[ 
https://issues.apache.org/jira/browse/KNOX-2383?focusedWorklogId=443078&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-443078
 ]

ASF GitHub Bot logged work on KNOX-2383:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 09/Jun/20 16:29
            Start Date: 09/Jun/20 16:29
    Worklog Time Spent: 10m 
      Work Description: smolnar82 opened a new pull request #341:
URL: https://github.com/apache/knox/pull/341


   ## What changes were proposed in this pull request?
   
   The issue was that `AliasBasedTokenStateService.getTokenExpiration(...)` 
only checked the in-memory cache for token expiration if the `validate` flag was 
set to `false`.  Therefore, if the client wanted to use the previously acquired 
token before it got written out to the underlying keystore 
(`__gateway-credentials.jceks`), it received an `expired token` error because 
this method returned 0 (=nothing was found either in memory or in the 
keystore).
   The fix is as simple as making sure the `validate` flag does not affect 
the source of the token expiration (it should only validate if needed).
   
   ## How was this patch tested?
   
   Updated and executed JUnit tests:
   ```
   $ mvn clean -Dshellcheck=true -T1C verify -Prelease,package
   ...
   [INFO] ------------------------------------------------------------------------
   [INFO] BUILD SUCCESS
   [INFO] ------------------------------------------------------------------------
   [INFO] Total time: 18:27 min (Wall Clock)
   [INFO] Finished at: 2020-06-09T11:27:21+02:00
   [INFO] Final Memory: 432M/2223M
   [INFO] ------------------------------------------------------------------------
   ```
   
   In addition to unit testing, the following manual test steps were executed:
   
   1. built and redeployed Knox with my changes and set the following before I 
started Knox:
      1. created a new topology called `tokenbased` with a JWT federation 
provider where I set `knox.token.exp.server-managed` to 'true'. I added the 
HDFSUI service here for my tests.
      2. added `KNOXTOKEN` service to `sandbox` topology (also set 
`knox.token.exp.server-managed` to 'true')
      3. set `gateway.knox.token.state.alias.persistence.interval` to `60` so 
that I had enough time to invoke the HDFSUI through `tokenbased` before the 
previously acquired Knox token got written out into the keystore
   
   2. issued the following two commands:
   ```
   curl -ivku guest:guest-password "https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token"
   ```
   and
   ```
   curl -ivk -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9.eyJzd...1xCsdEgkP1Be-H-nbw" "https://localhost:8443/gateway/tokenbased/hdfs?host=https://$HDFS_HOST:20102/"
   ```
   3. HDFS UI loaded properly
   4. 50 seconds later I saw that the token got actually stored in the keystore:
   ```
   2020-06-09 11:21:31,732 INFO  token.state (AliasBasedTokenStateService.java:persistTokenState(111)) - Creating token state aliases
   2020-06-09 11:21:31,936 INFO  token.state (AliasBasedTokenStateService.java:persistTokenState(116)) - Created token state aliases for 41bd9151-4ca1-4a06-87e4-ca543412b1b0
   ```




Issue Time Tracking
-------------------

    Worklog Id:     (was: 443078)
    Time Spent: 0.5h  (was: 20m)

> Knox token is expired upon immediate token request after creation
> -----------------------------------------------------------------
>
>                 Key: KNOX-2383
>                 URL: https://issues.apache.org/jira/browse/KNOX-2383
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.5.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>              Labels: TokenAuth, token
>             Fix For: 1.5.0
>
>          Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  # have a topology with JWT federation provider (let's call it 
> {{tokenbased}}) and add a valid HDFS UI service in there (the service itself 
> does not really matter, it's just the fastest way in my environment to 
> reproduce the issue). It's important that you make sure 
> {{knox.token.exp.server-managed}} is set to {{true}} for the {{JWT federation 
> provider}}.
>  # get a Knox delegation token using the {{KNOXTOKEN}} service. It's 
> important that you make sure {{knox.token.exp.server-managed}} is set to 
> {{true}} for the {{KNOXTOKEN}} service.
>  # right after the previous call, try to hit the HDFS UI via the previously 
> created {{tokenbased}} topology
> *Current results*
> The last action fails as the JWT provider receives the following error:
> {code:java}
> HTTP ERROR 400 Bad request: token has expired {code}
> *Expected results*
> HDFS UI should have been displayed w/o any issue.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
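
The lookup behaviour described in the pull request above, modelled as an added Java example; it is not Knox source code or the pull request's diff. `TokenStateModel`, its methods and the token id are hypothetical, and "validation" is assumed here to mean rejecting unknown tokens.

```java
import java.util.HashMap;
import java.util.Map;

// Simplified model of the described behaviour; all names are hypothetical.
public class TokenStateModel {
    private final Map<String, Long> unpersisted = new HashMap<>(); // in-memory cache
    private final Map<String, Long> keystore = new HashMap<>();    // stands in for the alias keystore

    void addToken(String tokenId, long expiration) {
        unpersisted.put(tokenId, expiration);
    }

    // Stands in for the periodic persistence run (one per persistence interval).
    void persistTokenState() {
        keystore.putAll(unpersisted);
        unpersisted.clear();
    }

    // Before the fix: the cache is consulted only when validate is false.
    long expirationBefore(String tokenId, boolean validate) {
        if (!validate && unpersisted.containsKey(tokenId)) {
            return unpersisted.get(tokenId);
        }
        return keystore.getOrDefault(tokenId, 0L); // 0 reads as "expired" to the caller
    }

    // After the fix: validate no longer decides where the value is read from.
    long expirationAfter(String tokenId, boolean validate) {
        Long expiration = unpersisted.get(tokenId);
        if (expiration == null) {
            expiration = keystore.get(tokenId);
        }
        if (expiration == null && validate) {
            throw new IllegalArgumentException("Unknown token: " + tokenId);
        }
        return expiration == null ? 0L : expiration;
    }

    public static void main(String[] args) {
        TokenStateModel state = new TokenStateModel();
        long expiration = System.currentTimeMillis() + 3_600_000L;
        state.addToken("constructed-token-id", expiration);
        // Token presented before the first persistence run, as in the reproduction steps.
        System.out.println("before fix: " + state.expirationBefore("constructed-token-id", true));
        System.out.println("after fix:  " + state.expirationAfter("constructed-token-id", true));
        state.persistTokenState();
        System.out.println("persisted:  " + state.expirationBefore("constructed-token-id", true));
    }
}
```

In this model the pre-fix lookup returns 0 only during the window between token issuance and the first persistence run, which is why a longer persistence interval makes the failure easier to observe.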
