[jira] [Resolved] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey resolved KNOX-1779.
----------------------------------
    Resolution: Implemented

> Add HTTP X-XSS-Protection response header support for WebAppSec Provider
> ------------------------------------------------------------------------
>
>                 Key: KNOX-1779
>                 URL: https://issues.apache.org/jira/browse/KNOX-1779
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.2.0
>            Reporter: Krishna Pandey
>            Assignee: Krishna Pandey
>            Priority: Critical
>              Labels: security
>             Fix For: 1.3.0
>
>         Attachments: Screenshot 2019-02-20 at 4.24.18 PM.png
>
>   Original Estimate: 168h
>  Remaining Estimate: 168h
>
> Support to add the X-XSS-Protection HTTP response header in Knox's WebAppSec
> Provider, enabling modern web browsers to detect and thwart Cross-site
> Scripting (XSS) attacks.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
[jira] [Comment Edited] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772898#comment-16772898 ]

Krishna Pandey edited comment on KNOX-1779 at 2/20/19 11:02 AM:
----------------------------------------------------------------

[~krisden] As I started working on this issue, I realized that this header already exists in functionality but is missing in the documentation. We can enable it by adding the below in the WebAppSec provider.

{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}

See the sample HTTP response below with the X-XSS-Protection response header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png|height=80%,width=80%!


was (Author: kpandey):
[~krisden] As I started working on this issue, I realized that this header already exists in functionality but is missing in the documentation. We can enable it by adding the below in the WebAppSec provider.

{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}

See the sample HTTP response below with the X-XSS-Protection response header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png!
[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772898#comment-16772898 ]

Krishna Pandey commented on KNOX-1779:
--------------------------------------

[~krisden] As I started working on this issue, I realized that this header already exists in functionality but is missing in the documentation. We can enable it by adding the below in the WebAppSec provider.

{code:xml}
<param>
    <name>xss.protection.enabled</name>
    <value>true</value>
</param>
{code}

See the sample HTTP response below with the X-XSS-Protection response header set.

!Screenshot 2019-02-20 at 4.24.18 PM.png!
[jira] [Updated] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-1779:
---------------------------------
    Attachment: Screenshot 2019-02-20 at 4.24.18 PM.png
[jira] [Commented] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
[ https://issues.apache.org/jira/browse/KNOX-1779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16772542#comment-16772542 ]

Krishna Pandey commented on KNOX-1779:
--------------------------------------

[~krisden] I intend to provide a patch shortly.
[jira] [Created] (KNOX-1779) Add HTTP X-XSS-Protection response header support for WebAppSec Provider
Krishna Pandey created KNOX-1779:
------------------------------------

             Summary: Add HTTP X-XSS-Protection response header support for WebAppSec Provider
                 Key: KNOX-1779
                 URL: https://issues.apache.org/jira/browse/KNOX-1779
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 1.2.0
            Reporter: Krishna Pandey
            Assignee: Krishna Pandey
             Fix For: 1.3.0


Support to add the X-XSS-Protection HTTP response header in Knox's WebAppSec Provider, enabling modern web browsers to detect and thwart Cross-site Scripting (XSS) attacks.
Re: [ANNOUNCE] New committer and PMC member: Kevin Risden
Congrats, Kevin!

On Tue, Apr 3, 2018 at 8:40 PM, Phil Zampino wrote:

> Congrats!
>
> On Tue, Apr 3, 2018 at 10:39 AM, larry mccay wrote:
>
> > The Project Management Committee (PMC) for Apache Knox
> > has invited Kevin Risden to become a committer and PMC member and
> > we are pleased to announce that he has accepted.
> >
> > Kevin has been a contributor to Apache Knox with LDAP and Solr related
> > contributions for a number of years. He has also provided tremendous
> > assistance to others within the community on the dev@ and user@ lists.
> >
> > I am excited to have him on board as a committer and PMC member and look
> > forward to his continued contributions to the project and its direction.
> >
> > Being a committer enables easier contribution to the
> > project since there is no need to go via the patch
> > submission process. This should enable better productivity.
> > Being a PMC member enables assistance with the management
> > and to guide the direction of the project.
> >
[jira] [Commented] (KNOX-1028) X-Frame-Options and other security headers are ineffective
[ https://issues.apache.org/jira/browse/KNOX-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16157883#comment-16157883 ]

Krishna Pandey commented on KNOX-1028:
--------------------------------------

Thanks [~lmc...@apache.org]. I tested this locally as suggested above and it works like a charm. I am able to see the security headers in force. Indeed this is a minor error in the documentation, nothing much.

> X-Frame-Options and other security headers are ineffective
> ----------------------------------------------------------
>
>                 Key: KNOX-1028
>                 URL: https://issues.apache.org/jira/browse/KNOX-1028
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Site
>    Affects Versions: 0.13.0, 0.14.0
>            Reporter: Krishna Pandey
>            Priority: Critical
>             Fix For: 0.14.0
>
>         Attachments: csrf enforcement.png, Screen Shot 2017-09-07 at 10.31.20 PM.png, with xframe.options.enabled.png
>
>
> When the xframe-options.enabled param is set to true in the WebAppSec provider, the
> same is not reflected in the HTTP response header. See the attached screenshot here.
> !Screen Shot 2017-09-07 at 10.31.20 PM.png|width=70%!
> Also the X-XSRF-Header param is not effective and curl calls without
> X-XSRF-Header are also passing through, e.g.
>
> {code}
> $ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
> HTTP/1.1 200 OK
> Date: Thu, 07 Sep 2017 16:57:27 GMT
> Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
> Content-Type: application/xml
> Content-Length: 167
> Server: Jetty(9.2.15.v20160210)
>
> 0.14.0-SNAPSHOT
> 6657f2fd9f52c8303fc9a2d1d72eef38be719288
> {code}
>
> Related topology config
>
> {noformat}
> <provider>
>     <role>webappsec</role>
>     <name>WebAppSec</name>
>     <enabled>true</enabled>
>     <param>
>         <name>csrf.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>csrf.customHeader</name>
>         <value>X-XSRF-Header</value>
>     </param>
>     <param>
>         <name>csrf.methodsToIgnore</name>
>         <value>GET,OPTIONS,HEAD</value>
>     </param>
>     <param>
>         <name>cors.enabled</name>
>         <value>true</value>
>     </param>
>     <param>
>         <name>xframe-options.enabled</name>
>         <value>true</value>
>     </param>
> </provider>
> {noformat}
[jira] [Created] (KNOX-1028) X-Frame-Options and other security headers are ineffective
Krishna Pandey created KNOX-1028:
------------------------------------

             Summary: X-Frame-Options and other security headers are ineffective
                 Key: KNOX-1028
                 URL: https://issues.apache.org/jira/browse/KNOX-1028
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.13.0, 0.14.0
            Reporter: Krishna Pandey
            Priority: Critical
         Attachments: Screen Shot 2017-09-07 at 10.31.20 PM.png


When the xframe-options.enabled param is set to true in the WebAppSec provider, the same is not reflected in the HTTP response header. See the attached screenshot here !Screen Shot 2017-09-07 at 10.31.20 PM.png|thumbnail!.

Also the X-XSRF-Header param is not effective and curl calls without X-XSRF-Header are also passing through, e.g.

{code}
$ curl -iku admin:admin-password https://localhost:8443/gateway/admin/api/v1/version
HTTP/1.1 200 OK
Date: Thu, 07 Sep 2017 16:57:27 GMT
Set-Cookie: JSESSIONID=169y7xds1o2ga3mvrbtly6t77;Path=/gateway/admin;Secure;HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/admin; Max-Age=0; Expires=Wed, 06-Sep-2017 16:57:27 GMT
Content-Type: application/xml
Content-Length: 167
Server: Jetty(9.2.15.v20160210)

0.14.0-SNAPSHOT
6657f2fd9f52c8303fc9a2d1d72eef38be719288
{code}

Related topology config

{noformat}
<provider>
    <role>webappsec</role>
    <name>WebAppSec</name>
    <enabled>true</enabled>
    <param>
        <name>csrf.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>csrf.customHeader</name>
        <value>X-XSRF-Header</value>
    </param>
    <param>
        <name>csrf.methodsToIgnore</name>
        <value>GET,OPTIONS,HEAD</value>
    </param>
    <param>
        <name>cors.enabled</name>
        <value>true</value>
    </param>
    <param>
        <name>xframe-options.enabled</name>
        <value>true</value>
    </param>
</provider>
{noformat}
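As an added example (not Knox's own CSRFPreventionFilter), the following Python models the CSRF check that the posted WebAppSec parameters describe. One thing worth noticing in the report: the curl is a GET, and the posted topology lists GET in csrf.methodsToIgnore, so that request passing without X-XSRF-Header is consistent with the configured policy; the header is only demanded for methods outside that list, which is where browser-driven CSRF matters. The model assumes the filter tests for the header's presence rather than a particular value and rejects with HTTP 400; both are assumptions here, not something the issue states.

```python
"""Model of the WebAppSec CSRF check configured in the KNOX-1028 topology.

Added example, not Knox's own CSRFPreventionFilter. It applies the three
posted parameters (csrf.enabled, csrf.customHeader, csrf.methodsToIgnore)
to a request and reports why it was accepted or rejected. Assumptions:
the filter only tests for the header's presence, not its value, and
rejects with HTTP 400.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Tuple

# Values exactly as in the topology posted in KNOX-1028
WEBAPPSEC_PARAMS = {
    "csrf.enabled": "true",
    "csrf.customHeader": "X-XSRF-Header",
    "csrf.methodsToIgnore": "GET,OPTIONS,HEAD",
}


@dataclass(frozen=True)
class CsrfPolicy:
    enabled: bool
    header: str
    methods_to_ignore: FrozenSet[str]

    @classmethod
    def from_params(cls, params: Dict[str, str]) -> "CsrfPolicy":
        """Build a policy from provider <param> name/value pairs."""
        ignore = params.get("csrf.methodsToIgnore", "GET,OPTIONS,HEAD")
        return cls(
            enabled=params.get("csrf.enabled", "false").strip().lower() == "true",
            header=params.get("csrf.customHeader", "X-XSRF-Header").strip(),
            methods_to_ignore=frozenset(
                m.strip().upper() for m in ignore.split(",") if m.strip()
            ),
        )

    def check(self, method: str, headers: Dict[str, str]) -> Tuple[int, str]:
        """Return (status, reason); 200 passes the request on, 400 rejects it."""
        method = method.upper()
        if not self.enabled:
            return 200, "csrf.enabled is false"
        if method in self.methods_to_ignore:
            return 200, f"{method} is listed in csrf.methodsToIgnore"
        # HTTP header names are case-insensitive, so compare them folded
        if any(name.lower() == self.header.lower() for name in headers):
            return 200, f"{self.header} present"
        return 400, f"{method} without {self.header} header"


def explain(params: Dict[str, str], method: str, headers: Dict[str, str]) -> str:
    """One-line verdict for a request under the given provider parameters."""
    status, reason = CsrfPolicy.from_params(params).check(method, headers)
    return f"{status} {method.upper()}: {reason}"


if __name__ == "__main__":
    # The curl from the issue: a GET carrying only Basic auth, no X-XSRF-Header
    basic_only = {"Authorization": "Basic <credentials>"}
    print(explain(WEBAPPSEC_PARAMS, "GET", basic_only))
    print(explain(WEBAPPSEC_PARAMS, "POST", basic_only))
    # Tighter policy: drop GET from the ignore list and the same curl is refused
    strict = dict(WEBAPPSEC_PARAMS, **{"csrf.methodsToIgnore": "OPTIONS,HEAD"})
    print(explain(strict, "GET", basic_only))
```

To reproduce the enforcement with curl against a running gateway, repeat the posted command with `-X POST` (or any method not in csrf.methodsToIgnore), once without and once with `-H 'X-XSRF-Header: 1'`; only the second should get past the provider.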
[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses
[ https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-1017:
---------------------------------
    Component/s: Server

> Add support for enabling "Strict-Transport-Security" header in Knox responses
> -----------------------------------------------------------------------------
>
>                 Key: KNOX-1017
>                 URL: https://issues.apache.org/jira/browse/KNOX-1017
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Latha Appanna
>              Labels: headers
>             Fix For: 0.14.0
>
>
> The HTTP Strict-Transport-Security response header is a security feature that
> lets a web site tell browsers that it should only be communicated with using
> HTTPS, instead of using HTTP. Possible values are:
>
> * max-age=<expire-time>
> * max-age=<expire-time>; includeSubDomains
> * max-age=<expire-time>; preload
[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses
[ https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-1017:
---------------------------------
    Description: 
The HTTP Strict-Transport-Security response header is a security feature that lets a web site tell browsers that it should only be communicated with using HTTPS, instead of using HTTP. Possible values are:

* max-age=<expire-time>
* max-age=<expire-time>; includeSubDomains
* max-age=<expire-time>; preload
[jira] [Updated] (KNOX-1017) Add support for enabling "Strict-Transport-Security" header in Knox responses
[ https://issues.apache.org/jira/browse/KNOX-1017?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-1017:
---------------------------------
    Summary: Add support for enabling "Strict-Transport-Security" header in Knox responses  (was: Add support for enabling "Strict-Transport-Security" header in knox reponses )
Re: KIP-8 Service Discovery and Topology Generation
>
> As a result, I'm wondering if Knox should support provider configuration
> references in topology.xml, rather than having to duplicate it across
> descriptors.

+1 to Phil's remark above. Adding to that, as Knox provides multi-cluster support, can we have external provider config cluster-wise? Or we can define multiple external provider configs in a single "global" provider config file and refer to them with some key?

Also, when services are deployed in HA, we specify HaProvider and multiple Service URLs in the topology. Will it make sense to use the load balancer IP address / external URL for those services in the topology instead of multiple service URLs and using HaProvider?

Thanks,
Krishna Pandey

On Wed, Aug 30, 2017 at 10:05 PM, larry mccay <lmc...@apache.org> wrote:

> Terrific, Phil!
>
>
> On Wed, Aug 30, 2017 at 11:03 AM, Philip Zampino <pzamp...@gmail.com>
> wrote:
>
> > After giving this KIP some thought, I would like to work on it. I've added
> > more detail to the wiki, and I'll create a JIRA for it.
> >
> > On Fri, Aug 25, 2017 at 10:03 AM, larry mccay <lmc...@apache.org> wrote:
> >
> > > Wonderful details, Phil!
> > >
> > >
> > > On Fri, Aug 25, 2017 at 9:40 AM, Philip Zampino <pzamp...@gmail.com>
> > > wrote:
> > >
> > > > Thanks! I've added the Ambari API details to the wiki.
> > > >
> > > > On Fri, Aug 25, 2017 at 8:27 AM, larry mccay <lmc...@apache.org>
> > > > wrote:
> > > >
> > > > > HI Phil -
> > > > >
> > > > > Thank you for digging into this topic!
> > > > >
> > > > > I've added you as a contributor to the wiki and you should be able to
> > > > > edit the KIP now.
> > > > >
> > > > > thanks,
> > > > >
> > > > > --larry
> > > > >
> > > > > On Thu, Aug 24, 2017 at 3:45 PM, Philip Zampino <pzamp...@gmail.com>
> > > > > wrote:
> > > > >
> > > > > > I've put together a quick python POC targeting Ambari as the
> > > > > > discovery source, just to prove that we can indeed get the necessary
> > > > > > details via Ambari's REST API.
> > > > > > It generates a proper topology.xml descriptor based on a simple
> > > > > > descriptor (I chose YAML for this POC), which has a reference to
> > > > > > what I've called a policy descriptor (the <gateway> portion of the
> > > > > > topology descriptor).
> > > > > >
> > > > > > I am currently unable to update the KIP, but I can share the REST
> > > > > > APIs I've employed if there is interest.
> > > > > >
> > > > > > As a result, I'm wondering if Knox should support provider
> > > > > > configuration references in topology.xml, rather than having to
> > > > > > duplicate it across descriptors.
> > > > > > So, instead of ... in each topology.xml, have a single element that
> > > > > > points to an external provider config (e.g.,
> > > > > > $GATEWAY_HOME/conf/policy/my-named-provider-config.xml).
> > > > > > I've already externalized it for input to the POC, but I'm still
> > > > > > copying the contents into the resulting topology descriptor; I think
> > > > > > it would be better to copy only the reference.
> > > > > >
> > > > > > Thoughts?
> > > > > >
> > > > > > - Phil
> > > > > >
> > > > > >
> > > > > > On Fri, Aug 18, 2017 at 1:55 PM, larry mccay <lmc...@apache.org>
> > > > > > wrote:
> > > > > >
> > > > > > > Good to hear, Phil.
> > > > > > >
> > > > > > > Yes, I was looking to go back and add some of the API specifics
> > > > > > > and investigation details for at least Ambari and ZK.
> > > > > > > If others make sense to add such as Consul, etcd, etc that would
> > > > > > > be good as well
[jira] [Updated] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie
[ https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-933:
--------------------------------
    Attachment: KNOX-933_master_v2.patch

> PicketLink Provider must set Secure and HTTPOnly flags on Cookie
> ----------------------------------------------------------------
>
>                 Key: KNOX-933
>                 URL: https://issues.apache.org/jira/browse/KNOX-933
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Krishna Pandey
>              Labels: KIP-7
>             Fix For: 0.13.0
>
>         Attachments: KNOX-933_master_v1.patch, KNOX-933_master_v2.patch
>
>
> The provider creates a cookie in CaptureOriginalURLFilter.java at line 68,
> but fails to set the HttpOnly and Secure flags to true.
> This provider is not really supported anymore and isn't even documented but
> we should make sure that all cookies have HttpOnly and Secure flags set. We
> should separately consider deprecating and removing this provider.
[jira] [Updated] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie
[ https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-933:
--------------------------------
    Attachment: KNOX-933_master_v1.patch

Attaching patch.
[jira] [Assigned] (KNOX-933) PicketLink Provider must set Secure and HTTPOnly flags on Cookie
[ https://issues.apache.org/jira/browse/KNOX-933?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey reassigned KNOX-933:
-----------------------------------
    Assignee: Krishna Pandey
[jira] [Assigned] (KNOX-932) Option to remove the server-name from HTTP-header response
[ https://issues.apache.org/jira/browse/KNOX-932?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey reassigned KNOX-932:
-----------------------------------
    Assignee: Krishna Pandey

> Option to remove the server-name from HTTP-header response
> ----------------------------------------------------------
>
>                 Key: KNOX-932
>                 URL: https://issues.apache.org/jira/browse/KNOX-932
>             Project: Apache Knox
>          Issue Type: Improvement
>            Reporter: Kunal Rajguru
>            Assignee: Krishna Pandey
>              Labels: http-headers
>
>
> Option to remove the server name which is sent as an HTTP header in the response.
> For example:
>
> curl -i -k -u : -X GET 'https://localhost:8443/gateway/default/webhdfs/v1/?op=LISTSTATUS'
> HTTP/1.1 200 OK
> Set-Cookie: JSESSIONID=fs2lu9w7jcgt1tshnfs1cqf8v;Path=/gateway/default;Secure;HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Cache-Control: no-cache
> Expires: Wed, 15 Mar 2017 12:49:24 GMT
> Date: Wed, 15 Mar 2017 12:49:24 GMT
> Pragma: no-cache
> Expires: Wed, 15 Mar 2017 12:49:24 GMT
> Date: Wed, 15 Mar 2017 12:49:24 GMT
> Pragma: no-cache
> Server: Jetty(6.1.26.hwx)
> Content-Type: application/json
> Content-Length: 2593
[jira] [Commented] (KNOX-932) Option to remove the server-name from HTTP-header response
[ https://issues.apache.org/jira/browse/KNOX-932?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15994657#comment-15994657 ]

Krishna Pandey commented on KNOX-932:
-------------------------------------

It would be nice to have this as a configurable property instead of entirely removing it. Removing it will cause more suspicion and push for resorting to other fingerprinting techniques.
[jira] [Updated] (KNOX-925) Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF
[ https://issues.apache.org/jira/browse/KNOX-925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-925:
--------------------------------
    Priority: Minor  (was: Major)

> Configurable - Encryption Algorithm and its key size, Salt and iteration
> count for PBKDF
> -----------------------------------------------------------------------
>
>                 Key: KNOX-925
>                 URL: https://issues.apache.org/jira/browse/KNOX-925
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 0.11.0
>            Reporter: Krishna Pandey
>            Priority: Minor
>
>
> We can make the key length configurable to be used with the RSA algorithm, so
> that users can set the value as per current cryptography guidelines.
> Also, in a password-based key derivation function, the base key is a password
> and the other parameters are a salt value and an iteration count. An
> iteration count has traditionally served the purpose of increasing the cost
> of generating keys from a password. We can keep the Scheme, Salt and
> Iteration Count configurable for users to fine tune as per their requirements.
[jira] [Created] (KNOX-925) Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF
Krishna Pandey created KNOX-925:
-----------------------------------

             Summary: Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF
                 Key: KNOX-925
                 URL: https://issues.apache.org/jira/browse/KNOX-925
             Project: Apache Knox
          Issue Type: Improvement
          Components: Server
    Affects Versions: 0.11.0
            Reporter: Krishna Pandey


We can make the key length configurable to be used with the RSA algorithm, so that users can set the value as per current cryptography guidelines.

Also, in a password-based key derivation function, the base key is a password and the other parameters are a salt value and an iteration count. An iteration count has traditionally served the purpose of increasing the cost of generating keys from a password. We can keep the Scheme, Salt and Iteration Count configurable for users to fine tune as per their requirements.
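An added example, not Knox's keystore or crypto-service code, of what making the PBKDF parameters configurable looks like in practice. The hash function, salt length, iteration count and derived-key length all come from one configuration dict (the kdf.* property names are hypothetical), and the parameters are stored alongside the derived key, because a tunable cost is only useful if a value derived under yesterday's settings can still be verified and then flagged for re-derivation once the configured cost is raised. The RSA key-size part of the description is not covered here.

```python
"""Password-based key derivation with the parameters KNOX-925 asks to expose.

Added example, not Knox's keystore or crypto service code. The hash
function, salt size, iteration count and derived-key length come from one
configuration dict (hypothetical kdf.* names), and the derived key is stored
together with its parameters so it can be verified later and re-derived
when the configured cost goes up.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Hypothetical property names; the values are a sensible current baseline
DEFAULT_KDF_CONFIG: Dict[str, object] = {
    "kdf.hash": "sha256",
    "kdf.salt.bytes": 16,
    "kdf.iterations": 600_000,   # OWASP's 2023 figure for PBKDF2-HMAC-SHA256
    "kdf.key.bytes": 32,
}


def derive_key(password: str, salt: bytes, config: Dict[str, object]) -> bytes:
    """PBKDF2-HMAC with all four parameters taken from config."""
    iterations = int(config["kdf.iterations"])
    if len(salt) < 8:
        raise ValueError("salt must be at least 8 bytes")
    if iterations < 1:
        raise ValueError("iteration count must be positive")
    return hashlib.pbkdf2_hmac(
        str(config["kdf.hash"]), password.encode("utf-8"), salt,
        iterations, int(config["kdf.key.bytes"]),
    )


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def encode_password(password: str, config: Dict[str, object] = DEFAULT_KDF_CONFIG) -> str:
    """Return 'pbkdf2$hash$iterations$salt$key' using a fresh random salt."""
    salt = os.urandom(int(config["kdf.salt.bytes"]))
    key = derive_key(password, salt, config)
    return "$".join(["pbkdf2", str(config["kdf.hash"]),
                     str(int(config["kdf.iterations"])), _b64(salt), _b64(key)])


def parse_encoded(encoded: str) -> Tuple[Dict[str, object], bytes, bytes]:
    """Recover (config, salt, key) from an encoded string."""
    scheme, hash_name, iterations, salt_b64, key_b64 = encoded.split("$")
    if scheme != "pbkdf2":
        raise ValueError(f"unsupported scheme {scheme!r}")
    salt, key = base64.b64decode(salt_b64), base64.b64decode(key_b64)
    config: Dict[str, object] = {
        "kdf.hash": hash_name, "kdf.salt.bytes": len(salt),
        "kdf.iterations": int(iterations), "kdf.key.bytes": len(key),
    }
    return config, salt, key


def verify_password(password: str, encoded: str) -> bool:
    """Constant-time comparison against the stored key, using the stored parameters."""
    config, salt, expected = parse_encoded(encoded)
    return hmac.compare_digest(derive_key(password, salt, config), expected)


def needs_rehash(encoded: str, config: Dict[str, object] = DEFAULT_KDF_CONFIG) -> bool:
    """True when the stored value was derived with weaker parameters than config."""
    stored, _, _ = parse_encoded(encoded)
    return (
        stored["kdf.hash"] != config["kdf.hash"]
        or int(stored["kdf.iterations"]) < int(config["kdf.iterations"])
        or int(stored["kdf.key.bytes"]) < int(config["kdf.key.bytes"])
        or int(stored["kdf.salt.bytes"]) < int(config["kdf.salt.bytes"])
    )


if __name__ == "__main__":
    legacy = dict(DEFAULT_KDF_CONFIG, **{"kdf.iterations": 10_000})
    stored = encode_password("admin-password", legacy)
    print(stored)
    print("verifies:", verify_password("admin-password", stored))
    print("needs rehash under current config:", needs_rehash(stored))
```

Raising kdf.iterations in the configuration does not invalidate existing values: verify_password always uses the parameters embedded in the stored string, and needs_rehash tells the caller to re-encode on the next successful login. The 8-byte salt floor and the positive iteration check are the minimum sanity checks on operator-supplied values; the cost itself should be tuned by timing derive_key on the deployment hardware.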
[jira] [Commented] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
[ https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15948465#comment-15948465 ]

Krishna Pandey commented on KNOX-915:
-------------------------------------

I've created a new patch from location http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of the User's Guide: http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication, http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication and http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.

> Adding example PAM config for Ubuntu in Knox User Guide under PAM Based
> Authentication section
> -----------------------------------------------------------------------
>
>                 Key: KNOX-915
>                 URL: https://issues.apache.org/jira/browse/KNOX-915
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: KnoxCLI
>    Affects Versions: 0.11.0
>         Environment: Ubuntu-16.04-64bit
>            Reporter: Krishna Pandey
>            Priority: Minor
>              Labels: documentation
>             Fix For: 0.13.0
>
>         Attachments: KNOX-915_v0.12.0_v1.patch, KNOX-915_v.0.12.0_v2.patch
>
>
> Current documentation covers an example of PAM configuration on OSX. It will
> be useful if we can add at least one Linux variant example to help deploy
> Knox in a Linux environment configured for PAM based authentication.
[jira] [Comment Edited] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
[ https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15948465#comment-15948465 ]

Krishna Pandey edited comment on KNOX-915 at 3/30/17 5:56 AM:
--------------------------------------------------------------

[~smore] I've created a new patch from location http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of the User's Guide: http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication, http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication and http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.


was (Author: kpandey):
I've created a new patch from location http://svn.apache.org/repos/asf/knox/trunk/ for all three versions of the User's Guide: http://knox.apache.org/books/knox-0-10-0/user-guide.html#PAM+based+Authentication, http://knox.apache.org/books/knox-0-11-0/user-guide.html#PAM+based+Authentication and http://knox.apache.org/books/knox-0-12-0/user-guide.html#PAM+based+Authentication.
[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
[ https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-915:
--------------------------------
    Attachment: KNOX-915_v.0.12.0_v2.patch
[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
[ https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-915:
--------------------------------
    Attachment: KNOX-915_v0.12.0_v1.patch
[jira] [Updated] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
[ https://issues.apache.org/jira/browse/KNOX-915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-915:
--------------------------------
    Status: Patch Available  (was: Open)

We need to have the below entries in the /etc/pam.d/login file on an Ubuntu 16.04 system. The default entries in a freshly installed system were not working for me. This should also work for other versions of Ubuntu as well.

{noformat}
#%PAM-1.0
auth       required     pam_sepermit.so
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
@include password-auth
{noformat}
[jira] [Created] (KNOX-915) Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
Krishna Pandey created KNOX-915:
---

             Summary: Adding example PAM config for Ubuntu in Knox User Guide under PAM Based Authentication section
                 Key: KNOX-915
                 URL: https://issues.apache.org/jira/browse/KNOX-915
             Project: Apache Knox
          Issue Type: Improvement
          Components: KnoxCLI
    Affects Versions: 0.11.0
         Environment: Ubuntu-16.04-64bit
            Reporter: Krishna Pandey
            Priority: Minor

Current documentation covers an example of PAM configuration on OSX. It will be useful if we can add at least one Linux variant example to help deploy Knox in a Linux environment configured for PAM based authentication.
[jira] [Created] (KNOX-722) Null Pointer Exception while accessing Services via Knox SSO configured for OKTA
Krishna Pandey created KNOX-722:
---

             Summary: Null Pointer Exception while accessing Services via Knox SSO configured for OKTA
                 Key: KNOX-722
                 URL: https://issues.apache.org/jira/browse/KNOX-722
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 0.9.0
         Environment: All
            Reporter: Krishna Pandey
            Priority: Critical

When trying to access services (e.g. Ranger) using Knox Single Sign-On configured for Okta, we get an HTTP 500 error. The error is caused by a NullPointerException, which can be seen in gateway.log; the relevant log is below:

{noformat}
2016-07-12 21:24:11,131 ERROR hadoop.gateway (AbstractGatewayFilter.java:doFilter(69)) - Failed to execute filter: java.lang.NullPointerException
2016-07-12 21:24:11,132 ERROR hadoop.gateway (GatewayFilter.java:doFilter(145)) - Gateway processing failed: javax.servlet.ServletException: java.lang.NullPointerException
javax.servlet.ServletException: java.lang.NullPointerException
    at org.apache.hadoop.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:70)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:139)
    at org.apache.hadoop.gateway.GatewayFilter.doFilter(GatewayFilter.java:91)
    at org.apache.hadoop.gateway.GatewayServlet.service(GatewayServlet.java:138)
    at org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:812)
    at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:587)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
    at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:577)
    at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:223)
    at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1127)
    at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:515)
    at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
    at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1061)
    at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
    at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:215)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.trace.TraceHandler.handle(TraceHandler.java:51)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.apache.hadoop.gateway.filter.CorrelationHandler.handle(CorrelationHandler.java:39)
    at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:110)
    at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:97)
    at org.eclipse.jetty.server.Server.handle(Server.java:499)
    at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:311)
    at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:257)
    at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:544)
    at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
    at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.lang.NullPointerException
    at org.apache.hadoop.gateway.pac4j.filter.Pac4jDispatcherFilter.doFilter(Pac4jDispatcherFilter.java:209)
    at org.apache.hadoop.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:332)
    at org.apache.hadoop.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:232)
    at org.apache.hadoop.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:30)
{noformat}
[jira] [Updated] (KNOX-718) redirecting back after authentication, not valid according to the configured whitelist
[ https://issues.apache.org/jira/browse/KNOX-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-718:
    Description:

The user does not get any warning about the rejection due to the whitelist when logging in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log:

"2016-06-21 18:26:02,074 WARN service.knoxsso (WebSSOResource.java:init(89)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2016-06-21 18:26:02,076 INFO service.knoxsso (WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: original-url
2016-06-21 18:26:02,077 ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(159)) - The original URL: http://:6080/ for redirecting back after authentication is not valid according to the configured whitelist: ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See documentation for KnoxSSO Whitelisting."

  was:

The user does not get any warning about the rejection due to the whitelist when logging in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log:

"2016-06-21 18:26:02,074 WARN service.knoxsso (WebSSOResource.java:init(89)) - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
2016-06-21 18:26:02,076 INFO service.knoxsso (WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name: original-url
2016-06-21 18:26:02,077 ERROR service.knoxsso (WebSSOResource.java:getAuthenticationToken(159)) - The original URL: http://os-d7-larry-knox-bug59465-5.openstacklocal.com:6080/ for redirecting back after authentication is not valid according to the configured whitelist: ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See documentation for KnoxSSO Whitelisting."

> redirecting back after authentication, not valid according to the configured
> whitelist
> --
>
>                 Key: KNOX-718
>                 URL: https://issues.apache.org/jira/browse/KNOX-718
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Krishna Pandey
>             Fix For: 0.10.0
>
>
> The user does not get any warning about the rejection due to the whitelist when logging
> in through KnoxSSO form-based authentication. Refer to the logs below from gateway.log:
> "2016-06-21 18:26:02,074 WARN service.knoxsso (WebSSOResource.java:init(89))
> - The SSO cookie SecureOnly flag is set to FALSE and is therefore insecure.
> 2016-06-21 18:26:02,076 INFO service.knoxsso
> (WebSSOResource.java:getCookieValue(265)) - Unable to find cookie with name:
> original-url
> 2016-06-21 18:26:02,077 ERROR service.knoxsso
> (WebSSOResource.java:getAuthenticationToken(159)) - The original URL:
> http://:6080/ for redirecting back after authentication is not
> valid according to the configured whitelist:
> ^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$. See
> documentation for KnoxSSO Whitelisting."
[jira] [Updated] (KNOX-718) redirecting back after authentication, not valid according to the configured whitelist
[ https://issues.apache.org/jira/browse/KNOX-718?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Krishna Pandey updated KNOX-718:
    Summary: redirecting back after authentication, not valid according to the configured whitelist  (was: redirecting back after authentication is not valid according to the configured whitelist)
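The whitelist decision that the KNOX-718 log lines report, reproduced here as an added example; this is not Knox's own code. The regex is copied from the log lines above, the rejected URL is the one from the original description, and the deployment-specific pattern, the `hostname_allows` check and the `evil.example` host are constructed for illustration. The stricter check shows why a redirect validator should compare the parsed hostname rather than only pattern-match the raw string: a URL whose userinfo part spells out an allowed host still satisfies the regex but parses to a different host.

```python
import re
from urllib.parse import urlparse

# Whitelist regex exactly as printed in the KNOX-718 gateway.log lines
# (the configured default, which only admits loopback hosts).
DEFAULT_WHITELIST = r"^https?:\/\/(localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$"

# Constructed deployment-specific whitelist (an assumption for illustration,
# not a Knox default): any host under openstacklocal.com with an explicit port.
DEPLOYMENT_WHITELIST = r"^https?:\/\/[a-z0-9.-]+\.openstacklocal\.com:[0-9]+\/.*$"


def regex_allows(original_url: str, whitelist: str) -> bool:
    """The check the log line describes: does original-url match the whitelist regex?"""
    return re.match(whitelist, original_url) is not None


def hostname_allows(original_url: str, allowed_hosts: set) -> bool:
    """Stricter check (added here, not Knox code): parse the URL and compare the
    hostname component, so userinfo or path content cannot impersonate an allowed host."""
    parsed = urlparse(original_url)
    if parsed.scheme not in ("http", "https") or parsed.hostname is None:
        return False
    return parsed.hostname.lower() in allowed_hosts


def decide(original_url: str, whitelist: str = DEFAULT_WHITELIST):
    """Return (allowed, message), mirroring the wording WebSSOResource logs in KNOX-718."""
    if regex_allows(original_url, whitelist):
        return True, f"redirect to {original_url} permitted"
    return False, (
        f"The original URL: {original_url} for redirecting back after authentication "
        f"is not valid according to the configured whitelist: {whitelist}. "
        "See documentation for KnoxSSO Whitelisting."
    )


if __name__ == "__main__":
    # Constructed sample redirect targets, including the host from the KNOX-718 report.
    for url in (
        "http://localhost:8443/gateway/knoxsso/api/v1/websso",
        "http://os-d7-larry-knox-bug59465-5.openstacklocal.com:6080/",
        "http://localhost:8443@evil.example/",
    ):
        allowed, message = decide(url)
        print(f"{'ALLOW' if allowed else 'REJECT'} (regex)    {message}")
        print(f"{'ALLOW' if hostname_allows(url, {'localhost'}) else 'REJECT'} (hostname) {url}")
```

Pairing the two checks is the practical takeaway: keep the configured whitelist regex for the deployment's real hosts, but also assert on the parsed hostname so the logged rejection (or acceptance) reflects where the browser will actually be sent.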