[ https://issues.apache.org/jira/browse/KNOX-640?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15051579#comment-15051579 ]
Larry McCay commented on KNOX-640:
----------------------------------
It seems that in OpenStack environments the hostname provided ends up
looking like a domain since it only has a single "." in it.
For instance, the following is an altered hostname in such an environment:
vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal
Current knoxsso logic treats a name like this as a domain and prepends a dot to
the front to make the domain cookie. This behavior is inaccurate and ends up
meaning that it is only ever sent to the machine where the knoxsso token has
been acquired.
What we really need is to create a domain cookie for .novalocal - this will
ensure that the cookie is sent to all hosts in the same domain.
While the existing logic makes sense for accessing resources at the domain
level - say https://example.com:8443/gateway/sandbox/WEBDHS - it does not when
a single dotted name represents a single host.
knoxsso.cookie.domain.suffix Parameter
What I propose is that we add a service parameter to the WebSSO service. This
parameter would indicate a set of strings that would match domains within a
given hostname. For instance, if we get a hostname for the URL that looks like
vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal and we have
configured a domain.suffix of ".novalocal", then we would match that first and
accept that as the domain for the knoxsso cookie.
Best Match Semantics
This check should also take the approach wherein the most specific domain is
accepted over the least specific, such that "ljm.localnova" is accepted rather
than ".localnova" when they both match.
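Illustration of the proposed suffix matching and best-match semantics, added here as example code (it is not Knox's implementation). It assumes the parameter holds a comma-separated list of suffixes, matches only on label boundaries, and falls back to the current behaviour described above (prepend a dot to a dotted hostname) when no suffix matches; the hostname and parameter value are constructed samples.

```python
from typing import List, Optional, Sequence

# Constructed samples: the hostname quoted in the comment and a hypothetical
# knoxsso.cookie.domain.suffix value (comma-separated list is an assumption).
SAMPLE_HOST = "vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal"
SAMPLE_SUFFIX_PARAM = ".novalocal, ljm.localnova, .localnova"


def parse_suffix_param(value: str) -> List[str]:
    """Split the parameter into normalized suffixes: lowercase, no leading dot."""
    out: List[str] = []
    for raw in value.split(","):
        s = raw.strip().lower().strip(".")
        if s and s not in out:
            out.append(s)
    return out


def best_matching_suffix(hostname: str, suffixes: Sequence[str]) -> Optional[str]:
    """Return the most specific configured suffix matching hostname, or None.

    A suffix matches only on a label boundary (host == suffix or host ends
    with "." + suffix), so "foonovalocal" does not match "novalocal".
    Most specific = most labels, ties broken by length, so "ljm.localnova"
    beats "localnova" when both match.
    """
    host = hostname.strip().lower().rstrip(".")
    best: Optional[str] = None
    for s in suffixes:
        if host == s or host.endswith("." + s):
            if best is None or (s.count("."), len(s)) > (best.count("."), len(best)):
                best = s
    return best


def cookie_domain(hostname: str, suffix_param: str) -> Optional[str]:
    """Domain attribute for the KnoxSSO cookie (leading dot = domain cookie).

    A configured suffix wins. Otherwise fall back to the current behaviour the
    comment describes: prepend a dot to a dotted hostname. A single-label host
    gets None, i.e. a host-only cookie (that fallback is an assumption).
    """
    match = best_matching_suffix(hostname, parse_suffix_param(suffix_param))
    if match is not None:
        return "." + match
    host = hostname.strip().lower().rstrip(".")
    return "." + host if "." in host else None


if __name__ == "__main__":
    print(cookie_domain(SAMPLE_HOST, SAMPLE_SUFFIX_PARAM))  # .novalocal
```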
> Make Cookie Domain Configurable
> -------------------------------
>
> Key: KNOX-640
> URL: https://issues.apache.org/jira/browse/KNOX-640
> Project: Apache Knox
> Issue Type: Sub-task
> Components: Server
> Reporter: Larry McCay
> Assignee: Larry McCay
> Fix For: 0.7.0, 0.8.0
>
>
> In order to provide sufficient control to the administrator that is setting
> up KnoxSSO, we need to make sure that the cookie domain can be deterministic.
> Current implementation tries to derive the domain from the incoming request
> hostname which ends up being insufficient in certain use cases. OpenStack
> environments for instance use hostnames that are hard to tell apart from
> domains. This causes the domain algorithm to calculate an inappropriate one
> which results in the cookie not being presented to all intended parties.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)