[
https://issues.apache.org/jira/browse/KNOX-3302?focusedWorklogId=1016676&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-1016676
]
ASF GitHub Bot logged work on KNOX-3302:
----------------------------------------
Author: ASF GitHub Bot
Created on: 21/Apr/26 13:04
Start Date: 21/Apr/26 13:04
Worklog Time Spent: 10m
Work Description: smolnar82 opened a new pull request, #1207:
URL: https://github.com/apache/knox/pull/1207
[KNOX-3302](https://issues.apache.org/jira/browse/KNOX-3302) - Falling back
to gateway-level credential store while looking up LDAP system password
## What changes were proposed in this pull request?
This pull request improves the LDAP system password alias resolution in
the Shiro realm (KnoxLdapContextFactory). Key changes include:
* Fallback Alias Resolution: Updated `KnoxLdapContextFactory` to check
the gateway-level credential store if a system password alias is not found in
the cluster-level (topology) credential store.
* Centralized Alias Logic: Added `isAlias` and `extractAlias` default methods
to the `AliasService` interface to standardize how alias strings (e.g.,
`${ALIAS=...}`) are identified and processed across the codebase.
* Improved Testability: Refactored KnoxLdapContextFactory to allow for
better unit testing by extracting the AliasService lookup into a protected
method.
* Code Cleanup: Replaced manual string parsing with the new AliasService
methods and added validation for blank passwords using StringUtils.
## How was this patch tested?
The changes were verified by adding a new unit test class:
`org.apache.knox.gateway.shirorealm.KnoxLdapContextFactoryTest`.
The following scenarios were tested:
1. Blank Password: Verified that null or empty strings do not trigger
alias resolution.
2. Literal Password: Verified that passwords not matching the alias
pattern are used as-is.
3. Cluster-level Alias: Verified successful resolution when the alias
exists in the cluster-specific credential store.
4. Gateway-level Fallback: Verified that the factory correctly falls back
to the gateway credential store when the alias is missing from the cluster
store.
5. Missing Alias: Verified that the system password is set to an empty
string and a warning is logged when an alias cannot be resolved in either store.
## Integration Tests
No new integration tests were added as the logic was fully covered by the
new unit tests in KnoxLdapContextFactoryTest. Existing Shiro-related
integration tests should be monitored for regressions.
## UI changes
N/A
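The resolution order the PR describes (blank, literal, cluster-store alias, gateway-store fallback, unresolved alias logged and set to empty), written out as an added illustration that is not the PR's own code. `CredentialStore`, `SystemPasswordResolver` and their methods are hypothetical stand-ins, not Knox's `AliasService` API; the store contents are constructed.

```java
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical stand-in for one credential store (topology-level or gateway-level). */
interface CredentialStore {
    Optional<char[]> lookup(String alias);
}

public class SystemPasswordResolver {
    // Alias syntax as used in the PR description: ${ALIAS=name}
    private static final Pattern ALIAS = Pattern.compile("^\\$\\{ALIAS=(.+)\\}$");

    static boolean isAlias(String value) {
        return value != null && ALIAS.matcher(value.trim()).matches();
    }

    static String extractAlias(String value) {
        Matcher m = ALIAS.matcher(value.trim());
        return m.matches() ? m.group(1) : null;
    }

    /** Blank -> "", literal -> as-is, alias -> cluster store first, then gateway store, else "" + warning. */
    static String resolve(String configured, CredentialStore clusterStore, CredentialStore gatewayStore) {
        if (configured == null || configured.trim().isEmpty()) {
            return "";                      // blank values never trigger alias resolution
        }
        if (!isAlias(configured)) {
            return configured;              // literal password, used as-is
        }
        String alias = extractAlias(configured);
        Optional<char[]> pw = clusterStore.lookup(alias);
        if (!pw.isPresent()) {
            pw = gatewayStore.lookup(alias); // fall back to the gateway-level store
        }
        if (!pw.isPresent()) {
            System.err.println("WARN: alias '" + alias + "' not found in cluster or gateway credential store");
            return "";                      // unresolved alias: empty system password, warning logged
        }
        return new String(pw.get());
    }

    public static void main(String[] args) {
        // Constructed sample stores with constructed, non-real values.
        CredentialStore cluster = a -> Optional.ofNullable(Map.of("other", "x".toCharArray()).get(a));
        CredentialStore gateway = a -> Optional.ofNullable(Map.of("ldap.sys", "gw-secret".toCharArray()).get(a));
        System.out.println(resolve("${ALIAS=ldap.sys}", cluster, gateway)); // alias only in gateway store
        System.out.println(resolve("plain", cluster, gateway));             // literal password
        System.out.println(resolve("${ALIAS=nope}", cluster, gateway));      // alias in neither store
    }
}
```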
Issue Time Tracking
-------------------
Worklog Id: (was: 1016676)
Remaining Estimate: 0h
Time Spent: 10m
> KnoxLdapContextFactory to look up system password on gateway-level credential
> store
> ----------------------------------------------------------------------------------
>
> Key: KNOX-3302
> URL: https://issues.apache.org/jira/browse/KNOX-3302
> Project: Apache Knox
> Issue Type: Task
> Components: Server
> Affects Versions: 2.1.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
> Fix For: 3.0.0
>
> Time Spent: 10m
> Remaining Estimate: 0h
>
> As of today, the KnoxLdapContextFactory tries to look up a system password in
> the given topology's credential store (e.g. sandbox-credentials.jceks), and
> doesn't fall back to the gateway-level credential store if nothing is there.
> In real-life deployments, topologies usually share the same LDAP instance;
> thus, configuring the system password at the gateway level is enough, and it
> should be queried from there.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)