[ 
https://issues.apache.org/jira/browse/KNOX-2574?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Attila Magyar updated KNOX-2574:
--------------------------------
    Resolution: Fixed
        Status: Resolved  (was: Patch Available)

> Missing proper logging when hmac secret is short (misconfigured)
> ----------------------------------------------------------------
>
>                 Key: KNOX-2574
>                 URL: https://issues.apache.org/jira/browse/KNOX-2574
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> I was testing out creating tokens with HMAC and created a secret which was 
> less than 256 bits. When I tried to create tokens the operation failed with 
> no meaningful message, even the gateway logs were not logging the error. If 
> this happens in prod it would be extremely painful to track down. 
> This is what I get when I try to create tokens
> {code}
> (base) ➜  ~ curl -iku admin:admin-password 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token'
> HTTP/1.1 200 OK
> Date: Wed, 07 Apr 2021 19:27:42 GMT
> Set-Cookie: KNOXSESSIONID=node01hfs7ly3arqcelcoiofnz3de0.node0; Path=/gateway/sandbox; Secure; HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 06-Apr-2021 19:27:42 GMT; SameSite=lax
> Content-Type: application/json
> Content-Length: 30
> { "Unable to acquire token." }
> {code}
>  
> And this is what I see in the logs
> {code}
> 2021-04-07 15:27:42,405 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
> 2021-04-07 15:29:25,667 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(453)) - toString
> 2021-04-07 15:29:28,125 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - toString
> 2021-04-07 15:29:29,671 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - Unable to issue token.
> 2021-04-07 15:29:29,863 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(456)) - toString
> {code}
> There were a few issues I noticed that need some attention:
> 1. Should we even allow creating secrets less than 256 bits? how do we 
> validate it?
> 2. 



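The failure described in the report comes from the JWS rule that an HMAC key must be at least as long as the hash output (RFC 7518 section 3.2: 256 bits for HS256, 384 for HS384, 512 for HS512); a raw HMAC primitive happily accepts a shorter key, so the length check has to be an explicit policy in the token service, and when it fires the log should say why. The following is an added example, not Knox's own code (Knox's token service is Java and delegates signing to a JOSE library): it validates the configured secret against that minimum, signs and verifies a minimal HS256/HS384/HS512 JWT, and logs the root cause at ERROR while still returning the generic message to the client. The function names, the logger name (chosen to mirror the `service.knoxtoken` category in the report) and the sample secrets are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import logging

# Logger name mirrors the category seen in the reporter's gateway log (assumption).
logger = logging.getLogger("service.knoxtoken")

# Minimum HMAC key sizes in bytes, from RFC 7518 section 3.2: the key MUST be
# at least as long as the hash output of the algorithm.
MIN_KEY_BYTES = {"HS256": 32, "HS384": 48, "HS512": 64}
HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


class WeakHmacSecret(ValueError):
    """Raised when the configured secret is shorter than the JWS minimum."""


def validate_hmac_secret(secret: bytes, alg: str = "HS256") -> int:
    """Return the secret length in bits, or raise with an actionable message.

    hmac.new() itself accepts any key length, so this check is the only thing
    standing between a misconfigured short secret and a silently weak signer.
    """
    if alg not in MIN_KEY_BYTES:
        raise ValueError(f"unsupported JWS algorithm {alg!r}")
    need = MIN_KEY_BYTES[alg]
    if len(secret) < need:
        raise WeakHmacSecret(
            f"HMAC secret for {alg} is {len(secret) * 8} bits; "
            f"RFC 7518 requires at least {need * 8} bits"
        )
    return len(secret) * 8


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce a compact JWS for `claims`; refuses a secret below the minimum."""
    validate_hmac_secret(secret, alg)
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), HASHES[alg]).digest()
    return signing_input + "." + _b64url_encode(tag)


def verify_jwt(token: str, secret: bytes, alg: str = "HS256"):
    """Return the claims if the signature is valid under `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != alg:  # pin the algorithm; never trust the header alone
        return None
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


def issue_token(subject: str, secret: bytes, alg: str = "HS256") -> dict:
    """Token-endpoint behaviour: generic message to the client, root cause to the log."""
    try:
        return {"access_token": sign_jwt({"sub": subject}, secret, alg)}
    except WeakHmacSecret as exc:
        # The report's complaint was an ERROR line reading only "Unable to issue token."
        # Logging the exception text makes the misconfiguration findable by an operator.
        logger.error("Unable to issue token for %s: %s", subject, exc)
        return {"error": "Unable to acquire token."}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Constructed sample secrets: 12 bytes (too short for HS256) and 32 bytes (acceptable).
    print(issue_token("admin", b"short-secret"))
    good = issue_token("admin", b"0123456789abcdef0123456789abcdef")
    print(good)
    print(verify_jwt(good["access_token"], b"0123456789abcdef0123456789abcdef"))
```

Running the script prints the generic error for the 12-byte secret while the log line carries the real reason (96 bits versus the 256 required), then a valid token for the 32-byte secret. The same `validate_hmac_secret` check is the natural thing to run once at gateway start-up as well, so a short secret is rejected before any client ever asks for a token.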
--
This message was sent by Atlassian Jira
(v8.3.4#803005)