[jira] [Commented] (KNOX-1364) Cookie path should contain the topology name aswell

Fri, 07 Dec 2018 06:27:21 -0800 


    [ 
https://issues.apache.org/jira/browse/KNOX-1364?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16712918#comment-16712918
 ] 

Kevin Risden commented on KNOX-1364:
------------------------------------

So here is an example where a single Knox instance has two topologies pointing 
to a single Ambari.
 * Ambari: [http://ambari.vagrant.test:8080|http://ambari.vagrant.test:8080/]
 * Knox: [https://knox.vagrant.test:8443|https://knox.vagrant.test:8443/]
 * Topology 1: gateway/test-ambari/ambari/
 * Topology 2: gateway/test2/ambari/

When navigating to the first topology 
([https://knox.vagrant.test:8443/gateway/test-ambari/ambari/)|https://knox.vagrant.test:8443/gateway/test-ambari/ambari/)_],
 I am prompted by Ambari to login.  you end up with only the AMBARISESSIONID 
cookie being set.

  !Screen Shot 2018-12-07 at 9.19.39 AM.png|width=600!

When navigating to the second topology 
([https://knox.vagrant.test:8443/gateway/test2/ambari/)], I am auto logged into 
Ambari since the AMBARISESSIONID already exists. The only cookie is still 
AMBARISESSIONID with the exact same value.

!Screen Shot 2018-12-07 at 9.20.27 AM.png|width=600!
----
Now if this were two separate Ambari instances behind Knox, I would be logged 
out of one instance when I try to go to the second instance. This is because 
the AMBARISESSIONID is only valid on a single Ambari instance at a time. Ambari 
is setting the AMBARISESSIONID cookie to the domain knox.vagrant.test and path 
/ since that is where Ambari thinks the request is coming from.

> Cookie path should contain the topology name aswell
> ---------------------------------------------------
>
>                 Key: KNOX-1364
>                 URL: https://issues.apache.org/jira/browse/KNOX-1364
>             Project: Apache Knox
>          Issue Type: Improvement
>    Affects Versions: 0.14.0
>            Reporter: Laszlo Nardai
>            Priority: Major
>              Labels: Patch, review
>             Fix For: 1.3.0
>
>         Attachments: KNOX-1364.patch, Screen Shot 2018-12-07 at 9.19.39 
> AM.png, Screen Shot 2018-12-07 at 9.20.27 AM.png
>
>
> When using knox in PROXY only mode, cookies are set with the following domain 
> and path.
> *[https://sandbox-hdf.hortonworks.com:5443/gateway/local-hdf/ambari#/login*]
>  I login to ambari on this URL, and I get a cookie with
>  domain: sandbox-hdf.hortonworks.com
>  path: gateway
> If I try to access another ambari instance through the same knox in the 
> following URL:
>  
> *[https://sandbox-hdf.hortonworks.com:5443/gateway/local-hdf2/ambari#/login*|https://sandbox-hdf.hortonworks.com:5443/gateway/local-hdf/ambari#/login*]
>  domain: sandbox-hdf.hortonworks.com
>  path: gateway
> So basically this cookie will overwrite the previous one and will trigger a 
> logout from the first ambari ui.
> Proposed solution:
>  include the topology name in the cookie path:
>  domain: sandbox-hdf.hortonworks.com
>  path: gateway/local-hdf



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to