[jira] [Commented] (KNOX-3023) Extend the Hadoop proxyuser dispatch to optionally include groups in a header in addition to doAs

2024-04-21 Thread Larry McCay (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3023?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17839381#comment-17839381
 ] 

Larry McCay commented on KNOX-3023:
---

[~smore] - are you working on this? Can you add a description and planned Fix 
Version?

> Extend the Hadoop proxyuser dispatch to optionally include groups in a header 
> in addition to doAs
> -
>
> Key: KNOX-3023
> URL: https://issues.apache.org/jira/browse/KNOX-3023
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-3031) CLIENT_ID and CLIENT_SECRET without Token Managed set results in 200 inappropriately

2024-04-21 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3031?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-3031:
--
Description: 
Noticed that use of CLIENT_ID and SECRET for OAuth flows with 
knox.token.exp.server-managed not set to true results in a 200 response code 
and no body when attempting to use token exchange flow with the KNOXTOKEN 
service.

Note that the same is true for Passcode token based authentication which is 
what is used by the OAuth client credentials support.

Have to change this to return a 401 since the client id cannot be verified 
without the state store. See AbstractJWTFilter(line 436).



  was:
Noticed that use of CLIENT_ID and SECRET for OAuth flows with 
knox.token.exp.server-managed not set to true results in a 200 response code 
and no body when attempting to use token exchange flow with the KNOXTOKEN 
service.

Have to change this to return a 401 since the client id cannot be verified 
without the state store. See AbstractJWTFilter(line 436).




> CLIENT_ID and CLIENT_SECRET without Token Managed set results in 200 
> inappropriately
> 
>
> Key: KNOX-3031
> URL: https://issues.apache.org/jira/browse/KNOX-3031
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
>
> Noticed that use of CLIENT_ID and SECRET for OAuth flows with 
> knox.token.exp.server-managed not set to true results in a 200 response code 
> and no body when attempting to use token exchange flow with the KNOXTOKEN 
> service.
> Note that the same is true for Passcode token based authentication which is 
> what is used by the OAuth client credentials support.
> Have to change this to return a 401 since the client id cannot be verified 
> without the state store. See AbstractJWTFilter(line 436).





[jira] [Created] (KNOX-3031) CLIENT_ID and CLIENT_SECRET without Token Managed set results in 200 inappropriately

2024-04-20 Thread Larry McCay (Jira)
Larry McCay created KNOX-3031:
-

 Summary: CLIENT_ID and CLIENT_SECRET without Token Managed set 
results in 200 inappropriately
 Key: KNOX-3031
 URL: https://issues.apache.org/jira/browse/KNOX-3031
 Project: Apache Knox
  Issue Type: Bug
  Components: JWT
Reporter: Larry McCay
Assignee: Larry McCay
 Fix For: 2.1.0


Noticed that use of CLIENT_ID and SECRET for OAuth flows with 
knox.token.exp.server-managed not set to true results in a 200 response code 
and no body when attempting to use token exchange flow with the KNOXTOKEN 
service.

Have to change this to return a 401 since the client id cannot be verified 
without the state store. See AbstractJWTFilter(line 436).







[jira] [Resolved] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-15 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay resolved KNOX-3028.
---
Resolution: Fixed

> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 3h
> Remaining Estimate: 0h
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register a url pattern for each usecase and the resource path within the 
> jersey service will need to accommodate the dynamic nature of the Iceberg 
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and need to match to the 
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> We will also need to accommodate a first-class Knox pattern and service name 
> of "oauth" and only allow "token" or "oauth" after the v1 with the remaining 
> path fragment being optional for the iceberg specific "tokens".
> Not pretty but it will work.
> 1. 
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
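
One way to express the path rules from the KNOX-3028 description as a strict matcher, as an added example rather than Knox's own resource path. `java.util.regex` stands in for the Jersey path template here, and the class name, method names and sample paths are constructed for illustration.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Added illustration; not the Knox TokenResource. All names are hypothetical. */
public class OAuthTokenPathCheck {

    // Grammar taken from the description: /<service>/v1/(token|oauth)[/tokens][/]
    // The service name is limited to one path segment, so it cannot absorb '/' or "..".
    private static final Pattern STRICT = Pattern.compile(
            "/(?<service>[A-Za-z0-9_-]+)/v1/(?<kind>token|oauth)(?<tokens>/tokens)?/?");

    // Same grammar with a greedy wildcard for the service name, shown for contrast:
    // the captured "service" can then span several path segments.
    private static final Pattern LOOSE = Pattern.compile(
            "/(?<service>.*)/v1/(?<kind>token|oauth)(?<tokens>/tokens)?/?");

    /** True only for a full match whose service name is one of the configured names. */
    static boolean isTokenEndpoint(Pattern pattern, String path, Set<String> services) {
        Matcher m = pattern.matcher(path);
        return m.matches() && services.contains(m.group("service"));
    }

    /** Service name the pattern extracts, or null when the path does not match. */
    static String serviceOf(Pattern pattern, String path) {
        Matcher m = pattern.matcher(path);
        return m.matches() ? m.group("service") : null;
    }

    public static void main(String[] args) {
        // "oauth" is the first-class Knox name; "icecli" is the configurable one
        // used as the example service name in the description.
        Set<String> services = new HashSet<>(Arrays.asList("oauth", "icecli"));

        // Constructed sample paths.
        String[] paths = {
            "/oauth/v1/token",               // generic token endpoint
            "/icecli/v1/oauth/tokens/",      // Iceberg-style endpoint, trailing slash
            "/icecli/v1/oauth/tokens",       // same without the trailing slash
            "/icecli/v1/token/tokens",       // accepted by the grammar as described
            "/other/v1/token",               // well-formed, but service not configured
            "/icecli/v2/oauth/tokens",       // wrong version segment
            "/icecli/v1/oauth/tokens/extra", // trailing segment is not part of the grammar
            "/a/b/v1/token"                  // multi-segment prefix
        };
        for (String p : paths) {
            System.out.printf("%-32s strict=%-5b serviceSeenByLoosePattern=%s%n",
                    p, isTokenEndpoint(STRICT, p, services), serviceOf(LOOSE, p));
        }
    }
}
```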


[jira] [Updated] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-09 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-3028:
--
Description: 
This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.

This is being driven by a specific need to proxy access to the Iceberg REST 
Catalog API. In this specific usecase, we need to intercept the use of the 
following endpoint URLs and serve the token exchange flow for the 
authenticating user.

{code}
/v1/oauth/tokens
{code}

Details for these requirements can be found in the openapi description for the 
catalog API [1].

In addition to this usecase, we should add generic support for the token 
exchange flow with more generic URL that better aligns with what others use.

{code}
/oauth/v1/token
{code}

We will support the use of the "oauth" service name within the existing 
KNOXTOKEN service with an extension of the TokenResource which adapts the 
existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.

In order to support both URLs, the deployment contributor will need to register 
a url pattern for each usecase and the resource path within the jersey service 
will need to accommodate the dynamic nature of the Iceberg REST Catalog API 
which will add the catalog API service name as well.

{code}
/icecli/v1/oauth/tokens/
{code}

Where "icecli" may be some configurable service name and need to match to the 
incoming URL.
We will wildcard that by making it a regex matched path param.

We will also need to accommodate a first-class Knox pattern and service name of 
"oauth" and only allow "token" or "oauth" after the v1 with the remaining path 
fragment being optional for the iceberg specific "tokens".

Not pretty but it will work.

1. 
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml


  was:
This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.

This is being driven by a specific need to proxy access to the Iceberg REST 
Catalog API. In this specific usecase, we need to intercept the use of the 
following endpoint URLs and serve the token exchange flow for the 
authenticating user.

{code}
/v1/oauth/tokens
{code}

Details for these requirements can be found in the openapi description for the 
catalog API [1].

In addition to this usecase, we should add generic support for the token 
exchange flow with more generic URL that better aligns with what others use.

{code}
/oauth/v1/token
{code}

We will support the use of the "oauth" service name within the existing 
KNOXTOKEN service with an extension of the TokenResource which adapts the 
existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.

In order to support both URLs, the deployment contributor will need to register 
a url pattern for each usecase and the resource path within the jersey service 
will need to accommodate the dynamic nature of the Iceberg REST Catalog API 
which will add the catalog API service name as well.

{code}
/icecli/v1/oauth/tokens/
{code}

Where "icecli" may be some configurable service name and need to match to the 
incoming URL.
We will wildcard that by making it a regex matched path param.

1. 
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml



> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on 

[jira] [Updated] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-09 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3028?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-3028:
--
Description: 
This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.

This is being driven by a specific need to proxy access to the Iceberg REST 
Catalog API. In this specific usecase, we need to intercept the use of the 
following endpoint URLs and serve the token exchange flow for the 
authenticating user.

{code}
/v1/oauth/tokens
{code}

Details for these requirements can be found in the openapi description for the 
catalog API [1].

In addition to this usecase, we should add generic support for the token 
exchange flow with more generic URL that better aligns with what others use.

{code}
/oauth/v1/token
{code}

We will support the use of the "oauth" service name within the existing 
KNOXTOKEN service with an extension of the TokenResource which adapts the 
existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.

In order to support both URLs, the deployment contributor will need to register 
a url pattern for each usecase and the resource path within the jersey service 
will need to accommodate the dynamic nature of the Iceberg REST Catalog API 
which will add the catalog API service name as well.

{code}
/icecli/v1/oauth/tokens/
{code}

Where "icecli" may be some configurable service name and need to match to the 
incoming URL.
We will wildcard that by making it a regex matched path param.

1. 
https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml


  was:
This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.



> KnoxToken extension for OAuth Token Flows
> -
>
> Key: KNOX-3028
> URL: https://issues.apache.org/jira/browse/KNOX-3028
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
>
> This change will extend the existing TokenResource for KNOXTOKEN service to 
> include OAuth specifics such as expected URL, error messages and flows to 
> support Token Exchange Flow and Token Refresh.
> This is being driven by a specific need to proxy access to the Iceberg REST 
> Catalog API. In this specific usecase, we need to intercept the use of the 
> following endpoint URLs and serve the token exchange flow for the 
> authenticating user.
> {code}
> /v1/oauth/tokens
> {code}
> Details for these requirements can be found in the openapi description for 
> the catalog API [1].
> In addition to this usecase, we should add generic support for the token 
> exchange flow with more generic URL that better aligns with what others use.
> {code}
> /oauth/v1/token
> {code}
> We will support the use of the "oauth" service name within the existing 
> KNOXTOKEN service with an extension of the TokenResource which adapts the 
> existing KNOXTOKEN behavior to the expectations of clients on OAuth responses.
> In order to support both URLs, the deployment contributor will need to 
> register a url pattern for each usecase and the resource path within the 
> jersey service will need to accommodate the dynamic nature of the Iceberg 
> REST Catalog API which will add the catalog API service name as well.
> {code}
> /icecli/v1/oauth/tokens/
> {code}
> Where "icecli" may be some configurable service name and need to match to the 
> incoming URL.
> We will wildcard that by making it a regex matched path param.
> 1. 
> https://github.com/apache/iceberg/blob/main/open-api/rest-catalog-open-api.yaml





[jira] [Created] (KNOX-3028) KnoxToken extension for OAuth Token Flows

2024-04-03 Thread Larry McCay (Jira)
Larry McCay created KNOX-3028:
-

 Summary: KnoxToken extension for OAuth Token Flows
 Key: KNOX-3028
 URL: https://issues.apache.org/jira/browse/KNOX-3028
 Project: Apache Knox
  Issue Type: Bug
  Components: JWT
Reporter: Larry McCay
Assignee: Larry McCay
 Fix For: 2.1.0


This change will extend the existing TokenResource for KNOXTOKEN service to 
include OAuth specifics such as expected URL, error messages and flows to 
support Token Exchange Flow and Token Refresh.






[jira] [Resolved] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3016?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay resolved KNOX-3016.
---
Resolution: Fixed

> Add Support for Client Credentials Flow with KnoxTokens
> ---
>
> Key: KNOX-3016
> URL: https://issues.apache.org/jira/browse/KNOX-3016
> Project: Apache Knox
> Issue Type: Bug
> Components: JWT
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 1h 10m
> Remaining Estimate: 0h
>
> Adding support for integrations to Knox proxied services and APIs via OAuth 
> style client credentials flow. This allows an integration that is provided a 
> CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access 
> proxied services with those or exchange those credentials for short lived JWT 
> based access, id and refresh tokens.
> This change introduces only the acceptance of the Knox TokenID and Passcode 
> tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
> credentials flow request body. This body will contain the following params:
> 1. grant_type and it will be "client_credentials"
> 2. client_id which will be the KnoxToken tokenId or KnoxID
> 3. client_secret which will be the passcode token for which we store the hash
> Authentication using this flow will result in the effective user being what 
> is provided as the CLIENT_ID.





[jira] [Created] (KNOX-3016) Add Support for Client Credentials Flow with KnoxTokens

2024-03-08 Thread Larry McCay (Jira)
Larry McCay created KNOX-3016:
-

 Summary: Add Support for Client Credentials Flow with KnoxTokens
 Key: KNOX-3016
 URL: https://issues.apache.org/jira/browse/KNOX-3016
 Project: Apache Knox
  Issue Type: Bug
  Components: JWT
Reporter: Larry McCay
Assignee: Larry McCay
 Fix For: 2.1.0


Adding support for integrations to Knox proxied services and APIs via OAuth 
style client credentials flow. This allows an integration that is provided a 
CLIENT_ID and CLIENT_SECRET to authenticate to Knox and directly access proxied 
services with those or exchange those credentials for short lived JWT based 
access, id and refresh tokens.

This change introduces only the acceptance of the Knox TokenID and Passcode 
tokens as CLIENT_ID and CLIENT_SECRET in a standard OAuth 2.0 client 
credentials flow request body. This body will contain the following params:

1. grant_type and it will be "client_credentials"
2. client_id which will be the KnoxToken tokenId or KnoxID
3. client_secret which will be the passcode token for which we store the hash

Authentication using this flow will result in the effective user being what is 
provided as the CLIENT_ID.




--
This message was sent by Atlassian Jira
(v8.20.10#820010)
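
The client credentials check described in KNOX-3016, with the fail-closed behaviour that KNOX-3031 asks for, sketched as an added example (not Knox source). The class, method and store names are hypothetical, and plain SHA-256 stands in for whatever hash construction Knox applies to the passcode.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;

/** Added illustration; none of these names are Knox classes. */
public class ClientCredentialsCheck {

    /** Outcome of one request: HTTP status plus the effective user on success. */
    static final class Result {
        final int status;
        final String effectiveUser;

        Result(int status, String effectiveUser) {
            this.status = status;
            this.effectiveUser = effectiveUser;
        }

        @Override
        public String toString() {
            return status + (effectiveUser == null ? "" : " effectiveUser=" + effectiveUser);
        }
    }

    /** Hypothetical stand-in for server-managed token state: tokenId -> hash(passcode). */
    static final class TokenStateStore {
        private final Map<String, byte[]> passcodeHashes = new HashMap<>();

        void issue(String tokenId, String passcode) {
            passcodeHashes.put(tokenId, hash(passcode)); // only the hash is kept
        }

        byte[] hashFor(String tokenId) {
            return passcodeHashes.get(tokenId);
        }
    }

    /** SHA-256 is an assumption made for this example. */
    static byte[] hash(String value) {
        try {
            return MessageDigest.getInstance("SHA-256")
                    .digest(value.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory on every JRE
        }
    }

    /**
     * @param form  parsed request body parameters
     * @param store the state store, or null when server-managed token state is off
     */
    static Result authenticate(Map<String, String> form, TokenStateStore store) {
        if (!"client_credentials".equals(form.get("grant_type"))) {
            return new Result(400, null); // unsupported grant type
        }
        String clientId = form.get("client_id");
        String clientSecret = form.get("client_secret");
        if (clientId == null || clientSecret == null) {
            return new Result(401, null);
        }
        if (store == null) {
            // KNOX-3031: without the state store the client id cannot be verified,
            // so the answer is a 401 and never a 200 with an empty body.
            return new Result(401, null);
        }
        byte[] stored = store.hashFor(clientId);
        byte[] presented = hash(clientSecret);
        // Compare against a dummy value for unknown ids so both paths do the same work.
        byte[] reference = (stored != null) ? stored : new byte[presented.length];
        boolean matches = MessageDigest.isEqual(reference, presented);
        if (stored == null || !matches) {
            return new Result(401, null);
        }
        return new Result(200, clientId); // the effective user is the CLIENT_ID
    }

    private static Map<String, String> body(String id, String secret) {
        Map<String, String> form = new HashMap<>();
        form.put("grant_type", "client_credentials");
        form.put("client_id", id);
        form.put("client_secret", secret);
        return form;
    }

    public static void main(String[] args) {
        // Constructed sample values, not real credentials.
        TokenStateStore store = new TokenStateStore();
        store.issue("sample-token-id", "sample-passcode");

        System.out.println(authenticate(body("sample-token-id", "sample-passcode"), store));
        System.out.println(authenticate(body("sample-token-id", "wrong-passcode"), store));
        System.out.println(authenticate(body("unknown-id", "sample-passcode"), store));
        // State store unavailable: rejected even with the right passcode.
        System.out.println(authenticate(body("sample-token-id", "sample-passcode"), null));
    }
}
```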


[jira] [Updated] (KNOX-3010) User Guide Docs for Token Management typos

2024-02-24 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3010?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-3010:
--
Description: 
The following docs are incorrect and need some correction:

{code}
h5. Creating the token hash key 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Creating+the+token+hash+key]

As explained, if you would like to use Knox’s token generation features, you 
will have to create a gateway-level alias with a 256, 384, or 512-bit length 
JWK. You can do it in - at least - two different ways:
 # You generate your own MAC (using [this online 
tool|https://8gwifi.org/jwkfunctions.jsp] for instance) and save it as an alias 
using Knox CLI.
 # You do it running the following Knox CLI command:
{{generate-jwk --saveAlias knox.token.hash.key}}

The second option involves a newly created Knox CLI command called 
{{{}generate-jwk{}}}:
h5. Token state service implementations 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+state+service+implementations]

{code}

I assume the command example that starts with generate-jwk should be knoxcli.sh 
and the example command for generate-jwk should be after the mention of the 
second option.



  was:
The following docs are incorrect and need some correction:

{code}
h5. Creating the token hash key 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Creating+the+token+hash+key]

As explained, if you would like to use Knox’s token generation features, you 
will have to create a gateway-level alias with a 256, 384, or 512-bit length 
JWK. You can do it in - at least - two different ways:
 # You generate your own MAC (using [this online 
tool|https://8gwifi.org/jwkfunctions.jsp] for instance) and save it as an alias 
using Knox CLI.
 # You do it running the following Knox CLI command:
{{generate-jwk --saveAlias knox.token.hash.key}}

The second option involves a newly created Knox CLI command called 
{{{}generate-jwk{}}}:
h5. Token state service implementations 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+state+service+implementations]

{code}

I assume the comman example that starts with generate-jwk should be knoxcli.sh 
and the example command for generate-jwk should be after the mention of the 
second option.




> User Guide Docs for Token Management typos
> --
>
> Key: KNOX-3010
> URL: https://issues.apache.org/jira/browse/KNOX-3010
> Project: Apache Knox
> Issue Type: Bug
> Components: Document
> Reporter: Larry McCay
> Priority: Major
>
> The following docs are incorrect and need some correction:
> {code}
> h5. Creating the token hash key 
> [!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Creating+the+token+hash+key]
> As explained, if you would like to use Knox’s token generation features, you 
> will have to create a gateway-level alias with a 256, 384, or 512-bit length 
> JWK. You can do it in - at least - two different ways:
>  # You generate your own MAC (using [this online 
> tool|https://8gwifi.org/jwkfunctions.jsp] for instance) and save it as an 
> alias using Knox CLI.
>  # You do it running the following Knox CLI command:
> {{generate-jwk --saveAlias knox.token.hash.key}}
> The second option involves a newly created Knox CLI command called 
> {{{}generate-jwk{}}}:
> h5. Token state service implementations 
> [!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+state+service+implementations]
> {code}
> I assume the command example that starts with generate-jwk should be 
> knoxcli.sh and the example command for generate-jwk should be after the 
> mention of the second option.





[jira] [Created] (KNOX-3010) User Guide Docs for Token Management typos

2024-02-24 Thread Larry McCay (Jira)
Larry McCay created KNOX-3010:
-

 Summary: User Guide Docs for Token Management typos
 Key: KNOX-3010
 URL: https://issues.apache.org/jira/browse/KNOX-3010
 Project: Apache Knox
  Issue Type: Bug
  Components: Document
Reporter: Larry McCay


The following docs are incorrect and need some correction:

{code}
h5. Creating the token hash key 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Creating+the+token+hash+key]

As explained, if you would like to use Knox’s token generation features, you 
will have to create a gateway-level alias with a 256, 384, or 512-bit length 
JWK. You can do it in - at least - two different ways:
 # You generate your own MAC (using [this online 
tool|https://8gwifi.org/jwkfunctions.jsp] for instance) and save it as an alias 
using Knox CLI.
 # You do it running the following Knox CLI command:
{{generate-jwk --saveAlias knox.token.hash.key}}

The second option involves a newly created Knox CLI command called 
{{{}generate-jwk{}}}:
h5. Token state service implementations 
[!https://knox.apache.org/books/knox-2-1-0/markbook-section-link.png!|https://knox.apache.org/books/knox-2-1-0/user-guide.html#Token+state+service+implementations]

{code}

I assume the command example that starts with generate-jwk should be knoxcli.sh 
and the example command for generate-jwk should be after the mention of the 
second option.







[jira] [Resolved] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI

2024-02-24 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-3009?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay resolved KNOX-3009.
---
Resolution: Fixed

> KNOX-SESSION missing from Manager Topology and Admin UI
> ---
>
> Key: KNOX-3009
> URL: https://issues.apache.org/jira/browse/KNOX-3009
> Project: Apache Knox
> Issue Type: Bug
> Components: Release
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Due to KNOX-SESSION service missing from the default manager.xml topology, an 
> alert in the Admin UI is displayed while trying to retrieve the authenticated 
> user name and "dr. who" is displayed as the user.
>  





[jira] [Created] (KNOX-3009) KNOX-SESSION missing from Manager Topology and Admin UI

2024-02-24 Thread Larry McCay (Jira)
Larry McCay created KNOX-3009:
-

 Summary: KNOX-SESSION missing from Manager Topology and Admin UI
 Key: KNOX-3009
 URL: https://issues.apache.org/jira/browse/KNOX-3009
 Project: Apache Knox
  Issue Type: Bug
  Components: Release
Reporter: Larry McCay
Assignee: Larry McCay
 Fix For: 2.1.0


Due to KNOX-SESSION service missing from the default manager.xml topology, an 
alert in the Admin UI is displayed while trying to retrieve the authenticated 
user name and "dr. who" is displayed as the user.

 





[jira] [Commented] (KNOX-2995) json contains null value parsing failed

2023-12-29 Thread Larry McCay (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17801224#comment-17801224
 ] 

Larry McCay commented on KNOX-2995:
---

[~beryl_zsh] - thank you for the additional information. We will also need 
actual tests modified or added to test this scenario programmatically. There 
should be existing rewrite tests that you can add this to.

> json contains null value parsing failed
> ---
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0, 1.6.0
> Reporter: zhaoshuaihua
> Priority: Major
> Attachments: KNOX-2995.patch, screenshot-1.png, screenshot-2.png, screenshot-3.png
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.
> I click on the page with return json and the content of Response is empty, 
> like this: !screenshot-1.png!
>  
> Checking the gateway.log log shows the following error message.
> !screenshot-2.png!
> The display results after my repair are as follows: 
> !screenshot-3.png!
>  
>  





[jira] [Commented] (KNOX-2995) json contains null value parsing failed

2023-12-28 Thread Larry McCay (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17801040#comment-17801040
 ] 

Larry McCay commented on KNOX-2995:
---

I see that you did provide a pull request - that's great. Let's address the 
other comments above too.

Thanks!

> json contains null value parsing failed
> ---
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0, 1.6.0
> Reporter: zhaoshuaihua
> Priority: Major
> Attachments: KNOX-2995.patch
>
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.





[jira] [Commented] (KNOX-2995) json contains null value parsing failed

2023-12-28 Thread Larry McCay (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2995?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17801039#comment-17801039
 ] 

Larry McCay commented on KNOX-2995:
---

Hi [~beryl_zsh]  - thank you for your patch.

Could you edit the description to provide more specifics?

We will also need tests to be added or modified to show the issue and that it 
is now fixed so that the support doesn't regress by some other change.

Lastly, we use github pull requests for patches these days - can you move this 
to a PR there?

Again, thank you for your contribution!

> json contains null value parsing failed
> ---
>
> Key: KNOX-2995
> URL: https://issues.apache.org/jira/browse/KNOX-2995
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0, 1.6.0
> Reporter: zhaoshuaihua
> Priority: Major
> Attachments: KNOX-2995.patch
>
>
> If the proxy address returns JSON, which contains something similar to xxx: 
> NaN, then knox will fail to parse. Therefore, support for parsing NaN is 
> added.





[jira] [Resolved] (KNOX-2824) Make SameSite attribute on KnoxSSO Cookie Configurable

2022-11-14 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2824?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay resolved KNOX-2824.
---
Resolution: Fixed

> Make SameSite attribute on KnoxSSO Cookie Configurable
> --
>
> Key: KNOX-2824
> URL: https://issues.apache.org/jira/browse/KNOX-2824
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> The attribute for KnoxSSO cookie is currently hardcoded.
> This improvement will make its value configurable to better accommodate 
> various deployment scenarios.





[jira] [Updated] (KNOX-2828) Token generation maximum token ttl unlimited not working when lifespan input is disabled

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2828:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Token generation maximum token ttl unlimited not working when lifespan input 
> is disabled
> 
>
> Key: KNOX-2828
> URL: https://issues.apache.org/jira/browse/KNOX-2828
> Project: Apache Knox
> Issue Type: Bug
> Components: Homepage, Server
> Reporter: Balazs Marton
> Priority: Minor
> Fix For: 2.1.0
>
>
> Even though there's no documentation about this feature, when the _KNOXTOKEN_ 
> service param _knox.token.ttl_ is set to _-1_ in the _homepage_ topology, the 
> token generation site indicates that the generated token lifetime can be 
> {_}unlimited{_}. Combining this with configuring the 
> _knox.token.lifespan.input.enabled_ param of the _KNOXTOKEN_ service to 
> _false_ and generating a token, results in generating a token whose expiry 
> date is: _01/01/1970, 00:59:59._
> Configurations for recreation of the problem:
> In homepage topology KNOXTOKEN service
> {code:java}
> <param>
>   <name>knox.token.ttl</name>
>   <value>-1</value>
> </param>
> <param>
>   <name>knox.token.lifespan.input.enabled</name>
>   <value>false</value>
> </param>
> {code}
>  





[jira] [Updated] (KNOX-1785) Inject <base> tag to simplify rewrite rules

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1785:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Inject <base> tag to simplify rewrite rules
> ---
>
> Key: KNOX-1785
> URL: https://issues.apache.org/jira/browse/KNOX-1785
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Labels: kip-9
> Fix For: 2.1.0
>
>
> By inserting the [<base> tag|https://www.w3schools.com/tags/tag_base.asp] (or 
> rewriting the existing one if present) will simplify a lot of rewrite rules, 
> we won't have to rewrite relative URLs then which can be significant number 
> of rules for doing the same thing again and again. <base> tag would simplify 
> a lot of things when it comes to rewriting.





[jira] [Updated] (KNOX-1991) Rewrite websocket data

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1991:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Rewrite websocket data
> --
>
> Key: KNOX-1991
> URL: https://issues.apache.org/jira/browse/KNOX-1991
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Affects Versions: 1.4.0
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently Knox does not rewrite Websocket data, we need to explore a way to 
> do it.
> Current rewrite engine is filter based so cannot be directly applied to 
> Websocket traffic.





[jira] [Updated] (KNOX-2361) Fix SQL History in KnoxShell knoxline

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2361?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2361:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Fix SQL History in KnoxShell knoxline
> -
>
> Key: KNOX-2361
> URL: https://issues.apache.org/jira/browse/KNOX-2361
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>
> There is currently no CLI or SQL history in the SQL shell built in to 
> KnoxShell.
> This needs to be fixed to make this really useful.





[jira] [Updated] (KNOX-1790) Docker - Handle custom Knox master secret

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1790:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Docker - Handle custom Knox master secret
> -
>
> Key: KNOX-1790
> URL: https://issues.apache.org/jira/browse/KNOX-1790
> Project: Apache Knox
>  Issue Type: Sub-task
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>






[jira] [Updated] (KNOX-1953) Figure out how to publish Knox Docker image

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1953:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Figure out how to publish Knox Docker image
> ---
>
> Key: KNOX-1953
> URL: https://issues.apache.org/jira/browse/KNOX-1953
> Project: Apache Knox
>  Issue Type: Sub-task
>  Components: Build
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently we provide the ability to build a Knox Docker image. It would be 
> helpful if we could publish it.





[jira] [Updated] (KNOX-1299) Admin API does not serialize older deployed topology file with identity-assertion provider

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1299?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1299:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Admin API does not serialize older deployed topology file with 
> identity-assertion provider
> --
>
> Key: KNOX-1299
> URL: https://issues.apache.org/jira/browse/KNOX-1299
> Project: Apache Knox
>  Issue Type: Bug
>  Components: AdminUI
>Affects Versions: 0.14.0
>Reporter: J.Andreina
>Priority: Critical
> Fix For: 2.1.0
>
>
> Step 1: Create a shared provider file from admin-UI "descriptor1" with only 
> one provider "hostmap"
> Step 2: Create a descriptor file "file1" pointing to "descriptor1" with any 
> one service
> Deployed topology "file1.xml" will have 2 providers when viewed from 
> admin-ui "hostmap" and "identity-assertion"
> Step 3: Create a shared provider file from admin-UI "descriptor2" with only 
> one provider "hostmap"
> Step 4: Create a descriptor file "file2" pointing to "descriptor2" with any 
> one service
> Expected:
> Both file1.xml and file2.xml generated topology should have 2 descriptors 
> "hostmap" and "identity-assertion"
> Issue:
> file1.xml doesn't have "identity-assertion" provider when viewed from admin-ui





[jira] [Updated] (KNOX-1729) Add support for proxying Grafana

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1729:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Add support for proxying Grafana
> 
>
> Key: KNOX-1729
> URL: https://issues.apache.org/jira/browse/KNOX-1729
> Project: Apache Knox
>  Issue Type: New Feature
>Reporter: Papirkovskyy Myroslav
>Priority: Major
> Fix For: 2.1.0
>
>
> Provide UI proxy support for the Grafana UI





[jira] [Updated] (KNOX-2528) Tracking URL link in YARN for Killed applications broken

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2528:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Tracking URL link in YARN for Killed applications broken
> 
>
> Key: KNOX-2528
> URL: https://issues.apache.org/jira/browse/KNOX-2528
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Iain Buclaw
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: image-2021-01-11-11-53-33-672.png
>
>
> The Tracking UI History link for all jobs under /yarn/cluster/apps/KILLED are 
> broken.
>  
> The service port and path suggest that it's a link intended for the Timeline 
> Server UI, which is currently unimplemented, see KNOX-1032.
>  
> Steps to reproduce are:
>  # Start a mid-to-long running spark job, I picked 
> `org.apache.spark.examples.SparkPi` with an argument of `10`.
>  # Kill the running job: `yarn application -kill 
> application_1610360301299_0002`
>  # In YARN, navigate to Applications/KILLED, and see the link at the end of 
> the row.  It'll be in the form of 
> [http://dataproc-m:8188/applicationhistory/app/application_1610360301299_0002]
>  
> !image-2021-01-11-11-53-33-672.png!





[jira] [Updated] (KNOX-1204) KIP-11 - S3 Access through Knox API

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1204?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1204:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> KIP-11 - S3 Access through Knox API
> ---
>
> Key: KNOX-1204
> URL: https://issues.apache.org/jira/browse/KNOX-1204
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>
> h1. UC-5: S3 Integration
> While the Knox WebHDFS integration may still work for many cloud deployments, 
> it does seem like a gap that there is no way to move files in and out of S3 
> or other cloud storage mechanisms through Knox.
> We can actually combine UC-2 above to acquire temporary credentials on behalf 
> of the authenticated users. We would request the IAM role and permissions 
> that are appropriate for the user and their group memberships in order to 
> access buckets protected with IAM roles. We could also combine with UC-4 
> above to have encrypted files put into S3 that will only be able to be 
> decrypted on-prem.
> It would require Knox to be granted permission in a given cloud deployment to 
> make STS calls and may require AWS credentials for the Knox user to be an IAM 
> role. We may also be able to assumeRole to the needed role for STS access.
> It will also require a Jersey service hosted in Knox to put files into S3 
> (KnoxS3?) or we can create a pluggable backend and make it a more generic 
> object store API.





[jira] [Updated] (KNOX-2580) Adding a token in TokenStateService should work with token metadata

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2580:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Adding a token in TokenStateService should work with token metadata
> ---
>
> Key: KNOX-2580
> URL: https://issues.apache.org/jira/browse/KNOX-2580
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently, when token management is enabled and a token is being created 
> there are two subsequent method invocations made:
>  * addToken(...)
>  * addMetadata(String, TokenMetadata)
> This should be refactored in a way that these two methods are merged as 
> {{addToken(String, TokenMetadata)}}





[jira] [Updated] (KNOX-2358) Reload the Knox Home page upon topology changes

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2358:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Reload the Knox Home page upon topology changes
> ---
>
> Key: KNOX-2358
> URL: https://issues.apache.org/jira/browse/KNOX-2358
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Homepage
>Affects Versions: 1.4.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Minor
> Fix For: 2.1.0
>
>
> It would be nice if the Knox home page got reloaded when Knox redeploys a 
> topology. Using push notifications seems to be a good way to do this.
> Alternatively, a client-side poll can be configured to fetch changes from the 
> Knox back-end.





[jira] [Updated] (KNOX-2409) HS2 Interactive Active/Passive HA not working

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2409?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2409:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> HS2 Interactive Active/Passive HA not working
> -
>
> Key: KNOX-2409
> URL: https://issues.apache.org/jira/browse/KNOX-2409
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 0.14.0
>Reporter: Theyaa Matti
>Priority: Major
> Fix For: 2.1.0
>
>
> Trying to use Knox to access HS2 Interactive where there are 2 HS2 
> Interactive instances as active/passive. Adding both instances in the 
> topology as HA service does not make Knox check if the first HS2 interactive 
> is passive and switch to the second one.
>  
> Knox needs to check whether the selected HS2 Interactive is actually active or 
> not. Then check the second one if the first is Passive.





[jira] [Updated] (KNOX-1749) Improve Docker integration

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1749:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Improve Docker integration
> --
>
> Key: KNOX-1749
> URL: https://issues.apache.org/jira/browse/KNOX-1749
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: docker
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Few things that come to mind:
>  * start gateway.sh/ldap.sh in the foreground
>  ** This would avoid tailing the log files
>  ** Would allow for proper shutdown of container
>  * Expose gateway.sh/ldap.sh environment variables for customization
>  ** APP_MEM_OPTS/etc
>  * Handle Knox custom master secret





[jira] [Updated] (KNOX-925) Configurable - Encryption Algorithm and its key size, Salt and iteration count for PBKDF

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-925:
-

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Configurable - Encryption Algorithm and its key size, Salt and iteration 
> count for PBKDF
> -
>
> Key: KNOX-925
> URL: https://issues.apache.org/jira/browse/KNOX-925
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.11.0
>Reporter: Krishna Pandey
>Priority: Minor
> Fix For: 2.1.0
>
>
> We can make key length configurable to be used with the RSA algorithm, so 
> that Users can set the value as per current cryptography guidelines.
> Also, in a password-based key derivation function, the base key is a password 
> and the other parameters are a salt value and an iteration count. An 
> iteration count has traditionally served the purpose of increasing the cost 
> of generating keys from a password. We can keep the Scheme, Salt and 
> Iteration Count configurable for Users to fine tune as per their requirements.





[jira] [Updated] (KNOX-1865) Admin UI Provider Config Forms need Tooltips/Help Text

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1865:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Admin UI Provider Config Forms need Tooltips/Help Text
> --
>
> Key: KNOX-1865
> URL: https://issues.apache.org/jira/browse/KNOX-1865
> Project: Apache Knox
>  Issue Type: Bug
>  Components: AdminUI
>Reporter: Larry McCay
>Assignee: Ljmiv
>Priority: Major
> Fix For: 2.1.0
>
>
> While the Provider Configuration pages in the UI are a nicer experience than 
> having to hand edit XML for many people, for those that don't have the 
> context of the configuration from prior knowledge of the underlying providers 
> and what the params mean - many of the fields are ambiguous.
> We need to provide at least some tooltips for some of the easier fields and 
> perhaps a [?] link with more help than would be possible in a simple tooltip. 
> Possibly linking to online docs in the user guide with more details would be 
> good as well.





[jira] [Updated] (KNOX-1704) Upgrade to JUnit 5

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1704:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Upgrade to JUnit 5
> --
>
> Key: KNOX-1704
> URL: https://issues.apache.org/jira/browse/KNOX-1704
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Tests
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1704.patch
>
>
> JUnit 5 has been out for a while now. 





[jira] [Updated] (KNOX-1644) Improve HDFSUI 3.0.0 version to handle no ?host= parameter

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1644:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Improve HDFSUI 3.0.0 version to handle no ?host= parameter
> --
>
> Key: KNOX-1644
> URL: https://issues.apache.org/jira/browse/KNOX-1644
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.1.0, 1.2.0
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1644.patch
>
>
> Currently the HDFSUI service is broken with version 3.0.0. Version 2.7.0 
> works. It looks like there were a bunch of changes to the 2.7.0 version but 
> not the 3.0.0 version. Version 2.7.0 seems to fix the issue that 3.0.0 was 
> introduced for. We should remove it since currently version 3.0.0 is broken.
> Version 3.0.0 was introduced in KNOX-1340
> *Update*: ?host=http://NAMENODE_HOST:NAMENODE_PORT needs to be added to the 
> /hdfs/ endpoint. 





[jira] [Updated] (KNOX-1595) Support JDK 12/13/14

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1595?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1595:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Support JDK 12/13/14
> 
>
> Key: KNOX-1595
> URL: https://issues.apache.org/jira/browse/KNOX-1595
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Build
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Splitting JDK 12 and JDK 13 support out specifically from KNOX-1458





[jira] [Updated] (KNOX-1425) UI Changes to include dispatch element in topology

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1425:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> UI Changes to include dispatch element in topology 
> ---
>
> Key: KNOX-1425
> URL: https://issues.apache.org/jira/browse/KNOX-1425
> Project: Apache Knox
>  Issue Type: Bug
>  Components: AdminUI
>Reporter: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> As part of KNOX-1339 cloud federation, now topology element contains a 
> dispatch element and Admin UI needs to be updated to take that into account.
> {code:java}
> 
>     
>      
> ...
> 
> ...
> 
>              
>                          
>             
> org.apache.hadoop.gateway.hbase.HBaseDispatch
>              
>              
>              
>         
> 
>  
> 
> {code}





[jira] [Updated] (KNOX-1706) Look at using WebJars for knoxauth application

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1706:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Look at using WebJars for knoxauth application
> --
>
> Key: KNOX-1706
> URL: https://issues.apache.org/jira/browse/KNOX-1706
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently knoxauth doesn't integrate with the Maven build. It would be nice 
> to be able to specify dependencies via Maven if possible. WebJars could be 
> helpful here: https://www.webjars.org/





[jira] [Updated] (KNOX-2363) Fix KnoxShellTable Call History across the various Builders

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2363?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2363:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Fix KnoxShellTable Call History across the various Builders
> ---
>
> Key: KNOX-2363
> URL: https://issues.apache.org/jira/browse/KNOX-2363
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently, the call history gets forgotten across a number of the 
> builders/filters and we lose the ability to rollback to the previous dataset.





[jira] [Updated] (KNOX-2509) Use Open API UI to browse the Knox Admin/Metadata API REST endpoints

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2509?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2509:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Use Open API UI to browse the Knox Admin/Metadata API REST endpoints
> 
>
> Key: KNOX-2509
> URL: https://issues.apache.org/jira/browse/KNOX-2509
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Homepage, Server
>Affects Versions: 1.5.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> I had some contribution that allows end-users managing service definitions 
> without restarting the Knox Gateway. See KNOX-2053 and KNOX-2056 for further 
> details.
>  
> I've been just about creating a new JIRA to document those new API endpoints 
> in the Knox user guide but it has come to my mind that we can do it much 
> better by using Swagger.
>  
> Given the fact, the Admin/Metadata API does not consist of hundreds of 
> existing endpoints it should not be 'that' huge work. I personally believe 
> the project would gain a lot by using this very useful tool. This way the 
> Admin/Metadata API documentation would be generated out-of-the-box, no more 
> documentation JIRAs required. Moreover, the generated documentation would be 
> in sync with the actual implementation.
> You can check this out here: [https://swagger.io/tools/swagger-ui/] (there is 
> a live demo too; it's worth looking at).





[jira] [Updated] (KNOX-1339) Support for cloud federation

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1339?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1339:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Support for cloud federation
> 
>
> Key: KNOX-1339
> URL: https://issues.apache.org/jira/browse/KNOX-1339
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> This is part of [KIP-11 - Cloud Usecase 
> |https://cwiki.apache.org/confluence/display/KNOX/KIP-11+Cloud+Usecases] and 
> allows for a topology based federation from one Knox instance to another.
> It will allow clients to interact with a single on-prem Knox instance 
> (cluster of instances) but have the interaction federated transparently to a 
> corresponding cloud based instance.  





[jira] [Updated] (KNOX-2643) TopologyService should validate descriptor and provider config file paths

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2643:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> TopologyService should validate descriptor and provider config file paths
> -
>
> Key: KNOX-2643
> URL: https://issues.apache.org/jira/browse/KNOX-2643
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.5.0
>Reporter: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>
> DefaultTopologyService#deployProviderConfiguration and 
> DefaultTopologyService#deployDescriptor blindly trust the file name without 
> validating that the location will be bound to the expected resource directory 
> (e.g., sharedProvidersDirectory, descriptorsDirectory).
> Names that would place the file outside the expected location or intent 
> (e.g., ../gateway-site.xml) should be rejected.



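The check KNOX-2643 asks for, sketched as an added example that is not code from the Knox project: a caller-supplied file name is resolved against the target directory and rejected unless the normalized result stays inside it. The class `ConfinedDeployExample`, the methods `resolveConfined` and `check`, the flat-file-name rule and the sample names are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ConfinedDeployExample {

    /**
     * Resolves a caller-supplied file name inside baseDir and rejects any name
     * that would land outside it. Hypothetical helper, not Knox code.
     */
    static Path resolveConfined(Path baseDir, String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty file name");
        }
        // Assumption: deployed resources are flat file names, so path
        // separators and NUL bytes are never legitimate.
        if (name.indexOf('/') >= 0 || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal character in name");
        }
        // Canonical form of the target directory, symlinks resolved.
        Path base = baseDir.toRealPath();
        // normalize() collapses "." and ".." before the containment test.
        Path candidate = base.resolve(name).normalize();
        // Path.startsWith compares whole name elements, so a sibling such as
        // "descriptors-old" does not pass as being inside "descriptors".
        if (candidate.equals(base) || !candidate.startsWith(base)) {
            throw new IllegalArgumentException("name escapes target directory");
        }
        // An existing entry could be a symlink that points somewhere else.
        if (Files.exists(candidate) && !candidate.toRealPath().startsWith(base)) {
            throw new IllegalArgumentException("existing entry links outside target directory");
        }
        return candidate;
    }

    /** Returns a one-line verdict for a name, for the demonstration in main. */
    static String check(Path baseDir, String name) {
        try {
            return "accepted: " + resolveConfined(baseDir, name).getFileName();
        } catch (IllegalArgumentException | IOException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for a directory such as descriptorsDirectory.
        Path descriptors = Files.createTempDirectory("descriptors");
        // Constructed sample names; the second is the one cited in the issue.
        String[] names = {
            "sandbox.json", "../gateway-site.xml", "..", ".", "..\\gateway-site.xml"
        };
        for (String name : names) {
            System.out.println(name + " -> " + check(descriptors, name));
        }
    }
}
```

Only `sandbox.json` is accepted; the other four names are rejected before any file is written.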


[jira] [Updated] (KNOX-1873) Add HiveServer2 UI proxy support

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1873?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1873:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Add HiveServer2 UI proxy support
> 
>
> Key: KNOX-1873
> URL: https://issues.apache.org/jira/browse/KNOX-1873
> Project: Apache Knox
>  Issue Type: New Feature
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently Knox supports the HiveServer2 JDBC API. HiveServer2 has a UI added 
> in Hive 2.0.0 as part of HIVE-12338. This will probably require a separate 
> service definition since we can't reuse the Hive JDBC dispatch for the 
> standard UI.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1432) Knox directories should not be world readable (conf, logs, data etc.)

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1432:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Knox directories should not be world readable (conf, logs, data etc.)
> -
>
> Key: KNOX-1432
> URL: https://issues.apache.org/jira/browse/KNOX-1432
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1432.002.patch, KNOX-1432.patch
>
>
> Knox directories need not be open to everyone; out of the box, important 
> directories should have restricted permissions (except samples and templates).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1355) Knox not honoring originalUrl when pac4j federation is used

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1355:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Knox not honoring originalUrl when pac4j federation is used
> ---
>
> Key: KNOX-1355
> URL: https://issues.apache.org/jira/browse/KNOX-1355
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO
> Reporter: DIPAYAN BHOWMICK
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1355.patch, knox_fix_for_dp_keycloak.patch, 
> knoxsso.xml, sequence_diagram.txt
>
>
> I wanted to integrate Keycloak as the IdP provider for Knox using the pac4j 
> federation. This is for an SSO scenario and not Knox Gateway proxy. So, I 
> sent a request to gateway/knoxsso/api/v1/websso?originalUrl=https://service.
> After the redirection to Keycloak and successful authentication, Knox, 
> rather than returning to the requested original URL, redirects to the 
> original requested URL (i.e., 
> gateway/knoxsso/api/v1/websso?originalUrl=https://service/).
> The complete sequence diagram is attached. [^sequence_diagram.txt]
> Also, knoxsso.xml is attached as an example. [^knoxsso.xml]



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1653) Atlas dispatches - Add tests and reduce duplication

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1653:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Atlas dispatches - Add tests and reduce duplication
> ---
>
> Key: KNOX-1653
> URL: https://issues.apache.org/jira/browse/KNOX-1653
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently there are a few Atlas dispatches that should be cleaned up to avoid 
> duplication. It would be better to be able to configure a dispatch instead of 
> having to copy to new dispatches.
> See KNOX-1559



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1652) Move Atlas dispatches to their own module

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1652?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1652:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Move Atlas dispatches to their own module
> -
>
> Key: KNOX-1652
> URL: https://issues.apache.org/jira/browse/KNOX-1652
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Kevin Risden
> Priority: Major
> Labels: atlas
> Fix For: 2.1.0
>
>
> Currently Atlas dispatches live in the gateway-provider-ha module. These 
> classes should be moved to their own module for better separation.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-2374) Compress rolled logs and delete logs files that older

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2374?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2374:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Compress rolled logs and delete logs files that older
> -
>
> Key: KNOX-2374
> URL: https://issues.apache.org/jira/browse/KNOX-2374
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently Knox just rolls logs, which keep accumulating. There needs to be a 
> way for Knox to compress rolled-over files and delete backup files after a 
> certain number of days to save space. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1674) Remove nimbus-jose-jwt allowWeakKey

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1674:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Remove nimbus-jose-jwt allowWeakKey
> ---
>
> Key: KNOX-1674
> URL: https://issues.apache.org/jira/browse/KNOX-1674
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
>
> We should remove the ability to use 1024-bit certificates with 
> nimbus-jose-jwt. We put in allowWeakKey so as not to break existing users. 
> This should change with 2.0.0.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1741) KnoxSSO to Support IDP Initiated Flow

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1741:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> KnoxSSO to Support IDP Initiated Flow
> -
>
> Key: KNOX-1741
> URL: https://issues.apache.org/jira/browse/KNOX-1741
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxSSO
> Reporter: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently, KnoxSSO is constrained to an SP Initiated Flow - meaning, the user 
> must attempt to access a participating application before s/he is redirected 
> to an IdP for authentication.
> This restriction has been problematic for some deployments that have multiple 
> tenants or realms since the participating application has only a single URL 
> to redirect to when authentication is required.
> This JIRA is an umbrella for a few tasks in order to enable the following:
> # A landing page that displays a portal of available Topologies and then 
> services/UIs within each. Need to determine which topologies to include - 
> maybe only those protected by KnoxSSO - which will require some Admin API 
> calls. This will be similar to the Okta portal page with tiles for UIs and 
> Services.
> # KnoxSSO protection of the landing page to ensure that the user is logged in
> # A login form that includes username, password and realm - or perhaps a top 
> level page that requires realm only. This can become the URL that 
> participating applications redirect the user to when a new authentication is 
> required.
> # Clicking into a Service rather than a UI should result in a REST Client 
> Page where the KnoxSSO token will be presented and results returned in a 
> scrollable textarea or meaningful rendering of JSON in a tree or table.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1380) Create an Admin API to return a topology status

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1380:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Create an Admin API to return a topology status
> ---
>
> Key: KNOX-1380
> URL: https://issues.apache.org/jira/browse/KNOX-1380
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0
> Reporter: J.Andreina
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently we have an Admin API to return the list of topologies (which will 
> also return a topology that is not deployed completely, as it just lists the 
> files in the topology directory).
> We need an Admin API to return the status of a topology (whether the 
> topology is activated or not).



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1439) HA Dispatch implementations should differentiate IOExceptions

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1439:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> HA Dispatch implementations should differentiate IOExceptions
> -
>
> Key: KNOX-1439
> URL: https://issues.apache.org/jira/browse/KNOX-1439
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0
> Reporter: Philip Zampino
> Priority: Major
> Fix For: 2.1.0
>
>
> The HA Dispatch implementations catch IOException, and initiate failover 
> logic regardless of the type of error the exception represents. For instance, 
> some IOExceptions indicate interrupted data transfer while others represent 
> connection errors.
> This distinction is especially important for PUT and POST requests, for which 
> InputStreamEntity is used for the content. InputStreamEntity is a 
> non-repeatable entity type, making the results of subsequent attempts 
> unreliable.
> We should probably only failover / retry on connection-related IOException 
> types:
>  * java.net.SocketException
>  * java.net.UnknownHostException
> And return an error response to the client for other IOException types. Maybe 
> it makes sense to consider the HTTP method to make this decision (e.g., retry 
> GET requests, but not PUT or POST).
> The affected dispatch implementations include at least:
>  * org.apache.knox.gateway.ha.dispatch.DefaultHaDispatch
>  * org.apache.knox.gateway.ha.dispatch.AtlasApiHaDispatch
>  * org.apache.knox.gateway.ha.dispatch.AtlasHaDispatch
>  * org.apache.knox.gateway.dispatch.NiFiHaDispatch
>  * org.apache.knox.gateway.hdfs.dispatch.AbstractHdfsHaDispatch
>  
> If retry is configured, but we won't retry, then perhaps 
> java.net.HttpRetryException should be thrown.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
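
The failover rule proposed in KNOX-1439 above, sketched in Java as an added example; it is not Knox code, and the names FailoverDecision, Attempt, bodyRepeatable, the host names and the 502 code passed to HttpRetryException are assumptions made for the illustration. It fails over only on the connection-related exception types the issue lists, surfaces every other IOException, and refuses to replay a request whose body cannot be re-read.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.HttpRetryException;
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

// Added illustration, not Knox code: FailoverDecision, Attempt and the host names are hypothetical.
public class FailoverDecision {

    /** One outbound request attempt against a single backend endpoint. */
    interface Attempt {
        String call(String endpoint) throws IOException;
    }

    /**
     * True only for the connection-related types named in the issue, searched
     * through the cause chain because HTTP clients often wrap the root error.
     * ConnectException is a SocketException; SocketTimeoutException is an
     * InterruptedIOException, so a read timeout is NOT treated as retryable.
     */
    static boolean isConnectionError(Throwable t) {
        for (Throwable c = t; c != null; c = c.getCause()) {
            if (c instanceof SocketException || c instanceof UnknownHostException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tries each endpoint in order. bodyRepeatable is decided by the caller
     * (assumption: true for requests without a body such as GET, false for
     * PUT/POST bodies streamed from a non-repeatable entity).
     */
    static String dispatch(List<String> endpoints, String method, boolean bodyRepeatable, Attempt attempt)
            throws IOException {
        IOException last = new IOException("No endpoints configured");
        for (String endpoint : endpoints) {
            try {
                return attempt.call(endpoint);
            } catch (IOException e) {
                if (!isConnectionError(e)) {
                    throw e; // interrupted transfer or other I/O error: report it, do not fail over
                }
                // SocketException also covers resets after bytes were sent,
                // so the body check is still needed for connection errors.
                if (!bodyRepeatable) {
                    HttpRetryException noRetry = new HttpRetryException(
                            method + " not retried: request body cannot be replayed", 502);
                    noRetry.initCause(e);
                    throw noRetry;
                }
                last = e; // connection error and safe to repeat: try the next endpoint
            }
        }
        throw last;
    }

    private static void report(String label, List<String> eps, String method, boolean repeatable, Attempt a) {
        try {
            System.out.println(label + " -> " + dispatch(eps, method, repeatable, a));
        } catch (IOException e) {
            System.out.println(label + " -> " + e.getClass().getSimpleName() + ": " + e.getMessage());
        }
    }

    public static void main(String[] args) {
        // Constructed endpoints and simulated failures; no network access is made.
        List<String> endpoints = Arrays.asList("host-a.example", "host-b.example");
        Attempt refusedOnA = ep -> {
            if (ep.startsWith("host-a")) {
                throw new ConnectException("Connection refused");
            }
            return "200 from " + ep;
        };
        Attempt readTimeoutOnA = ep -> {
            if (ep.startsWith("host-a")) {
                throw new SocketTimeoutException("Read timed out");
            }
            return "200 from " + ep;
        };
        report("GET, connection refused", endpoints, "GET", true, refusedOnA);
        report("GET, read timeout", endpoints, "GET", true, readTimeoutOnA);
        report("POST stream, connection refused", endpoints, "POST", false, refusedOnA);
    }
}
```

Only the first case reaches host-b.example; the read timeout is returned to the caller as is, and the streamed POST ends in HttpRetryException.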


[jira] [Updated] (KNOX-2349) knoxcli convert-topology descriptor-name is not optional

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2349:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> knoxcli convert-topology descriptor-name is not optional
> 
>
> Key: KNOX-2349
> URL: https://issues.apache.org/jira/browse/KNOX-2349
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxCLI
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> For the knoxcli command convert-topology newly introduced in KNOX-2287, the 
> descriptor-name param is not optional; it should be optional.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1725) gateway.custom.federation.header.name property should be at a dispatch level

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1725?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1725:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> gateway.custom.federation.header.name property should be at a dispatch level
> 
>
> Key: KNOX-1725
> URL: https://issues.apache.org/jira/browse/KNOX-1725
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently, for the topology federation feature, the property 
> "gateway.custom.federation.header.name" needs to be updated in 
> gateway-site.xml. This property needs to be part of the dispatch so that it 
> can be set in the topology file. 
>  
> KNOX-1728 plans to add some changes that will make this simpler.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1852) Simplify ZookeeperRemoteAliasService and make it generic

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1852?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1852:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Simplify ZookeeperRemoteAliasService and make it generic
> 
>
> Key: KNOX-1852
> URL: https://issues.apache.org/jira/browse/KNOX-1852
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> ZookeeperRemoteAliasService class can be made more generic to support future 
> implementations of AliasService that depend on 
> RemoteConfigurationRegistryClient class. Currently, we only have Zookeeper 
> implementation. The purpose of this Jira is to document the following two 
> enhancements to ZookeeperRemoteAliasService class to make it more generic:
>  # Change the name to something more generic
>  # Move the Zookeeper specific implementation to the class that implements 
> RemoteConfigurationRegistryClient, CuratorClientService in case of Zookeeper 
> service. As an example.
>  ## ZookeeperRemoteAliasService.ensureEntry() logic
>  ## AUTHENTICATED_USERS_ALL
>  ## TYPE
> This will be helpful when we decide to implement support for services like 
> consul.
> This is a result of offline discussion with [~pzamp...@apache.org] about 
> KNOX-1851.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1614) Improve error propagation for topology deployments

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1614?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1614:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Improve error propagation for topology deployments
> --
>
> Key: KNOX-1614
> URL: https://issues.apache.org/jira/browse/KNOX-1614
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
>
> KNOX-1612 highlighted that there can be better error propagation throughout 
> the topology redeployment. Catching throwable everywhere seems wrong. We 
> should look at this and improve it.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1860) Need redirect to login when SSO cookie expires

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1860:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Need redirect to login when SSO cookie expires
> --
>
> Key: KNOX-1860
> URL: https://issues.apache.org/jira/browse/KNOX-1860
> Project: Apache Knox
> Issue Type: Bug
> Components: AdminUI
> Affects Versions: 1.2.0
> Reporter: Philip Zampino
> Priority: Major
> Fix For: 2.1.0
>
>
> When Knox SSO is in play, the Admin UI can become unusable when the SSO 
> cookie expires. All of the underlying API calls fail, and content is not 
> displayed; the behavior is confusing to users who really need to know that 
> they need to log in again.
> Reloading the app/page is the simple work-around if the user understands what 
> is happening, but it will be better if the app itself could recognize this 
> state, and redirect the user to the login screen.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-929) Identity Broker API

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-929?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-929:
-

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Identity Broker API
> ---
>
> Key: KNOX-929
> URL: https://issues.apache.org/jira/browse/KNOX-929
> Project: Apache Knox
> Issue Type: New Feature
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Labels: KIP-11, KIP-7, security
> Fix For: 2.1.0
>
>
> Ability to request a token on behalf of another user w/ cryptographically 
> verifiable trust relationship. This is essentially an extension of the 
> KnoxToken service where the username of the authenticated user is presented 
> and the resulting token should represent
> Ability to specify what type of token is being requested. There are use cases 
> where Knox may be expected to interact with another STS service in order to 
> acquire another token. This may need to be addressed as a separate REST 
> resource and API or perhaps it can be a subtype of a more generic token 
> response. Current KnoxToken API response looks something like:
> bq. {
> "access_token":"eyJhbGciOiJSUzI1NiJ9.
>  
> eyJzdWIiOiJndWVzdCIsImF1ZCI6InRva2VuYmFzZWQiLCJpc3MiOiJLTk9YU1NPIiwiZXhwIjoxNDkzNTM4MjY1fQ.
>  
> FHsIdhlCi_h61PEXoKSbIEp5AlnVe9U5uEgcp7ktmVS8kLClFD2dj0KS-8sSnvNiPYdyZhEvxqNhjmhqXMd2YQz97O6FUSGf69_
>  
> lmarJPjz9K_6sDgrgpZnVQhUfHUG3k6-zetqzKZhu3gZYVLfu36TXb3C62TfXIrPF2qI9psM",
>   "target_url":"https://localhost:8443/gateway/tokenbased",
>   "token_type":"Bearer ",
>   "expires_in":1493538265484
> }
> It is possible that the above could be used to represent multiple token types 
> by adding additional token_type values for the client to interrogate and 
> handle appropriately.
> Of course, a client should request a token from a KnoxToken service that is 
> configured to provide the desired token.
> Perhaps, we limit an endpoint to a single token_type or we could configure a 
> single service endpoint to service requests for certain types and rely on the 
> client to ask for the desired one and default to current 'Bearer' type.
> Where 'Bearer' implies our Knox JWT token.
> Other potential types would include things like S3 or AWS tokens.
> We may also want to consider base64 encoding the token for certain types.
> Clients would have to know whether it needs to be decoded based on the type.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-2297) NPE during Shiro cleanup?

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2297?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2297:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> NPE during Shiro cleanup?
> -
>
> Key: KNOX-2297
> URL: https://issues.apache.org/jira/browse/KNOX-2297
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Kevin Risden
> Assignee: Attila Magyar
> Priority: Major
> Fix For: 2.1.0
>
>
> I saw this while hitting Knox repeatedly during topology redeploys/restarts. 
> There should never be a NPE.
> {code:java}
> 2020-03-17 15:13:08,878 ERROR knox.gateway 
> (AbstractGatewayFilter.java:doFilter(60)) - Failed to execute filter: 
> javax.servlet.ServletException: java.lang.NullPointerException
> 2020-03-17 15:13:08,878 ERROR knox.gateway 
> (AbstractGatewayFilter.java:doFilter(60)) - Failed to execute filter: 
> javax.servlet.ServletException: java.lang.NullPointerException
> 2020-03-17 15:13:08,878 ERROR knox.gateway (GatewayFilter.java:doFilter(169)) 
> - Gateway processing failed: javax.servlet.ServletException: 
> java.lang.NullPointerException
> javax.servlet.ServletException: java.lang.NullPointerException
>   at 
> org.apache.shiro.web.servlet.AdviceFilter.cleanup(AdviceFilter.java:196)
>   at 
> org.apache.shiro.web.filter.authc.AuthenticatingFilter.cleanup(AuthenticatingFilter.java:155)
>   at 
> org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:148)
>   at 
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>   at 
> org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)
>   at 
> org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:449)
>   at 
> org.apache.shiro.web.servlet.AbstractShiroFilter$1.call(AbstractShiroFilter.java:365)
>   at 
> org.apache.shiro.subject.support.SubjectCallable.doCall(SubjectCallable.java:90)
>   at 
> org.apache.shiro.subject.support.SubjectCallable.call(SubjectCallable.java:83)
>   at 
> org.apache.shiro.subject.support.DelegatingSubject.execute(DelegatingSubject.java:387)
>   at 
> org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:362)
>   at 
> org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
>   at 
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
>   at 
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
>   at 
> org.apache.knox.gateway.filter.ResponseCookieFilter.doFilter(ResponseCookieFilter.java:49)
>   at 
> org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
>   at 
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
>   at 
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
>   at 
> org.apache.knox.gateway.filter.XForwardedHeaderFilter.doFilter(XForwardedHeaderFilter.java:50)
>   at 
> org.apache.knox.gateway.filter.AbstractGatewayFilter.doFilter(AbstractGatewayFilter.java:58)
>   at 
> org.apache.knox.gateway.GatewayFilter$Holder.doFilter(GatewayFilter.java:349)
>   at 
> org.apache.knox.gateway.GatewayFilter$Chain.doFilter(GatewayFilter.java:263)
>   at 
> org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:167)
>   at org.apache.knox.gateway.GatewayFilter.doFilter(GatewayFilter.java:92)
>   at 
> org.apache.knox.gateway.GatewayServlet.service(GatewayServlet.java:135)
>   at 
> org.eclipse.jetty.servlet.ServletHolder$NotAsyncServlet.service(ServletHolder.java:1386)
>   at 
> org.eclipse.jetty.servlet.ServletHolder.handle(ServletHolder.java:755)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1617)
>   at 
> org.eclipse.jetty.websocket.server.WebSocketUpgradeFilter.doFilter(WebSocketUpgradeFilter.java:226)
>   at 
> org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1604)
>   at 
> org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:545)
>   at 
> org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
>   at 
> org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:590)
>   at 
> org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:127)
>   at 
> 

[jira] [Updated] (KNOX-2264) Docker - move from docker-maven-plugin to dockerfile-maven

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2264?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2264:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Docker - move from docker-maven-plugin to dockerfile-maven
> --
>
> Key: KNOX-2264
> URL: https://issues.apache.org/jira/browse/KNOX-2264
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Build, docker
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
>
> https://github.com/spotify/docker-maven-plugin is inactive. Should use 
> https://github.com/spotify/dockerfile-maven instead.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-799) Rewrite rules for handling of trailing slash '/'

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-799:
-

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Rewrite rules for handling of trailing slash '/' 
> -
>
> Key: KNOX-799
> URL: https://issues.apache.org/jira/browse/KNOX-799
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Nishant Bangarwa
> Priority: Major
> Fix For: 2.1.0
>
>
> I am trying to use Knox as a proxy for Superset, which is a Flask application. 
> Flask applications behave differently when we add or remove the trailing 
> slash in the URL. 
> In Superset we have URLs both with and without a trailing slash, and the 
> expected behavior is to keep the trailing '/' if it's in the input URL, i.e., 
> do an exact match for the path and substitute it in the template, including 
> the trailing '/'. 
> Consider the case of these two URLs - 
> 1) /users/list/
> 2) /users/add
> Now when I use the following rewrite rule - 
> {code}
>  pattern="*://*:*/**/superset-ui/{path=**}">
>   
> 
> {code}
> It removes trailing slash from all the matching urls.
> The expected behavior for knox is to preserve trailing '/' in the urls while 
> rewriting. 



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1591) Remove NODEUI service since it doesn't work in current state

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1591?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1591:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Remove NODEUI service since it doesn't work in current state
> 
>
> Key: KNOX-1591
> URL: https://issues.apache.org/jira/browse/KNOX-1591
> Project: Apache Knox
> Issue Type: Improvement
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1591.patch
>
>
> NODEUI is a service definition introduced in KNOX-975. There have been other 
> fixes like KNOX-1207 that should resolve the underlying node link issues.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-2644) Topology names should be validated when uploaded via API

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2644:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Topology names should be validated when uploaded via API
> 
>
> Key: KNOX-2644
> URL: https://issues.apache.org/jira/browse/KNOX-2644
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 1.5.0
> Reporter: Philip Zampino
> Priority: Major
> Fix For: 2.1.0
>
>
> DefaultTopologyService#deployTopology does not validate the topology's name 
> to prevent the creation of files outside the location or intent of the API. 
> The name could be something like _*../gateway-site*_, which could be used to 
> overwrite the gateway configuration.
> (e.g., _KNOX_HOME_/conf/topologies/../gateway-site.xml)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
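
The name check that KNOX-2644 above and KNOX-2643 earlier in this archive both ask for, sketched in Java as an added example; it is not Knox's own code, and ResourceNameValidator, resolveInside, deploy, the allow-list pattern and the temporary directory layout are assumptions made for the illustration. It binds an uploaded topology, descriptor or provider-config name to its expected directory before anything is written.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

// Added illustration, not Apache Knox code: class, method and directory names are hypothetical.
public class ResourceNameValidator {

    // Assumed policy: a name is a single path segment of letters, digits, '.', '_' or '-',
    // starting with a letter or digit, so "..", "../x", "a/b" and absolute paths never match.
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,127}");

    /**
     * Resolves name + extension inside baseDir, or throws if the result would
     * land anywhere other than directly in baseDir.
     */
    static Path resolveInside(Path baseDir, String name, String extension) {
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid resource name: " + name);
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path target = base.resolve(name + extension).normalize();
        // Defence in depth: even if the allow-list is loosened later, the
        // normalized target must still be a direct child of the base directory.
        if (!base.equals(target.getParent())) {
            throw new IllegalArgumentException("name resolves outside " + base + ": " + name);
        }
        return target;
    }

    /** Validates first, then writes; an existing symlink at the target is not followed. */
    static Path deploy(Path baseDir, String name, String extension, byte[] content) throws IOException {
        Path target = resolveInside(baseDir, name, extension);
        if (Files.isSymbolicLink(target)) {
            throw new IOException("refusing to write through symlink: " + target);
        }
        return Files.write(target, content);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the issue text: conf/topologies beside conf/gateway-site.xml.
        Path conf = Files.createTempDirectory("knox-conf-demo");
        Path topologies = Files.createDirectory(conf.resolve("topologies"));
        Path gatewaySite = Files.write(conf.resolve("gateway-site.xml"),
                "<configuration/>".getBytes(StandardCharsets.UTF_8));

        // Constructed sample names; "../gateway-site" is the case named in the issue.
        String[] names = {"sandbox", "../gateway-site", "..", "nested/topology", ""};
        byte[] body = "<topology/>".getBytes(StandardCharsets.UTF_8);
        for (String name : names) {
            try {
                Path written = deploy(topologies, name, ".xml", body);
                System.out.println("accepted: " + name + " -> " + written.getFileName());
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }

        String after = new String(Files.readAllBytes(gatewaySite), StandardCharsets.UTF_8);
        System.out.println("gateway-site.xml unchanged: " + after.equals("<configuration/>"));
    }
}
```

Only "sandbox" is written; the other names are rejected before any file is touched, and gateway-site.xml keeps its original content.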


[jira] [Updated] (KNOX-2362) Extend KnoxShell Commands to publish KnoxShellTable to JDBC Data Source

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2362:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Extend KnoxShell Commands to publish KnoxShellTable to JDBC Data Source
> ---
>
> Key: KNOX-2362
> URL: https://issues.apache.org/jira/browse/KNOX-2362
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Larry McCay
>Assignee: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>
> Given a KnoxShellTable with its headers and values, we should be able to 
> generate DDL with a best guess of types based on the values which could be 
> used to publish the table to Hive or other JDBC datasources.





[jira] [Updated] (KNOX-2096) Create new column from existing columns

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2096:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Create new column from existing columns
> ---
>
> Key: KNOX-2096
> URL: https://issues.apache.org/jira/browse/KNOX-2096
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Ljmiv
>Assignee: Ljmiv
>Priority: Major
> Fix For: 2.1.0
>
>
> Need ability to create a new column based on a mathematical operation between 
> existing columns (Column A + Column B = Column C).





[jira] [Updated] (KNOX-899) Trailing slashes when proxying UIs causes issues

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-899?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-899:
-

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Trailing slashes when proxying UIs causes issues
> 
>
> Key: KNOX-899
> URL: https://issues.apache.org/jira/browse/KNOX-899
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: Solr_Admin.png
>
>
> From KNOX-841: 
> {quote}
> The biggest thing is that https://localhost:8443/gateway/default/solr 
> (without the trailing slash) results in a bad rendering of the Solr UI page. 
> With the trailing slash it works just fine.
> {quote}
> Response by [~sumit.gupta]
> {quote}
> Thanks for testing it [~risdenk]! The trailing slash issue with UI proxying 
> seems to be a recurring thing. At this point we should file a bug for that. 
> Since you discovered it, it would be great if you could file it.
> {quote}





[jira] [Updated] (KNOX-2688) Knox does not honour token limit per user

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2688?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2688:
--

Due to the pending 2.0.0 release this JIRA has been pushed out to 2.1.0 as part 
of a bulk update. If there is a specific reason to pull this back into the 
2.0.0 release and you intend to provide a PR in the next few days please 
provide justification and reset the Fix Version to 2.0.0.

> Knox does not honour token limit per user
> -
>
> Key: KNOX-2688
> URL: https://issues.apache.org/jira/browse/KNOX-2688
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>
> *Steps to reproduce:*
>  * configure Knox's performance test tool as follows:
>  ** perf.test.usecase.knoxtoken.numOfThreads = 20
>  ** perf.test.usecase.knoxtoken.topology.gateway=homepage
>  ** perf.test.usecase.knoxtoken.requestDelayLowerBoundInSecs=1
>  ** perf.test.usecase.knoxtoken.requestDelayUpperBoundInSecs=3
>  * run the tool
> Observation: Knox allows more than 10 tokens to be created for the {{guest}} 
> user. This should not be the case because the default token limit is 10.
> *RCA:*
> There is a gap between the token limit check and the actual place where the 
> token metadata is saved in the underlying token backend. Thus - in the case 
> of several threads acquiring tokens - the flow lets this check pass and 
> Knox continues to create the token.
> *Additional information:*
> This issue cannot be reproduced by generating tokens on the Token Generation 
> page since it requires a multi-threaded and highly concurrent ENV to happen.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
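
The gap described in the KNOX-2688 RCA above is a check-then-act race. The following added example (not Apache Knox code; the class names, the in-memory counters and the 5 ms sleep standing in for token creation are assumptions) runs 20 threads against a limit of 10, first with the check and the save as separate steps, then with the slot reserved atomically before the token is created.

```java
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;

/** Added illustration; hypothetical classes, not part of Apache Knox. */
public class TokenLimitRace {
    static final int LIMIT = 10;    // default token limit quoted in the issue
    static final int THREADS = 20;  // numOfThreads from the reproduction steps

    interface Issuer {
        boolean issue(String user) throws InterruptedException;
    }

    /** Limit check and metadata save are separate steps: the pattern the RCA describes. */
    static class CheckThenSave implements Issuer {
        private final ConcurrentHashMap<String, AtomicInteger> saved = new ConcurrentHashMap<>();

        @Override
        public boolean issue(String user) throws InterruptedException {
            AtomicInteger count = saved.computeIfAbsent(user, u -> new AtomicInteger());
            if (count.get() >= LIMIT) {   // every thread can pass this before any save happens
                return false;
            }
            Thread.sleep(5);              // stands in for token creation work
            count.incrementAndGet();      // metadata saved after the check
            return true;
        }
    }

    /** The slot is reserved in one atomic step, so the limit holds under concurrency. */
    static class ReserveThenCreate implements Issuer {
        private final ConcurrentHashMap<String, Integer> reserved = new ConcurrentHashMap<>();

        @Override
        public boolean issue(String user) throws InterruptedException {
            boolean[] granted = {false};
            reserved.compute(user, (u, n) -> {   // compute() runs atomically per key
                int current = (n == null) ? 0 : n;
                if (current >= LIMIT) {
                    return n;
                }
                granted[0] = true;
                return current + 1;
            });
            if (!granted[0]) {
                return false;
            }
            try {
                Thread.sleep(5);          // stands in for token creation work
                return true;
            } catch (InterruptedException e) {
                release(user);            // give the slot back if creation did not finish
                throw e;
            }
        }

        void release(String user) {
            reserved.computeIfPresent(user, (u, n) -> n > 1 ? n - 1 : null);
        }
    }

    /** Releases all threads at once and returns how many tokens were granted. */
    static int run(Issuer issuer) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(THREADS);
        CountDownLatch start = new CountDownLatch(1);
        AtomicInteger granted = new AtomicInteger();
        for (int i = 0; i < THREADS; i++) {
            pool.submit(() -> {
                try {
                    start.await();
                    if (issuer.issue("guest")) {
                        granted.incrementAndGet();
                    }
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                }
            });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(10, TimeUnit.SECONDS);
        return granted.get();
    }

    public static void main(String[] args) throws InterruptedException {
        // The first figure usually exceeds LIMIT; the second never does.
        System.out.println("check-then-save granted:     " + run(new CheckThenSave()));
        System.out.println("reserve-then-create granted: " + run(new ReserveThenCreate()));
    }
}
```

With a shared token backend the same reservation has to be made atomic in the backend itself (for example a conditional insert or a transaction), since an in-process map only protects a single gateway instance.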


[jira] [Updated] (KNOX-925) Configurable - Encryption Algorithm and it's key size, Salt and iteration count for PBKDF

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-925?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-925:
-
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Configurable - Encryption Algorithm and it's key size, Salt and iteration 
> count for PBKDF
> -
>
> Key: KNOX-925
> URL: https://issues.apache.org/jira/browse/KNOX-925
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 0.11.0
>Reporter: Krishna Pandey
>Priority: Minor
> Fix For: 2.1.0
>
>
> We can make key length configurable to be used with the RSA algorithm, so 
> that Users can set the value as per current cryptography guidelines.
> Also, in a password-based key derivation function, the base key is a password 
> and the other parameters are a salt value and an iteration count. An 
> iteration count has traditionally served the purpose of increasing the cost 
> of generating keys from a password. We can keep the Scheme, Salt and 
> Iteration Count configurable for Users to fine tune as per their requirements.





[jira] [Updated] (KNOX-2358) Reload the Knox Home page upon topology changes

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2358?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2358:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Reload the Knox Home page upon topology changes
> ---
>
> Key: KNOX-2358
> URL: https://issues.apache.org/jira/browse/KNOX-2358
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Homepage
>Affects Versions: 1.4.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Minor
> Fix For: 2.1.0
>
>
> It would be nice if the Knox home page got reloaded when Knox redeploys a 
> topology. Using push notifications seems to be a good way to do this.
> Alternatively, a client-side poll can be configured to fetch changes from the 
> Knox back-end.





[jira] [Updated] (KNOX-1674) Remove nimbus-jose-jwt allowWeakKey

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1674?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1674:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Remove nimbus-jose-jwt allowWeakKey
> ---
>
> Key: KNOX-1674
> URL: https://issues.apache.org/jira/browse/KNOX-1674
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> We should remove the ability to use 1024 bit certificates with 
> nimbus-jose-jwt. We put allowWeakKey to not break existing users. This should 
> change with 2.0.0





[jira] [Updated] (KNOX-2828) Token generation maximum token ttl unlimited not working when lifespan input is disabled

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2828?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2828:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Token generation maximum token ttl unlimited not working when lifespan input 
> is disabled
> 
>
> Key: KNOX-2828
> URL: https://issues.apache.org/jira/browse/KNOX-2828
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Homepage, Server
>Reporter: Balazs Marton
>Priority: Minor
> Fix For: 2.1.0
>
>
> Even though there's no documentation about this feature, when the _KNOXTOKEN_ 
> service param _knox.token.ttl_ is set to _-1_ in the _homepage_ topology, the 
> token generation site indicates that the generated token lifetime can be 
> _unlimited_. Combining this with configuring the 
> _knox.token.lifespan.input.enabled_ param of the _KNOXTOKEN_ service to 
> _false_ and generating a token results in a token whose expiry 
> date is: _01/01/1970, 00:59:59._
> Configurations for recreation of the problem:
> In homepage topology KNOXTOKEN service
> {code:java}
> <param>
>   <name>knox.token.ttl</name>
>   <value>-1</value>
> </param>
> <param>
>   <name>knox.token.lifespan.input.enabled</name>
>   <value>false</value>
> </param>
> {code}
>  





[jira] [Updated] (KNOX-2643) TopologyService should validate descriptor and provider config file paths

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2643:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> TopologyService should validate descriptor and provider config file paths
> -
>
> Key: KNOX-2643
> URL: https://issues.apache.org/jira/browse/KNOX-2643
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.5.0
>Reporter: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>
> DefaultTopologyService#deployProviderConfiguration and 
> DefaultTopologyService#deployDescriptor blindly trust the file name without 
> validating that the location will be bound to the expected resource directory 
> (e.g., sharedProvidersDirectory, descriptorsDirectory).
> Names that would place the file outside the expected location or intent 
> (e.g., ../gateway-site.xml) should be rejected.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Updated] (KNOX-1704) Upgrade to JUnit 5

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1704?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1704:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Upgrade to JUnit 5
> --
>
> Key: KNOX-1704
> URL: https://issues.apache.org/jira/browse/KNOX-1704
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Tests
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1704.patch
>
>
> JUnit 5 has been out for a while now. 





[jira] [Updated] (KNOX-2528) Tracking URL link in YARN for Killed applications broken

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2528:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Tracking URL link in YARN for Killed applications broken
> 
>
> Key: KNOX-2528
> URL: https://issues.apache.org/jira/browse/KNOX-2528
> Project: Apache Knox
>  Issue Type: Bug
>Affects Versions: 1.4.0
>Reporter: Iain Buclaw
>Priority: Major
> Fix For: 2.1.0
>
> Attachments: image-2021-01-11-11-53-33-672.png
>
>
> The Tracking UI History link for all jobs under /yarn/cluster/apps/KILLED are 
> broken.
>  
> The service port and path suggest that it's a link intended for the Timeline 
> Server UI, which is currently unimplemented, see KNOX-1032.
>  
> Steps to reproduce are:
>  # Start a mid-to-long running spark job, I picked 
> `org.apache.spark.examples.SparkPi` with an argument of `10`.
>  # Kill the running job: `yarn application -kill 
> application_1610360301299_0002`
>  # In YARN, navigate to Applications/KILLED, and see the link at the end of 
> the row.  It'll be in the form of 
> [http://dataproc-m:8188/applicationhistory/app/application_1610360301299_0002]
>  
> !image-2021-01-11-11-53-33-672.png!





[jira] [Updated] (KNOX-2644) Topology names should be validated when uploaded via API

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2644?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2644:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Topology names should be validated when uploaded via API
> 
>
> Key: KNOX-2644
> URL: https://issues.apache.org/jira/browse/KNOX-2644
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.5.0
>Reporter: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>
> DefaultTopologyService#deployTopology does not validate the topology's name 
> to prevent the creation of files outside the location or intent of the API. 
> The name could be something like _*../gateway-site*_, which could be used to 
> overwrite the gateway configuration.
> (e.g., _KNOX_HOME_/conf/topologies/../gateway-site.xml)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
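
The validation that KNOX-2643 and KNOX-2644 ask for (reject names such as ../gateway-site before a file is written) can be sketched as below. This is an added example, not Apache Knox code: the class ResourceNameValidator, its method and the allow-list pattern are assumptions, and the directory is a constructed temp directory that mirrors _KNOX_HOME_/conf/topologies.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.regex.Pattern;

/** Added illustration; hypothetical class, not part of Apache Knox. */
public class ResourceNameValidator {

    // Assumption: a conservative allow-list for resource names. No separators,
    // no leading dot, bounded length. The project's real naming rules may differ.
    private static final Pattern SAFE_NAME =
            Pattern.compile("[A-Za-z0-9][A-Za-z0-9._-]{0,99}");

    /**
     * Returns the file that name + extension maps to inside baseDir, or throws
     * if the name is malformed or the resolved path is not a direct child of baseDir.
     */
    public static Path resolveInside(Path baseDir, String name, String extension)
            throws IOException {
        // Layer 1: syntactic check on the untrusted name.
        if (name == null || !SAFE_NAME.matcher(name).matches() || name.contains("..")) {
            throw new IllegalArgumentException("Rejected resource name: " + name);
        }
        // Layer 2: containment check on the resolved path, independent of layer 1,
        // so a later loosening of the pattern cannot reintroduce the traversal.
        Path base = baseDir.toRealPath();
        Path candidate = base.resolve(name + extension).normalize();
        if (!base.equals(candidate.getParent())) {
            throw new IllegalArgumentException("Path leaves " + base + ": " + candidate);
        }
        // Layer 3: an existing symbolic link at the target could redirect the write.
        if (Files.isSymbolicLink(candidate)) {
            throw new IllegalArgumentException("Target is a symbolic link: " + candidate);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/conf/topologies, with gateway-site.xml one level up.
        Path home = Files.createTempDirectory("knox-home-demo");
        Path topologies = Files.createDirectories(home.resolve("conf").resolve("topologies"));

        // Constructed sample names; "../gateway-site" is the case from the issue text.
        String[] names = {"sandbox", "prod.cluster-1", "../gateway-site", "..", "a/b", ""};
        for (String name : names) {
            try {
                System.out.println("accepted: " + resolveInside(topologies, name, ".xml"));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The same call covers the descriptor and shared-provider directories named in KNOX-2643 by passing the corresponding base directory and extension.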


[jira] [Updated] (KNOX-2580) Adding a token in TokenStateService should work with token metadata

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2580?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2580:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Adding a token in TokenStateService should work with token metadata
> ---
>
> Key: KNOX-2580
> URL: https://issues.apache.org/jira/browse/KNOX-2580
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently, when token management is enabled and a token is being created, 
> two subsequent method invocations are made:
>  * addToken(...)
>  * addMetadata(String, TokenMetadata)
> This should be refactored in a way that these two methods are merged as 
> {{addToken(String, TokenMetadata)}}





[jira] [Updated] (KNOX-2096) Create new column from existing columns

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2096?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2096:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Create new column from existing columns
> ---
>
> Key: KNOX-2096
> URL: https://issues.apache.org/jira/browse/KNOX-2096
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Ljmiv
>Assignee: Ljmiv
>Priority: Major
> Fix For: 2.1.0
>
>
> Need ability to create a new column based on a mathematical operation between 
> existing columns (Column A + Column B = Column C).





[jira] [Updated] (KNOX-799) Rewrite rules for handling of trailing slash '/'

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-799:
-
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Rewrite rules for handling of trailing slash '/' 
> -
>
> Key: KNOX-799
> URL: https://issues.apache.org/jira/browse/KNOX-799
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Nishant Bangarwa
>Priority: Major
> Fix For: 2.1.0
>
>
> I am trying to use knox as a proxy for superset which is a flask application. 
> Flask applications behave differently when we add or remove trailing 
> slash in the URL. 
> In superset we have urls both with and without trailing slash and the 
> expected behavior is to keep trailing ‘/‘ if it's in the input URL, i.e. do 
> exact match for the path and substitute it in template including trailing 
> ‘/'. 
> Consider the case of these two URLs - 
> 1) /users/list/
> 2) /users/add
> Now when I use following rewrite rule - 
> {code}
>  pattern="*://*:*/**/superset-ui/{path=**}">
>   
> 
> {code}
> It removes trailing slash from all the matching urls.
> The expected behavior for knox is to preserve trailing '/' in the urls while 
> rewriting. 





[jira] [Updated] (KNOX-1953) Figure out how to publish Knox Docker image

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1953?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1953:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Figure out how to publish Knox Docker image
> ---
>
> Key: KNOX-1953
> URL: https://issues.apache.org/jira/browse/KNOX-1953
> Project: Apache Knox
>  Issue Type: Sub-task
>  Components: Build
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently we provide the ability to build a Knox Docker image. It would be 
> helpful if we could publish it.





[jira] [Updated] (KNOX-1991) Rewrite websocket data

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1991?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1991:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Rewrite websocket data
> --
>
> Key: KNOX-1991
> URL: https://issues.apache.org/jira/browse/KNOX-1991
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Affects Versions: 1.4.0
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently Knox does not rewrite Websocket data; we need to explore a way to 
> do it.
> Current rewrite engine is filter based so cannot be directly applied to 
> Websocket traffic.





[jira] [Updated] (KNOX-1860) Need redirect to login when SSO cookie expires

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1860?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1860:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Need redirect to login when SSO cookie expires
> --
>
> Key: KNOX-1860
> URL: https://issues.apache.org/jira/browse/KNOX-1860
> Project: Apache Knox
>  Issue Type: Bug
>  Components: AdminUI
>Affects Versions: 1.2.0
>Reporter: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>
> When Knox SSO is in play, the Admin UI can become unusable when the SSO 
> cookie expires. All of the underlying API calls fail, and content is not 
> displayed; the behavior is confusing to users who really need to know that 
> they need to login again.
> Reloading the app/page is the simple work-around if the user understands what 
> is happening, but it will be better if the app itself could recognize this 
> state, and redirect the user to the login screen.





[jira] [Updated] (KNOX-1852) Simplify ZookeeperRemoteAliasService and make it generic

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1852?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1852:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Simplify ZookeeperRemoteAliasService and make it generic
> 
>
> Key: KNOX-1852
> URL: https://issues.apache.org/jira/browse/KNOX-1852
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> ZookeeperRemoteAliasService class can be made more generic to support future 
> implementations of AliasService that depend on 
> RemoteConfigurationRegistryClient class. Currently, we only have Zookeeper 
> implementation. The purpose of this Jira is to document the following two 
> enhancements to ZookeeperRemoteAliasService class to make it more generic:
>  # Change the name to something more generic
>  # Move the Zookeeper specific implementation to the class that implements 
> RemoteConfigurationRegistryClient, CuratorClientService in case of Zookeeper 
> service. As an example.
>  ## ZookeeperRemoteAliasService.ensureEntry() logic
>  ## AUTHENTICATED_USERS_ALL
>  ## TYPE
> This will be helpful when we decide to implement support for services like 
> consul.
> This is a result of offline discussion with [~pzamp...@apache.org] about 
> KNOX-1851.





[jira] [Updated] (KNOX-1865) Admin UI Provider Config Forms need Tooltips/Help Text

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1865?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1865:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Admin UI Provider Config Forms need Tooltips/Help Text
> --
>
> Key: KNOX-1865
> URL: https://issues.apache.org/jira/browse/KNOX-1865
> Project: Apache Knox
>  Issue Type: Bug
>  Components: AdminUI
>Reporter: Larry McCay
>Assignee: Ljmiv
>Priority: Major
> Fix For: 2.1.0
>
>
> While the Provider Configuration pages in the UI are a nicer experience than 
> having to hand edit XML for many people, for those that don't have the 
> context of the configuration from prior knowledge of the underlying providers 
> and what the params mean - many of the fields are ambiguous.
> We need to provide at least some tooltips for some of the easier fields and 
> perhaps a [?] link with more help than would be possible in a simple tooltip. 
> Possibly linking to online docs in the user guide with more details would be 
> good as well.





[jira] [Updated] (KNOX-1790) Docker - Handle custom Knox master secret

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1790?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1790:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Docker - Handle custom Knox master secret
> -
>
> Key: KNOX-1790
> URL: https://issues.apache.org/jira/browse/KNOX-1790
> Project: Apache Knox
>  Issue Type: Sub-task
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>






[jira] [Updated] (KNOX-1741) KnoxSSO to Support IDP Initiated Flow

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1741?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1741:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> KnoxSSO to Support IDP Initiated Flow
> -
>
> Key: KNOX-1741
> URL: https://issues.apache.org/jira/browse/KNOX-1741
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxSSO
>Reporter: Larry McCay
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently, KnoxSSO is constrained to an SP Initiated Flow - meaning, the user 
> must attempt to access a participating application before s/he is redirected 
> to an IdP for authentication.
> This restriction has been problematic for some deployments that have multiple 
> tenants or realms since the participating application has only a single URL 
> to redirect to when authentication is required.
> This JIRA is an umbrella for a few tasks in order to enable the following:
> # A landing page that displays a portal of available Topologies and then 
> services/UIs within each. Need to determine which topologies to include - 
> maybe only those protected by KnoxSSO - which will require some Admin API 
> calls. This will be similar to the Okta portal page with tiles for UIs and 
> Services.
> # KnoxSSO protection of the landing page to ensure that the user is logged in
> # A login form that includes username, password and realm - or perhaps a top 
> level page that requires realm only. This can become the URL that 
> participating applications redirect the user to when a new authentication is 
> required.
> # Clicking into a Service rather than a UI should result in a REST Client 
> Page where the KnoxSSO token will be presented and results returned in a 
> scrollable textarea or meaningful rendering of JSON in a tree or table.





[jira] [Updated] (KNOX-1706) Look at using WebJars for knoxauth application

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1706?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1706:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Look at using WebJars for knoxauth application
> --
>
> Key: KNOX-1706
> URL: https://issues.apache.org/jira/browse/KNOX-1706
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently knoxauth doesn't integrate with the Maven build. It would be nice 
> to be able to specify dependencies via Maven if possible. WebJars could be 
> helpful here: https://www.webjars.org/





[jira] [Updated] (KNOX-1729) Add support for proxying Grafana

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1729:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Add support for proxying Grafana
> 
>
> Key: KNOX-1729
> URL: https://issues.apache.org/jira/browse/KNOX-1729
> Project: Apache Knox
>  Issue Type: New Feature
>Reporter: Papirkovskyy Myroslav
>Priority: Major
> Fix For: 2.1.0
>
>
> Provide UI proxy support for the Grafana UI





[jira] [Updated] (KNOX-1725) gateway.custom.federation.header.name property should be at a dispatch level

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1725?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1725:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> gateway.custom.federation.header.name property should be at a dispatch level
> 
>
> Key: KNOX-1725
> URL: https://issues.apache.org/jira/browse/KNOX-1725
> Project: Apache Knox
>  Issue Type: New Feature
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently for topology federation feature the property 
> "gateway.custom.federation.header.name" needs to be updated in 
> gateway-site.xml. This property needs to be part of the dispatch so that it 
> can be set in the topology file. 
>  
> KNOX-1728 plans to add some changes that will make this simpler.





[jira] [Updated] (KNOX-1652) Move Atlas dispatches to their own module

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1652?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1652:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Move Atlas dispatches to their own module
> -
>
> Key: KNOX-1652
> URL: https://issues.apache.org/jira/browse/KNOX-1652
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
>  Labels: atlas
> Fix For: 2.1.0
>
>
> Currently Atlas dispatches live in the gateway-provider-ha module. These 
> classes should be moved to their own module for better separation.





[jira] [Updated] (KNOX-1614) Improve error propagation for topology deployments

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1614?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1614:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Improve error propagation for topology deployments
> --
>
> Key: KNOX-1614
> URL: https://issues.apache.org/jira/browse/KNOX-1614
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> KNOX-1612 highlighted that there can be better error propagation throughout 
> the topology redeployment. Catching throwable everywhere seems wrong. We 
> should look at this and improve it.





[jira] [Updated] (KNOX-1439) HA Dispatch implementations should differentiate IOExceptions

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1439?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1439:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> HA Dispatch implementations should differentiate IOExceptions
> -
>
> Key: KNOX-1439
> URL: https://issues.apache.org/jira/browse/KNOX-1439
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.1.0
>Reporter: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>
> The HA Dispatch implementations catch IOException, and initiate failover 
> logic regardless of the type of error the exception represents. For instance, 
> some IOExceptions indicate interrupted data transfer while others represent 
> connection errors.
> This distinction is especially important for PUT and POST requests, for which 
> InputStreamEntity is used for the content. InputStreamEntity is a 
> non-repeatable entity type, making the results of subsequent attempts 
> unreliable.
> We should probably only failover / retry on connection-related IOException 
> types:
>  * java.net.SocketException
>  * java.net.UnknownHostException
> And return an error response to the client for other IOException types. Maybe 
> it makes sense to consider the HTTP method to make this decision (e.g., retry 
> GET requests, but not PUT or POST).
> The affected dispatch implementations include at least:
>  * org.apache.knox.gateway.ha.dispatch.DefaultHaDispatch
>  * org.apache.knox.gateway.ha.dispatch.AtlasApiHaDispatch
>  * org.apache.knox.gateway.ha.dispatch.AtlasHaDispatch
>  * org.apache.knox.gateway.dispatch.NiFiHaDispatch
>  * org.apache.knox.gateway.hdfs.dispatch.AbstractHdfsHaDispatch
>  
> If retry is configured, but we won't retry, then perhaps 
> java.net.HttpRetryException should be thrown.
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
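
The decision rule proposed in KNOX-1439 above (fail over only on connection-related IOException types, and take the HTTP method and entity repeatability into account) can be written as a small policy function. This is an added example, not code from the Knox HA dispatches: the class FailoverPolicy, the Decision enum, the set of replayable methods and the sample exceptions are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.net.SocketException;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.util.Locale;
import java.util.Set;

/** Added illustration; hypothetical class, not part of Apache Knox. */
public class FailoverPolicy {

    enum Decision { FAILOVER, RETURN_ERROR }

    // Assumption: methods treated as safe to send again to another backend.
    private static final Set<String> REPLAYABLE_METHODS = Set.of("GET", "HEAD", "OPTIONS");

    /** The two connection-related types named in the issue (subclasses included). */
    static boolean isConnectionError(IOException e) {
        return e instanceof SocketException || e instanceof UnknownHostException;
    }

    /**
     * Fails over only when the error is connection-related AND the request can be
     * sent again. SocketException also covers "Connection reset" after part of a
     * body was streamed, so a non-repeatable PUT/POST entity is never replayed.
     */
    static Decision decide(IOException e, String method, boolean entityRepeatable) {
        if (!isConnectionError(e)) {
            return Decision.RETURN_ERROR;
        }
        boolean replayable =
                REPLAYABLE_METHODS.contains(method.toUpperCase(Locale.ROOT)) || entityRepeatable;
        return replayable ? Decision.FAILOVER : Decision.RETURN_ERROR;
    }

    public static void main(String[] args) {
        // Constructed cases: exception, HTTP method, whether the entity is repeatable.
        Object[][] cases = {
            {new ConnectException("Connection refused"), "GET", false},
            {new UnknownHostException("backend-1.example.invalid"), "PUT", true},
            {new SocketException("Connection reset"), "POST", false},
            // SocketTimeoutException extends InterruptedIOException, not SocketException,
            // so under the rule from the issue a read timeout does not trigger failover.
            {new SocketTimeoutException("Read timed out"), "GET", false},
            {new IOException("Premature end of stream"), "PUT", false},
        };
        for (Object[] c : cases) {
            IOException e = (IOException) c[0];
            String method = (String) c[1];
            boolean repeatable = (Boolean) c[2];
            System.out.printf("%-24s %-5s repeatable=%-5s -> %s%n",
                    e.getClass().getSimpleName(), method, repeatable,
                    decide(e, method, repeatable));
        }
    }
}
```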


[jira] [Updated] (KNOX-1653) Atlas dispatches - Add tests and reduce duplication

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1653?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1653:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Atlas dispatches - Add tests and reduce duplication
> ---
>
> Key: KNOX-1653
> URL: https://issues.apache.org/jira/browse/KNOX-1653
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Kevin Risden
>Priority: Major
> Fix For: 2.1.0
>
>
> Currently there are a few Atlas dispatches that should be cleaned up to avoid 
> duplication. It would be better to be able to configure a dispatch instead of 
> having to copy to new dispatches.
> See KNOX-1559





[jira] [Updated] (KNOX-1432) Knox directories should not be world readable (conf, logs, data etc.)

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1432?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1432:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Knox directories should not be world readable (conf, logs, data etc.)
> -
>
> Key: KNOX-1432
> URL: https://issues.apache.org/jira/browse/KNOX-1432
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1432.002.patch, KNOX-1432.patch
>
>
> Knox directories need not be open to everyone; out of the box, important 
> directories should have restricted permissions (except samples and templates).





[jira] [Updated] (KNOX-1425) UI Changes to include dispatch element in topology

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1425?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1425:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> UI Changes to include dispatch element in topology 
> ---
>
> Key: KNOX-1425
> URL: https://issues.apache.org/jira/browse/KNOX-1425
> Project: Apache Knox
> Issue Type: Bug
> Components: AdminUI
> Reporter: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> As part of KNOX-1339 cloud federation, the topology element now contains a 
> dispatch element and the Admin UI needs to be updated to take that into account.
> {code:java}
> 
>     
>      
> ...
> 
> ...
> 
>              
>                          
>             
> org.apache.hadoop.gateway.hbase.HBaseDispatch
>              
>              
>              
>         
> 
>  
> 
> {code}





[jira] [Updated] (KNOX-1380) Create an Admin API to return a topology status

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1380?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1380:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Create an Admin API to return a topology status
> ---
>
> Key: KNOX-1380
> URL: https://issues.apache.org/jira/browse/KNOX-1380
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Affects Versions: 1.1.0
> Reporter: J.Andreina
> Priority: Major
> Fix For: 2.1.0
>
>
> Currently we have an Admin API to return the list of topologies (which will 
> also return a topology that is not deployed completely, as it just lists the 
> files in the topology directory).
> We need an Admin API to return the status of a topology (whether the 
> topology is activated or not).





[jira] [Updated] (KNOX-1355) Knox not honoring originalUrl when pac4j federation is used

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1355?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1355:
--
Fix Version/s: 2.1.0
   (was: 2.0.0)

> Knox not honoring originalUrl when pac4j federation is used
> ---
>
> Key: KNOX-1355
> URL: https://issues.apache.org/jira/browse/KNOX-1355
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxSSO
> Reporter: DIPAYAN BHOWMICK
> Priority: Major
> Fix For: 2.1.0
>
> Attachments: KNOX-1355.patch, knox_fix_for_dp_keycloak.patch, 
> knoxsso.xml, sequence_diagram.txt
>
>
> I wanted to integrate Keycloak as the IdP provider for Knox using the pac4j 
> federation. This is for an SSO scenario and not Knox Gateway proxy. So, I 
> sent a request to gateway/knoxsso/api/v1/websso?originalUrl=https://service.
> After the redirection to Keycloak and successful authentication, Knox, 
> rather than returning to the requested original URL, redirects to the 
> originally requested URL (i.e. 
> gateway/knoxsso/api/v1/websso?originalUrl=https://service/)
> The complete Sequence diagram is attached. [^sequence_diagram.txt]
> Also, knoxsso.xml is attached as an example. [^knoxsso.xml]





[jira] [Updated] (KNOX-2349) knoxcli convert-topology descriptor-name is not optional

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2349?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2349:
--
Fix Version/s: 2.1.0
   2.1.0
   (was: 2.0.1)

> knoxcli convert-topology descriptor-name is not optional
> 
>
> Key: KNOX-2349
> URL: https://issues.apache.org/jira/browse/KNOX-2349
> Project: Apache Knox
> Issue Type: Bug
> Components: KnoxCLI
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Fix For: 2.1.0
>
>
> The descriptor-name param of the knoxcli command convert-topology, newly 
> introduced in KNOX-2287, is not optional; it should be optional.





[jira] [Updated] (KNOX-1749) Improve Docker integration

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1749?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1749:
--
Fix Version/s: 2.1.0
   2.1.0
   (was: 2.0.1)

> Improve Docker integration
> --
>
> Key: KNOX-1749
> URL: https://issues.apache.org/jira/browse/KNOX-1749
> Project: Apache Knox
> Issue Type: Improvement
> Components: docker
> Reporter: Kevin Risden
> Priority: Major
> Fix For: 2.1.0
>
>
> A few things that come to mind:
>  * start gateway.sh/ldap.sh in the foreground
>  ** This would avoid tailing the log files
>  ** Would allow for proper shutdown of container
>  * Expose gateway.sh/ldap.sh environment variables for customization
>  ** APP_MEM_OPTS/etc
>  * Handle Knox custom master secret





[jira] [Updated] (KNOX-2362) Extend KnoxShell Commands to publish KnoxShellTable to JDBC Data Source

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-2362?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-2362:
--
Fix Version/s: 2.1.0
   2.1.0
   (was: 2.0.1)

> Extend KnoxShell Commands to publish KnoxShellTable to JDBC Data Source
> ---
>
> Key: KNOX-2362
> URL: https://issues.apache.org/jira/browse/KNOX-2362
> Project: Apache Knox
> Issue Type: Improvement
> Components: KnoxShell
> Reporter: Larry McCay
> Assignee: Larry McCay
> Priority: Major
> Fix For: 2.1.0
>
>
> Given a KnoxShellTable with its headers and values, we should be able to 
> generate DDL with a best guess of types based on the values which could be 
> used to publish the table to Hive or other JDBC datasources.





[jira] [Updated] (KNOX-1785) Inject <base> tag to simplify rewrite rules

2022-11-12 Thread Larry McCay (Jira)


 [ 
https://issues.apache.org/jira/browse/KNOX-1785?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Larry McCay updated KNOX-1785:
--
Fix Version/s: 2.1.0
   2.1.0
   (was: 2.0.1)

> Inject <base> tag to simplify rewrite rules
> ---
>
> Key: KNOX-1785
> URL: https://issues.apache.org/jira/browse/KNOX-1785
> Project: Apache Knox
> Issue Type: Improvement
> Components: Server
> Reporter: Sandeep More
> Assignee: Sandeep More
> Priority: Major
> Labels: kip-9
> Fix For: 2.1.0
>
>
> Inserting the [<base> tag|https://www.w3schools.com/tags/tag_base.asp] (or 
> rewriting the existing one if present) will simplify a lot of rewrite rules; 
> we won't have to rewrite relative URLs then, which can be a significant number 
> of rules for doing the same thing again and again. The <base> tag would simplify 
> a lot of things when it comes to rewriting.




