[
https://issues.apache.org/jira/browse/KNOX-2915?focusedWorklogId=864417&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-864417
]
ASF GitHub Bot logged work on KNOX-2915:
----------------------------------------
Author: ASF GitHub Bot
Created on: 08/Jun/23 11:04
Start Date: 08/Jun/23 11:04
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #760:
URL: https://github.com/apache/knox/pull/760
## What changes were proposed in this pull request?
Descriptors are reloaded before topology redeployment at startup. Thus, Knox
will have the up-to-date version of the XML topology files generated from the
JSON descriptor before it's deployed as a web app in Knox.
## How was this patch tested?
Manually tested in a secure (i.e. Kerberos-enabled) cluster with high demand
on getting a Knox Token using a topology with HadoopAuth authentication in
place. Before my changes, the token generation failed 99% of the time. After
the fix went in, all tokens were acquired properly.
Issue Time Tracking
-------------------
Worklog Id: (was: 864417)
Remaining Estimate: 0h
Time Spent: 10m
> Knox should update topologies before deploying them
> ---------------------------------------------------
>
> Key: KNOX-2915
> URL: https://issues.apache.org/jira/browse/KNOX-2915
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 2.0.0, 1.6.0, 1.6.1
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Critical
> Fix For: 2.1.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> During the gateway startup, Knox executes the following steps (among others)
> in this order:
> 1. reloads/redeploys topologies
> 2. triggers descriptors reload to trigger service discovery (see KNOX-2301)
> The problem with this approach is that, in the case of dynamic Kerberos
> settings (variable keytab path and principal name), Knox may deploy a
> topology with old settings that are no longer valid, and only a couple of
> seconds later (in my test environment it was between 10-20 seconds for a
> particular topology) it redeploys the topology with up-to-date configuration.
> This might be irrelevant if that topology is not used in that small time
> window; however, there is a chance that Knox will fail to serve the request
> with an error message similar to this:
> {noformat}
> 2023-06-06 19:33:00,756 9ee494e4-4ede-4a81-962e-77334bfd80b8 ERROR
> knox.gateway (AbstractGatewayFilter.java:doFilter(60)) - Failed to execute
> filter: javax.servlet.ServletException: javax.servlet.ServletException:
> javax.servlet.ServletException: Keytab does not exist:
> /$DYNAMIC_KEYTAB_PATH//knox.keytab
> 2023-06-06 19:33:00,757 9ee494e4-4ede-4a81-962e-77334bfd80b8 ERROR
> knox.gateway (GatewayFilter.java:doFilter(197)) - Gateway processing failed:
> javax.servlet.ServletException: javax.servlet.ServletException:
> javax.servlet.ServletException: Keytab does not exist:
> /$DYNAMIC_KEYTAB_PATH//knox.keytab
> javax.servlet.ServletException: javax.servlet.ServletException:
> javax.servlet.ServletException: Keytab does not exist:
> /$DYNAMIC_KEYTAB_PATH/knox.keytab
> {noformat}