[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-24 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17900778#comment-17900778
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/maven/org.apache.derby-derby-10.17.1.0 from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
> Fix For: 2.1.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896815#comment-17896815
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/multi-9f37c16f8f from 
Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896811#comment-17896811
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/maven/commons-io-commons-io-2.14.0 from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896813#comment-17896813
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/maven/org.apache.hadoop-hadoop-common-3.4.0 from Philip 
Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896809#comment-17896809
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-homepage-ui/multi-9f37c16f8f from 
Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896807#comment-17896807
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/dependabot/maven/jetty.version-9.4.56.v20240826 from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-3073) Token verification fallback to Knox keys behavior should configurable

2024-11-08 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-3073?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17896801#comment-17896801
 ] 

ASF subversion and git services commented on KNOX-3073:
---

Commit 7dd8b4318c8a685985b08cd2870bf212be814db2 in knox's branch 
refs/heads/master from Philip Zampino
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7dd8b4318 ]

KNOX-3073 - Token verification fallback to Knox keys behavior should 
configurable (#949)



> Token verification fallback to Knox keys behavior should configurable
> -
>
> Key: KNOX-3073
> URL: https://issues.apache.org/jira/browse/KNOX-3073
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Philip Zampino
>Assignee: Philip Zampino
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> KNOX-3040 
> ntroduced support for multiple token verification mechanisms (i.e., PEM, 
> jwks) for the same topology (provider instance), falling back to Knox's own 
> signing and TLS keys if any of those configured should fail.
> This behavior may not be expected by some, and we should provide the ability 
> to control the fallback to the Knox keys.
> To support deployments expecting the previous behavior, there should be a 
> provider param for indicating that the new fall-back behavior is desired 
> (e.g., instance-keys-fallback=true), which defaults to false.
> Default Behavior:
>  * Neither PEM nor jwks URL(s) is configured, attempt verification using (in 
> order)
>  ** Knox's signing key
>  ** Knox's TLS key
>  * Only PEM is configured: Knox will attempt verification using ONLY the 
> configured PEM
>  * Only jwks URL(s) are configured: Knox will attempt verification using ONLY 
> the configured jwks URL(s)
>  * PEM AND jwks URL(s) are configured: Knox will attempt verification using 
> ONLY (in order)
>  ** The configured PEM
>  ** The configured jwks URL(s).
> instance-keys-fallback=true Behavior:
>  * Same as default behavior except that in the cases where PEM and/or jwks 
> URL(s) are configured and fail to verify, Knox will subsequently attempt 
> verification using (in order):
>  ** Knox's signing key
>  ** Knox's TLS key
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)