I’m in favor of continuing to stabilize the 0.7.0 branch with the current bits
we have and then doing an 0.8.0 with the new KNOX-641 stuff as quickly as
possible after that.

KNOX-641 ends up providing a wonderful new big feature set and we are going to
need the bandwidth to learn/absorb it.

BTW here is my take on all of the commits from the branch point for 0.6.0.
Seems we are getting better with our CHANGES discipline but there is still a
great deal of room for improvement. The CHANGES file has ~30 entries for 0.7.0
and the list below has about ~90 entries.

[KNOX-639] - Knoxcli.sh create-master should not allow empty strings
KNOX-640 - Make Cookie Domain Configurable
[KNOX-638] - Hive dispatch failing for secure clusters
KNOX-626 Minor fix to namespace parsing
KNOX-637 - Compilation Error in gateway-service-admin and gateway-test test
projects (arshad.mohammad via lmccay)
KNOX-636 - IdentityAsserterHttpServletRequestWrapper must override
getUserPrincipal
KNOX-635 - open up default whitelist for dev - localhost
KNOX-635 - Provide Whitelisting for Redirect Destinations for KnoxSSO
KNOX-634 - CORS Support as Part of WebAppSec Provider
KNOX-632 added back configuration for 'replayBufferSize'
KNOX-633: Upgrade apache commons-collections
KNOX-632: Oozie dispatch failing for secure clusters. Fix tests.
KNOX-632: Oozie dispatch failing for secure clusters
KNOX-625 initial template file for topology using ui proxy services
KNOX-623: Gateway provider rewriter doesn't support boolean attributes in HTML.
KNOX-622 - Misconfigured providers should cause topology deployment to fail
KNOX-624: Expose configuration for Jetty's request and response buffer sizes.
Fix property names.
KNOX-624: Expose configuration for Jetty's request and response buffer sizes
KNOX-621 - Simplify KnoxSSO API Resource Path
KNOX-620: Jenkins Knox-master-verify failing since #725 due to JDK version
issues
KNOX-394: Request and response URLs must be parsed as literals not templates.
Part 2.
KNOX-394: Request and response URLs must be parsed as literals not templates
KNOX-617 - Add the use of CredentialCollectors to Samples
KNOX-616: XmlUrlRewriteStreamFilter unescapes escaped special characters
KNOX-611: Expose configuration for Jetty's thread pool and connection queue
KNOX-604: Expose configuration of HttpClient's max connections per route setting
KNOX-614: Incorrect URI template expansion with {**} query params #fragments
KNOX-615 Domain Cookies cannot Wildcard IP Addresses
KNOX-613 - Provide Credential Collector Abstraction to Client Shell
KNOX-610 - DefaultTokenService issueToken should never return null
KNOX-609 - Add unit tests for the SSOCookieFederationProvider.
KNOX-608: Improve Knox read and write performance by tuning buffer sizes.
KNOX-607 - Fix SSOCookieProvider to Handle null Query Strings
KNOX-602 - protect against NPE in audience validation
KNOX-603: Coverity: Potential resource leak in
BaseKeystoreService.createKeystore
KNOX-602 JWT/SSO Cookie Based Federation Provider
KNOX-601: Knox test failures on windows
KNOX-600 setting all service params as filter params for dispatch
KNOX-593 removed replayBufferSize and CappedBufferHttpEntity references
KNOX-447: Incorrect parsing and expansion of valueless query params
KNOX-599: Template with {**} in queries are expanded with =null for query
params without a value
KNOX-598: Concurrent JDBC clients via KNOX to Kerberized HiveServer2 causes
HTTP 401 error (due to Kerberos
KNOX-570 added zookeeper lookup capability for HS2 HA
KNOX-596: Add diagnostics to topology deployment
KNOX-597: Improve diagnostic logging of HTTP traffic. Update CHANGES.
KNOX-597: Improve diagnostic logging of HTTP traffic
KNOX-593 Moved SPNEGO code to httpclient
KNOX-584 Fix for UT instability in GatewayBasicFuncTest.testCLIServiceTest
KNOX-590 - add more ShiroProvider configuration support to KnoxCLI
sys-user-auth-test and user-auth-test
KNOX-582 Query Parameter rewrite does not honor empty string value (jeffreyr
via lmccay)
KNOX-581: Hive dispatch not propagating effective principal name
KNOX-580 Initial refactoring out of default HA dispatch
KNOX-579: Regex based identity assertion provider with static dictionary lookup
KNOX-576: CLI user-auth-test should print a message when a user successfully
authenticates.
KNOX-565: Supporting All the Quick Links on Ambari Dashboard to Go Through Knox
KNOX-564: NPE for Topology with no Providers Configured
KNOX-575: Add more logging for LDAP Authentication issues with ShiroProvider
KNOX-573: KNOX-574 make SecureOnly and MaxAge configurable for SSO
KNOX-549: Test service connections through Knox with Knox CLI
KNOX-566 - Make the Default Ephemeral DH Key Size 2048 for TLS
KNOX-460: UrlRewriteServletFilterTest failed with IBM JAVA
KNOX-423: XmlFilterReaderTest failed with IBM JVM JAVA
KNOX-548: LDAP Bind in Knox CLI. Fixed help usage.
KNOX-562: Fix Null pointer exceptions in KnoxCLI LDAP commands
KNOX-548: KnoxCLI adds a new system-user-auth-test command to test a topology's
system username and password
KNOX-560: Test LDAP Authentication+Authorization from KnoxCLI
KNOX-561: Allow Knox pid directory to be configured via the knox-env.sh file
KNOX-559 renaming service definition files
KNOX-558: HttpClient connections are not always returned to the pool for HBase
on Windows
KNOX-554: Cannot access topologies through admin API if gateway.path is modified
KNOX-556 - fix extraneous imports
KNOX-556 - provide better diagnostics for keystore failures
KNOX-555: Prevent dispatch client from attempting retry and redirects
KNOX-553: Added topology validation from KnoxCLI to TopologyService deployment.
KNOX-547: Topology Validation in Knox CLI. Fix schema load from JAR
NullPointerException
KNOX-547: Topology Validation in Knox CLI
KNOX-550 reverting back to original hive kerberos dispatch behavior
KNOX-546 Consuming intermediate response during kerberos request dispatching
KNOX-545 - Simplify Keystore Management for Cluster Scaleout
KNOX-544: Knox process does not exit if startup fails due to credential store
issues
KNOX-476 implementation for X-Forwarded-* headers support and population
KNOX-539 add message to identity mapping audit entries
KNOX-538: Log some important system properties at startup
KNOX-534 auditing shiro authentication exceptions
KNOX-533 - add version component to knoxsso url pattern
KNOX-291: Improve audit for topology deployment process
KNOX-532: Update root pom.xml maven-compiler-plugin configuration.
KNOX-531 fix extraneous audit entries and add additional principal mapping test
KNOX-529 - second attempt to get all usecases - missed wildcard plus explicit
mappings before
KNOX-530 fixed oozie rewrite rules to handle missing port information
KNOX-529 - Fix wildcard based principal group mapping

On 12/15/15, 3:11 PM, "larry mccay" <[email protected]> wrote:
>Knox devs -
>
>We need to start locking down the release for 0.7.0.
>In preparation of this, Sumit created a branch a week or so ago and we
>should start considering the creation of a release candidate.
>
>I believe that I have to update the CHANGES file with an entry for a patch
>that I cherry picked into 0.7.0 branch and I will look into that shortly.
>
>Standout features include: KnoxSSO for WebSSO, HA support for numerous
>services, diagnostic commands for KnoxCLI, regex based identity
>assertion, better control over thread pool, connection queue and
>request/response buffers. The ability to proxy Hadoop UIs, CORS support for
>cross origin request sharing and more. As well as a number of important bug
>fixes.
>
>We do have an important feature coming from the community - specifically
>from Jérôme that will be committed in coming days. KNOX-641 adds a
>federation provider that integrates pac4j in order to add: OAuth, Facebook,
>CAS, SAML, OpenID Connect. I think that this is an exciting integration
>that will require a bit of testing before it can be merged into a release
>branch.
>
>In my opinion, the set of features and improvements that are currently in
>the v0.7.0 branch more than justify a new release and delaying that any
>longer would be less than ideal.
>
>Concentrating on defining and testing the usecases that the pac4j provider
>will bring to the table post 0.7.0 and coming up with a compelling story
>for that feature set can be used to justify a release of its own. I think
>that we should target a feature release which we'll call 0.8.0 for now for
>a mid January timeframe.
>
>So, discussion points:
>
>1. Should we move forward with the 0.7.0 release once the CHANGES file is
>updated?
>2. Thoughts on holding the pac4j provider out until an early 2016 release
>when the main usecases are better defined and tested?
>
>thanks,
>
>--larry