During some testing of the proposed 1.1.0 code, I've discovered some NPEs in filters (e.g., AclsAuthorizationFilter, HadoopGroupProviderFilter), which are concerning.
I've committed a change to address the AclsAuthorizationFilter, but seeing similar behavior for the HadoopGroupProviderFilter has increased my concern that there may be a more fundamental problem. In both cases, it seems that the filters are being invoked prior to (or during) their respective init() methods have been invoked. Thus, members which should be initialized in the init() method are not yet initialized. This can be consistently reproduced, though it is a bit of a pain: - Install Knox (‘ant install-test-home’, or just unzip knox-1.1.0.zip) - Start the gateway - Access the Admin UI Note that the latest 1.1.0 source has a *fix* for the AclsAuthorizationFilter NPE, but master does not yet have this change. This is important because that change effectively hides the issue. I think we should determine what's happening with this before producing/testing a release candidate. On Sat, Feb 24, 2018 at 12:57 PM larry mccay <[email protected]> wrote: > All - > > Sorry for the delay on this topic. > > We are going to start of this planning thread with ~85 Unresolved JIRAs in > either 1.1.0 or 0.15.0 fixVersion. > > project = KNOX AND resolution = Unresolved AND fixVersion in (1.1.0, > 0.15.0) ORDER BY priority DESC, updated DESC > > I will spend some time migrating all 0.15.0 to 1.1.0 to begin with and then > we will need to go through and see what is already taken care of or can > wait for a 1.2.0 or later. > > I also have a couple KIPs in mind to target larger features/themes for this > release. > > Off the top of my head: > > * I think we need to address some cloud specific usecases and plan to > provide a KIP for that. Hybrid cloud/federated knox instances, Azure AD > integration, ID mapping from Hadoop user to IAM users/roles, etc. Perhaps > some CASB-like features if they make sense. > > * I also think we need one for articulating a reasonable flow for Logout in > KnoxSSO. There are a lot of little nuances to logout across multiple apps > and between different IDPs. This will require some discussion. > > * Another thing that has been tugging at my interest has been the fact that > we may be able provide some common libraries to help ecosystem applications > uptake the trusted proxy pattern and KnoxSSO. > > Anyway, these are my initial thoughts, please feel free to raise additional > ideas/themes for KIPs, etc. > > I was thinking that we could try and target an end of March or Mid April > 1.1.0 release. > > Thoughts? > > --larry >
