenResource which adapts the
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to
> register a url pattern for each usecase and the resource path within the
> jersey service will need to accommodate the dynamic nature of the Iceberg
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and need to match to the
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining
> path fragment being optional for the iceberg specific "tokens".
> Not pretty but it will work.
> 1.
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3014) Unauthenticated paths support for Shiro provider
[
https://issues.apache.org/jira/browse/KNOX-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17832873#comment-17832873
]
ASF subversion and git services commented on KNOX-3014:
---
Commit 1916717 from Sandeep More
[ https://svn.apache.org/r1916717 ]
KNOX-3015 KNOX-3014 - Document path based authorization feature and
Unauthenticated paths support for Shiro provider
> Unauthenticated paths support for Shiro provider
>
>
> Key: KNOX-3014
> URL: https://issues.apache.org/jira/browse/KNOX-3014
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Looks like we have only support unauthenticated paths for
> * JWTProvider
> * HadoopAuthProvider
> * SSOCookieProvider
> Shiro auth provider does not have support for unauthenticated path parameter.
> see KNOX-2582 and KNOX-2393
> This can be enabled by adding the following param to Shiro authentication
> provider
> {code:java}
>
> urls./knoxtoken/api/v1/jwks.json
> anon
>
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3015) Document path based authorization feature
[ https://issues.apache.org/jira/browse/KNOX-3015?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17832872#comment-17832872 ] ASF subversion and git services commented on KNOX-3015: --- Commit 1916717 from Sandeep More [ https://svn.apache.org/r1916717 ] KNOX-3015 KNOX-3014 - Document path based authorization feature and Unauthenticated paths support for Shiro provider > Document path based authorization feature > - > > Key: KNOX-3015 > URL: https://issues.apache.org/jira/browse/KNOX-3015 > Project: Apache Knox > Issue Type: Bug > Components: Document >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.1.0 > > > Document KNOX-2998 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3026) Exclude services/roles from being discovered
[ https://issues.apache.org/jira/browse/KNOX-3026?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17831824#comment-17831824 ] ASF subversion and git services commented on KNOX-3026: --- Commit af09c1d4e90941c9e545a6667af561c3b9c3a717 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=af09c1d4e ] KNOX-3026 - End-users can exclude certain services or roles from CM service discovery (#893) > Exclude services/roles from being discovered > > > Key: KNOX-3026 > URL: https://issues.apache.org/jira/browse/KNOX-3026 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Currently, even after implementing KNOX-2899, CM service discovery is running > on the entire CM cluster and fetches information on all services and roles > that are available on that target cluster. We may want to revisit the > service-based discovery enablement (that is now disabled by KNOX-2899). > However, there is a need for end-users to be able to declare services and > roles that should be explicitly excluded during service discovery. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3024) Fix findJava in knox-functions.sh
[
https://issues.apache.org/jira/browse/KNOX-3024?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17829556#comment-17829556
]
ASF subversion and git services commented on KNOX-3024:
---
Commit 1e9a39b76b2da8d995f1201d9cf0ecf6b3d3d085 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1e9a39b76 ]
KNOX-3024 - Fixed Java finding issues (#891)
> Fix findJava in knox-functions.sh
> -
>
> Key: KNOX-3024
> URL: https://issues.apache.org/jira/browse/KNOX-3024
> Project: Apache Knox
> Issue Type: Bug
> Components: Release
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1, 1.6.2
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.1.0
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> 5 years ago, when I added {{shellcheck}} support to our build in the scope of
> KNOX-1816, I introduced a bug in the {{findJava}} function in
> {{{}knox-functions.sh{}}}: when $JAVA_HOME is not set, and Java is not
> available on the path, the function tries to find java executables under
> {{{}/usr{}}}. However, the current implementation is wrong:
> {noformat}
> $ which java
> /usr/bin/which: no java in
> (/usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
> $ echo $JAVA_HOME
> $ bin/knoxcli.sh export-cert --type JKS
> Warning: JAVA is not set and could not be found.
> ... {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3022) Possible NPE at CM cluster configuration monitor startup due to cluster configuration file issues
[
https://issues.apache.org/jira/browse/KNOX-3022?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17828477#comment-17828477
]
ASF subversion and git services commented on KNOX-3022:
---
Commit 3fed1e06041f8756dd50179f9764ac73da28ac01 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3fed1e060 ]
KNOX-3022 - Handling the case when previously persisted CM cluster config file
is empty (#890)
> Possible NPE at CM cluster configuration monitor startup due to cluster
> configuration file issues
> -
>
> Key: KNOX-3022
> URL: https://issues.apache.org/jira/browse/KNOX-3022
> Project: Apache Knox
> Issue Type: Bug
> Components: cm-discovery
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In KNOX-2869, we handled the case where
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.conf}} file was empty.
> However, it might be the same for the
> {{$KNOX_DATA_DIR/cm-clusters/hCM_HOST_7183-Cluster_1.ver}} file where
> previously persisted cluster configuration (with service/role details) is
> stored.
> If that file is empty, the following error is thrown:
> {noformat}
> 2024-03-18 19:01:34,840 ERROR discovery.cm
> (ClusterConfigurationFileStore.java:get(106)) - Failed to load persisted
> service configuration data for cluster monitor CM :
> com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to
> map due to end-of-input
> at [Source: (sun.nio.ch.ChannelInputStream); line: 1, column: 0]
> 2024-03-18 19:01:34,841 FATAL knox.gateway (GatewayServer.java:main(193)) -
> Failed to start gateway: java.lang.NullPointerException
> java.lang.NullPointerException
> at
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.loadServiceConfiguration(ClouderaManagerClusterConfigurationMonitor.java:196)
> at
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitor.(ClouderaManagerClusterConfigurationMonitor.java:103)
> at
> org.apache.knox.gateway.topology.discovery.cm.monitor.ClouderaManagerClusterConfigurationMonitorProvider.newInstance(ClouderaManagerClusterConfigurationMonitorProvider.java:35)
> at
> org.apache.knox.gateway.services.topology.impl.DefaultClusterConfigurationMonitorService.init(DefaultClusterConfigurationMonitorService.java:44)
> at
> org.apache.knox.gateway.services.DefaultGatewayServices.init(DefaultGatewayServices.java:137)
> at org.apache.knox.gateway.GatewayServer.main(GatewayServer.java:184)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.apache.knox.gateway.launcher.Invoker.invokeMainMethod(Invoker.java:68)
> at org.apache.knox.gateway.launcher.Invoker.invoke(Invoker.java:39)
> at org.apache.knox.gateway.launcher.Command.run(Command.java:99)
> at org.apache.knox.gateway.launcher.Launcher.run(Launcher.java:75)
> at org.apache.knox.gateway.launcher.Launcher.main(Launcher.java:52)
> {noformat}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3020) Introduce type Knox Token metadata
[
https://issues.apache.org/jira/browse/KNOX-3020?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17827100#comment-17827100
]
ASF subversion and git services commented on KNOX-3020:
---
Commit 67ebe9ae9fffe73ca13c335b1aaa14446b343aa3 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=67ebe9ae9 ]
KNOX-3020 - Introducing the 'type' metadata for Knox Tokens (#881)
> Introduce type Knox Token metadata
> --
>
> Key: KNOX-3020
> URL: https://issues.apache.org/jira/browse/KNOX-3020
> Project: Apache Knox
> Issue Type: Task
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> With KNOX-3016, there is a need to distinguish different Knox Token types as
> follows:
> * JWT (default)
> * KNOXSSO_COOKIE
> * CLIENT_ID
> This little refactor will allow us to handle every type-related decision
> within the scope of the\{{TokenMetadata}} class.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3014) Unauthenticated paths support for Shiro provider
[ https://issues.apache.org/jira/browse/KNOX-3014?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826812#comment-17826812 ] ASF subversion and git services commented on KNOX-3014: --- Commit 84999b8e1851c381480b4827979166675f7971d4 in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=84999b8e1 ] KNOX-3014 - Fix a bug where unauthenticated path configured in shiro provider throw exception (#879) * KNOX-3014 - Fix a bug where unauthenticated path configured in shiro provider throw exception * Formatting changes * Adding /knoxtoken/api/v1/jwks.json and v1 will be depreciated * Check at Knox level if the request is configured to be anonymous usign shiro configs. Add unit tests for better test coverage. > Unauthenticated paths support for Shiro provider > > > Key: KNOX-3014 > URL: https://issues.apache.org/jira/browse/KNOX-3014 > Project: Apache Knox > Issue Type: Bug > Components: Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Looks like we have only support unauthenticated paths for > * JWTProvider > * HadoopAuthProvider > * SSOCookieProvider > Shiro auth provider does not have support for unauthenticated path parameter. > see KNOX-2582 and KNOX-2393 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3019) Allow tokens to be renewed any times
[
https://issues.apache.org/jira/browse/KNOX-3019?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17826030#comment-17826030
]
ASF subversion and git services commented on KNOX-3019:
---
Commit c098afaec3a181d8a5d8d5f25a61526d4b608a8b in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c098afaec ]
KNOX-3019 - Allow token renewal without upper bound for non-expired tokens
(#880)
> Allow tokens to be renewed any times
>
>
> Key: KNOX-3019
> URL: https://issues.apache.org/jira/browse/KNOX-3019
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server, TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Setting the TTL to {{-1}} results in tokens that never expire. If the TTL is
> configured to a positive number, renewing the token is the only way to extend
> its expiration time. By default, there is a cap on this event: a token cannot
> be renewed after it reaches the configured maximum lifetime (defaults to
> {{{}7 days{}}}).
> This task aims to provide end-users with a way to bypass this check and let
> tokens be renewed whenever they want. The logic would be similar to the
> {{Unlimited token}} handling: if the maximum lifetime is set to {{{}-1{}}},
> tokens would be subject to renewal without checking the maximum lifetime.
> Please note that token renewal still must be configured with a list of
> trusted users via the {{knox.token.renewer.whitelist}} configuration.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens
[ https://issues.apache.org/jira/browse/KNOX-3016?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825846#comment-17825846 ] ASF subversion and git services commented on KNOX-3016: --- Commit 8f38723bb6b8111eb93b01697e89dd98fb6f59f2 in knox's branch refs/heads/master from Larry McCay [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8f38723bb ] KNOX-3016 - add support for client credentials flow (#876) * KNOX-3016 - add support for client credentials flow > Add Support for Client Credentials Flow with KnoxTokens > --- > > Key: KNOX-3016 > URL: https://issues.apache.org/jira/browse/KNOX-3016 > Project: Apache Knox > Issue Type: Bug > Components: JWT >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 1h 10m > Remaining Estimate: 0h > > Adding support for integrations to Knox proxied services and APIs via OAuth > style cllient credentials flow. This allows an integration that is provided a > CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access > proxied services with those or exchange those credentials for short lived JWT > based access, id and refresh tokens. > This change introduces only the acceptance of the Knox TokenID and Passcode > tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client > credentials flow request body. This body will contain the following params: > 1. grant_type and it will be "client_credentials" > 2. client_id which will be the KnoxToken tokenId or KnoxID > 3. client_secret which will be the passcode token for which we store the hash > Authentication using this flow will result in the effective user being what > is provided as the CLIENT_ID. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3018) Unlimited token generation - Wrong expiration time is shown
[
https://issues.apache.org/jira/browse/KNOX-3018?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825637#comment-17825637
]
ASF subversion and git services commented on KNOX-3018:
---
Commit 37dc8a736507ecbd39eacfd206f8c05aa15e1745 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=37dc8a736 ]
KNOX-3018 - Tokens that never expire should not be evicted automatically and
their expiration should be displayed properly (#878)
> Unlimited token generation - Wrong expiration time is shown
> ---
>
> Key: KNOX-3018
> URL: https://issues.apache.org/jira/browse/KNOX-3018
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 14.25.04.png, Screenshot
> 2024-03-11 at 14.25.27.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Steps to reproduce*
> * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the
> {{KNOXTOKEN}} service
> * set {{knox.token.lifespan.input.enabled = false}} in the {{homepage}}
> topology for the {{KNOXTOKEN}} service
> *Actual results*
> With KNOX-3017 in place, the token is generated, but the expiration is wrong,
> see attached screenshots.
> In addition to this UI bug, the background reaper thread removes this token
> the next time it's triggered. This is also incorrect: unlimited tokens should
> never be removed automatically as they never expire.
> *Expected result*
> Token expiration should indicate an unlimited lifespan and unlimited tokens
> should not be revoked automatically.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3017) Unlimited token generation - invalid warning poopup
[
https://issues.apache.org/jira/browse/KNOX-3017?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17825581#comment-17825581
]
ASF subversion and git services commented on KNOX-3017:
---
Commit 0ec2ea8c1f17112c0ed9831933b1f4f85637bb5d in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=0ec2ea8c1 ]
KNOX-3017 - Avoid showing lifetime adjustment popup when TTL is set to -1 (#877)
> Unlimited token generation - invalid warning poopup
> ---
>
> Key: KNOX-3017
> URL: https://issues.apache.org/jira/browse/KNOX-3017
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Screenshot 2024-03-11 at 12.57.12.png, Screenshot
> 2024-03-11 at 12.57.35.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> *Steps to reproduce*
> * set the {{knox.token.ttl}} to {{-1}} in the {{homepage}} topology for the
> {{KNOXTOKEN}} service
> * go to the {{Token Generation UI}} and set the {{Lifetime}} to 365 days
> *Actual results*
> The lifespan adjusting warning popup says that 365 days is greater than the
> configured maximum lifetime. This is not true, because, as you can see in the
> screenshot, we are creating tokens with {{unlimited lifetime}}
> *Expected result*
> The popup should not be displayed in case of unlimited token lifetime
> configurations.
> *Note*
> After clicking the {{Generate token anyway}} button, the token was created
> with the correct expiration time (1 year from today).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2998) Path based authorization
[
https://issues.apache.org/jira/browse/KNOX-2998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17824157#comment-17824157
]
ASF subversion and git services commented on KNOX-2998:
---
Commit c594fe79b9a40fba430c8baa856d93f2f258d1a8 in knox's branch
refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c594fe79b ]
KNOX-2998 - Path based authorization provider (#875)
> Path based authorization
>
>
> Key: KNOX-2998
> URL: https://issues.apache.org/jira/browse/KNOX-2998
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> We will need a new acls extension (similar to AclsAuthz) to support this
> functionality. Following, is an example of how this might look.
>
> {code:java}
>
> path.KNOX-AUTH-SERVICE.acl
>/foo/* [,
> *|path...];username[,*|username...];group[,*|group...];ipaddr[,*|ipaddr...]
>
> {code}
> This new extension (`path` in the above example) will work with
> CompositeAuthz and follow the same pattern as AclsAuthz provider.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3013) Knox redirecting Yarn Node Manager URLs to http instead of https
[ https://issues.apache.org/jira/browse/KNOX-3013?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823934#comment-17823934 ] ASF subversion and git services commented on KNOX-3013: --- Commit 5088d423a512b7bd98411e4b02071e3afc827802 in knox's branch refs/heads/master from K0K0V0K [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5088d423a ] KNOX-3013 - Knox redirecting Yarn Node Manager URLs to http instead of https (#874) - YARNUI/yarn/outbound/node3 rule rewrites the https schemes to http - To fix the issue we skip this rule in case if the schema is https > Knox redirecting Yarn Node Manager URLs to http instead of https > > > Key: KNOX-3013 > URL: https://issues.apache.org/jira/browse/KNOX-3013 > Project: Apache Knox > Issue Type: Bug >Affects Versions: 1.3.0 >Reporter: Bence Kosztolnik >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > > While viewing the yarn application logs on YARM RM UI via Knox, we can see > that Knox is redirecting the NM URL to HTTP instead of HTTPS, as the YARN is > running on TLS/SSL. > https:///gateway/cdp-proxy/yarn/nodemanager/node?scheme=http=some.url=8044 > We get the below error > HTTP ERROR 500 java.io.IOException: java.io.IOException: Service connectivity > error. URI: /gateway/cdp-proxy/yarn/nodemanager/node STATUS: 500 MESSAGE: > java.io.IOException: java.io.IOException: Service connectivity error. > SERVLET: cdp-proxy-knox-gateway-servlet CAUSED BY: java.io.IOException: > java.io.IOException: Service connectivity error. CAUSED BY: > java.io.IOException: Service connectivity error. > However when I change "scheme=https" the page loads without an issue. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2996) Add proxy for hdfs UI network topology
[ https://issues.apache.org/jira/browse/KNOX-2996?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823579#comment-17823579 ] ASF subversion and git services commented on KNOX-2996: --- Commit 1b8fe408b73ad0a23d431d8e38367c1910cb2497 in knox's branch refs/heads/master from berylzsh [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b8fe408b ] KNOX-2996 - Add proxy for hdfs UI network topology (#829) Co-authored-by: zhaoshuaihua > Add proxy for hdfs UI network topology > --- > > Key: KNOX-2996 > URL: https://issues.apache.org/jira/browse/KNOX-2996 > Project: Apache Knox > Issue Type: Bug > Components: Release >Affects Versions: 2.0.0, 1.6.0 >Reporter: zhaoshuaihua >Priority: Major > Attachments: > KNOX-2996_-_Add_proxy_for_hdfs_UI_network_topology.patch, > image-2023-12-28-16-36-57-726.png, image-2023-12-28-16-37-10-631.png, > image-2023-12-28-16-37-15-888.png > > Time Spent: 1h 40m > Remaining Estimate: 0h > > Clicking the hdfs UI network topology proxy failed, the page should be > displayed and should not be Error. > !image-2023-12-28-16-36-57-726.png!!image-2023-12-28-16-37-10-631.png!!image-2023-12-28-16-37-15-888.png! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3012) Fix the DN links on the Ozone SCM UI
[
https://issues.apache.org/jira/browse/KNOX-3012?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823198#comment-17823198
]
ASF subversion and git services commented on KNOX-3012:
---
Commit 95d5b6eba21ed0fd80551f40556de02318f22fe1 in knox's branch
refs/heads/master from Zita Dombi
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=95d5b6eba ]
KNOX-3012 - Fix the DN links on the Ozone SCM UI (#873)
* Fix outbound rule for DN links
* Fix filter path too
* Add new version directory for ozone-scm and add changes there
> Fix the DN links on the Ozone SCM UI
>
>
> Key: KNOX-3012
> URL: https://issues.apache.org/jira/browse/KNOX-3012
> Project: Apache Knox
> Issue Type: Bug
>Reporter: Zita Dombi
>Assignee: Zita Dombi
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In HDDS-9732 we changed the datanode links on the SCM UI in Ozone, which we
> need to follow in Knox too.
> From this:
> {code:java}
> href="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"
> target="_blank">{{typestat.hostname}}
> {code}
> To this:
> {code:java}
> target="_blank">{{typestat.hostname}}
> {code}
> We didn't adjust this in Knox, it's still looking for the previous one:
> {code:java}
>
>
> pattern="{{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}"/>
> template="{gateway.url}/ozone-scm/datanode/index.html?host={{typestat.portval.toLowerCase()}}://{{typestat.hostname}}:{{typestat.portno}}
> "/>
>
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2995) json contains NaN value parsing failed
[ https://issues.apache.org/jira/browse/KNOX-2995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17823147#comment-17823147 ] ASF subversion and git services commented on KNOX-2995: --- Commit bd3972d94b30a96d55035b93746e975bdd02d599 in knox's branch refs/heads/master from berylzsh [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bd3972d94 ] KNOX-2995 - Support json parsing NaN values (#828) - Co-authored-by: zhaoshuaihua > json contains NaN value parsing failed > -- > > Key: KNOX-2995 > URL: https://issues.apache.org/jira/browse/KNOX-2995 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 2.0.0, 1.6.0 >Reporter: zhaoshuaihua >Priority: Major > Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, > screenshot-3.png > > Time Spent: 1h 20m > Remaining Estimate: 0h > > If the proxy address returns JSON, which contains something similar to xxx: > NaN, then knox will fail to parse. Therefore, support for parsing NaN is > added. > I click on the page with return json and the content of Resopnse is empty. > like this : !screenshot-1.png! > > Checking the gateway.log log shows the following error message. > !screenshot-2.png! > The display results after my repair are as follows: > !screenshot-3.png! > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3011) Resolve duplicated SL4J on classpath issue
[
https://issues.apache.org/jira/browse/KNOX-3011?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821194#comment-17821194
]
ASF subversion and git services commented on KNOX-3011:
---
Commit e1d9bb729af006f45e70311ac5746277fe03760f in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e1d9bb729 ]
KNOX-3011 - Excluded logback-[core|classic] as transitive dependencies pulled
in by Zookeeper (#861)
> Resolve duplicated SL4J on classpath issue
> --
>
> Key: KNOX-3011
> URL: https://issues.apache.org/jira/browse/KNOX-3011
> Project: Apache Knox
> Issue Type: Improvement
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Any time I run a KnoxCLI command, it always starts with the following warning
> messages displayed on my terminal:
> {noformat}
> SLF4J: Class path contains multiple SLF4J bindings.
> SLF4J: Found binding in
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/log4j-slf4j-impl-2.17.1.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: Found binding in
> [jar:file:/Users/sandormolnar/test/knoxGateway/bin/../dep/logback-classic-1.2.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
> SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an
> explanation.
> SLF4J: Actual binding is of type [org.apache.logging.slf4j.Log4jLoggerFactory]
> {noformat}
> The reason behind this warning is that Zookeeper pulls in outdated
> {{logback}} dependencies which we should exclude.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821176#comment-17821176 ] ASF subversion and git services commented on KNOX-3009: --- Commit 7aa217cae1d725ca3ab27bc65ff38f7943d19ffd in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7aa217cae ] KNOX-3008 - Removing KNOX-SESSION as it was added by KNOX-3009 (#857) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[
https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821175#comment-17821175
]
ASF subversion and git services commented on KNOX-3008:
---
Commit 7aa217cae1d725ca3ab27bc65ff38f7943d19ffd in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7aa217cae ]
KNOX-3008 - Removing KNOX-SESSION as it was added by KNOX-3009 (#857)
> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
> Issue Type: New Feature
> Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
> # Share a message of the day like hints, tips, or planned outages.
> # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear
> enough.
> An additional improvement would be identifying which Knox gateway is in use,
> in case of HA deployments and if it's behind a load balancer, which can help
> with troubleshooting. This information fits perfectly into the existing
> {{General Proxy Information}} section on the Knox home page; we just need to
> add this new information as a new row in the table.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[
https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821163#comment-17821163
]
ASF subversion and git services commented on KNOX-3008:
---
Commit c41230bdeb64601235615447a3961570d6b1de08 in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/ip-1.1.9 from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c41230bde ]
KNOX-3008 - Displaying hostname and custom banner text on the Knox Home page
and other UIs (#842)
> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
> Issue Type: New Feature
> Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h 20m
> Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
> # Share a message of the day like hints, tips, or planned outages.
> # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear
> enough.
> An additional improvement would be identifying which Knox gateway is in use,
> in case of HA deployments and if it's behind a load balancer, which can help
> with troubleshooting. This information fits perfectly into the existing
> {{General Proxy Information}} section on the Knox home page; we just need to
> add this new information as a new row in the table.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3008) Add a new banner on the top of Knox UIs
[
https://issues.apache.org/jira/browse/KNOX-3008?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821161#comment-17821161
]
ASF subversion and git services commented on KNOX-3008:
---
Commit c41230bdeb64601235615447a3961570d6b1de08 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c41230bde ]
KNOX-3008 - Displaying hostname and custom banner text on the Knox Home page
and other UIs (#842)
> Add a new banner on the top of Knox UIs
> ---
>
> Key: KNOX-3008
> URL: https://issues.apache.org/jira/browse/KNOX-3008
> Project: Apache Knox
> Issue Type: New Feature
> Components: AdminUI, Homepage, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> I got to know that Hue has a simple, but really cool feature: it can show a
> [custom HTML banner|https://gethue.com/add-a-top-banner-to-hue/] on the top
> of the Hue UI. Implementing a similar feature in Knox can help end-users to:
> # Share a message of the day like hints, tips, or planned outages.
> # Identify the cluster (e.g. Prod/Test/Dev) in case the URL is not clear
> enough.
> An additional improvement would be identifying which Knox gateway is in use,
> in case of HA deployments and if it's behind a load balancer, which can help
> with troubleshooting. This information fits perfectly into the existing
> {{General Proxy Information}} section on the Knox home page; we just need to
> add this new information as a new row in the table.
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821107#comment-17821107 ] ASF subversion and git services commented on KNOX-3009: --- Commit d60c67fa88ffa3c7fae1a35764dabe167a71c184 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Larry McCay [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d60c67fa8 ] KNOX-3009 - KNOX-SESSION missing from Manager Topology and Admin UI (#843) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2675) Oozie Console URL on the web UI should be a Knox URL
[
https://issues.apache.org/jira/browse/KNOX-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821092#comment-17821092
]
ASF subversion and git services commented on KNOX-2675:
---
Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]
KNOX-2991 - Sanitise Oozie rewrite rules (#824)
* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules
-
Co-authored-by: Denes Bodo
> Oozie Console URL on the web UI should be a Knox URL
>
>
> Key: KNOX-2675
> URL: https://issues.apache.org/jira/browse/KNOX-2675
> Project: Apache Knox
> Issue Type: Improvement
>Affects Versions: 1.4.0
>Reporter: Dénes Bodó
>Assignee: Dénes Bodó
>Priority: Major
> Fix For: 1.6.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When I open the Oozie web UI through Knox gateway and navigate to a
> workflow's action details then I see the Console URL field contains the
> cluster's internal hostname instead of a Knox gateway url. Here is an example
> json result from Oozie through Knox:
> {noformat}
> {
> "appName":"some_oozie_application",
> ...
> "actions":[
> {...},
> {
> ...
>
> "consoleUrl":"https://some_internal_domain_name:8090/proxy/application_1632125050865_0003/;,
> ...
> },
> {...}
> ],
> "status":"SUCCEEDED",
> "group":null
> } {noformat}
> The desired form should be for the consoleUrl field something like this:
> {noformat}
> https://externally_available_knox_domain_name:8443/gateway/cdp-proxy/yarn/cluster/app/application_1632125050865_0003/
> {noformat}
> The proposed solution contains Yarn UI v1 URL because the Yarn UI v2 contains
> a hash mark which cannot be used. See KNOX-2676
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3003) Group UI services of the same type
[ https://issues.apache.org/jira/browse/KNOX-3003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821104#comment-17821104 ] ASF subversion and git services commented on KNOX-3003: --- Commit 20fa65948804a4ddedd246c61d896005c47b0104 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=20fa65948 ] KNOX-3003 - Services with more than one serviceUrl metadata are grouped on the Knox Home page (#838) > Group UI services of the same type > -- > > Key: KNOX-3003 > URL: https://issues.apache.org/jira/browse/KNOX-3003 > Project: Apache Knox > Issue Type: Improvement > Components: Homepage >Affects Versions: 2.0.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently, if a UI service has multiple instances with different URLs in a > given topology, that UI service will be listed on the Knox Home page as many > times as the number of URLs it has. This makes the user experience a lot > worse if we are talking about hundreds of occurrences of this case. > We learned from some real-life use cases that IMPALA is one of these > services, and there are 1000+ node clusters out there with more than 100 > Impala Daemon roles. In that particular case, the Knox Home page was a mess. > To address this issue, the following UI improvement should be implemented: > * if a UI service has more than one URL in the given topology, individual > tiles should not be displayed. Instead, one "group" tile must be added with a > clear indication this is a group of URLs of the same service. > * clicking the group tile should open a modal window with separate tiles for > each service URL > * in this modal window, a search field will be added to give our end-users > the chance to narrow down results (by hostname for instance) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2991) Sanitise Oozie rewrite rules
[
https://issues.apache.org/jira/browse/KNOX-2991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821091#comment-17821091
]
ASF subversion and git services commented on KNOX-2991:
---
Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]
KNOX-2991 - Sanitise Oozie rewrite rules (#824)
* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules
-
Co-authored-by: Denes Bodo
> Sanitise Oozie rewrite rules
>
>
> Key: KNOX-2991
> URL: https://issues.apache.org/jira/browse/KNOX-2991
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Affects Versions: 1.6.0
>Reporter: Dénes Bodó
>Assignee: Dénes Bodó
>Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Testing Oozie through Knox proxy I found that there are some strange rewrite
> rule which seems outdated:
> {noformat}
>
>
>
>
>
>
> {noformat}
> This ticket is intended to track the work removing them.
> *inputDir* and *outputDir* are frequently used in Oozie's job.properties as a
> single directory name instead of a full HDFS path so in these cases the Oozie
> workflow fails running due to incorrect variable resolution:
> Configuration in job.properties:
> {noformat}
> nameNode=WILL_BE_UPDATED_BY_KNOX
> outputDir=my_custom_output_dir {noformat}
> workflow.xml:
> {code:xml}
>
> path="${nameNode}/user/${wf:user()}/examples/output-data/${outputDir}"/>
> {code}
> Error in Oozie launcher:
> {noformat}
> Launcher AM execution failed
> java.lang.IllegalArgumentException: java.net.URISyntaxException: Expected
> scheme-specific part at index 5: hdfs:
> at org.apache.hadoop.fs.Path.initialize(Path.java:259)
> at org.apache.hadoop.fs.Path.(Path.java:217)
> at org.apache.hadoop.fs.Path.(Path.java:125)
> at org.apache.hadoop.fs.Globber.doGlob(Globber.java:285)
> at org.apache.hadoop.fs.Globber.glob(Globber.java:202)
> at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:2107)
> at
> org.apache.oozie.action.hadoop.FSLauncherURIHandler.delete(FSLauncherURIHandler.java:59)
> at
> org.apache.oozie.action.hadoop.PrepareActionsHandler.execute(PrepareActionsHandler.java:83)
> at
> org.apache.oozie.action.hadoop.PrepareActionsHandler.prepareAction(PrepareActionsHandler.java:74)
> at
> org.apache.oozie.action.hadoop.LauncherAM.executePrepare(LauncherAM.java:378)
> at
> org.apache.oozie.action.hadoop.LauncherAM.access$100(LauncherAM.java:55)
> at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:229)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
> at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:226)
> at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:156)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
> at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:144)
> Caused by: java.net.URISyntaxException: Expected scheme-specific part at
> index 5: hdfs:
> at java.net.URI$Parser.fail(URI.java:2847)
> at java.net.URI$Parser.failExpecting(URI.java:2853)
> at java.net.URI$Parser.parse(URI.java:3056)
> at java.net.URI.(URI.java:746)
> at org.apache.hadoop.fs.Path.initialize(Path.java:256)
> ... 20 more {noformat}
>
> Found the real HDFS path after debugging the Oozie action:
> {noformat}
> hdfs://a.b.c.d:8020/user/test/examples/output-data/hdfs://a.b.c.d:8020/my_custom_output_dir{noformat}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3002) KnoxCLI command for generating descriptor for a role type from a list of hosts
[ https://issues.apache.org/jira/browse/KNOX-3002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821108#comment-17821108 ] ASF subversion and git services commented on KNOX-3002: --- Commit bb5d265d861489925f158faff761090d672205db in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb5d265d8 ] KNOX-3002 - KnoxCLI command for generating descriptor for a role type from a list of hosts (#835) > KnoxCLI command for generating descriptor for a role type from a list of hosts > -- > > Key: KNOX-3002 > URL: https://issues.apache.org/jira/browse/KNOX-3002 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3006) PAM module occasionally generates garbage group names
[ https://issues.apache.org/jira/browse/KNOX-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821106#comment-17821106 ] ASF subversion and git services commented on KNOX-3006: --- Commit 58ae97fbf131777eef61b3d6ebfcca5d32a7a39b in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=58ae97fbf ] KNOX-3006 - PAM module occasionally generates garbage group names (#840) > PAM module occasionally generates garbage group names > - > > Key: KNOX-3006 > URL: https://issues.apache.org/jira/browse/KNOX-3006 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3001) Avoid double XML escaping in SimpleDescriptorHandler
[
https://issues.apache.org/jira/browse/KNOX-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821099#comment-17821099
]
ASF subversion and git services commented on KNOX-3001:
---
Commit 46cdc159342b6b637b96f8396c36c515f5b4943e in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=46cdc1593 ]
KNOX-3001 - Avoid double XML-escaping during topology persistence from
descriptors (#834)
> Avoid double XML escaping in SimpleDescriptorHandler
>
>
> Key: KNOX-3001
> URL: https://issues.apache.org/jira/browse/KNOX-3001
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1.5h
> Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement in Knox's logic when dealing with
> JSON files and turned them into XML topologies: before the generated topology
> persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatible issues in deployments, where
> the data in the given shared provider config or descriptor is already given
> in XML-friendy way.
> For instance, using the following shared provider config will result in a bad
> XML topology:
> {noformat}
> {
> "providers" : [ {
> "role" : "webappsec",
> "name" : "WebAppSec",
> "enabled" : true,
> "params" : {
> "xframe.options.enabled" : "true"
> }
> }, {
> "role" : "authentication",
> "name" : "ShiroProvider",
> "enabled" : true,
> "params" : {
> "main.ldapContextFactory" :
> "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
> "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
> "main.ldapRealm.authenticationCachingEnabled" : "false",
> "main.ldapRealm.contextFactory" : "$ldapContextFactory",
> "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
> "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389;,
> "main.ldapRealm.userDnTemplate" :
> "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
> "main.ldapRealm.userSearchFilter" :
> "(((objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
> "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
> "restrictedCookies" : "rememberme,WWW-Authenticate",
> "sessionTimeout" : "30",
> "urls./**" : "authcBasic"
> }
> }, {
> "role" : "identity-assertion",
> "name" : "Default",
> "enabled" : true,
> "params" : { }
> } ],
> "readOnly" : true
> } {noformat}
> The generated XML:
> {noformat}
>
>
>
>
>
> true
>
>
> webappsec
> WebAppSec
> true
>
> xframe.options.enabled
> true
>
>
>
> authentication
> ShiroProvider
> true
>
> main.ldapContextFactory
>
> org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory
>
>
> main.ldapRealm
>
> org.apache.knox.gateway.shirorealm.KnoxLdapRealm
>
>
> main.ldapRealm.authenticationCachingEnabled
> false
>
>
> main.ldapRealm.contextFactory
> $ldapContextFactory
>
>
>
> main.ldapRealm.contextFactory.authenticationMechanism
> simple
>
>
> main.ldapRealm.contextFactory.url
> ldap://localhost:33389
>
>
> main.ldapRealm.userDnTemplate
> uid=0ou=people,dc=hadoop,dc=apache,dc=org
>
>
> main.ldapRealm.userSearchFilter
>
> (amp;(amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))
>
>
> redirectToUrl
> /${GATEWAY_PATH}/knoxsso/knoxauth/login.html
>
>
> restrictedCookies
> rememberme,WWW-Authenticate
>
>
> sessionTimeout
>
[jira] [Commented] (KNOX-3007) Make http client cookie spec parameter configurable
[
https://issues.apache.org/jira/browse/KNOX-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821109#comment-17821109
]
ASF subversion and git services commented on KNOX-3007:
---
Commit fcee4ecffd850cbb3f03ded84b0cdd0dc22578af in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fcee4ecff ]
KNOX-3007 - Make http client cookie spec parameter configurable (#841)
> Make http client cookie spec parameter configurable
> ---
>
> Key: KNOX-3007
> URL: https://issues.apache.org/jira/browse/KNOX-3007
> Project: Apache Knox
> Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The apache http client rejects cookies if the expiration date doesn't have
> the expected format (EEE, dd-MMM-yy HH:mm:ss z).
> {code}
> 2023-11-20 17:58:51,189 XXX WARN protocol.ResponseProcessCookies
> (ResponseProcessCookies.java:processCookies(130)) - Invalid cookie header:
> "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly;
> Max-Age=300; Path=/; SameSite=Lax; Secure". Invalid 'expires' attribute: Mon,
> 20 Nov 2023 23:03:51 GMT
> {code}
> This can be reconfigured by setting different cookiespec types:
> https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3005) Implement Knox idle session time
[ https://issues.apache.org/jira/browse/KNOX-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821105#comment-17821105 ] ASF subversion and git services commented on KNOX-3005: --- Commit d3f5a567ac25cf9f5045866cf14db03151e9f978 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d3f5a567a ] KNOX-3005 - Implemented KnoxSSO idle timeout (#839) > Implement Knox idle session time > > > Key: KNOX-3005 > URL: https://issues.apache.org/jira/browse/KNOX-3005 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 2.5h > Remaining Estimate: 0h > > With the recent work of KNOX-2961, the new SSO token invalidation > functionality, Knox could provide idle session timeout behavior for UIs. > It will likely not include the usual UI pop-up approach (like when the > end-user is informed about being idle too long), but it would effectively > terminate idle SSO sessions and force an explicit login. > It's also worth mentioning the idleness measurement solely depends on backend > activities through the KnoxSSO Cookie federation filter. and will not take > any client-side action (such as scrolling on the page, client-side > pagination, etc..) into account. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2990) TokenStateService implementation cleanup
[
https://issues.apache.org/jira/browse/KNOX-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821103#comment-17821103
]
ASF subversion and git services commented on KNOX-2990:
---
Commit afdb4cc3f20d4c295b58eb3709343ed4fe47d6b6 in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=afdb4cc3f ]
KNOX-2990 - Using DerbyDatabaseTSS instead of AliasBasedTSS by default (#826)
In addition to the new implementation I deprecated the AliasBased, Zookeeper
and JournalBased TSS implementations in 2.1.0.
> TokenStateService implementation cleanup
>
>
> Key: KNOX-2990
> URL: https://issues.apache.org/jira/browse/KNOX-2990
> Project: Apache Knox
> Issue Type: Task
> Components: Server
>Affects Versions: 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing
> list [here|https://lists.apache.org/thread/fs9nkl6l45o330ttvgvqxj3jnxt63bcs].
> As a result of that discussion, the following needs to be implemented:
> * deprecate the following TSS implementations:
> ** AliasBasedTokenStateService
> ** ZookeeperTokenStateService
> ** JournalBasedTokenStateService
> * document the deprecation of these TSS implementations in v2.1.0 and
> highlight that they will be removed in the upcoming release (v2.2.0?).
> * implement a DerbyDB storage that will store tokens in
> {{$DATA_DIR/security/tokens}} (encrypted or not, it'll be decided later)
> * make sure appropriate file permissions are set on that folder
> * have the {{homepage}} topology configured with JDBC TSS pointing to this
> DerbyDB storage
> * implement a new KnoxCLI command that migrates existing tokens from
> credential stores to the DerbyDB storage
> * automate this new KnoxCLI command in a way such that it runs when Knox
> Gateway is started, token management is enabled, and DerbyDB storage is
> configured
> * ensure that the previous automated step can be controlled (E.g. in case of
> unforeseen errors it can be turned off)
> * document possible data replication scenarios when, in the case of HA
> deployments, existing tokens from one Knox node should be made available in
> other Knox node(s) and there is no other centralized RDBMS in use
> (PostgreSQL, MySQL for instance)
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2999) [Docker] Add public CA to Knox trust store
[ https://issues.apache.org/jira/browse/KNOX-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821101#comment-17821101 ] ASF subversion and git services commented on KNOX-2999: --- Commit 6047ea761112cf29f933d9dbc3e8c20ddb9d074e in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6047ea761 ] KNOX-2999 - [Docker] Add public CA to Knox trust store (#836) > [Docker] Add public CA to Knox trust store > -- > > Key: KNOX-2999 > URL: https://issues.apache.org/jira/browse/KNOX-2999 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.1.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > It appears that the truststore that Knox is using does not have root certs > for public CAs. This is needed for Knox to support JWKS endpoints (prod and > dev) which are signed by public CAs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2994) Postpone CM configuration change monitoring until the Knox GW is up
[
https://issues.apache.org/jira/browse/KNOX-2994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821097#comment-17821097
]
ASF subversion and git services commented on KNOX-2994:
---
Commit bb6719f3cad33cc89c990a2ab5bc61756c497d4f in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb6719f3c ]
KNOX-2994 - PollingConfigurationAnalyzer starts after the Knox GW is up and
running (#831)
> Postpone CM configuration change monitoring until the Knox GW is up
> ---
>
> Key: KNOX-2994
> URL: https://issues.apache.org/jira/browse/KNOX-2994
> Project: Apache Knox
> Issue Type: Improvement
> Components: cm-discovery, Server
>Affects Versions: 1.5.0, 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> As of now, Knox starts CM configuration change monitoring right away it
> starts the {{{}DefaultClusterConfigurationMonitorService{}}}. This action
> will trigger the {{PollingConfigurationAnalyzer}} even when descriptors with
> possible service discovery settings are not even initialized.
> My suggestion is to take advantage of the recently introduced
> {{GatewayStatusService}} and set the {{isActive}} flag to true based on the
> result of
> {{{}org.apache.knox.gateway.services.topology.impl.GatewayStatusService.status(){}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3000) Add configurable socket / read timeout parameter to discovery client
[ https://issues.apache.org/jira/browse/KNOX-3000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821100#comment-17821100 ] ASF subversion and git services commented on KNOX-3000: --- Commit 5e4741d20e23378aeb31896aedab073ae9408f3a in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5e4741d20 ] KNOX-3000 - Add configurable socket / read timeout parameter to discovery client (#833) > Add configurable socket / read timeout parameter to discovery client > > > Key: KNOX-3000 > URL: https://issues.apache.org/jira/browse/KNOX-3000 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 50m > Remaining Estimate: 0h > > We have an exposed retry parameter for the CM discovery client, but there is > no way to set socket timeout or read timeout parameters. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2982) Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
[ https://issues.apache.org/jira/browse/KNOX-2982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821098#comment-17821098 ] ASF subversion and git services commented on KNOX-2982: --- Commit 16daa62c46b4a213ff0dfbfa33ae678306c0e46d in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=16daa62c4 ] KNOX-2982 - Having one disabled one enabled identity-assertion provider in knoxsso doesn't work (#832) > Having one disabled one enabled identity-assertion provider in knoxsso > doesn't work > --- > > Key: KNOX-2982 > URL: https://issues.apache.org/jira/browse/KNOX-2982 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > If one has two identity-assertion providers, e.g.: HadoopGroupProvider and > Regexp, where the HadoopGroupProvider is disabled, then the Regex provider > doesn't work. > The workaround is to delete the HadoopGroupProvider altogether (instead of > just disabling it). > This is a bug in JerseyServiceDeploymentContributorBase>contributeService. > The addIdentityAssertionFilter is called with null provider names. > The same thing applies to addAuthenticationFilter, addAuthorizationFilter > too. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3004) Impala connection string should be a valid JDBC connection URL
[
https://issues.apache.org/jira/browse/KNOX-3004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821102#comment-17821102
]
ASF subversion and git services commented on KNOX-3004:
---
Commit b855e0f4bbe58724ffb0358edd246d5b52ed94fe in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b855e0f4b ]
KNOX-3004 - Building a valid JDBC URL for Impala (#837)
> Impala connection string should be a valid JDBC connection URL
> --
>
> Key: KNOX-3004
> URL: https://issues.apache.org/jira/browse/KNOX-3004
> Project: Apache Knox
> Issue Type: Task
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, on the Knox Home page, the Impala URL is a simple {{http(s)}} URL
> that cannot be used as a JDBC connection string (like the one we provide for
> Hive).
> A sample valid URL looks like this:
> {code:java}
> jdbc:impala://sup-758082-datahub2-master0.repro-az.a465-9q4k.cloudera.site:443/;ssl=1;transportMode=http;httpPath=sup-758082-datahub2/cdp-proxy-api/impala;AuthMech=3;
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2993) Show error stack trace when simple descriptor handler fails to parse a descriptor
[
https://issues.apache.org/jira/browse/KNOX-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821096#comment-17821096
]
ASF subversion and git services commented on KNOX-2993:
---
Commit 050e2ceaad399d71f00f6a8bd3c92d02f5f1dffa in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=050e2ceaa ]
KNOX-2993 - Logging error stack trace at INFO level when failed to parse a
descriptor (#827)
> Show error stack trace when simple descriptor handler fails to parse a
> descriptor
> -
>
> Key: KNOX-2993
> URL: https://issues.apache.org/jira/browse/KNOX-2993
> Project: Apache Knox
> Issue Type: Task
> Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the error stack trace is shown in gateway.log only, if the
> {{org.apache.knox.gateway}} log level is set to {{DEBUG}}:
> {noformat}
> @Message( level = MessageLevel.ERROR, text = "An error occurred while
> processing {0} : {1}" )
> void simpleDescriptorHandlingError(String simpleDesc,
> @StackTrace(level = MessageLevel.DEBUG)
> Exception e);
> {noformat}
> This makes our lives hard when dealing with errors related to events coming
> from CM configuration monitoring.
> I recommend showing this information even on {{INFO}} level.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2956) Refactor CM-specific advanced service discovery
[
https://issues.apache.org/jira/browse/KNOX-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821095#comment-17821095
]
ASF subversion and git services commented on KNOX-2956:
---
Commit 14954a0f1614ab6c4d4120bf701b8f6f5f414a40 in knox's branch
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1
from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=14954a0f1 ]
KNOX-2956 - Removing CM-specific 'advanced service discovery' handler and have
everything process by the HXR parser (#821)
Change-Id: Ib1837610e4b82af7bef98fc6f27af5169e88
> Refactor CM-specific advanced service discovery
> ---
>
> Key: KNOX-2956
> URL: https://issues.apache.org/jira/browse/KNOX-2956
> Project: Apache Knox
> Issue Type: Bug
>Affects Versions: 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Knox's Hadoop XML resource parser is tightly coupled with another feature
> called Advanced Service Discovery configuration in Cloudera Manager.
> There are several issues with that extension:
> - makes the code much harder to read, understand, and maintain
> - occupies a separate thread to monitor other files (we already have many
> file watchers, it's always good if we can do some cleanup)
> - One should really oversee the correlation between them and make the right
> decision when touching one or the other (for instance, when changing the
> ordering of these services)
> - Since this is CM specific, lots of properties were added in the relevant
> Knox [CSD
> files|https://github.com/cloudera/cm_ext/wiki/Service-Descriptor-Language-Reference]
> to give the flexibility for our users to enable/disable services during CM
> service discovery. The management of those configurations is way too complex
> and has a really negative effect on user experience on Knox's configuration
> page within Cloudera Manager
> Therefore, I came up with an idea that will still allow us to keep the
> original idea of excluding/including certain services to be
> discovered/included in the generated topology files. I plan to implement the
> following:
> - Remove the entire {{AdvancedServiceDiscoveryConfig*}} code
> - Former {{gateway.auto.discovery.address}} and
> {{gateway.auto.discovery.cluster}} parameters are already taken care of in
> HXR parser where descriptors are handled (they need to be set in upstream
> configuration locations such as the Knox CSD)
> - By default, all services are disabled even if a service available service
> found in the given discovery address/cluster will be added to the descriptor.
> This is because of the nature of the existing logic in
> {{{}SimpleDescriptorHandler{}}}. I'll add a new parameter suffix for service
> called "{{{}services{}}}" which end-users can set to "{{{}a comma-separated
> list of services"{}}} to include services in the generated topology (this new
> HXR parameter is similar to the existing 'discoveryAddress' or
> 'providerConfigRef' configs)
> - since this is CM-specific, Cloudera Manager users need to make sure to
> adopt their CSD files accordingly
> As a result, the {{.hxr}} file(s) will be self-contained and can achieve the
> same functionality as we have now with the complementary
> {{auto-discovery-advanced-configuration-*}} files.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2992) Token impersonation config cleanup
[ https://issues.apache.org/jira/browse/KNOX-2992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821093#comment-17821093 ] ASF subversion and git services commented on KNOX-2992: --- Commit 3031669533d233f81c111e75e8773e4794581a5d in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=303166953 ] KNOX-2992 - Cleaned up impersonation configs (#825) > Token impersonation config cleanup > -- > > Key: KNOX-2992 > URL: https://issues.apache.org/jira/browse/KNOX-2992 > Project: Apache Knox > Issue Type: Task > Components: Server, TokenGenerationUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > We need to make some changes in the token impersonation config to be better > suited in Knox's existing configuration defaults. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2989) Enable support for multi-arch docer builds for Knox
[ https://issues.apache.org/jira/browse/KNOX-2989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17821094#comment-17821094 ] ASF subversion and git services commented on KNOX-2989: --- Commit 6f89529f0ecec8b6021eecfb814d7d436b4251fa in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/http-cache-semantics-4.1.1 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6f89529f0 ] KNOX-2989 - Multi arch support for Knox images (#822) > Enable support for multi-arch docer builds for Knox > --- > > Key: KNOX-2989 > URL: https://issues.apache.org/jira/browse/KNOX-2989 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3007) Make http client cookie spec parameter configurable
[
https://issues.apache.org/jira/browse/KNOX-3007?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820645#comment-17820645
]
ASF subversion and git services commented on KNOX-3007:
---
Commit fcee4ecffd850cbb3f03ded84b0cdd0dc22578af in knox's branch
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fcee4ecff ]
KNOX-3007 - Make http client cookie spec parameter configurable (#841)
> Make http client cookie spec parameter configurable
> ---
>
> Key: KNOX-3007
> URL: https://issues.apache.org/jira/browse/KNOX-3007
> Project: Apache Knox
> Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> The apache http client rejects cookies if the expiration date doesn't have
> the expected format (EEE, dd-MMM-yy HH:mm:ss z).
> {code}
> 2023-11-20 17:58:51,189 XXX WARN protocol.ResponseProcessCookies
> (ResponseProcessCookies.java:processCookies(130)) - Invalid cookie header:
> "Set-Cookie: sessionid=XXX; expires=Mon, 20 Nov 2023 23:03:51 GMT; HttpOnly;
> Max-Age=300; Path=/; SameSite=Lax; Secure". Invalid 'expires' attribute: Mon,
> 20 Nov 2023 23:03:51 GMT
> {code}
> This can be reconfigured by setting different cookiespec types:
> https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/org/apache/http/client/config/CookieSpecs.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3002) KnoxCLI command for generating descriptor for a role type from a list of hosts
[ https://issues.apache.org/jira/browse/KNOX-3002?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820644#comment-17820644 ] ASF subversion and git services commented on KNOX-3002: --- Commit bb5d265d861489925f158faff761090d672205db in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb5d265d8 ] KNOX-3002 - KnoxCLI command for generating descriptor for a role type from a list of hosts (#835) > KnoxCLI command for generating descriptor for a role type from a list of hosts > -- > > Key: KNOX-3002 > URL: https://issues.apache.org/jira/browse/KNOX-3002 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI
[ https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17820429#comment-17820429 ] ASF subversion and git services commented on KNOX-3009: --- Commit d60c67fa88ffa3c7fae1a35764dabe167a71c184 in knox's branch refs/heads/master from Larry McCay [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d60c67fa8 ] KNOX-3009 - KNOX-SESSION missing from Manager Topology and Admin UI (#843) > KNOX-SESSION missing from Manager Topology and Admin UI > --- > > Key: KNOX-3009 > URL: https://issues.apache.org/jira/browse/KNOX-3009 > Project: Apache Knox > Issue Type: Bug > Components: Release >Reporter: Larry McCay >Assignee: Larry McCay >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Due to KNOX-SESSION service missing from the default manager.xml topology, an > alert in the Admin UI is displayed while trying to retrieve the authenticated > user name and "dr. who" is displayed as the user. > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3006) PAM module occasionally generates garbage group names
[ https://issues.apache.org/jira/browse/KNOX-3006?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17817043#comment-17817043 ] ASF subversion and git services commented on KNOX-3006: --- Commit 58ae97fbf131777eef61b3d6ebfcca5d32a7a39b in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=58ae97fbf ] KNOX-3006 - PAM module occasionally generates garbage group names (#840) > PAM module occasionally generates garbage group names > - > > Key: KNOX-3006 > URL: https://issues.apache.org/jira/browse/KNOX-3006 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2812) Document the new Rate Limiting filter in Knox's webappsec provider
[ https://issues.apache.org/jira/browse/KNOX-2812?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17815841#comment-17815841 ] ASF subversion and git services commented on KNOX-2812: --- Commit 1915671 from Sandeep More [ https://svn.apache.org/r1915671 ] KNOX-2812 - Document rate limiting options. > Document the new Rate Limiting filter in Knox's webappsec provider > -- > > Key: KNOX-2812 > URL: https://issues.apache.org/jira/browse/KNOX-2812 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Marton Balázs >Priority: Critical > Fix For: 2.0.0 > > Attachments: KNOX-2832.patch > > > Hi [~MrtnBalazs], > please provide us with a document that explains the new security provider you > added recently (KNOX-2832). > Thanks! -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3005) Implement Knox idle session time
[ https://issues.apache.org/jira/browse/KNOX-3005?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17814647#comment-17814647 ] ASF subversion and git services commented on KNOX-3005: --- Commit d3f5a567ac25cf9f5045866cf14db03151e9f978 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d3f5a567a ] KNOX-3005 - Implemented KnoxSSO idle timeout (#839) > Implement Knox idle session time > > > Key: KNOX-3005 > URL: https://issues.apache.org/jira/browse/KNOX-3005 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Fix For: 2.1.0 > > Time Spent: 2.5h > Remaining Estimate: 0h > > With the recent work of KNOX-2961, the new SSO token invalidation > functionality, Knox could provide idle session timeout behavior for UIs. > It will likely not include the usual UI pop-up approach (like when the > end-user is informed about being idle too long), but it would effectively > terminate idle SSO sessions and force an explicit login. > It's also worth mentioning the idleness measurement solely depends on backend > activities through the KnoxSSO Cookie federation filter. and will not take > any client-side action (such as scrolling on the page, client-side > pagination, etc..) into account. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3003) Group UI services of the same type
[ https://issues.apache.org/jira/browse/KNOX-3003?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17813623#comment-17813623 ] ASF subversion and git services commented on KNOX-3003: --- Commit 20fa65948804a4ddedd246c61d896005c47b0104 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=20fa65948 ] KNOX-3003 - Services with more than one serviceUrl metadata are grouped on the Knox Home page (#838) > Group UI services of the same type > -- > > Key: KNOX-3003 > URL: https://issues.apache.org/jira/browse/KNOX-3003 > Project: Apache Knox > Issue Type: Improvement > Components: Homepage >Affects Versions: 2.0.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Critical > Time Spent: 20m > Remaining Estimate: 0h > > Currently, if a UI service has multiple instances with different URLs in a > given topology, that UI service will be listed on the Knox Home page as many > times as the number of URLs it has. This makes the user experience a lot > worse if we are talking about hundreds of occurrences of this case. > We learned from some real-life use cases that IMPALA is one of these > services, and there are 1000+ node clusters out there with more than 100 > Impala Daemon roles. In that particular case, the Knox Home page was a mess. > To address this issue, the following UI improvement should be implemented: > * if a UI service has more than one URL in the given topology, individual > tiles should not be displayed. Instead, one "group" tile must be added with a > clear indication this is a group of URLs of the same service. > * clicking the group tile should open a modal window with separate tiles for > each service URL > * in this modal window, a search field will be added to give our end-users > the chance to narrow down results (by hostname for instance) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2990) TokenStateService implementation cleanup
[
https://issues.apache.org/jira/browse/KNOX-2990?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17813525#comment-17813525
]
ASF subversion and git services commented on KNOX-2990:
---
Commit afdb4cc3f20d4c295b58eb3709343ed4fe47d6b6 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=afdb4cc3f ]
KNOX-2990 - Using DerbyDatabaseTSS instead of AliasBasedTSS by default (#826)
In addition to the new implementation I deprecated the AliasBased, Zookeeper
and JournalBased TSS implementations in 2.1.0.
> TokenStateService implementation cleanup
>
>
> Key: KNOX-2990
> URL: https://issues.apache.org/jira/browse/KNOX-2990
> Project: Apache Knox
> Issue Type: Task
> Components: Server
>Affects Versions: 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing
> list [here|https://lists.apache.org/thread/fs9nkl6l45o330ttvgvqxj3jnxt63bcs].
> As a result of that discussion, the following needs to be implemented:
> * deprecate the following TSS implementations:
> ** AliasBasedTokenStateService
> ** ZookeeperTokenStateService
> ** JournalBasedTokenStateService
> * document the deprecation of these TSS implementations in v2.1.0 and
> highlight that they will be removed in the upcoming release (v2.2.0?).
> * implement a DerbyDB storage that will store tokens in
> {{$DATA_DIR/security/tokens}} (encrypted or not, it'll be decided later)
> * make sure appropriate file permissions are set on that folder
> * have the {{homepage}} topology configured with JDBC TSS pointing to this
> DerbyDB storage
> * implement a new KnoxCLI command that migrates existing tokens from
> credential stores to the DerbyDB storage
> * automate this new KnoxCLI command in a way such that it runs when Knox
> Gateway is started, token management is enabled, and DerbyDB storage is
> configured
> * ensure that the previous automated step can be controlled (E.g. in case of
> unforeseen errors it can be turned off)
> * document possible data replication scenarios when, in the case of HA
> deployments, existing tokens from one Knox node should be made available in
> other Knox node(s) and there is no other centralized RDBMS in use
> (PostgreSQL, MySQL for instance)
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-3004) Impala connection string should be a valid JDBC connection URL
[
https://issues.apache.org/jira/browse/KNOX-3004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17811808#comment-17811808
]
ASF subversion and git services commented on KNOX-3004:
---
Commit b855e0f4bbe58724ffb0358edd246d5b52ed94fe in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b855e0f4b ]
KNOX-3004 - Building a valid JDBC URL for Impala (#837)
> Impala connection string should be a valid JDBC connection URL
> --
>
> Key: KNOX-3004
> URL: https://issues.apache.org/jira/browse/KNOX-3004
> Project: Apache Knox
> Issue Type: Task
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, on the Knox Home page, the Impala URL is a simple {{http(s)}} URL
> that cannot be used as a JDBC connection string (like the one we provide for
> Hive).
> A sample valid URL looks like this:
> {code:java}
> jdbc:impala://sup-758082-datahub2-master0.repro-az.a465-9q4k.cloudera.site:443/;ssl=1;transportMode=http;httpPath=sup-758082-datahub2/cdp-proxy-api/impala;AuthMech=3;
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2999) [Docker] Add public CA to Knox trust store
[ https://issues.apache.org/jira/browse/KNOX-2999?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17811414#comment-17811414 ] ASF subversion and git services commented on KNOX-2999: --- Commit 6047ea761112cf29f933d9dbc3e8c20ddb9d074e in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6047ea761 ] KNOX-2999 - [Docker] Add public CA to Knox trust store (#836) > [Docker] Add public CA to Knox trust store > -- > > Key: KNOX-2999 > URL: https://issues.apache.org/jira/browse/KNOX-2999 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > It appears that the truststore that Knox is using does not have root certs > for public CAs. This is needed for Knox to support JWKS endpoints (prod and > dev) which are signed by public CAs. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3000) Add configurable socket / read timeout parameter to discovery client
[ https://issues.apache.org/jira/browse/KNOX-3000?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808299#comment-17808299 ] ASF subversion and git services commented on KNOX-3000: --- Commit 5e4741d20e23378aeb31896aedab073ae9408f3a in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5e4741d20 ] KNOX-3000 - Add configurable socket / read timeout parameter to discovery client (#833) > Add configurable socket / read timeout parameter to discovery client > > > Key: KNOX-3000 > URL: https://issues.apache.org/jira/browse/KNOX-3000 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 50m > Remaining Estimate: 0h > > We have an exposed retry parameter for the CM discovery client, but there is > no way to set socket or read timeout parameters. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-3001) Avoid double XML escaping in SimpleDescriptorHandler
[
https://issues.apache.org/jira/browse/KNOX-3001?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17808137#comment-17808137
]
ASF subversion and git services commented on KNOX-3001:
---
Commit 46cdc159342b6b637b96f8396c36c515f5b4943e in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=46cdc1593 ]
KNOX-3001 - Avoid double XML-escaping during topology persistence from
descriptors (#834)
> Avoid double XML escaping in SimpleDescriptorHandler
>
>
> Key: KNOX-3001
> URL: https://issues.apache.org/jira/browse/KNOX-3001
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
>Affects Versions: 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> KNOX-2804 added a beneficial improvement in Knox's logic when dealing with
> JSON files and turned them into XML topologies: before the generated topology
> persisted, the possible values are XML-escaped to avoid errors in SAXParser.
> However, this might cause backward-compatible issues in deployments, where
> the data in the given shared provider config or descriptor is already given
> in XML-friendy way.
> For instance, using the following shared provider config will result in a bad
> XML topology:
> {noformat}
> {
> "providers" : [ {
> "role" : "webappsec",
> "name" : "WebAppSec",
> "enabled" : true,
> "params" : {
> "xframe.options.enabled" : "true"
> }
> }, {
> "role" : "authentication",
> "name" : "ShiroProvider",
> "enabled" : true,
> "params" : {
> "main.ldapContextFactory" :
> "org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory",
> "main.ldapRealm" : "org.apache.knox.gateway.shirorealm.KnoxLdapRealm",
> "main.ldapRealm.authenticationCachingEnabled" : "false",
> "main.ldapRealm.contextFactory" : "$ldapContextFactory",
> "main.ldapRealm.contextFactory.authenticationMechanism" : "simple",
> "main.ldapRealm.contextFactory.url" : "ldap://localhost:33389;,
> "main.ldapRealm.userDnTemplate" :
> "uid=0ou=people,dc=hadoop,dc=apache,dc=org",
> "main.ldapRealm.userSearchFilter" :
> "(((objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))",
> "redirectToUrl" : "/${GATEWAY_PATH}/knoxsso/knoxauth/login.html",
> "restrictedCookies" : "rememberme,WWW-Authenticate",
> "sessionTimeout" : "30",
> "urls./**" : "authcBasic"
> }
> }, {
> "role" : "identity-assertion",
> "name" : "Default",
> "enabled" : true,
> "params" : { }
> } ],
> "readOnly" : true
> } {noformat}
> The generated XML:
> {noformat}
>
>
>
>
>
> true
>
>
> webappsec
> WebAppSec
> true
>
> xframe.options.enabled
> true
>
>
>
> authentication
> ShiroProvider
> true
>
> main.ldapContextFactory
>
> org.apache.knox.gateway.shirorealm.KnoxLdapContextFactory
>
>
> main.ldapRealm
>
> org.apache.knox.gateway.shirorealm.KnoxLdapRealm
>
>
> main.ldapRealm.authenticationCachingEnabled
> false
>
>
> main.ldapRealm.contextFactory
> $ldapContextFactory
>
>
>
> main.ldapRealm.contextFactory.authenticationMechanism
> simple
>
>
> main.ldapRealm.contextFactory.url
> ldap://localhost:33389
>
>
> main.ldapRealm.userDnTemplate
> uid=0ou=people,dc=hadoop,dc=apache,dc=org
>
>
> main.ldapRealm.userSearchFilter
>
> (amp;(amp;(objectclass=person)(sAMAccountName={0}))(|(memberOf=CN=SecXX-users,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)(memberOf=CN=SecXX-rls-serviceuser,OU=ManagedGroups,OU=Groups,OU=XX,OU=xx,DC=xx,DC=int)))
>
>
> redirectToUrl
> /${GATEWAY_PATH}/knoxsso/knoxauth/login.html
>
>
> restrictedCookies
> rememberme,WWW-Authenticate
>
>
> sessionTimeout
> 30
>
>
> urls./**
>
[jira] [Commented] (KNOX-2982) Having one disabled one enabled identity-assertion provider in knoxsso doesn't work
[ https://issues.apache.org/jira/browse/KNOX-2982?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17807351#comment-17807351 ] ASF subversion and git services commented on KNOX-2982: --- Commit 16daa62c46b4a213ff0dfbfa33ae678306c0e46d in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=16daa62c4 ] KNOX-2982 - Having one disabled one enabled identity-assertion provider in knoxsso doesn't work (#832) > Having one disabled one enabled identity-assertion provider in knoxsso > doesn't work > --- > > Key: KNOX-2982 > URL: https://issues.apache.org/jira/browse/KNOX-2982 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > If one has two identity-assertion providers, e.g.: HadoopGroupProvider and > Regexp, where the HadoopGroupProvider is disabled, then the Regex provider > doesn't work. > The workaround is to delete the HadoopGroupProvider altogether (instead of > just disabling it). > This is a bug in JerseyServiceDeploymentContributorBase>contributeService. > The addIdentityAssertionFilter is called with null provider names. > The same thing applies to addAuthenticationFilter, addAuthorizationFilter > too. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2994) Postpone CM configuration change monitoring until the Knox GW is up
[
https://issues.apache.org/jira/browse/KNOX-2994?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17802501#comment-17802501
]
ASF subversion and git services commented on KNOX-2994:
---
Commit bb6719f3cad33cc89c990a2ab5bc61756c497d4f in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=bb6719f3c ]
KNOX-2994 - PollingConfigurationAnalyzer starts after the Knox GW is up and
running (#831)
> Postpone CM configuration change monitoring until the Knox GW is up
> ---
>
> Key: KNOX-2994
> URL: https://issues.apache.org/jira/browse/KNOX-2994
> Project: Apache Knox
> Issue Type: Improvement
> Components: cm-discovery, Server
>Affects Versions: 1.5.0, 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> As of now, Knox starts CM configuration change monitoring right away it
> starts the {{{}DefaultClusterConfigurationMonitorService{}}}. This action
> will trigger the {{PollingConfigurationAnalyzer}} even when descriptors with
> possible service discovery settings are not even initialized.
> My suggestion is to take advantage of the recently introduced
> {{GatewayStatusService}} and set the {{isActive}} flag to true based on the
> result of
> {{{}org.apache.knox.gateway.services.topology.impl.GatewayStatusService.status(){}}}.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2993) Show error stack trace when simple descriptor handler fails to parse a descriptor
[
https://issues.apache.org/jira/browse/KNOX-2993?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17801804#comment-17801804
]
ASF subversion and git services commented on KNOX-2993:
---
Commit 050e2ceaad399d71f00f6a8bd3c92d02f5f1dffa in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=050e2ceaa ]
KNOX-2993 - Logging error stack trace at INFO level when failed to parse a
descriptor (#827)
> Show error stack trace when simple descriptor handler fails to parse a
> descriptor
> -
>
> Key: KNOX-2993
> URL: https://issues.apache.org/jira/browse/KNOX-2993
> Project: Apache Knox
> Issue Type: Task
> Components: Server
>Affects Versions: 2.0.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the error stack trace is shown in gateway.log only, if the
> {{org.apache.knox.gateway}} log level is set to {{DEBUG}}:
> {noformat}
> @Message( level = MessageLevel.ERROR, text = "An error occurred while
> processing {0} : {1}" )
> void simpleDescriptorHandlingError(String simpleDesc,
> @StackTrace(level = MessageLevel.DEBUG)
> Exception e);
> {noformat}
> This makes our lives hard when dealing with errors related to events coming
> from CM configuration monitoring.
> I recommend showing this information even on {{INFO}} level.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2956) Refactor CM-specific advanced service discovery
[
https://issues.apache.org/jira/browse/KNOX-2956?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17795760#comment-17795760
]
ASF subversion and git services commented on KNOX-2956:
---
Commit 14954a0f1614ab6c4d4120bf701b8f6f5f414a40 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=14954a0f1 ]
KNOX-2956 - Removing CM-specific 'advanced service discovery' handler and have
everything process by the HXR parser (#821)
Change-Id: Ib1837610e4b82af7bef98fc6f27af5169e88
> Refactor CM-specific advanced service discovery
> ---
>
> Key: KNOX-2956
> URL: https://issues.apache.org/jira/browse/KNOX-2956
> Project: Apache Knox
> Issue Type: Bug
>Affects Versions: 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Knox's Hadoop XML resource parser is tightly coupled with another feature
> called Advanced Service Discovery configuration in Cloudera Manager.
> There are several issues with that extension:
> - makes the code much harder to read, understand, and maintain
> - occupies a separate thread to monitor other files (we already have many
> file watchers, it's always good if we can do some cleanup)
> - One should really oversee the correlation between them and make the right
> decision when touching one or the other (for instance, when changing the
> ordering of these services)
> - Since this is CM specific, lots of properties were added in the relevant
> Knox [CSD
> files|https://github.com/cloudera/cm_ext/wiki/Service-Descriptor-Language-Reference]
> to give the flexibility for our users to enable/disable services during CM
> service discovery. The management of those configurations is way too complex
> and has a really negative effect on user experience on Knox's configuration
> page within Cloudera Manager
> Therefore, I came up with an idea that will still allow us to keep the
> original idea of excluding/including certain services to be
> discovered/included in the generated topology files. I plan to implement the
> following:
> - Remove the entire {{AdvancedServiceDiscoveryConfig*}} code
> - Former {{gateway.auto.discovery.address}} and
> {{gateway.auto.discovery.cluster}} parameters are already taken care of in
> HXR parser where descriptors are handled (they need to be set in upstream
> configuration locations such as the Knox CSD)
> - By default, all services are disabled even if a service available service
> found in the given discovery address/cluster will be added to the descriptor.
> This is because of the nature of the existing logic in
> {{{}SimpleDescriptorHandler{}}}. I'll add a new parameter suffix for service
> called "{{{}services{}}}" which end-users can set to "{{{}a comma-separated
> list of services"{}}} to include services in the generated topology (this new
> HXR parameter is similar to the existing 'discoveryAddress' or
> 'providerConfigRef' configs)
> - since this is CM-specific, Cloudera Manager users need to make sure to
> adopt their CSD files accordingly
> As a result, the {{.hxr}} file(s) will be self-contained and can achieve the
> same functionality as we have now with the complementary
> {{auto-discovery-advanced-configuration-*}} files.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2989) Enable support for multi-arch docer builds for Knox
[ https://issues.apache.org/jira/browse/KNOX-2989?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17792439#comment-17792439 ] ASF subversion and git services commented on KNOX-2989: --- Commit 6f89529f0ecec8b6021eecfb814d7d436b4251fa in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6f89529f0 ] KNOX-2989 - Multi arch support for Knox images (#822) > Enable support for multi-arch docer builds for Knox > --- > > Key: KNOX-2989 > URL: https://issues.apache.org/jira/browse/KNOX-2989 > Project: Apache Knox > Issue Type: Bug > Components: docker >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2992) Token impersonation config cleanup
[ https://issues.apache.org/jira/browse/KNOX-2992?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791686#comment-17791686 ] ASF subversion and git services commented on KNOX-2992: --- Commit 3031669533d233f81c111e75e8773e4794581a5d in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=303166953 ] KNOX-2992 - Cleaned up impersonation configs (#825) > Token impersonation config cleanup > -- > > Key: KNOX-2992 > URL: https://issues.apache.org/jira/browse/KNOX-2992 > Project: Apache Knox > Issue Type: Task > Components: Server, TokenGenerationUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > We need to make some changes in the token impersonation config to be better > suited in Knox's existing configuration defaults. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2991) Sanitise Oozie rewrite rules
[
https://issues.apache.org/jira/browse/KNOX-2991?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791634#comment-17791634
]
ASF subversion and git services commented on KNOX-2991:
---
Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch
refs/heads/master from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]
KNOX-2991 - Sanitise Oozie rewrite rules (#824)
* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules
-
Co-authored-by: Denes Bodo
> Sanitise Oozie rewrite rules
>
>
> Key: KNOX-2991
> URL: https://issues.apache.org/jira/browse/KNOX-2991
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Affects Versions: 1.6.0
>Reporter: Dénes Bodó
>Assignee: Dénes Bodó
>Priority: Major
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Testing Oozie through Knox proxy I found that there are some strange rewrite
> rule which seems outdated:
> {noformat}
>
>
>
>
>
>
> {noformat}
> This ticket is intended to track the work removing them.
> *inputDir* and *outputDir* are frequently used in Oozie's job.properties as a
> single directory name instead of a full HDFS path so in these cases the Oozie
> workflow fails running due to incorrect variable resolution:
> Configuration in job.properties:
> {noformat}
> nameNode=WILL_BE_UPDATED_BY_KNOX
> outputDir=my_custom_output_dir {noformat}
> workflow.xml:
> {code:xml}
>
> path="${nameNode}/user/${wf:user()}/examples/output-data/${outputDir}"/>
> {code}
> Error in Oozie launcher:
> {noformat}
> Launcher AM execution failed
> java.lang.IllegalArgumentException: java.net.URISyntaxException: Expected
> scheme-specific part at index 5: hdfs:
> at org.apache.hadoop.fs.Path.initialize(Path.java:259)
> at org.apache.hadoop.fs.Path.(Path.java:217)
> at org.apache.hadoop.fs.Path.(Path.java:125)
> at org.apache.hadoop.fs.Globber.doGlob(Globber.java:285)
> at org.apache.hadoop.fs.Globber.glob(Globber.java:202)
> at org.apache.hadoop.fs.FileSystem.globStatus(FileSystem.java:2107)
> at
> org.apache.oozie.action.hadoop.FSLauncherURIHandler.delete(FSLauncherURIHandler.java:59)
> at
> org.apache.oozie.action.hadoop.PrepareActionsHandler.execute(PrepareActionsHandler.java:83)
> at
> org.apache.oozie.action.hadoop.PrepareActionsHandler.prepareAction(PrepareActionsHandler.java:74)
> at
> org.apache.oozie.action.hadoop.LauncherAM.executePrepare(LauncherAM.java:378)
> at
> org.apache.oozie.action.hadoop.LauncherAM.access$100(LauncherAM.java:55)
> at org.apache.oozie.action.hadoop.LauncherAM$2.run(LauncherAM.java:229)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
> at org.apache.oozie.action.hadoop.LauncherAM.run(LauncherAM.java:226)
> at org.apache.oozie.action.hadoop.LauncherAM$1.run(LauncherAM.java:156)
> at java.security.AccessController.doPrivileged(Native Method)
> at javax.security.auth.Subject.doAs(Subject.java:422)
> at
> org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1899)
> at org.apache.oozie.action.hadoop.LauncherAM.main(LauncherAM.java:144)
> Caused by: java.net.URISyntaxException: Expected scheme-specific part at
> index 5: hdfs:
> at java.net.URI$Parser.fail(URI.java:2847)
> at java.net.URI$Parser.failExpecting(URI.java:2853)
> at java.net.URI$Parser.parse(URI.java:3056)
> at java.net.URI.(URI.java:746)
> at org.apache.hadoop.fs.Path.initialize(Path.java:256)
> ... 20 more {noformat}
>
> Found the real HDFS path after debugging the Oozie action:
> {noformat}
> hdfs://a.b.c.d:8020/user/test/examples/output-data/hdfs://a.b.c.d:8020/my_custom_output_dir{noformat}
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2675) Oozie Console URL on the web UI should be a Knox URL
[
https://issues.apache.org/jira/browse/KNOX-2675?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791635#comment-17791635
]
ASF subversion and git services commented on KNOX-2675:
---
Commit 7ee5c8c0dff655a426252da0a45bb2206b6eccaa in knox's branch
refs/heads/master from Denes Bodo
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ee5c8c0d ]
KNOX-2991 - Sanitise Oozie rewrite rules (#824)
* KNOX-2675 Oozie Console URL on the web UI should be a Knox URL
* KNOX-2991 - Sanitise Oozie rewrite rules
-
Co-authored-by: Denes Bodo
> Oozie Console URL on the web UI should be a Knox URL
>
>
> Key: KNOX-2675
> URL: https://issues.apache.org/jira/browse/KNOX-2675
> Project: Apache Knox
> Issue Type: Improvement
>Affects Versions: 1.4.0
>Reporter: Dénes Bodó
>Assignee: Dénes Bodó
>Priority: Major
> Fix For: 1.6.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When I open the Oozie web UI through Knox gateway and navigate to a
> workflow's action details then I see the Console URL field contains the
> cluster's internal hostname instead of a Knox gateway url. Here is an example
> json result from Oozie through Knox:
> {noformat}
> {
> "appName":"some_oozie_application",
> ...
> "actions":[
> {...},
> {
> ...
>
> "consoleUrl":"https://some_internal_domain_name:8090/proxy/application_1632125050865_0003/;,
> ...
> },
> {...}
> ],
> "status":"SUCCEEDED",
> "group":null
> } {noformat}
> The desired form should be for the consoleUrl field something like this:
> {noformat}
> https://externally_available_knox_domain_name:8443/gateway/cdp-proxy/yarn/cluster/app/application_1632125050865_0003/
> {noformat}
> The proposed solution contains Yarn UI v1 URL because the Yarn UI v2 contains
> a hash mark which cannot be used. See KNOX-2676
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2983) Combine the functionality of different identity assertion providers
[
https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791512#comment-17791512
]
ASF subversion and git services commented on KNOX-2983:
---
Commit 1914229 from Attila Magyar
[ https://svn.apache.org/r1914229 ]
KNOX-2988 Documentation for KNOX-2983
> Combine the functionality of different identity assertion providers
> ---
>
> Key: KNOX-2983
> URL: https://issues.apache.org/jira/browse/KNOX-2983
> Project: Apache Knox
> Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> h2. Motivation
> Currently there is no way to add multiple identity assertion providers and
> combine the functionality of them. For example one might want to use the
> Concat identity assertion together with the Switch case provider. This is not
> possible due to a limitation of Knox which only allows having one identity
> assertion provider in the topology. Additionally, having a distinct provider
> for each functionality has its own limitations that prevents expressing
> complex mappings.
> h2. Expression-Based principal mapping
> The idea behind the Expression-Based principal mapping is that it leverages
> the language that was introduced by
> https://issues.apache.org/jira/browse/KNOX-2707.
> {code}
>
> identity-assertion
> HadoopGroupProvider
> true
>
> expression.principal.mapping
>
> ...
>
> [...]
>
> {code}
> The value of *expression.principal.mapping* must be a valid expression that
> evaluates to a string, which will be the new, mapped principal.
> For example, in the following example all authenticated users will be mapped
> to principal: 'bob'.
> {code}
>
> expression.principal.mapping
> 'bob'
>
> {code}
> By adding a conditional you can selectively apply the mapping to specific
> users.
> {code}
>
> expression.principal.mapping
>
>
> (if (or (= username 'sam')
> (= username 'tom'))
> 'bob')
>
>
> {code}
> When the expression returns *null*, the original principal will be unchanged.
> h2. Reference
> h3. if
> The *if* is an expression (rather than a statement), that has 2 or 3
> parameters. When you call it with 2 parameters it will behave like an
> *if-then*, when you call it with 3 parameters it will behave like an
> *if-then-else* expression.
> The first parameters is a conditional that must evaluate to either true or
> false. In case of true, the first branch is evaluated, otherwise the 2nd
> branch is evaluated. If the 2nd branch is omitted, and the conditional is
> false, then null is returned.
> Returns 1: {code}(if true 1){code}
> Returns null: {code}(if false 1){code}
> Returns 2: {code}(if false 1 2){code}
> Returns 1: {code}(if true 1 2){code}
> h4. concat
> The concat function takes variable number of arguments and concats them into
> one single string.
> {code}
> (concat 'The' 'sun' 'will' 'come' 'up' 'tomorrow.')
> {code}
> This can be used to concat/prepend a prefix or suffix to the usename.
> {code}
> (concat 'prefix_' username '_suffix')
> {code}
> h4. uppercase / lowercase
> Convert a string to upper case and lower case letters.
> {code}
> (uppercase 'sam')
> {code}
> returns 'SAM'
> {code}
> (lowercase 'SAM')
> {code}
> returns 'sam'
> The combination of uppercase/lowercase and concat can be used to capitalize a
> username
> {code}
> (concat
> (uppercase (substr username 0 1))
> (lowercase (substr username 1)))
> {code}
> h4. substr
> The substr function works the same way as Java's subString. It takes one or
> two parameters, where the first is the begin index, and the second is the end
> index.
> The substring begins with the character at the specified index and extends to
> the end of this string.
> {code}
> (substr 'unhappy' 2)
> {code}
> returns 'happy'
> The end index is exclusive. The substring begins at the specified beginIndex
> and extends to the character at index endIndex - 1.
> {code}
> (substr 'hamburger' 4 8)
> {code}
> returns 'urge'
> h4. strlen
> The strlen function returns the length of a string.
> {code}
> (strlen 'apple')
> {code}
> returns 5
> For example, a combination of substr and strlen can be used to cut the first
> and last characters of a username
> {code}
> (substr username 1 (- (strlen username) 1))
> {code}
>
> h4. contains
> Check if a string includes a substring.
> {code}
> (contains 'dm' 'admin')
> {code}
> returns true since 'admin' contains 'dm'
> h4. index-of
> Find a substring in the given string and return the (zero based) index.
> {code}
> (index-of 'ppl' 'apple')
> {code}
> returns 1
> {code}
> (index-of 'xx' 'apple')
> {code}
> If the given substring is not found, -1 is
[jira] [Commented] (KNOX-2988) Documentation for KNOX-2983
[ https://issues.apache.org/jira/browse/KNOX-2988?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17791511#comment-17791511 ] ASF subversion and git services commented on KNOX-2988: --- Commit 1914229 from Attila Magyar [ https://svn.apache.org/r1914229 ] KNOX-2988 Documentation for KNOX-2983 > Documentation for KNOX-2983 > --- > > Key: KNOX-2988 > URL: https://issues.apache.org/jira/browse/KNOX-2988 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Attachments: KNOX-2983.patch, KNOX-2983_2.patch, Screenshot > 2023-11-20 at 12.22.28.png > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2924) Add MariaDB support in JDBC TokenStateService
[ https://issues.apache.org/jira/browse/KNOX-2924?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17787168#comment-17787168 ] ASF subversion and git services commented on KNOX-2924: --- Commit 78278bf623b5cbc7d3c578d18f7c47e0e652c8b5 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=78278bf62 ] KNOX-2924 - Added MariaDB support in JDBCTokenStateService (#820) > Add MariaDB support in JDBC TokenStateService > - > > Key: KNOX-2924 > URL: https://issues.apache.org/jira/browse/KNOX-2924 > Project: Apache Knox > Issue Type: Improvement > Components: Server, TokenGenerationUI, TokenManagementUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Currently, Knox supports PostgreSQL and MySQL for storing Knox tokens in an > RDBMS. We should add MariaDB to the list to enable more end-users to use this > cool feature in PROD-ready way. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2983) Combine the functionality of different identity assertion providers
[ https://issues.apache.org/jira/browse/KNOX-2983?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17786971#comment-17786971 ] ASF subversion and git services commented on KNOX-2983: --- Commit 083dc8977fcae7e6669670412d62061a599b49cf in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=083dc8977 ] KNOX-2983 - Combine the functionality of different identity assertion providers (#817) > Combine the functionality of different identity assertion providers > --- > > Key: KNOX-2983 > URL: https://issues.apache.org/jira/browse/KNOX-2983 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently there is no way to add multiple identity assertion provider and > combine the functionality of them. > For example one might want to use the Concat identity assertion filter > together with the Switch case provider. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2929) Add user information on all Knox UIs
[ https://issues.apache.org/jira/browse/KNOX-2929?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17786771#comment-17786771 ] ASF subversion and git services commented on KNOX-2929: --- Commit e888ec0cb71bd3ab5c02293639fa858025f9059a in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e888ec0cb ] KNOX-2929 - Logged in user is shown on Knox UIs (#819) > Add user information on all Knox UIs > > > Key: KNOX-2929 > URL: https://issues.apache.org/jira/browse/KNOX-2929 > Project: Apache Knox > Issue Type: Improvement > Components: AdminUI, TokenGenerationUI, TokenManagementUI >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Attachments: Screenshot 2023-06-22 at 10.25.28.png, Screenshot > 2023-06-22 at 10.25.38.png, Screenshot 2023-06-22 at 10.25.49.png, Screenshot > 2023-06-22 at 10.25.59.png > > Time Spent: 20m > Remaining Estimate: 0h > > Currently, the user information block is displayed only on the Knox Home > page, but not on the rest of the UIs: > !Screenshot 2023-06-22 at 10.25.28.png|height=200! > !Screenshot 2023-06-22 at 10.25.38.png|height=200! > !Screenshot 2023-06-22 at 10.25.49.png|height=200! > !Screenshot 2023-06-22 at 10.25.59.png|height=200! > If you see, the Token Generation UI does not even have the Knox header, which > we also should add as part of this work. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2985) Deprecate KNOXTOKEN API v1
[
https://issues.apache.org/jira/browse/KNOX-2985?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17784699#comment-17784699
]
ASF subversion and git services commented on KNOX-2985:
---
Commit c4f77c9a23cbc839ca5da90b58e0c517377b7150 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c4f77c9a2 ]
KNOX-2985 - Introduced KNOXTOKEN API v2 and deprecated v1 methods (#818)
> Deprecate KNOXTOKEN API v1
> --
>
> Key: KNOX-2985
> URL: https://issues.apache.org/jira/browse/KNOX-2985
> Project: Apache Knox
> Issue Type: Task
> Components: Server, TokenGenerationUI, TokenManagementUI
>Affects Versions: 2.0.0, 2.1.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 50m
> Remaining Estimate: 0h
>
> In KNOX-2661, the following REST API endpoint changes happened:
> * renew was updated from {{POST}} to {{PUT}}
> * revoke was updated from {{POST}} to {{DELETE}}
> Unfortunately, at that time I did not consider backward compatibility and I
> introduced a backward compatibility issue for clients using previous versions.
> The scope of this Jira is to revert that issue back in the following way:
> * change renew/revoke back to POST in '.../api/v1/token' in v1 (to fix the
> issue we introduced earlier)
> * introduce v2 that will match v1, except that v2 will match the above
> changes from KNOX-2661
> * mark v1 deprecated
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2980) Token id column in token management page is not word wrapped ,hence unable to view few characters in tokenid
[
https://issues.apache.org/jira/browse/KNOX-2980?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781646#comment-17781646
]
ASF subversion and git services commented on KNOX-2980:
---
Commit 32a8efddc1b150ad2e23498debe246c676963d52 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=32a8efddc ]
KNOX-2980 - Applying word wrapping in various columns that can have 'long'
content. (#816)
> Token id column in token management page is not word wrapped ,hence unable to
> view few characters in tokenid
>
>
> Key: KNOX-2980
> URL: https://issues.apache.org/jira/browse/KNOX-2980
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenManagementUI
>Affects Versions: 2.0.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Minor
> Fix For: 2.1.0
>
> Attachments: image-2023-10-31-22-56-22-082.png,
> image-2023-10-31-22-56-49-415.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> Token id column value is not text wrapped , hence unable to view few
> characters in tokenid
> +*BUILDS:*+
> 2.0.0
>
> +*STEPS TO REPRODUCE:*+
> - Generate JWT token from token generation page
> +*CURRENT BEHAVIOUR:*+
> Some tokens character are not completely visible on UI. for example in below
> first digit is 7 which is not visible
> !image-2023-10-31-22-56-22-082.png!
> !image-2023-10-31-22-56-49-415.png!
> +*EXPECTED BEHAVIOUR:*+
> Token id should be word wrapped
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> Unable to view the complete token id
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2979) Remove redundant 'refresh' query parameter from logout.jsp
[
https://issues.apache.org/jira/browse/KNOX-2979?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781379#comment-17781379
]
ASF subversion and git services commented on KNOX-2979:
---
Commit d569373582b800c6c0346cb25e5fe5ec06054050 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d56937358 ]
KNOX-2979 - Removed redundant 'refresh' query parameter from the application
logout link after originalUrl (#815)
> Remove redundant 'refresh' query parameter from logout.jsp
> --
>
> Key: KNOX-2979
> URL: https://issues.apache.org/jira/browse/KNOX-2979
> Project: Apache Knox
> Issue Type: Task
> Components: Homepage, KnoxSSO
>Affects Versions: 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> KNOX-2625 introduced a new query parameter called {{refresh}} which is only
> used in the Knox Home page UI's {{handleError}} method. Because of the way,
> how Angular renders pages after issuing a {{sweetalert}} notification, which
> we do, followed by a {{{}Promise.reject(String){}}}, the {{refresh}} query
> parameter is redundant and not needed at all.
> Even worse, it might interfere with the profile/topology query parameters we
> added in KNOX-2972 in a way such that the topologies will not be displayed.
> Therefore, removing the {{refresh}} query parameter in the logout link is
> highly recommended.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2958) Few Service's API links for a topology on knox home page is incorrect
[ https://issues.apache.org/jira/browse/KNOX-2958?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781324#comment-17781324 ] ASF subversion and git services commented on KNOX-2958: --- Commit 6ec81a08c0173fad1f25ecc53bd2a8cf3eec6f21 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6ec81a08c ] KNOX-2958 - Fixed API samples for certain services (#814) Additionally, a general improvement is implemented that adds the missing slash at the beginning of the path element if it was missing from the service definition sample. > Few Service's API links for a topology on knox home page is incorrect > - > > Key: KNOX-2958 > URL: https://issues.apache.org/jira/browse/KNOX-2958 > Project: Apache Knox > Issue Type: Bug > Components: Homepage >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 20m > Remaining Estimate: 0h > > *PROBLEM STATEMENT:* > Service API links via knox in knox homepage is incorrect > *BUILDS:* > knox 2.0 > *STEPS TO REPRODUCE:* > 1. Create a topology1 with WEBHDFS,cm-api,OOZIE,RESOURCEMANAGER service > 2. Login to knox homepage > 3. go to topology1 > 4. Click on webhdfs api icon > 5. Fetch the sample api links > *CURRENT BEHAVIOUR:* > 1. cm api url is invalid on knox homepage > invalid url: > Fetch all CM-managed clusters > curl -iv -X GET "https://knox-host:/gateway/topology1/cm-apiclusters; > Fetches HDFS service details from cluster named 'c1' > curl -iv -X GET > "https://knox-host:/gateway/topology1/cm-apiclusters/c1/services/HDFS; > 2. webhdfs api link is incorrect > incorrect url > curl -iv -X GET > "https://knox-host:/gateway/topology1/webhdfsv1/testPath?op=LISTSTATUS; > 3. Oozie api link is incorrect . Should have "/" after oozie > incorrect url > curl -iv -X GET "https://knox-host:/gateway/topology1/oozieoozie/versions; > 4. Resource manager api link is invalid . Should not have ws in the url > incorrect url > curl -iv -X GET > "https://knox-host:/gateway/topology1/resourcemanagerws/v1/cluster/metrics; > *EXPECTED BEHAVIOUR:* > correct urls as follows > 1. cm valid url : should have "/" after webhdfs in the url as below > curl -iv -X GET "https://knox-host:/gateway/topology1/cm-api/v40/clusters; > 2. webhdfs valid url : > valid url : should have "/" after webhdfs in the url as below > curl -iv -X GET > "https://knox-host:/gateway/topology1/webhdfs/v1/testPath?op=LISTSTATUS; > 3. oozie url: > curl -iku hrt_qa:Password@123 -X GET > "https://knox-host:/gateway/topology1/oozie/oozie/versions; > 4. RM url : > curl -iv -X GET > "https://knox-host:/gateway/topology1/resourcemanager/v1/cluster/metrics; > *OCCURRENCE:* > Reproducible > *IMPACT:* > Not pointing to the appropriate api link , which causes the user to unable to > access the service api via knox. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2974) Add a new endpoint like 'pre' that supports other verbs and ignores paths
[ https://issues.apache.org/jira/browse/KNOX-2974?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17781023#comment-17781023 ] ASF subversion and git services commented on KNOX-2974: --- Commit 8e55969f3f85ac99925842744c143f7e916f784d in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8e55969f3 ] KNOX-2974 - Add a new endpoint 'extauthz' similar to pre that accepts HTTP verbs other than GET and if confgiured ignores additional context path params (#813) > Add a new endpoint like 'pre' that supports other verbs and ignores paths > - > > Key: KNOX-2974 > URL: https://issues.apache.org/jira/browse/KNOX-2974 > Project: Apache Knox > Issue Type: New Feature > Components: docker, Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Knox can be used as an [external authorizer for Istio > |https://istio.io/v1.10/blog/2021/better-external-authz/]. In this model > Istio forwards the request to the external authorizer and depending on the > results the request then either errors out with 401 or 403 OR proceeds to > it's intended destination after successful authentication and authorization > by Knox. > Here the request is getting forwarded and Knox acts as a "filter". This means > the "pre" endpoint should support all the HTTP verbs and it should have the > ability to ignore additional paths that may be appended by Istio. > This JIRA is to address these issues by creating a new service "extauthz" > that addresses these issues without changing existing "pre" service to > prevent breakage. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2975) [Usability] When one among selected tokens for batch operation is SSO token , should display text message on why revoke operation is not available for user
[
https://issues.apache.org/jira/browse/KNOX-2975?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780944#comment-17780944
]
ASF subversion and git services commented on KNOX-2975:
---
Commit 7a5189a7c0c51f3e2c0b9cd2bf03b4df0415 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7a5189a7c ]
KNOX-2975, KNOX-2976 - Expired tokens must not be enabled/disabled in batches
(#812)
Additionally, useful tips are shown on why batch operation actions are hidden
(e.g. KnoxSSO Cookies must not be revoked).
> [Usability] When one among selected tokens for batch operation is SSO token ,
> should display text message on why revoke operation is not available for user
> ---
>
> Key: KNOX-2975
> URL: https://issues.apache.org/jira/browse/KNOX-2975
> Project: Apache Knox
> Issue Type: Improvement
> Components: TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Minor
> Attachments: image-2023-10-26-10-34-37-269.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> [Usability] When SSO token selected along with JWT token should display text
> message to user on why revoke operation is not available
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> 1. Update below knox configurations
> knox.global.logout.page.url=https://
> knox.token.exp.server-managed=true
> gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1
> 2. browser1 - Login to knox home page as hrt_qa
> 3. disable hrt_qa SSO token
> 4. In loop perform above 2 steps 4 times (15 SSO token will be disabled)
> 5. Generate 5 jwt token from token gen page
> 6. Select multiple jwt token (enable/disable/revoke operation will be
> available for user)
> 7. Select one SS) token ( only enable and disable operation will be available
> for user)
> +*CURRENT BEHAVIOUR:*+
> When one SSO token is selected during batch revoke operation then revoke
> button will not be available for the user
> +*EXPECTED BEHAVIOUR:*+
> Should have text message on UI for user to let know that SSO token is
> selected as part of batch operation and revoke operation is not allowed
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> User will not know why revoke button is not available when one among selected
> tokens have SSO token
> +*LOG ARTIFACTS:*+
> !image-2023-10-26-10-34-37-269.png!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2976) Expired JWT and SSO token should not be having disable and enable token batch operations exposed for user
[
https://issues.apache.org/jira/browse/KNOX-2976?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780945#comment-17780945
]
ASF subversion and git services commented on KNOX-2976:
---
Commit 7a5189a7c0c51f3e2c0b9cd2bf03b4df0415 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7a5189a7c ]
KNOX-2975, KNOX-2976 - Expired tokens must not be enabled/disabled in batches
(#812)
Additionally, useful tips are shown on why batch operation actions are hidden
(e.g. KnoxSSO Cookies must not be revoked).
> Expired JWT and SSO token should not be having disable and enable token batch
> operations exposed for user
> -
>
> Key: KNOX-2976
> URL: https://issues.apache.org/jira/browse/KNOX-2976
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Major
> Attachments: image-2023-10-26-10-38-33-481.png, screenshot-1.png
>
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> Expired JWT and SSO token should not be having disable and enable token batch
> operations exposed for user
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> 1. browser1 - Login to knox home page as hrt_qa
> 2. Update below knox-cm configurations
> knox.global.logout.page.url=https://
> knox.token.exp.server-managed=true
> gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1
> gateway.knox.token.eviction.grace.period=10 min
> knoxsso_token_ttl=12 (2 min)
> 3. browser2 - Login to knox home page as hrt_22
> 4. Generate hrt_22 JWT token with 1 mins
> 5. wait for above JWT token to expire
> 6. Wait for hrt_22 SSO token to expire
> +*CURRENT BEHAVIOUR:*+
> On token management page able to see below batch operation for :
> SSO token - disable and enable
> JWT token - enable,disable,revoke
> +*EXPECTED BEHAVIOUR:*+
> Both expired SSO token and JWT token should not have enable and disable
> operation as part of batch selection on expired tokens
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> Expired token allows user to perform disable and enable operation , which
> doesnt have any effect
> +*LOG ARTIFACTS:*+
> !screenshot-1.png|width=952,height=193!
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2978) Race condition between Service Discovery and Polling Config Analyzer
[
https://issues.apache.org/jira/browse/KNOX-2978?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17780277#comment-17780277
]
ASF subversion and git services commented on KNOX-2978:
---
Commit bc4d5486bb1b60728a1c6376336a13c627c5aa5b in knox's branch
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=bc4d5486b ]
KNOX-2978 - Race condition between Service Discovery and Polling Config
Analyzer (#811)
> Race condition between Service Discovery and Polling Config Analyzer
>
>
> Key: KNOX-2978
> URL: https://issues.apache.org/jira/browse/KNOX-2978
> Project: Apache Knox
> Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> When a config change is detected by the Polling Config Analyzer then then the
> cache used by the service discovery will be cleared. If this happens when
> discovery is in progress then a NullPointerException will happen.
> {code}
> private ServiceDetails getServiceDetails(ServiceDiscoveryConfig
> serviceDiscoveryConfig, ApiService service) {
> return getClusterServices(serviceDiscoveryConfig).getIfPresent(service);
> // <= NPE
> }
> {code}
> {code}
> @Override
> public void onConfigurationChange(String source, String clusterName) {
> log.clearServiceDiscoveryRepository();
> repository.clear(); // this will cause the NPE
> }
> {code}
> This was observed on a live cluster when certain cluster properties was
> changed during knox startup.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2977) Topology port mapping does not honour descriptors
[
https://issues.apache.org/jira/browse/KNOX-2977?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779858#comment-17779858
]
ASF subversion and git services commented on KNOX-2977:
---
Commit 672b3cb94b93b9db256c460b8111a45c6b9a1422 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=672b3cb94 ]
KNOX-2977 - The 'conf/descriptors' folder should be considered too when
registering topology port mappings (#810)
> Topology port mapping does not honour descriptors
> -
>
> Key: KNOX-2977
> URL: https://issues.apache.org/jira/browse/KNOX-2977
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Affects Versions: 1.4.0, 1.5.0, 2.0.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> In certain environments, such as in recent Cloudera offerings, XML-based
> topologies are not in use (and are removed every time Knox is (re)-started.
> Instead, topologies are produced using Knox's [Simplified Descriptor
> Files|https://knox.apache.org/books/knox-2-0-0/user-guide.html#Simplified+Descriptor+Files]).
> The problem is, that the current topology port mapping implementation ignores
> artifacts from the {{$KNOX_CONF_FOLDER/descriptors}} and only considers
> {{$KNOX_CONF_FOLDER/topologies}}. This needs to be fixed.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2972) Logout page URL may take query parameters
[
https://issues.apache.org/jira/browse/KNOX-2972?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779187#comment-17779187
]
ASF subversion and git services commented on KNOX-2972:
---
Commit ad0ea7d4c7fafb5ecc4fa348aabb35f1221fbd19 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ad0ea7d4c ]
KNOX-2972 - Session resource can generate application logout URL with
profile/topologies query parameters (#808)
> Logout page URL may take query parameters
> -
>
> Key: KNOX-2972
> URL: https://issues.apache.org/jira/browse/KNOX-2972
> Project: Apache Knox
> Issue Type: Improvement
> Components: Homepage
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> Currently, the logout page URL contains a hard-coded {{originalUrl}} that
> points to the Knox Home page without any {{profile}} or {{topologies}} query
> parameter. In some cases, it would be beneficial to pass any of those params
> when logging out from the application.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2973) HbaseUI>Table Details not accessible from Knox endpoint intermittently
[ https://issues.apache.org/jira/browse/KNOX-2973?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17779088#comment-17779088 ] ASF subversion and git services commented on KNOX-2973: --- Commit 03064bdbc6ae19b911f2b004778256f85df048df in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=03064bdbc ] KNOX-2973 - Fix redirect URI when host and port are query params of originalUrl (#809) > HbaseUI>Table Details not accessible from Knox endpoint intermittently > -- > > Key: KNOX-2973 > URL: https://issues.apache.org/jira/browse/KNOX-2973 > Project: Apache Knox > Issue Type: Bug > Components: Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > This is due to the [SSO logic that checks for > originalURL|https://github.com/apache/knox/blob/master/gateway-service-knoxsso/src/main/java/org/apache/knox/gateway/service/knoxsso/WebSSOResource.java#L365] > query param. > During the first login, this is the redirect URL: > https://local.site/gateway/knoxsso/api/v1/websso?originalUrl=https://local.site/gateway/proxy/hbase/webui/master?host=local.site=16010 > When this reaches WebSSOResource.getOriginalUrlFromQueryParams() > functionvalue of request.getParameter(ORIGINAL_URL_REQUEST_PARAM) is > https://local.site/gateway/proxy/hbase/webui/master?host=local.site > Note: port information is missing. This is because of the & query param which > treats port as a separate param and not part of original URL. > Also, because of the same reason '?' is added after the host, this is where > it is done > This is why additional ? gets added. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2970) During knox global logout , the corresponding SSO token should be either disabled or revoked
[
https://issues.apache.org/jira/browse/KNOX-2970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1416#comment-1416
]
ASF subversion and git services commented on KNOX-2970:
---
Commit fbed6e7cf095f3e5f6328163de15e5925544372d in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fbed6e7cf ]
KNOX-2970 - Removing KnoxSSO cookie from the token state service upon logout
(#806)
Additionally, the Token Management UI displays the 'current' KnoxSSO cookie row
in bold.
> During knox global logout , the corresponding SSO token should be either
> disabled or revoked
> -
>
> Key: KNOX-2970
> URL: https://issues.apache.org/jira/browse/KNOX-2970
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO
>Affects Versions: 2.0.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> During knox global logout , SSO token should be either disabled or removed
> +*BUILDS:*+
> 2.0
>
> +*STEPS TO REPRODUCE:*+
> - Enable logout "knox.homepage.logout.enabled" , configure
> "knox.global.logout.page.url" to "https://*;
> - Access knox home page
> - Click on global logout
> +*CURRENT BEHAVIOUR:*+
> the session will be removed and user if need to access knox home page again
> should relogin , but still the previous SSO token will be alive for default 1
> day which can cause security risk
> +*EXPECTED BEHAVIOUR:*+
> During knox global logout , the corresponding SSO token should be either
> disabled or revoked
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2971) Tokens generated with comment more than 27 char is not completely displayed on the token management page
[
https://issues.apache.org/jira/browse/KNOX-2971?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=1325#comment-1325
]
ASF subversion and git services commented on KNOX-2971:
---
Commit 34a76c39c0b27e48801715a87a2ff3376bef59e9 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=34a76c39c ]
KNOX-2971 - Applying word wrapping in the comment and metadata columns on the
Token Management UI (#807)
> Tokens generated with comment more than 27 char is not completely displayed
> on the token management page
>
>
> Key: KNOX-2971
> URL: https://issues.apache.org/jira/browse/KNOX-2971
> Project: Apache Knox
> Issue Type: Improvement
> Components: TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Major
> Attachments: image-2023-10-18-18-53-37-777.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> Tokens generated with comment more than 27 char is not completely displayed
> on the token management page
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> - Deploy ycloud cluster with above gbn.
> - Generate token with comment "hrt_qaforhrt_2andreina1andreina2mary"
> +*CURRENT BEHAVIOUR:*+
> comment is not completely displayed on UI
> !image-2023-10-18-18-53-37-777.png!
> +*EXPECTED BEHAVIOUR:*+
> Either text should be wrapped / scroll bar should be available to view the
> comment
> Note: While i can filter using the above token "mary" text
> +*OCCURRENCE:*+
> Reproducible
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2969) For user-limit to fetch token calculation includes enabled and disabled SSO token count as well, causing failure in generating the JWT token from token gen page
[
https://issues.apache.org/jira/browse/KNOX-2969?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17776724#comment-17776724
]
ASF subversion and git services commented on KNOX-2969:
---
Commit eef24f4ae652240360783fe9766e9161fd8bb4d5 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=eef24f4ae ]
KNOX-2969 - KnoxSSO Cookies should be ignored while calculating token limit per
user (#805)
> For user-limit to fetch token calculation includes enabled and disabled SSO
> token count as well, causing failure in generating the JWT token from token
> gen page
>
>
> Key: KNOX-2969
> URL: https://issues.apache.org/jira/browse/KNOX-2969
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
>Affects Versions: 2.1.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Major
> Attachments: image-2023-10-18-12-45-37-741.png,
> image-2023-10-18-12-45-47-121.png, image-2023-10-18-12-46-28-490.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:\{color}*+
> For token limit on a user calculation includes enabled and disabled SSO token
> as well, causing failure in generating the JWT token from token gen page
> +*BUILDS:*+
> 2.1.0
>
> +*STEPS TO REPRODUCE:*+
> # Deploy ycloud cluster with above gbn.
> # Configure below from CM UI
> #
> knox.global.logout.page.url=[https://**,|https://%2A%2A%2A%2A%2A%2A%2A%2A%2A%2A%2C/]
> knoxsso_cookie_management_enabled - enable
> gateway.knox.token.management.users.can.see.all.tokens = hrt_qa, hrt_1
> # Access knox home page using hrt_22 user
> # Disable the hrt_22 SSO token from hrt_qa token management page
> # Repeat operation 4-5 for 15 times
> # Now login to token generation page using hrt_22 user
> # Generate the jwt token
> +*CURRENT BEHAVIOUR:*+
> Token generation fails saying user limit exceeded , though not even one
> non-sso token is generated by hrt_22 user
> !image-2023-10-18-12-45-47-121.png|width=1129,height=344!
> !image-2023-10-18-12-46-28-490.png|width=1009,height=285!
> +*EXPECTED BEHAVIOUR:*+
> SSO token should not be considered for per user limit to generate the token
> calculation .
> Even though we have 15+ SSO tokens (in enabled/disabled state) , user should
> be able to generate 10 tokens as "gateway.knox.token.limit.per.user" default
> value is 10
> +*OCCURRENCE:*+
> Reproducible
> +*IMPACT:*+
> If multiple SSO token for user is available then user will not be able to
> generate jwt token from token generation page
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2968) When multiple enabled tokens selected including a SSO token and perform "enable token" operation fails with invalid error mess
[
https://issues.apache.org/jira/browse/KNOX-2968?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17776617#comment-17776617
]
ASF subversion and git services commented on KNOX-2968:
---
Commit 01a422ebfbddbefe3beff4e8ae4d0169774f6211 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=01a422ebf ]
KNOX-2968 - Batch token enable action should succeed even if enabled KnoxSSO
cookies are selected (#804)
> When multiple enabled tokens selected including a SSO token and perform
> "enable token" operation fails with invalid error mess
> --
>
> Key: KNOX-2968
> URL: https://issues.apache.org/jira/browse/KNOX-2968
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenManagementUI
>Affects Versions: 2.1.0
>Reporter: J.Andreina
>Assignee: Sandor Molnar
>Priority: Minor
> Attachments: image-2023-10-18-12-40-18-857.png
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> +*{color:#de350b}PROBLEM STATEMENT:{color}*+
> When multiple enabled tokens selected including a SSO token and perform
> "enable token" operation fails with invalid error mess
> +*BUILDS:*+
> knox 2.1
> feature reference doc :
> https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+Management
>
> +*STEPS TO REPRODUCE:*+
> - Deploy ycloud cluster with above gbn.
> - Create tokens from token gen page
> - Logged into token management page using multiple users so that we will have
> knox sso token
> - Select multiple jwt token and an knox sso token
> - Click on "Enable Selected Tokens" button
> +*CURRENT BEHAVIOUR:*+
> Fails with improper error mess saying "Disabled KnoxSSO Cookies cannot not be
> enabled" while the SSO token is still enabled .
> !image-2023-10-18-12-40-18-857.png!
> +*EXPECTED BEHAVIOUR:*+
> - During batch selection if any active knox sso token is selected and
> performed "Enable Selected Tokens" , then the batch operation should succeed
> +*OCCURRENCE:*+
> Reproducible
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774131#comment-17774131 ] ASF subversion and git services commented on KNOX-2962: --- Commit 1eeaf7315372bd7f8592e828dcac61740ba64581 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1eeaf7315 ] Revert "KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800)" (#803) This reverts commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf. > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17774084#comment-17774084 ] ASF subversion and git services commented on KNOX-2962: --- Commit 9b5af7f28c559c54bdd5e3a707e1afce4ea8a87d in knox's branch refs/heads/revert-800-KNOX-2962-pend from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=9b5af7f28 ] Revert "KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800)" This reverts commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf. > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2963) CM service discovery should work when legacy mode is turned off
[ https://issues.apache.org/jira/browse/KNOX-2963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773981#comment-17773981 ] ASF subversion and git services commented on KNOX-2963: --- Commit 838dcd837217d55c2568a715dc992ed53c6eac9a in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=838dcd837 ] KNOX-2963 - CM service discovery should work when legacy mode is turned off (#801) > CM service discovery should work when legacy mode is turned off > --- > > Key: KNOX-2963 > URL: https://issues.apache.org/jira/browse/KNOX-2963 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > If Legacy Cloudera Manager API Clients Compatibility is turned on then > certain HDFS configs are moved to CORE_SETTINGS. > When the service model generator fetches hdfs_hadoop_ssl_enabled it will find > a null value (since the real config is under CORE_SETTINGS) and it will > generate a non-ssl URL even despite SSL is enabled. > Service discovery should fetch CORE_SETTINGS configs so that the model > generators can look up configs values from there too. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2962) Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for
[ https://issues.apache.org/jira/browse/KNOX-2962?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773980#comment-17773980 ] ASF subversion and git services commented on KNOX-2962: --- Commit ff6bcbcac5c5d0e8f00f4944207975f5b1bfeebf in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ff6bcbcac ] KNOX-2962 - Knox readiness check gateway-status endpoint should return the list of topologies for which it is waiting for (#800) > Knox readiness check gateway-status endpoint should return the list of > topologies for which it is waiting for > -- > > Key: KNOX-2962 > URL: https://issues.apache.org/jira/browse/KNOX-2962 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 2.0.0 >Reporter: J.Andreina >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Current behaviour : > Knox readiness api return only no/pending as the status . Hence when there is > any issue with any custom topology deployment > "https://localhost:8443/gateway/health/v1/gateway-status; is invoked , it > shows status as only PENDING . User have to check the gateway.log file to > understand what are topologies it is waiting for to be deployed > Expectation : > If "https://localhost:8443/gateway/health/v1/gateway-status; is PENDING > should return the list of topology for which it is waiting for . -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2966) Improve hadoop-jwt cookie logging
[
https://issues.apache.org/jira/browse/KNOX-2966?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773661#comment-17773661
]
ASF subversion and git services commented on KNOX-2966:
---
Commit 895022c4539a81543f5f0e946550cfc3feff3275 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=895022c45 ]
KNOX-2966 - Improved logging around KnoxSSO cookie management (#802)
> Improve hadoop-jwt cookie logging
> -
>
> Key: KNOX-2966
> URL: https://issues.apache.org/jira/browse/KNOX-2966
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Currently, the following log messages are displayed when the {{hadoop-jwt}}
> cookie is added to the response during the KnoxSSO flow:
> - DEBUG: {{Adding the following JWT token as a cookie: $ENTIRE_JWT}}
> - INFO: JWT cookie successfully added.
> - ERROR: {{Unable to add cookie to response. $ERROR_MSG: $ERROR_STACK}}
> Possible improvements:
> - use {{org.apache.knox.gateway.util.Tokens.getTokenDisplayText(String)}} to
> mask the entire JWT in the {{DEBUG}} message above
> - add the masked JWT info in the {{INFO}} message so that we'll have a better
> understanding of when a certain SSO cookie was issued/added in the response.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2965) Document KnoxSSO Cookie Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773599#comment-17773599 ] ASF subversion and git services commented on KNOX-2965: --- Commit 1912854 from Sandor Molnar in branch 'knox/trunk' [ https://svn.apache.org/r1912854 ] KNOX-2965 - Fixed batch operations formatting > Document KnoxSSO Cookie Invalidation > > > Key: KNOX-2965 > URL: https://issues.apache.org/jira/browse/KNOX-2965 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > > Document the new feature and changes implemented in KNOX-2961. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2965) Document KnoxSSO Cookie Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2965?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773592#comment-17773592 ] ASF subversion and git services commented on KNOX-2965: --- Commit 1912852 from Sandor Molnar in branch 'knox/trunk' [ https://svn.apache.org/r1912852 ] KNOX-2965 - Document KNOXSSO Cookie Invalidation > Document KnoxSSO Cookie Invalidation > > > Key: KNOX-2965 > URL: https://issues.apache.org/jira/browse/KNOX-2965 > Project: Apache Knox > Issue Type: Task > Components: Document >Affects Versions: 2.1.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > > Document the new feature and changes implemented in KNOX-2961. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2950) Token generation should be reachable using the old URL
[
https://issues.apache.org/jira/browse/KNOX-2950?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773471#comment-17773471
]
ASF subversion and git services commented on KNOX-2950:
---
Commit 01361812f852988681bda05565b9607ceb427b38 in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=01361812f ]
KNOX-2950 - Handling application path aliases (#787)
> Token generation should be reachable using the old URL
> --
>
> Key: KNOX-2950
> URL: https://issues.apache.org/jira/browse/KNOX-2950
> Project: Apache Knox
> Issue Type: Bug
> Components: TokenGenerationUI
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 2h
> Remaining Estimate: 0h
>
> With KNOX-2811, the token generation UI's URL is changed from
> {{'.../tokengen/index.html'}} to {{'.../token-generation/index.html'}}. The
> idea was that clients will use the Knox Home page to go to that particular
> UI. However, it might be the case that other 3rd party tools have that link
> hard-coded.
> So it'd be nice to reach the same UI with an additional context with the old
> name ({{tokengen}}).
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2961) KnoxSSO Token Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17773259#comment-17773259 ] ASF subversion and git services commented on KNOX-2961: --- Commit f91385662a09b1014f1e1935944fb55bcb47f0a0 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=f91385662 ] KNOX-2961 - Knox SSO cookie Invalidation - Phase II (#799) - Allow end-users to show/hide previously disabled KnoxSSO Cookies on the Token Management page. - Pre-configured users can see all tokens on the Token Management page. - End-users can execute batch operations on selected Knox Tokens. > KnoxSSO Token Invalidation > -- > > Key: KNOX-2961 > URL: https://issues.apache.org/jira/browse/KNOX-2961 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO, Server, TokenManagementUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 4h > Remaining Estimate: 0h > > There is a need for a new feature that would allow a pre-configured superuser > to invalidate previously issued Knox SSO tokens for (a) particular user(s) in > case there is a malicious attack in terms of one (or more) of those users' > SSO tokens got compromised. > In phase I, the following changes have to be implemented: > - Knox SSO cookie validation using PAM, LDAP, and Pac4j > authentication/federation > - The token Management page should be updated in a way such that it'll > contain only one compact table with all the information we need of a > generated token (is impersonated, is Knox SSO cookie, available actions) > - Knox SSO cookies on the new token management UI can be disabled > (invalidated), but not revoked. > - Disabled KnoxSSO cookies should be removed from the underlying token state > service within the configure eviction period even if they were not expired > In phase II, the token management page should be updated with the following > improvements: > * pre-configured superusers can view tokens of others and not only theirs > * batch operations should be able to be executed using the available actions > to make it easier for a superuser to disable one's tokens in a round -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2961) KnoxSSO Token Invalidation
[ https://issues.apache.org/jira/browse/KNOX-2961?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17772467#comment-17772467 ] ASF subversion and git services commented on KNOX-2961: --- Commit c49302a0f7ac27f92811d4d65cdc76da7077f5d2 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=c49302a0f ] KNOX-2961 - Knox SSO cookie Invalidation - Phase I (#797) > KnoxSSO Token Invalidation > -- > > Key: KNOX-2961 > URL: https://issues.apache.org/jira/browse/KNOX-2961 > Project: Apache Knox > Issue Type: New Feature > Components: KnoxSSO, Server, TokenManagementUI >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.1.0 > > Time Spent: 2h > Remaining Estimate: 0h > > There is a need for a new feature that would allow a pre-configured superuser > to invalidate previously issued Knox SSO tokens for (a) particular user(s) in > case there is a malicious attack in terms of one (or more) of those users' > SSO tokens got compromised. > In phase I, the following changes have to be implemented: > - Knox SSO cookie validation using PAM, LDAP, and Pac4j > authentication/federation > - The token Management page should be updated in a way such that it'll > contain only one compact table with all the information we need of a > generated token (is impersonated, is Knox SSO cookie, available actions) > - Knox SSO cookies on the new token management UI can be disabled > (invalidated), but not revoked. > - Disabled KnoxSSO cookies should be removed from the underlying token state > service within the configure eviction period even if they were not expired > In phase II, the token management page should be updated with the following > improvements: > * pre-configured superusers can view tokens of others and not only theirs > * batch operations should be able to be executed using the available actions > to make it easier for a superuser to disable one's tokens in a round -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2960) DefaultDispatch doesn't forward inbound request headers in case of requestType=OPTIONS
[
https://issues.apache.org/jira/browse/KNOX-2960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17771873#comment-17771873
]
ASF subversion and git services commented on KNOX-2960:
---
Commit 8e7513a66c6576172840c89ef1c3e576bec0322f in knox's branch
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8e7513a66 ]
KNOX-2960 - DefaultDispatch doesn't forward inbound request headers in case of
requestType=OPTIONS (#798)
> DefaultDispatch doesn't forward inbound request headers in case of
> requestType=OPTIONS
> --
>
> Key: KNOX-2960
> URL: https://issues.apache.org/jira/browse/KNOX-2960
> Project: Apache Knox
> Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Time Spent: 20m
> Remaining Estimate: 0h
>
> put/get/etc has copyRequestHeaderFields
> {code}
>@Override
>public void doPut(URI url, HttpServletRequest request, HttpServletResponse
> response)
> throws IOException, URISyntaxException {
> final HttpPut method = new HttpPut(url);
> copyRequestHeaderFields(method, request, addExpect100Continue);
> final HttpEntity entity = createRequestEntity(request,
> addExpect100Continue);
> method.setEntity(entity);
> executeRequestWrapper(method, request, response);
>}
> {code}
> but OPTIONS doesn't
> {code}
>@Override
>public void doOptions(URI url, HttpServletRequest request,
> HttpServletResponse response)
> throws IOException, URISyntaxException {
> HttpOptions method = new HttpOptions(url);
> executeRequestWrapper(method, request, response);
>}
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
[jira] [Commented] (KNOX-2959) Auto discovery to support scaling scenarios
[ https://issues.apache.org/jira/browse/KNOX-2959?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17771821#comment-17771821 ] ASF subversion and git services commented on KNOX-2959: --- Commit 1da5edc9f044a83262f485e2cdb767384a92038c in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1da5edc9f ] KNOX-2959 - Auto discovery to support scaling scenarios (#796) > Auto discovery to support scaling scenarios > --- > > Key: KNOX-2959 > URL: https://issues.apache.org/jira/browse/KNOX-2959 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > After adding/removing a new component the service list in the topologies > should be regenerated to request the newly added component. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2896) Homepage - API services view switch
[ https://issues.apache.org/jira/browse/KNOX-2896?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17766763#comment-17766763 ] ASF subversion and git services commented on KNOX-2896: --- Commit 3af43b73cef94481679ec42157a0a07d227f586f in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3af43b73c ] KNOX-2896 - API services view on Knox Home page can be selected (#795) The default view is the 'old' list view which belongs to v1. If end-users want the most recent modal-window style, they will need to use v2 as gateway.api.services.view.version in gateway-site.xml. > Homepage - API services view switch > --- > > Key: KNOX-2896 > URL: https://issues.apache.org/jira/browse/KNOX-2896 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.5.0, 2.0.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > > With KNOX-2343, the API services on the Knox Home page are displayed > similarly to the UI services. This was a great improvement, but some > end-users may prefer to have the "old" view over the new one. > We should add an application or gateway-level property to support this > feature. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2955) Knox Readiness Awareness and Notification
[ https://issues.apache.org/jira/browse/KNOX-2955?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17763627#comment-17763627 ] ASF subversion and git services commented on KNOX-2955: --- Commit 3f3a65baddb58e4ad5d6bb0c0aa1d039fba688b5 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3f3a65bad ] KNOX-2955 - Knox Readiness Awareness and Notification (#792) > Knox Readiness Awareness and Notification > - > > Key: KNOX-2955 > URL: https://issues.apache.org/jira/browse/KNOX-2955 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently, Knox is unable to accurately report its readiness to handle > requests (e.g., all topology deployments have completed). > Knox needs a more reliable means by which to know that all of the topologies > have been completely deployed before reporting that it is "ready". > Knox also needs a new built-in endpoint for querying this readiness, which > does not require authentication. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2948) Make encryptquerystring provision optional
[
https://issues.apache.org/jira/browse/KNOX-2948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17763614#comment-17763614
]
ASF subversion and git services commented on KNOX-2948:
---
Commit 550bcc401a6cfe84a88778ab13f1a22504c83abc in knox's branch
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=550bcc401 ]
KNOX-2948 - HXR parser can handle the new
'provisionEncryptQueryStringCredential' boolean field in SimpleDescriptor (#793)
> Make encryptquerystring provision optional
> --
>
> Key: KNOX-2948
> URL: https://issues.apache.org/jira/browse/KNOX-2948
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
>Affects Versions: 0.14.0, 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 2.0.0,
> 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h
> Remaining Estimate: 0h
>
> Since KNOX-1136, Knox saves the {{encryptQueryString}} alias in the given
> topology's credential store when processing the descriptor.
> The problem with this approach is, that, in some cases, it may happen that
> 3rd party deployment tools (such as Cloudera Manager) persists that secret in
> a separate phase and
> * this makes the Knox call redundant
> * Knox will override the previously saved value silently
> Proposal:
> - introduce a new descriptor-level property called
> {{provision-encrypt-query-string-credential}} (defaults to {{true}}) which
> controls this behavior
> - if the descriptor is configured with
> {{provisionEncryptQueryStringCredential = false}}, no credential store
> operation should be done to save that alias.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
