Yes, does that sound appropriate to you? If the LDAP config in gateway-site.xml gets updated to product the whitelist would be in the same place.
On Thu, Jul 19, 2018 at 6:26 PM, Philip Zampino <pzamp...@gmail.com> wrote: > I am working on a solution for the ip address being treated as a hostname > issue. > > On Thu, Jul 19, 2018 at 6:24 PM larry mccay <lmc...@apache.org> wrote: > > > Playing around a bit more, I noticed that there is nondeterministic > > behavior of the default whitelist feature. > > Especially on macs - since the hostname ends up being any number of > things. > > I have noticed the following things when there is no explicit whitelist > > configured: > > > > * ip address based whitelist being derived which is treated like a domain > > * localhost is not supported out of the box unless the logic is unable to > > determine a domain > > * sometimes my host is HW14155.home and sometimes it is new-host-5.home > for > > some reason > > > > Given that all of our samples and docs assume localhost and OOTB we are > > setup for DEMO LDAP server, I propose that we at least add localhost back > > for OOTB. > > Ip address handling may be worth tackling as well but only if we can do > it > > in a day. > > > > Thoughts? > > > > > > On Thu, Jul 19, 2018 at 6:12 PM, larry mccay <lmc...@apache.org> wrote: > > > > > Awesome - just checked it out and I will kick off a new build shortly! > > > > > > On Thu, Jul 19, 2018 at 6:01 PM, Sandeep Moré <moresand...@gmail.com> > > > wrote: > > > > > >> Hello Larry, > > >> > > >> I committed the fix to master and v1.1.0, it is under the JIRA > KNOX-1391 > > >> <https://issues.apache.org/jira/browse/KNOX-1391>. > > >> we should be good to to cut the RC, provided there are no more issues > ! > > >> > > >> Thanks ! > > >> Sandeep > > >> > > >> On Thu, Jul 19, 2018 at 4:25 PM larry mccay <larry.mc...@gmail.com> > > >> wrote: > > >> > > >> > Awesome, @sandeep! > > >> > I'll keep an eye out. > > >> > > > >> > Once that lands, you can bump this thread and I'll cut the RC. > > >> > Obviously, we will need it in both master and v1.1.0 branches. > > >> > > > >> > On Thu, Jul 19, 2018 at 4:19 PM, Sandeep Moré < > moresand...@gmail.com> > > >> > wrote: > > >> > > > >> > > Hello Larry, > > >> > > > > >> > > Yes, I have seen those exceptions, they seem to be happening > fairly > > >> > > consistently and only for KnoxSSO redirects when trying to access > > >> admin > > >> > UI, > > >> > > I am taking a look at them as we speak, will open up a JIRA for it > > as > > >> > well. > > >> > > It would be good if we can get it in, I will try to get the fix > out > > as > > >> > soon > > >> > > as I can. > > >> > > > > >> > > Best, > > >> > > Sandeep > > >> > > > > >> > > On Thu, Jul 19, 2018 at 4:15 PM larry mccay <lmc...@apache.org> > > >> wrote: > > >> > > > > >> > > > @Phil, I see a couple commits land that seem to address the NPE. > > >> > > > Is that correct? > > >> > > > > > >> > > > I have also seen an IllegalStateException during redirect from > > >> Admin UI > > >> > > to > > >> > > > KnoxSSO. > > >> > > > Has anyone seen this and/or is working on it - is it related to > > the > > >> > NPE? > > >> > > > I don't think it is since I see it more frequently and not > always > > >> with > > >> > > the > > >> > > > NPEs. > > >> > > > > > >> > > > I'd like to get a new RC cut by end of the week, if possible. > > >> > > > > > >> > > > On Fri, Jul 13, 2018 at 7:57 PM, larry mccay <lmc...@apache.org > > > > >> > wrote: > > >> > > > > > >> > > > > Agreed, Phil. > > >> > > > > I have cut an RC but we need to address this first. I'll hold > > >> off on > > >> > > > > announcing it. > > >> > > > > > > >> > > > > On Fri, Jul 13, 2018, 11:36 AM Phil Zampino < > > pzamp...@apache.org> > > >> > > wrote: > > >> > > > > > > >> > > > >> During some testing of the proposed 1.1.0 code, I've > discovered > > >> some > > >> > > > NPEs > > >> > > > >> in filters (e.g., AclsAuthorizationFilter, > > >> > HadoopGroupProviderFilter), > > >> > > > >> which are concerning. > > >> > > > >> > > >> > > > >> I've committed a change to address the > AclsAuthorizationFilter, > > >> but > > >> > > > seeing > > >> > > > >> similar behavior for the HadoopGroupProviderFilter has > > increased > > >> my > > >> > > > >> concern > > >> > > > >> that there may be a more fundamental problem. > > >> > > > >> In both cases, it seems that the filters are being invoked > > prior > > >> to > > >> > > (or > > >> > > > >> during) their respective init() methods have been invoked. > > Thus, > > >> > > members > > >> > > > >> which should be initialized in the init() method are not yet > > >> > > > initialized. > > >> > > > >> > > >> > > > >> This can be consistently reproduced, though it is a bit of a > > >> pain: > > >> > > > >> > > >> > > > >> - Install Knox (‘ant install-test-home’, or just unzip > > >> > > > knox-1.1.0.zip) > > >> > > > >> - Start the gateway > > >> > > > >> - Access the Admin UI > > >> > > > >> > > >> > > > >> > > >> > > > >> Note that the latest 1.1.0 source has a *fix* for the > > >> > > > >> AclsAuthorizationFilter NPE, but master does not yet have > this > > >> > change. > > >> > > > >> This > > >> > > > >> is important because that change effectively hides the issue. > > >> > > > >> > > >> > > > >> I think we should determine what's happening with this before > > >> > > > >> producing/testing a release candidate. > > >> > > > >> > > >> > > > >> > > >> > > > >> > > >> > > > >> > > >> > > > >> On Sat, Feb 24, 2018 at 12:57 PM larry mccay < > > lmc...@apache.org> > > >> > > wrote: > > >> > > > >> > > >> > > > >> > All - > > >> > > > >> > > > >> > > > >> > Sorry for the delay on this topic. > > >> > > > >> > > > >> > > > >> > We are going to start of this planning thread with ~85 > > >> Unresolved > > >> > > > JIRAs > > >> > > > >> in > > >> > > > >> > either 1.1.0 or 0.15.0 fixVersion. > > >> > > > >> > > > >> > > > >> > project = KNOX AND resolution = Unresolved AND fixVersion > in > > >> > (1.1.0, > > >> > > > >> > 0.15.0) ORDER BY priority DESC, updated DESC > > >> > > > >> > > > >> > > > >> > I will spend some time migrating all 0.15.0 to 1.1.0 to > begin > > >> with > > >> > > and > > >> > > > >> then > > >> > > > >> > we will need to go through and see what is already taken > care > > >> of > > >> > or > > >> > > > can > > >> > > > >> > wait for a 1.2.0 or later. > > >> > > > >> > > > >> > > > >> > I also have a couple KIPs in mind to target larger > > >> features/themes > > >> > > for > > >> > > > >> this > > >> > > > >> > release. > > >> > > > >> > > > >> > > > >> > Off the top of my head: > > >> > > > >> > > > >> > > > >> > * I think we need to address some cloud specific usecases > and > > >> plan > > >> > > to > > >> > > > >> > provide a KIP for that. Hybrid cloud/federated knox > > instances, > > >> > Azure > > >> > > > AD > > >> > > > >> > integration, ID mapping from Hadoop user to IAM > users/roles, > > >> etc. > > >> > > > >> Perhaps > > >> > > > >> > some CASB-like features if they make sense. > > >> > > > >> > > > >> > > > >> > * I also think we need one for articulating a reasonable > flow > > >> for > > >> > > > >> Logout in > > >> > > > >> > KnoxSSO. There are a lot of little nuances to logout across > > >> > multiple > > >> > > > >> apps > > >> > > > >> > and between different IDPs. This will require some > > discussion. > > >> > > > >> > > > >> > > > >> > * Another thing that has been tugging at my interest has > been > > >> the > > >> > > fact > > >> > > > >> that > > >> > > > >> > we may be able provide some common libraries to help > > ecosystem > > >> > > > >> applications > > >> > > > >> > uptake the trusted proxy pattern and KnoxSSO. > > >> > > > >> > > > >> > > > >> > Anyway, these are my initial thoughts, please feel free to > > >> raise > > >> > > > >> additional > > >> > > > >> > ideas/themes for KIPs, etc. > > >> > > > >> > > > >> > > > >> > I was thinking that we could try and target an end of March > > or > > >> Mid > > >> > > > April > > >> > > > >> > 1.1.0 release. > > >> > > > >> > > > >> > > > >> > Thoughts? > > >> > > > >> > > > >> > > > >> > --larry > > >> > > > >> > > > >> > > > >> > > >> > > > > > > >> > > > > > >> > > > > >> > > > >> > > > > > > > > >
