[jira] [Commented] (KNOX-2743) Upgrade netty

2022-05-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534517#comment-17534517
 ] 

ASF subversion and git services commented on KNOX-2743:
---

Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch 
refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ]

KNOX-2743 - Upgrade netty (#573)



> Upgrade netty
> -
>
> Key: KNOX-2743
> URL: https://issues.apache.org/jira/browse/KNOX-2743
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2743) Upgrade netty

2022-05-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534523#comment-17534523
 ] 

ASF subversion and git services commented on KNOX-2743:
---

Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch 
refs/heads/dependabot/maven/org.apache.mina-mina-core-2.0.22 from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ]

KNOX-2743 - Upgrade netty (#573)



> Upgrade netty
> -
>
> Key: KNOX-2743
> URL: https://issues.apache.org/jira/browse/KNOX-2743
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>






[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed

2022-05-11 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534771#comment-17534771
 ] 

ASF subversion and git services commented on KNOX-2742:
---

Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ]

KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571)



> CM service discovery retry may be needed
> 
>
> Key: KNOX-2742
> URL: https://issues.apache.org/jira/browse/KNOX-2742
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 1.5.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> If there is a connection issue the first time Knox discovers a cluster in CM, 
> the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 
> should help here a lot but maybe it's not enough. We may add some sort of 
> retry logic if service discovery failed due to communication errors.





[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1

2022-05-11 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534791#comment-17534791
 ] 

ASF subversion and git services commented on KNOX-2744:
---

Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ]

KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572)



> Upgrade protobuf-java to 3.16.1
> ---
>
> Key: KNOX-2744
> URL: https://issues.apache.org/jira/browse/KNOX-2744
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade protobuf-java to 3.16.1 due to CVE.





[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter

2022-05-12 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535925#comment-17535925
 ] 

ASF subversion and git services commented on KNOX-2745:
---

Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ]

KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter 
(#575)



> VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
> 
>
> Key: KNOX-2745
> URL: https://issues.apache.org/jira/browse/KNOX-2745
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The groups calculated by HadoopGroupProviderFilter are not passed to the 
> virtual group mapper.





[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-05-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17537401#comment-17537401
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ]

KNOX-2736 Knox clients should support retry/failover (#568)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.





[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep

2022-05-17 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538361#comment-17538361
 ] 

ASF subversion and git services commented on KNOX-2346:
---

Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ]

KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the 
tests (#577)



> Remove unused maxRetryAttempts and retrySleep
> -
>
> Key: KNOX-2346
> URL: https://issues.apache.org/jira/browse/KNOX-2346
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Kevin Risden
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 1.5.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently maxRetryAttempts and retrySleep are wired throughout the code, but 
> don't actually hook up to anything. The handling should be removed to make it 
> clear that these aren't used anywhere.
> There is no backwards compatibility issue here since the parsing is lazy - 
> it's not a required field, so if a user is specifying it, it will be silently 
> ignored. Just like it is silently ignored today.





[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-05-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17540867#comment-17540867
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ]

KNOX-2736 Knox clients should support retry/failover - addendum (#578)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.





[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable

2022-05-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17540868#comment-17540868
 ] 

ASF subversion and git services commented on KNOX-2732:
---

Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ]

KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560)



> Issuer claim in Knox JWTs should be configurable
> 
>
> Key: KNOX-2732
> URL: https://issues.apache.org/jira/browse/KNOX-2732
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This 
> value should be configurable via a KNOXTOKEN service param in the topology.





[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions

2022-05-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541071#comment-17541071
 ] 

ASF subversion and git services commented on KNOX-2726:
---

Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch 
refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ]

KNOX-2726 - Impersonation Params should be configurable (#579)

* KNOX-2726 - Impersonation Params should be configurable

> Impersonation Params Declared by Service Definitions
> 
>
> Key: KNOX-2726
> URL: https://issues.apache.org/jira/browse/KNOX-2726
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.





[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists

2022-05-27 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542879#comment-17542879
 ] 

ASF subversion and git services commented on KNOX-2747:
---

Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ]

KNOX-2747 RemoteAliasService generates password without checking if it already 
exists (#581)



> RemoteAliasService generates password without checking if it already exists
> ---
>
> Key: KNOX-2747
> URL: https://issues.apache.org/jira/browse/KNOX-2747
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
> /* Generate a new password  */
> if (generate) {
>   generateAliasForCluster(clusterName, alias);
> }
> {code}
> DefaultAliasService checks first
> {code}
>   credential = keystoreService.getCredentialForCluster(clusterName, alias);
>   if (credential == null && generate) {
>     generateAliasForCluster(clusterName, alias);
>     credential = keystoreService.getCredentialForCluster(clusterName, alias);
>   }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each 
> topology change.





[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition

2022-06-06 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17550825#comment-17550825
 ] 

ASF subversion and git services commented on KNOX-2746:
---

Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch 
refs/heads/master from Bhargavi-Sagi
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ]

KNOX-2746 - Add presto/presto ui support in service definition (#576)



> Add presto and presto ui support in service definition
> --
>
> Key: KNOX-2746
> URL: https://issues.apache.org/jira/browse/KNOX-2746
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: sagi bhargavi
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Add support for [Presto|https://github.com/prestodb/presto], also known as 
> PrestoDB in knox service definition.





[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider

2022-06-09 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552062#comment-17552062
 ] 

ASF subversion and git services commented on KNOX-2757:
---

Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ]

KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even 
if there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590)



> Mutually exclusive filter params in the HadoopGroupProvider 
> identity-assertion provider
> ---
>
> Key: KNOX-2757
> URL: https://issues.apache.org/jira/browse/KNOX-2757
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.0.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
> 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} 
> topology with this:
> {noformat}
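>     <provider>
>         <role>identity-assertion</role>
>         <name>HadoopGroupProvider</name>
>         <enabled>true</enabled>
>         <param>
>             <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
>             <value>gateway.group.config.</value>
>         </param>
>         <param>
>             <name>group.mapping.scientist</name>
>             <value>(!= 0 (size groups))</value>
>         </param>
>     </provider>
> {noformat}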
> 2. wait until Knox redeploys the {{sandbox}} topology and check the generated 
> {{gateway.xml}} in the newly deployed web application
> *Actual results:*
> The {{group.mapping.scientist}} filter parameter is missing; only the params 
> in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
> {noformat}
> <filter>
>     <role>identity-assertion</role>
>     <name>HadoopGroupProvider</name>
>     <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
>         <value>member</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
>         <value>(&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
>         <value>cn</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.url</name>
>         <value>ldap://localhost:33389</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping</name>
>         <value>org.apache.hadoop.security.LdapGroupsMapping</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
>         <value>(objectclass=groupOfNames)</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.bind.user</name>
>         <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.bind.password</name>
>         <value>guest-password</value>
>     </param>
> </filter>
> {noformat}
> *Expected results:*
> Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} 
> provider parameter should be added to the filter.





[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation

2022-06-09 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552293#comment-17552293
 ] 

ASF subversion and git services commented on KNOX-2752:
---

Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ]

KNOX-2752 knoxcli should support batch alias creation (#583)



> knoxcli should support batch alias creation
> ---
>
> Key: KNOX-2752
> URL: https://issues.apache.org/jira/browse/KNOX-2752
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxCLI
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently we can only create aliases one by one:
> {code}
> bin/knoxcli.sh create-alias name --cluster cl1  --value value
> {code}
> This is very slow if we want to create multiple aliases.
> KnoxCLI should support creating multiple aliases for the same cluster in one 
> batch
> {code}
> bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 
> --alias a3 --value v3
> {code}





[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException

2022-06-15 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554635#comment-17554635
 ] 

ASF subversion and git services commented on KNOX-2762:
---

Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch 
refs/heads/master from Harshil Jhaveri
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ]

KNOX-2762  (#594)

* Fixing bug related to whitespaces around delimiters in composite provider 
names.

* KNOX-2762 Fixing bug related to whitespaces around delimiters in composite 
provider names.

> Whitespaces around delimiters in composite provider names gives 
> NullPointerException
> 
>
> Key: KNOX-2762
> URL: https://issues.apache.org/jira/browse/KNOX-2762
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Harshil Jhaveri
>Assignee: Harshil Jhaveri
>Priority: Minor
> Attachments: NPE gateway log.png
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> When giving a space before the delimiter for composite.provider.names in the 
> composite authorisation provider, the topology deployment is failing and 
> returning a null pointer exception.
> The topology state:
> {code:java}
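> <provider>
>     <role>authorization</role>
>     <name>CompositeAuthz</name>
>     <enabled>true</enabled>
>     <param>
>         <name>composite.provider.names</name>
>         <value>AclsAuthz ,XASecurePDPKnox</value>
>     </param>
>     <param>
>         <name>AclsAuthz.ranger.acl</name>
>         <value>*;;</value>
>     </param>
> </provider>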
> {code}
> CC: [~pzampino] [~smore] [~smolnar]





[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661

2022-06-16 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554942#comment-17554942
 ] 

ASF subversion and git services commented on KNOX-2761:
---

Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ]

KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods 
in KnoxShell too (#593)



> KnoxShell does not reflect KNOX-2661
> 
>
> Key: KNOX-2761
> URL: https://issues.apache.org/jira/browse/KNOX-2761
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxShell
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> KNOX-2661 changed the HTTP method for some of the Knox Token resource API. 
> However, those changes were not reflected in KnoxToken-related KnoxShell 
> classes.





[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557899#comment-17557899
 ] 

ASF subversion and git services commented on KNOX-2738:
---

Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ]

KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567)



> On Fresh install JDBCTokenStateService initiation failed
> 
>
> Key: KNOX-2738
> URL: https://issues.apache.org/jira/browse/KNOX-2738
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox intermittently failed to start due to a race condition between multiple 
> knox instances when creating database tables.





[jira] [Commented] (KNOX-2717) upgrade shiro due to security issue

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557898#comment-17557898
 ] 

ASF subversion and git services commented on KNOX-2717:
---

Commit c60ad2e5a33ce5b83b39366209c82d1372315ba4 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=c60ad2e5a ]

KNOX-2717: upgrade shiro (#547)



> upgrade shiro due to security issue
> ---
>
> Key: KNOX-2717
> URL: https://issues.apache.org/jira/browse/KNOX-2717
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L256
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303





[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557903#comment-17557903
 ] 

ASF subversion and git services commented on KNOX-2742:
---

Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ]

KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571)



> CM service discovery retry may be needed
> 
>
> Key: KNOX-2742
> URL: https://issues.apache.org/jira/browse/KNOX-2742
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 1.5.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> If there is a connection issue the first time Knox discovers a cluster in CM, 
> the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 
> should help here a lot but maybe it's not enough. We may add some sort of 
> retry logic if service discovery failed due to communication errors.





[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557906#comment-17557906
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ]

KNOX-2736 Knox clients should support retry/failover (#568)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
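
Added example, not Knox code and not part of the commit above: it calls the two Apache HttpClient 4.x mechanisms named in the KNOX-2736 description directly, with no network traffic, to show which failures they retry. It assumes httpclient 4.5.x on the classpath; the class names RetryDecisionDemo and VettedMethodsRetryHandler and the gateway.example.invalid URL are hypothetical.

```java
import java.io.IOException;
import java.net.ConnectException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.HttpVersion;
import org.apache.http.NoHttpResponseException;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.impl.client.DefaultServiceUnavailableRetryStrategy;
import org.apache.http.impl.client.StandardHttpRequestRetryHandler;
import org.apache.http.message.BasicHttpResponse;
import org.apache.http.protocol.HttpCoreContext;

public class RetryDecisionDemo {

    // Constructed sample URL; nothing is ever sent to it.
    static final String URL = "https://gateway.example.invalid/gateway/sandbox/webhdfs/v1/tmp";

    /**
     * Hypothetical stricter handler: only the methods the caller has vetted
     * are treated as idempotent, for backends where e.g. PUT has side effects.
     */
    static class VettedMethodsRetryHandler extends StandardHttpRequestRetryHandler {
        private final Set<String> vetted;

        VettedMethodsRetryHandler(int retryCount, String... methods) {
            super(retryCount, false); // requestSentRetryEnabled = false
            this.vetted = new HashSet<>(Arrays.asList(methods));
        }

        @Override
        protected boolean handleAsIdempotent(HttpRequest request) {
            String method = request.getRequestLine().getMethod().toUpperCase(Locale.ROOT);
            return vetted.contains(method);
        }
    }

    /** Asks the handler whether a first failed attempt would be retried. */
    static boolean decide(StandardHttpRequestRetryHandler handler, HttpUriRequest request,
                          boolean requestSent, IOException failure) {
        HttpClientContext ctx = HttpClientContext.create();
        ctx.setAttribute(HttpCoreContext.HTTP_REQUEST, request);
        // Records whether the request had already been written to the connection.
        ctx.setAttribute(HttpCoreContext.HTTP_REQ_SENT, requestSent);
        return handler.retryRequest(failure, 1, ctx);
    }

    /** Asks the 503 strategy whether a response with this status would be retried. */
    static boolean decideStatus(int status) {
        HttpResponse response = new BasicHttpResponse(HttpVersion.HTTP_1_1, status, "constructed");
        return new DefaultServiceUnavailableRetryStrategy(3, 1000)
                .retryRequest(response, 1, HttpClientContext.create());
    }

    static void report(String label, boolean retried) {
        System.out.printf("%-52s retry=%b%n", label, retried);
    }

    public static void main(String[] args) {
        StandardHttpRequestRetryHandler standard = new StandardHttpRequestRetryHandler(3, false);
        StandardHttpRequestRetryHandler sentEnabled = new StandardHttpRequestRetryHandler(3, true);
        StandardHttpRequestRetryHandler getOnly = new VettedMethodsRetryHandler(3, "GET", "HEAD");

        IOException dropped = new NoHttpResponseException("constructed: server closed connection");
        IOException refused = new ConnectException("constructed: connection refused");

        // Idempotent method, non-excluded exception.
        report("GET, response dropped", decide(standard, new HttpGet(URL), true, dropped));
        // Excluded exception: no retry regardless of the method.
        report("GET, ConnectException", decide(standard, new HttpGet(URL), false, refused));
        // PUT is on the idempotent list even after the body went out.
        report("PUT, body sent, response dropped", decide(standard, new HttpPut(URL), true, dropped));
        // POST depends on whether the request was written and on requestSentRetryEnabled.
        report("POST, not yet sent", decide(standard, new HttpPost(URL), false, dropped));
        report("POST, body sent", decide(standard, new HttpPost(URL), true, dropped));
        report("POST, body sent, requestSentRetryEnabled", decide(sentEnabled, new HttpPost(URL), true, dropped));
        // The stricter handler stops replaying a PUT whose body was already sent.
        report("PUT, body sent, vetted methods GET/HEAD only", decide(getOnly, new HttpPut(URL), true, dropped));

        // DefaultServiceUnavailableRetryStrategy looks only at the status code.
        report("HTTP 503 response", decideStatus(503));
        report("HTTP 500 response", decideStatus(500));
    }
}
```

Both objects are attached to a client with HttpClientBuilder.setRetryHandler(...) and HttpClientBuilder.setServiceUnavailableRetryStrategy(...).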


[jira] [Commented] (KNOX-2737) Make maxFormContentSize and maxFormKeys configurable in Knox's embedded Jetty server

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557897#comment-17557897
 ] 

ASF subversion and git services commented on KNOX-2737:
---

Commit 69bfd417263e62dd37d69979b627561aa2198573 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=69bfd4172 ]

KNOX-2737 - Make maxFormContentSize and maxFormKeys configurable in Knox's 
embedded Jetty server (#563)



> Make maxFormContentSize and maxFormKeys configurable in Knox's embedded Jetty 
> server
> 
>
> Key: KNOX-2737
> URL: https://issues.apache.org/jira/browse/KNOX-2737
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> There are certain deployments, where increasing the {{maxFormContentSize}} 
> configuration is required because the default 200kB is not enough in POST 
> forms.
> Jetty checks these configurations on two levels: first in the context, and 
> then, if the context is not available (it's a very rare non-typical Jetty 
> deployment), looks it up in the server's attributes:
> {noformat}
> The form content that a request can process is limited to protect from Denial 
> of Service attacks. The size in bytes is limited by {@link 
> ContextHandler#getMaxFormContentSize()} or if there is no context then the 
> "org.eclipse.jetty.server.Request.maxFormContentSize" {@link Server} 
> attribute.
> The number of parameters keys is limited by {@link 
> ContextHandler#getMaxFormKeys()} or if there is no context then the 
> "org.eclipse.jetty.server.Request.maxFormKeys" {@link Server} 
> attribute.{noformat}
> Please note that these configurations are controlled by the System properties 
> called {{org.eclipse.jetty.server.Request.maxFormKeys}} and 
> {{org.eclipse.jetty.server.Request.maxFormContentSize}}.
> This Jira is about overriding them in {{gateway-site.xml}}.





[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557914#comment-17557914
 ] 

ASF subversion and git services commented on KNOX-2746:
---

Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Bhargavi-Sagi
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ]

KNOX-2746 - Add presto/presto ui support in service definition (#576)



> Add presto and presto ui support in service definition
> --
>
> Key: KNOX-2746
> URL: https://issues.apache.org/jira/browse/KNOX-2746
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: sagi bhargavi
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Add support for [Presto|https://github.com/prestodb/presto], also known as 
> PrestoDB in knox service definition.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557909#comment-17557909
 ] 

ASF subversion and git services commented on KNOX-2732:
---

Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ]

KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560)



> Issuer claim in Knox JWTs should be configurable
> 
>
> Key: KNOX-2732
> URL: https://issues.apache.org/jira/browse/KNOX-2732
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This 
> value should be configurable via a KNOXTOKEN service param in the topology.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557900#comment-17557900
 ] 

ASF subversion and git services commented on KNOX-2740:
---

Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ]

KNOX-2740 - Impersonation-related fields should be displayed only if that's 
enabled in the topology for the KnoxToken service (#569)



>  Impersonation-related fields should be displayed only if that's enabled in 
> the topology for the KnoxToken service
> --
>
> Key: KNOX-2740
> URL: https://issues.apache.org/jira/browse/KNOX-2740
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> With KNOX-2714, the following changes were done on the following Knox UIs:
>  * on the Token Generation page, a new input field was introduced to allow 
> end-users to declare the impersonated user
>  * on the Token Management page, another table is shown with the impersonated 
> tokens
> There should be a way to show/hide these UI elements.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557912#comment-17557912
 ] 

ASF subversion and git services commented on KNOX-2720:
---

Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ]

KNOX-2720 upgrade postgresql due to security issue (#548)



> upgrade postgresql to 42.3.3 due to security issues
> ---
>
> Key: KNOX-2720
> URL: https://issues.apache.org/jira/browse/KNOX-2720
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L252
> https://mvnrepository.com/artifact/org.postgresql/postgresql
> 42.3.3 removes a logging feature that is not great from a security standpoint 
> - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557901#comment-17557901
 ] 

ASF subversion and git services commented on KNOX-2741:
---

Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ]

KNOX-2741 - Upgraded Velocity and Pac4j versions (#570)

* KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936

* KNOX-2741 - Upgraded Pac4j to 4.5.2

>  Upgrade to velocity 2.3 due to CVE-2020-13936
> --
>
> Key: KNOX-2741
> URL: https://issues.apache.org/jira/browse/KNOX-2741
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. 
> Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new 
> 1.x release to go to. See 
> [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to 
> 2.x.
> There is one very important side effect:
> Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J 
> version if it is configured to use SAML:
> {noformat}
> HTTP ERROR 500 javax.servlet.ServletException: 
> javax.servlet.ServletException: java.lang.NoClassDefFoundError: 
> org/apache/velocity/runtime/log/LogChute
> {noformat}
> In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In 
> this version, the velocity is still on 1.7. In 4.5.2 they changed their 
> velocity dependency to 2.3: 
> [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557915#comment-17557915
 ] 

ASF subversion and git services commented on KNOX-2757:
---

Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ]

KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even 
if there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590)



> Mutually exclusive filter params in the HadoopGroupProvider 
> identity-assertion provider
> ---
>
> Key: KNOX-2757
> URL: https://issues.apache.org/jira/browse/KNOX-2757
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.0.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
> 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} 
> topology with this:
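> {noformat}
> <provider>
>     <role>identity-assertion</role>
>     <name>HadoopGroupProvider</name>
>     <enabled>true</enabled>
>     <param>
>         <name>CENTRAL_GROUP_CONFIG_PREFIX</name>
>         <value>gateway.group.config.</value>
>     </param>
>     <param>
>         <name>group.mapping.scientist</name>
>         <value>(!= 0 (size groups))</value>
>     </param>
> </provider>
> {noformat}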
> 2. wait until Knox redeploys the {{sandbox}} topology and check the generated 
> {{gateway.xml}} in the newly deployed web application
> *Actual results:*
> The {{group.mapping.scientist}} filter parameter is missing; only the params 
> in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
> {noformat}
> <filter>
>     <role>identity-assertion</role>
>     <name>HadoopGroupProvider</name>
>     <class>org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter</class>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.attr.member</name>
>         <value>member</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.filter.user</name>
>         <value>(&amp;(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.attr.group.name</name>
>         <value>cn</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.url</name>
>         <value>ldap://localhost:33389</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping</name>
>         <value>org.apache.hadoop.security.LdapGroupsMapping</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.search.filter.group</name>
>         <value>(objectclass=groupOfNames)</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.bind.user</name>
>         <value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
>     </param>
>     <param>
>         <name>hadoop.security.group.mapping.ldap.bind.password</name>
>         <value>guest-password</value>
>     </param>
> </filter>
> {noformat}
> *Expected results:*
> Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} 
> provider parameter should be added to the filter.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2743) Upgrade netty

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557902#comment-17557902
 ] 

ASF subversion and git services commented on KNOX-2743:
---

Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ]

KNOX-2743 - Upgrade netty (#573)



> Upgrade netty
> -
>
> Key: KNOX-2743
> URL: https://issues.apache.org/jira/browse/KNOX-2743
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557907#comment-17557907
 ] 

ASF subversion and git services commented on KNOX-2346:
---

Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ]

KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the 
tests (#577)



> Remove unused maxRetryAttempts and retrySleep
> -
>
> Key: KNOX-2346
> URL: https://issues.apache.org/jira/browse/KNOX-2346
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Kevin Risden
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 1.5.0, 2.0.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently maxRetryAttempts and retrySleep are wired throughout the code, but 
> don't actually hook up to anything. The handling should be removed to make it 
> clear that these aren't used anywhere.
> There is no backwards compatibility issue here since the parsing is lazy - 
> it's not a required field, so if a user is specifying it, it will be silently 
> ignored, just like it is silently ignored today.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557911#comment-17557911
 ] 

ASF subversion and git services commented on KNOX-2747:
---

Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ]

KNOX-2747 RemoteAliasService generates password without checking if it already 
exists (#581)



> RemoteAliasService generates password without checking if it already exists
> ---
>
> Key: KNOX-2747
> URL: https://issues.apache.org/jira/browse/KNOX-2747
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
> /* Generate a new password  */
> if (generate) {
>   generateAliasForCluster(clusterName, alias);
> }
> {code}
> DefaultAliasService checks first
> {code}
> credential = keystoreService.getCredentialForCluster(clusterName, alias);
> if (credential == null && generate) {
>   generateAliasForCluster(clusterName, alias);
>   credential = keystoreService.getCredentialForCluster(clusterName, alias);
> }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each 
> topology change.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557905#comment-17557905
 ] 

ASF subversion and git services commented on KNOX-2745:
---

Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ]

KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter 
(#575)



> VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
> 
>
> Key: KNOX-2745
> URL: https://issues.apache.org/jira/browse/KNOX-2745
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The groups calculated by HadoopGroupProviderFilter are not passed to the 
> virtual group mapper.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557904#comment-17557904
 ] 

ASF subversion and git services commented on KNOX-2744:
---

Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ]

KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572)



> Upgrade protobuf-java to 3.16.1
> ---
>
> Key: KNOX-2744
> URL: https://issues.apache.org/jira/browse/KNOX-2744
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade protobuf-java to 3.16.1 due to CVE.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557916#comment-17557916
 ] 

ASF subversion and git services commented on KNOX-2752:
---

Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ]

KNOX-2752 knoxcli should support batch alias creation (#583)



> knoxcli should support batch alias creation
> ---
>
> Key: KNOX-2752
> URL: https://issues.apache.org/jira/browse/KNOX-2752
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxCLI
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently we can only create aliases one by one:
> {code}
> bin/knoxcli.sh create-alias name --cluster cl1  --value value
> {code}
> This is very slow if we want to create multiple aliases.
> KnoxCLI should support creating multiple aliases for the same cluster in one 
> batch
> {code}
> bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 
> --alias a3 --value v3
> {code}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557910#comment-17557910
 ] 

ASF subversion and git services commented on KNOX-2726:
---

Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ]

KNOX-2726 - Impersonation Params should be configurable (#579)

* KNOX-2726 - Impersonation Params should be configurable

> Impersonation Params Declared by Service Definitions
> 
>
> Key: KNOX-2726
> URL: https://issues.apache.org/jira/browse/KNOX-2726
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper_.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557917#comment-17557917
 ] 

ASF subversion and git services commented on KNOX-2762:
---

Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Harshil Jhaveri
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ]

KNOX-2762  (#594)

* Fixing bug related to whitespaces around delimiters in composite provider 
names.

* KNOX-2762 Fixing bug related to whitespaces around delimiters in composite 
provider names.

> Whitespaces around delimiters in composite provider names gives 
> NullPointerException
> 
>
> Key: KNOX-2762
> URL: https://issues.apache.org/jira/browse/KNOX-2762
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Harshil Jhaveri
>Assignee: Harshil Jhaveri
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: NPE gateway log.png
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> When giving space before the delimiter for composite.provider.names in 
> composite authorisation provider, the topology deployment is failing and 
> returning a null pointer exception.
> The topology state:
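> {code:java}
> <provider>
>     <role>authorization</role>
>     <name>CompositeAuthz</name>
>     <enabled>true</enabled>
>     <param>
>         <name>composite.provider.names</name>
>         <value>AclsAuthz ,XASecurePDPKnox</value>
>     </param>
>     <param>
>         <name>AclsAuthz.ranger.acl</name>
>         <value>*;;</value>
>     </param>
> </provider>
> {code}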
> CC: [~pzampino] [~smore] [~smolnar]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557918#comment-17557918
 ] 

ASF subversion and git services commented on KNOX-2761:
---

Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ]

KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods 
in KnoxShell too (#593)



> KnoxShell does not reflect KNOX-2661
> 
>
> Key: KNOX-2761
> URL: https://issues.apache.org/jira/browse/KNOX-2761
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxShell
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> KNOX-2661 changed the HTTP method for some of the Knox Token resource API. 
> However, those changes were not reflected in KnoxToken-related KnoxShell 
> classes.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557925#comment-17557925
 ] 

ASF subversion and git services commented on KNOX-2742:
---

Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ]

KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571)



> CM service discovery retry may be needed
> 
>
> Key: KNOX-2742
> URL: https://issues.apache.org/jira/browse/KNOX-2742
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 1.5.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> If there is a connection issue the first time Knox discovers a cluster in CM, 
> the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 
> should help here a lot but maybe it's not enough. We may add some sort of 
> retry logic if service discovery failed due to communication errors.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2743) Upgrade netty

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557924#comment-17557924
 ] 

ASF subversion and git services commented on KNOX-2743:
---

Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ]

KNOX-2743 - Upgrade netty (#573)



> Upgrade netty
> -
>
> Key: KNOX-2743
> URL: https://issues.apache.org/jira/browse/KNOX-2743
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557921#comment-17557921
 ] 

ASF subversion and git services commented on KNOX-2738:
---

Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ]

KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567)



> On Fresh install JDBCTokenStateService initiation failed
> 
>
> Key: KNOX-2738
> URL: https://issues.apache.org/jira/browse/KNOX-2738
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox intermittently failed to start due to a race condition between multiple 
> knox instances when creating database tables.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557927#comment-17557927
 ] 

ASF subversion and git services commented on KNOX-2745:
---

Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ]

KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter 
(#575)



> VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
> 
>
> Key: KNOX-2745
> URL: https://issues.apache.org/jira/browse/KNOX-2745
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The groups calculated by HadoopGroupProviderFilter are not passed to the 
> virtual group mapper.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557938#comment-17557938
 ] 

ASF subversion and git services commented on KNOX-2752:
---

Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ]

KNOX-2752 knoxcli should support batch alias creation (#583)



> knoxcli should support batch alias creation
> ---
>
> Key: KNOX-2752
> URL: https://issues.apache.org/jira/browse/KNOX-2752
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxCLI
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently we can only create aliases one by one:
> {code}
> bin/knoxcli.sh create-alias name --cluster cl1  --value value
> {code}
> This is very slow if we want to create multiple aliases.
> KnoxCLI should support creating multiple aliases for the same cluster in one 
> batch
> {code}
> bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 
> --alias a3 --value v3
> {code}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557931#comment-17557931
 ] 

ASF subversion and git services commented on KNOX-2732:
---

Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ]

KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560)



> Issuer claim in Knox JWTs should be configurable
> 
>
> Key: KNOX-2732
> URL: https://issues.apache.org/jira/browse/KNOX-2732
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This 
> value should be configurable via a KNOXTOKEN service param in the topology.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557943#comment-17557943
 ] 

ASF subversion and git services commented on KNOX-2741:
---

Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ]

KNOX-2741 - Upgraded Velocity and Pac4j versions (#570)

* KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936

* KNOX-2741 - Upgraded Pac4j to 4.5.2

>  Upgrade to velocity 2.3 due to CVE-2020-13936
> --
>
> Key: KNOX-2741
> URL: https://issues.apache.org/jira/browse/KNOX-2741
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. 
> Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new 
> 1.x release to go to. See 
> [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to 
> 2.x.
> There is one very important side effect:
> Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J 
> version if it is configured to use SAML:
> {noformat}
> HTTP ERROR 500 javax.servlet.ServletException: 
> javax.servlet.ServletException: java.lang.NoClassDefFoundError: 
> org/apache/velocity/runtime/log/LogChute
> {noformat}
> In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In 
> this version, the velocity is still on 1.7. In 4.5.2 they changed their 
> velocity dependency to 2.3: 
> [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557933#comment-17557933
 ] 

ASF subversion and git services commented on KNOX-2747:
---

Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ]

KNOX-2747 RemoteAliasService generates password without checking if it already 
exists (#581)



> RemoteAliasService generates password without checking if it already exists
> ---
>
> Key: KNOX-2747
> URL: https://issues.apache.org/jira/browse/KNOX-2747
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
> /* Generate a new password  */
> if (generate) {
>   generateAliasForCluster(clusterName, alias);
> }
> {code}
> DefaultAliasService checks first
> {code}
> credential = keystoreService.getCredentialForCluster(clusterName, alias);
> if (credential == null && generate) {
>   generateAliasForCluster(clusterName, alias);
>   credential = keystoreService.getCredentialForCluster(clusterName, alias);
> }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each 
> topology change.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
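
The difference between the two snippets quoted in KNOX-2747 above, as an added Java example that is not Knox code. The in-memory `AliasStore`, the cluster and alias names, and the use of the password as an HMAC key are assumptions made only to make the effect of regeneration visible.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class AliasRegenerationDemo {

    /** Hypothetical in-memory stand-in for a per-cluster credential store. */
    static class AliasStore {
        private final Map<String, char[]> entries = new HashMap<>();
        private final SecureRandom random = new SecureRandom();
        int generations = 0;

        char[] get(String cluster, String alias) {
            return entries.get(cluster + "/" + alias);
        }

        void generate(String cluster, String alias) {
            byte[] raw = new byte[24];
            random.nextBytes(raw);
            // Overwrites any existing entry, which is what makes the bug visible.
            entries.put(cluster + "/" + alias,
                    Base64.getEncoder().encodeToString(raw).toCharArray());
            generations++;
        }
    }

    interface Lookup {
        char[] apply(AliasStore store, String cluster, String alias, boolean generate);
    }

    /** Pattern quoted for RemoteAliasService: generate whenever the caller asks. */
    static char[] lookupAlwaysGenerate(AliasStore store, String cluster, String alias, boolean generate) {
        if (generate) {
            store.generate(cluster, alias);
        }
        return store.get(cluster, alias);
    }

    /** Pattern quoted for DefaultAliasService: generate only when nothing is stored. */
    static char[] lookupCheckFirst(AliasStore store, String cluster, String alias, boolean generate) {
        char[] credential = store.get(cluster, alias);
        if (credential == null && generate) {
            store.generate(cluster, alias);
            credential = store.get(cluster, alias);
        }
        return credential;
    }

    /** Assumed use of the password: keying an HMAC over some session value. */
    static byte[] hmac(char[] password, String message) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        byte[] key = new String(password).getBytes(StandardCharsets.UTF_8);
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(message.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Issues a tag at first deployment, then repeats the lookup once per
     * simulated topology change and reports whether the tag still verifies.
     */
    static boolean tagSurvivesRedeploys(Lookup lookup, AliasStore store, int redeploys) throws Exception {
        String cluster = "sandbox";      // constructed sample values
        String alias = "demo.alias";
        String session = "user=alice";

        char[] current = lookup.apply(store, cluster, alias, true);
        byte[] issued = hmac(current, session);
        for (int i = 0; i < redeploys; i++) {
            current = lookup.apply(store, cluster, alias, true);
        }
        return MessageDigest.isEqual(issued, hmac(current, session));
    }

    public static void main(String[] args) throws Exception {
        AliasStore always = new AliasStore();
        boolean alwaysOk = tagSurvivesRedeploys(AliasRegenerationDemo::lookupAlwaysGenerate, always, 3);
        System.out.printf("always-generate: generations=%d, earlier tag still valid=%b%n",
                always.generations, alwaysOk);

        AliasStore checked = new AliasStore();
        boolean checkedOk = tagSurvivesRedeploys(AliasRegenerationDemo::lookupCheckFirst, checked, 3);
        System.out.printf("check-first:     generations=%d, earlier tag still valid=%b%n",
                checked.generations, checkedOk);
    }
}
```

With the unconditional variant every lookup replaces the stored secret, so anything derived from the earlier value stops verifying; the check-first variant generates once and stays stable across redeploys.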


[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557945#comment-17557945
 ] 

ASF subversion and git services commented on KNOX-2742:
---

Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ]

KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571)



> CM service discovery retry may be needed
> 
>
> Key: KNOX-2742
> URL: https://issues.apache.org/jira/browse/KNOX-2742
> Project: Apache Knox
>  Issue Type: Improvement
>Affects Versions: 1.5.0, 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> If there is a connection issue the first time Knox discovers a cluster in CM, 
> the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 
> should help here a lot but maybe it's not enough. We may add some sort of 
> retry logic if service discovery failed due to communication errors.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557930#comment-17557930
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ]

KNOX-2736 Knox clients should support retry/failover - addendum (#578)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557936#comment-17557936
 ] 

ASF subversion and git services commented on KNOX-2746:
---

Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Bhargavi-Sagi
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ]

KNOX-2746 - Add presto/presto ui support in service definition (#576)



> Add presto and presto ui support in service definition
> --
>
> Key: KNOX-2746
> URL: https://issues.apache.org/jira/browse/KNOX-2746
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: sagi bhargavi
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Add support for [Presto|https://github.com/prestodb/presto], also known as 
> PrestoDB in knox service definition.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557948#comment-17557948
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ]

KNOX-2736 Knox clients should support retry/failover (#568)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2743) Upgrade netty

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557944#comment-17557944
 ] 

ASF subversion and git services commented on KNOX-2743:
---

Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandeep 
Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ]

KNOX-2743 - Upgrade netty (#573)



> Upgrade netty
> -
>
> Key: KNOX-2743
> URL: https://issues.apache.org/jira/browse/KNOX-2743
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557949#comment-17557949
 ] 

ASF subversion and git services commented on KNOX-2346:
---

Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ]

KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the 
tests (#577)



> Remove unused maxRetryAttempts and retrySleep
> -
>
> Key: KNOX-2346
> URL: https://issues.apache.org/jira/browse/KNOX-2346
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Kevin Risden
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 1.5.0, 2.0.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently maxRetryAttempts and retrySleep are wired throughout the code, but 
> don't actually hook up to anything. The handling should be removed to make it 
> clear that these aren't used anywhere.
> There is no backwards compatibility issue here since the parsing is lazy - 
> it's not a required field so if a user is specifying it will be silently 
> ignored. Just like it is silently ignored today.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557922#comment-17557922
 ] 

ASF subversion and git services commented on KNOX-2740:
---

Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ]

KNOX-2740 - Impersonation-related fields should be displayed only if that's 
enabled in the topology for the KnoxToken service (#569)



>  Impersonation-related fields should be displayed only if that's enabled in 
> the topology for the KnoxToken service
> --
>
> Key: KNOX-2740
> URL: https://issues.apache.org/jira/browse/KNOX-2740
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> With KNOX-2714, the following changes were done on the following Knox UIs:
>  * on the Token Generation page, a new input field was introduced to allow 
> end-users to declare the impersonated user
>  * on the Token Management page, another table is shown with the impersonated 
> tokens
> There should be a way to show/hide these UI elements.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557923#comment-17557923
 ] 

ASF subversion and git services commented on KNOX-2741:
---

Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ]

KNOX-2741 - Upgraded Velocity and Pac4j versions (#570)

* KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936

* KNOX-2741 - Upgraded Pac4j to 4.5.2

>  Upgrade to velocity 2.3 due to CVE-2020-13936
> --
>
> Key: KNOX-2741
> URL: https://issues.apache.org/jira/browse/KNOX-2741
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. 
> Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new 
> 1.x release to go to. See 
> [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to 
> 2.x.
> There is one very important side effect:
> Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J 
> version if it is configured to use SAML:
> {noformat}
> HTTP ERROR 500 javax.servlet.ServletException: 
> javax.servlet.ServletException: java.lang.NoClassDefFoundError: 
> org/apache/velocity/runtime/log/LogChute
> {noformat}
> In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In 
> this version, the velocity is still on 1.7. In 4.5.2 they changed their 
> velocity dependency to 2.3: 
> [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557928#comment-17557928
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ]

KNOX-2736 Knox clients should support retry/failover (#568)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557932#comment-17557932
 ] 

ASF subversion and git services commented on KNOX-2726:
---

Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ]

KNOX-2726 - Impersonation Params should be configurable (#579)

* KNOX-2726 - Impersonation Params should be configurable

> Impersonation Params Declared by Service Definitions
> 
>
> Key: KNOX-2726
> URL: https://issues.apache.org/jira/browse/KNOX-2726
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557940#comment-17557940
 ] 

ASF subversion and git services commented on KNOX-2761:
---

Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ]

KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods 
in KnoxShell too (#593)



> KnoxShell does not reflect KNOX-2661
> 
>
> Key: KNOX-2761
> URL: https://issues.apache.org/jira/browse/KNOX-2761
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxShell
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> KNOX-2661 changed the HTTP method for some of the Knox Token resource API. 
> However, those changes were not reflected in KnoxToken-related KnoxShell 
> classes.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557926#comment-17557926
 ] 

ASF subversion and git services commented on KNOX-2744:
---

Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ]

KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572)



> Upgrade protobuf-java to 3.16.1
> ---
>
> Key: KNOX-2744
> URL: https://issues.apache.org/jira/browse/KNOX-2744
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade protobuf-java to 3.16.1 due to CVE.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557929#comment-17557929
 ] 

ASF subversion and git services commented on KNOX-2346:
---

Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ]

KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the 
tests (#577)



> Remove unused maxRetryAttempts and retrySleep
> -
>
> Key: KNOX-2346
> URL: https://issues.apache.org/jira/browse/KNOX-2346
> Project: Apache Knox
>  Issue Type: Task
>Reporter: Kevin Risden
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 1.5.0, 2.0.0
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently maxRetryAttempts and retrySleep are wired throughout the code, but 
> don't actually hook up to anything. The handling should be removed to make it 
> clear that these aren't used anywhere.
> There is no backwards compatibility issue here since the parsing is lazy - 
> it's not a required field so if a user is specifying it will be silently 
> ignored. Just like it is silently ignored today.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557939#comment-17557939
 ] 

ASF subversion and git services commented on KNOX-2762:
---

Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Harshil Jhaveri
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ]

KNOX-2762  (#594)

* Fixing bug related to whitespaces around delimiters in composite provider 
names.

* KNOX-2762 Fixing bug related to whitespaces around delimiters in composite 
provider names.

> Whitespaces around delimiters in composite provider names gives 
> NullPointerException
> 
>
> Key: KNOX-2762
> URL: https://issues.apache.org/jira/browse/KNOX-2762
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Harshil Jhaveri
>Assignee: Harshil Jhaveri
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: NPE gateway log.png
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> When giving space before the delimiter for composite.provider.names in 
> composite authorisation provider, the topology deployment is failing and 
> returning a null pointer exception.
> The topology state:
> {code:java}
>  
>  authorization 
>  CompositeAuthz 
>  true 
>
>  composite.provider.names 
>  AclsAuthz ,XASecurePDPKnox
>   
>   
>   AclsAuthz.ranger.acl 
>   *;; 
> {code}
> {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557958#comment-17557958
 ] 

ASF subversion and git services commented on KNOX-2752:
---

Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ]

KNOX-2752 knoxcli should support batch alias creation (#583)



> knoxcli should support batch alias creation
> ---
>
> Key: KNOX-2752
> URL: https://issues.apache.org/jira/browse/KNOX-2752
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxCLI
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> Currently we can only create aliases one by one:
> {code}
> bin/knoxcli.sh create-alias name --cluster cl1  --value value
> {code}
> This is very slow if we want to create multiple aliases.
> KnoxCLI should support creating multiple aliases for the same cluster in one 
> batch
> {code}
> bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 --alias a3 --value v3
> {code}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557941#comment-17557941
 ] 

ASF subversion and git services commented on KNOX-2738:
---

Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ]

KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567)



> On Fresh install JDBCTokenStateService initiation failed
> 
>
> Key: KNOX-2738
> URL: https://issues.apache.org/jira/browse/KNOX-2738
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Knox intermittently failed to start due to a race condition between multiple 
> knox instances when creating database tables.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557950#comment-17557950
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ]

KNOX-2736 Knox clients should support retry/failover - addendum (#578)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557942#comment-17557942
 ] 

ASF subversion and git services commented on KNOX-2740:
---

Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ]

KNOX-2740 - Impersonation-related fields should be displayed only if that's 
enabled in the topology for the KnoxToken service (#569)



>  Impersonation-related fields should be displayed only if that's enabled in 
> the topology for the KnoxToken service
> --
>
> Key: KNOX-2740
> URL: https://issues.apache.org/jira/browse/KNOX-2740
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> With KNOX-2714, the following changes were done on the following Knox UIs:
>  * on the Token Generation page, a new input field was introduced to allow 
> end-users to declare the impersonated user
>  * on the Token Management page, another table is shown with the impersonated 
> tokens
> There should be a way to show/hide these UI elements.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557934#comment-17557934
 ] 

ASF subversion and git services commented on KNOX-2720:
---

Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ 
Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ]

KNOX-2720 upgrade postgresql due to security issue (#548)



> upgrade postgresql to 42.3.3 due to security issues
> ---
>
> Key: KNOX-2720
> URL: https://issues.apache.org/jira/browse/KNOX-2720
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L252
> https://mvnrepository.com/artifact/org.postgresql/postgresql
> 42.3.3 removes a logging feature that is not great from a security standpoint 
> - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557959#comment-17557959
 ] 

ASF subversion and git services commented on KNOX-2762:
---

Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Harshil 
Jhaveri
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ]

KNOX-2762  (#594)

* Fixing bug related to whitespaces around delimiters in composite provider 
names.

* KNOX-2762 Fixing bug related to whitespaces around delimiters in composite 
provider names.

> Whitespaces around delimiters in composite provider names gives 
> NullPointerException
> 
>
> Key: KNOX-2762
> URL: https://issues.apache.org/jira/browse/KNOX-2762
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Harshil Jhaveri
>Assignee: Harshil Jhaveri
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: NPE gateway log.png
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> When giving space before the delimiter for composite.provider.names in 
> composite authorisation provider, the topology deployment is failing and 
> returning a null pointer exception.
> The topology state:
> {code:java}
>  
>  authorization 
>  CompositeAuthz 
>  true 
>
>  composite.provider.names 
>  AclsAuthz ,XASecurePDPKnox
>   
>   
>   AclsAuthz.ranger.acl 
>   *;; 
> {code}
> {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557946#comment-17557946
 ] 

ASF subversion and git services commented on KNOX-2744:
---

Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ]

KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572)



> Upgrade protobuf-java to 3.16.1
> ---
>
> Key: KNOX-2744
> URL: https://issues.apache.org/jira/browse/KNOX-2744
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> Upgrade protobuf-java to 3.16.1 due to CVE.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557947#comment-17557947
 ] 

ASF subversion and git services commented on KNOX-2745:
---

Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ]

KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter 
(#575)



> VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
> 
>
> Key: KNOX-2745
> URL: https://issues.apache.org/jira/browse/KNOX-2745
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> The groups calculated by HadoopGroupProviderFilter are not passed to the 
> virtual group mapper.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557951#comment-17557951
 ] 

ASF subversion and git services commented on KNOX-2732:
---

Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ]

KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560)



> Issuer claim in Knox JWTs should be configurable
> 
>
> Key: KNOX-2732
> URL: https://issues.apache.org/jira/browse/KNOX-2732
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This 
> value should be configurable via a KNOXTOKEN service param in the topology.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557956#comment-17557956
 ] 

ASF subversion and git services commented on KNOX-2746:
---

Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from 
Bhargavi-Sagi
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ]

KNOX-2746 - Add presto/presto ui support in service definition (#576)



> Add presto and presto ui support in service definition
> --
>
> Key: KNOX-2746
> URL: https://issues.apache.org/jira/browse/KNOX-2746
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Reporter: sagi bhargavi
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Add support for [Presto|https://github.com/prestodb/presto], also known as 
> PrestoDB in knox service definition.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557937#comment-17557937
 ] 

ASF subversion and git services commented on KNOX-2757:
---

Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ]

KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even 
if there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590)



> Mutually exclusive filter params in the HadoopGroupProvider 
> identity-assertion provider
> ---
>
> Key: KNOX-2757
> URL: https://issues.apache.org/jira/browse/KNOX-2757
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.0.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
> 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} 
> topology with this:
> {noformat}
>     
>         identity-assertion
>         HadoopGroupProvider
>         true
>         
>             CENTRAL_GROUP_CONFIG_PREFIX
>             gateway.group.config.
>         
>         
>             group.mapping.scientist
>             (!= 0 (size groups))
>         
>      {noformat}
> 2. wait until Knox redeploys the {{sandbox}} topology and check the generated 
> {{gateway.xml}} in the newly deployed web application
> *Actual results:*
> The {{group.mapping.scientist}} filter parameter is missing; only the params 
> in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
> {noformat}
> 
> identity-assertion
> HadoopGroupProvider
> 
> org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter
> 
> 
> hadoop.security.group.mapping.ldap.search.attr.member
> member
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.filter.user
> 
> (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.attr.group.name
> cn
> 
> 
> hadoop.security.group.mapping.ldap.url
> ldap://localhost:33389
> 
> 
> hadoop.security.group.mapping
> org.apache.hadoop.security.LdapGroupsMapping
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.filter.group
> (objectclass=groupOfNames)
> 
> 
> hadoop.security.group.mapping.ldap.bind.user
> uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
> 
> 
> hadoop.security.group.mapping.ldap.bind.password
> guest-password
> 
> 
> {noformat}
> *Expected results:*
> Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} 
> provider parameter should be added to the filter.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557954#comment-17557954
 ] 

ASF subversion and git services commented on KNOX-2720:
---

Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ]

KNOX-2720 upgrade postgresql due to security issue (#548)



> upgrade postgresql to 42.3.3 due to security issues
> ---
>
> Key: KNOX-2720
> URL: https://issues.apache.org/jira/browse/KNOX-2720
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L252
> https://mvnrepository.com/artifact/org.postgresql/postgresql
> 42.3.3 removes a logging feature that is not great from a security standpoint 
> - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557952#comment-17557952
 ] 

ASF subversion and git services commented on KNOX-2726:
---

Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandeep 
Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ]

KNOX-2726 - Impersonation Params should be configurable (#579)

* KNOX-2726 - Impersonation Params should be configurable

> Impersonation Params Declared by Service Definitions
> 
>
> Key: KNOX-2726
> URL: https://issues.apache.org/jira/browse/KNOX-2726
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Philip Zampino
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.2
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_
>  has the following comment:
> {noformat}
> // TODO: let's have service definitions register their impersonation
> // params in a future release and get this list from a central registry.
> // This will provide better coverage of protection by removing any
> // pre-populated impersonation params.{noformat}
> Currently, Knox excludes some well-known impersonation request parameters 
> from proxied requests. Rather than maintaining a hard-coded list of these 
> params, service definitions should be able to declare them such that they 
> would be available at runtime to 
> {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}.
> This will allow service-specific impersonation parameter details to be 
> defined by the service definitions, and eliminate the need for Knox runtime 
> code changes when new impersonation params need to be handled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
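The registry idea described in KNOX-2726 above, sketched as an added example (Java 11+, JDK only); it is not code from Knox. The Registry class, the scrub method, the EXAMPLESVC role and all parameter names and values are assumptions constructed for illustration.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Added illustration; none of these names are Knox classes. */
public class ImpersonationParamScrubDemo {

    /** Hypothetical central registry: service role -> impersonation param names it declared. */
    static final class Registry {
        private final Map<String, Set<String>> byRole = new HashMap<>();

        /** Called once per service definition; names are stored lower-cased. */
        void declare(String serviceRole, String... paramNames) {
            Set<String> names = byRole.computeIfAbsent(serviceRole, r -> new HashSet<>());
            for (String n : paramNames) {
                names.add(n.toLowerCase(Locale.ROOT));
            }
        }

        Set<String> namesFor(String serviceRole) {
            return byRole.getOrDefault(serviceRole, Set.of());
        }
    }

    /**
     * Returns the query string with every declared impersonation parameter removed.
     * Names are URL-decoded and lower-cased before the comparison, so an encoded or
     * differently cased spelling of a declared name is removed as well.
     */
    static String scrub(Registry registry, String serviceRole, String rawQuery) {
        if (rawQuery == null || rawQuery.isEmpty()) {
            return "";
        }
        Set<String> blocked = registry.namesFor(serviceRole);
        List<String> kept = new ArrayList<>();
        for (String pair : rawQuery.split("&")) {
            if (pair.isEmpty()) {
                continue;
            }
            int eq = pair.indexOf('=');
            String rawName = eq < 0 ? pair : pair.substring(0, eq);
            String name;
            try {
                name = URLDecoder.decode(rawName, StandardCharsets.UTF_8);
            } catch (IllegalArgumentException malformedEscape) {
                // Fail closed: a name that cannot be decoded is not forwarded.
                continue;
            }
            if (!blocked.contains(name.toLowerCase(Locale.ROOT))) {
                kept.add(pair);
            }
        }
        return String.join("&", kept);
    }

    public static void main(String[] args) {
        Registry registry = new Registry();
        // Constructed declarations; not Knox's actual list of impersonation params.
        registry.declare("WEBHDFS", "doAs", "user.name");
        registry.declare("EXAMPLESVC", "impersonate_as");

        // Constructed sample requests: { service role, client-supplied query string }.
        String[][] samples = {
            {"WEBHDFS", "op=OPEN&doAs=admin"},
            {"WEBHDFS", "op=OPEN&DOAS=admin"},
            {"WEBHDFS", "op=OPEN&do%41s=admin"},
            {"WEBHDFS", "user.name=hdfs&op=LISTSTATUS"},
            {"WEBHDFS", "op=OPEN&do%ZZs=admin"},
            // doAs survives here because EXAMPLESVC never declared it: coverage
            // is only as good as what each service definition registers.
            {"EXAMPLESVC", "q=1&impersonate_as=root&doAs=admin"},
        };
        for (String[] s : samples) {
            System.out.printf("%-10s %-40s -> %s%n", s[0], s[1], scrub(registry, s[0], s[1]));
        }
    }
}
```

With a per-service registry a new impersonation parameter becomes a data change in the service definition; a service that declares nothing gets no scrubbing beyond whatever baseline the gateway keeps.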


[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557908#comment-17557908
 ] 

ASF subversion and git services commented on KNOX-2736:
---

Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from 
Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ]

KNOX-2736 Knox clients should support retry/failover - addendum (#578)



> Knox clients should support retry/failover
> --
>
> Key: KNOX-2736
> URL: https://issues.apache.org/jira/browse/KNOX-2736
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: KnoxShell
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> Not having retries in knox clients can cause service upgrade failures.
> The apache http client has a default mechanism 
> (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) 
> to support retries.
> * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - 
> ServiceUnavailable.
> * StandardHttpRequestRetryHandler retries when a non excluded exception 
> occurs during the request.
> The excluded exceptions are: InterruptedIOException, UnknownHostException, 
> ConnectException, SSLException. In these cases no retry is going to happen.
> The following HTTP methods are considered idempotent so they can be retried: 
> GET, HEAD, PUT, DELETE, OPTIONS, TRACE.
> Note that if an endpoint is implemented in a non-idempotent way (for example 
> a PUT) then this might have unwanted side-effects.
> Other methods such as POST are only retried if the request has not yet 
> been written out to the output stream when the error happened, or if 
> requestSentRetryEnabled is enabled.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
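The retry rules listed in KNOX-2736 above, modelled as an added example (Java 11+, JDK only); this is neither KnoxShell nor Apache HttpClient source. The class and method names, the attempt counter and the sample cases are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InterruptedIOException;
import java.net.ConnectException;
import java.net.SocketTimeoutException;
import java.net.UnknownHostException;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLException;

/** Added illustration of the retry rules as the issue text states them. */
public class RetryDecisionDemo {

    // Methods the issue lists as idempotent and therefore retriable.
    static final Set<String> IDEMPOTENT_METHODS =
            Set.of("GET", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE");

    // Exceptions the issue lists as excluded: no retry when one of these occurs.
    static final List<Class<? extends IOException>> EXCLUDED = List.of(
            InterruptedIOException.class,
            UnknownHostException.class,
            ConnectException.class,
            SSLException.class);

    /** Decision after an I/O error; attempt is 1 for the first failed execution. */
    static boolean retryAfterException(IOException error, String method, int attempt,
                                       int maxRetries, boolean requestSent,
                                       boolean requestSentRetryEnabled) {
        if (attempt > maxRetries) {
            return false;
        }
        for (Class<? extends IOException> excluded : EXCLUDED) {
            // isInstance also matches subclasses, e.g. SocketTimeoutException
            // extends InterruptedIOException, so a read timeout is never retried.
            if (excluded.isInstance(error)) {
                return false;
            }
        }
        if (IDEMPOTENT_METHODS.contains(method.toUpperCase(Locale.ROOT))) {
            return true;
        }
        // Non-idempotent methods (POST): only if nothing reached the wire yet,
        // or if the operator explicitly opted in.
        return !requestSent || requestSentRetryEnabled;
    }

    /** Decision after a response arrived: only 503 Service Unavailable is retried. */
    static boolean retryAfterStatus(int status, int attempt, int maxRetries) {
        return status == 503 && attempt <= maxRetries;
    }

    private static void show(String label, boolean retry) {
        System.out.printf("%-58s %s%n", label, retry ? "retry" : "give up");
    }

    public static void main(String[] args) {
        int max = 3; // constructed retry budget
        IOException reset = new IOException("connection reset"); // constructed errors

        show("GET, connection reset, attempt 1",
                retryAfterException(reset, "GET", 1, max, true, false));
        show("GET, connection reset, attempt 4 (budget exhausted)",
                retryAfterException(reset, "GET", 4, max, true, false));
        show("GET, read timeout (subclass of InterruptedIOException)",
                retryAfterException(new SocketTimeoutException("read timed out"),
                        "GET", 1, max, true, false));
        show("GET, connection refused",
                retryAfterException(new ConnectException("refused"), "GET", 1, max, false, false));
        show("GET, TLS failure",
                retryAfterException(new SSLException("handshake failed"), "GET", 1, max, false, false));
        show("PUT, connection reset, body already sent",
                retryAfterException(reset, "PUT", 1, max, true, false));
        show("POST, connection reset, body not yet sent",
                retryAfterException(reset, "POST", 1, max, false, false));
        show("POST, connection reset, body already sent",
                retryAfterException(reset, "POST", 1, max, true, false));
        show("POST, body already sent, requestSentRetryEnabled=true",
                retryAfterException(reset, "POST", 1, max, true, true));
        show("HTTP 503, attempt 1", retryAfterStatus(503, 1, max));
        show("HTTP 500, attempt 1", retryAfterStatus(500, 1, max));
    }
}
```

The PUT case is the one to review per endpoint: the model retries it after the body was sent, which is safe only when the server side really treats that PUT as idempotent.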


[jira] [Commented] (KNOX-2718) upgrade xmlsec due to security issue

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557962#comment-17557962
 ] 

ASF subversion and git services commented on KNOX-2718:
---

Commit 295a041a728444d1a1ee7b82104dfe387a704929 in knox's branch 
refs/heads/master from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=295a041a7 ]

KNOX-2718: upgrade xmlsec due to security issue (#584)



> upgrade xmlsec due to security issue
> 
>
> Key: KNOX-2718
> URL: https://issues.apache.org/jira/browse/KNOX-2718
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L273
> https://mvnrepository.com/artifact/org.apache.santuario/xmlsec



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2754) upgrade hadoop-common due to cve

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557963#comment-17557963
 ] 

ASF subversion and git services commented on KNOX-2754:
---

Commit 52c586587c512fa5a72eb12f2df7dfa4ac8f5ec2 in knox's branch 
refs/heads/master from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=52c586587 ]

KNOX-2754: upgrade hadoop-common due to cve (#586)



> upgrade hadoop-common due to cve
> 
>
> Key: KNOX-2754
> URL: https://issues.apache.org/jira/browse/KNOX-2754
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/pull/557
> https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common has the 
> versions and vulnerabilities associated with them



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2721) upgrade jetty to 9.4.45 due to cves

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557964#comment-17557964
 ] 

ASF subversion and git services commented on KNOX-2721:
---

Commit 167bc5268fcfc3418faeddbaea06ce4decf926c2 in knox's branch 
refs/heads/master from PJ Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=167bc5268 ]

KNOX-2721: upgrade jetty to 9.4.45 due to cves (#587)



> upgrade jetty to 9.4.45 due to cves
> ---
>
> Key: KNOX-2721
> URL: https://issues.apache.org/jira/browse/KNOX-2721
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> https://github.com/apache/knox/blob/master/pom.xml#L229



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557957#comment-17557957
 ] 

ASF subversion and git services commented on KNOX-2757:
---

Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ]

KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even 
if there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590)



> Mutually exclusive filter params in the HadoopGroupProvider 
> identity-assertion provider
> ---
>
> Key: KNOX-2757
> URL: https://issues.apache.org/jira/browse/KNOX-2757
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.0.0
>
>  Time Spent: 50m
>  Remaining Estimate: 0h
>
> *Steps to reproduce:*
> 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} 
> topology with this:
> {noformat}
>     
>         identity-assertion
>         HadoopGroupProvider
>         true
>         
>             CENTRAL_GROUP_CONFIG_PREFIX
>             gateway.group.config.
>         
>         
>             group.mapping.scientist
>             (!= 0 (size groups))
>         
>      {noformat}
> 2. wait until Knox redeploys the {{sandbox}} topology and check the generated 
> {{gateway.xml}} in the newly deployed web application
> *Actual results:*
> The {{group.mapping.scientist}} filter parameter is missing; only the params 
> in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added:
> {noformat}
> 
> identity-assertion
> HadoopGroupProvider
> 
> org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter
> 
> 
> hadoop.security.group.mapping.ldap.search.attr.member
> member
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.filter.user
> 
> (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0}))
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.attr.group.name
> cn
> 
> 
> hadoop.security.group.mapping.ldap.url
> ldap://localhost:33389
> 
> 
> hadoop.security.group.mapping
> org.apache.hadoop.security.LdapGroupsMapping
> 
> 
> 
> hadoop.security.group.mapping.ldap.search.filter.group
> (objectclass=groupOfNames)
> 
> 
> hadoop.security.group.mapping.ldap.bind.user
> uid=guest,ou=people,dc=hadoop,dc=apache,dc=org
> 
> 
> hadoop.security.group.mapping.ldap.bind.password
> guest-password
> 
> 
> {noformat}
> *Expected results:*
> Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} 
> provider parameter should be added to the filter.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557960#comment-17557960
 ] 

ASF subversion and git services commented on KNOX-2761:
---

Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor 
Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ]

KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods 
in KnoxShell too (#593)



> KnoxShell does not reflect KNOX-2661
> 
>
> Key: KNOX-2761
> URL: https://issues.apache.org/jira/browse/KNOX-2761
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxShell
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> KNOX-2661 changed the HTTP method for some of the Knox Token resource API. 
> However, those changes were not reflected in KnoxToken-related KnoxShell 
> classes.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557953#comment-17557953
 ] 

ASF subversion and git services commented on KNOX-2747:
---

Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch 
refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila 
Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ]

KNOX-2747 RemoteAliasService generates password without checking if it already 
exists (#581)



> RemoteAliasService generates password without checking if it already exists
> ---
>
> Key: KNOX-2747
> URL: https://issues.apache.org/jira/browse/KNOX-2747
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
> /* Generate a new password  */
> if (generate) {
>   generateAliasForCluster(clusterName, alias);
> }
> {code}
> DefaultAliasService checks first
> {code}
>   credential = keystoreService.getCredentialForCluster(clusterName, 
> alias);
>   if (credential == null && generate) {
> generateAliasForCluster(clusterName, alias);
> credential = keystoreService.getCredentialForCluster(clusterName, 
> alias);
>   }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each 
> topology change.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2766) "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558094#comment-17558094
 ] 

ASF subversion and git services commented on KNOX-2766:
---

Commit 43f4723ea2cce745c4916721155cb962dd04e855 in knox's branch 
refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=43f4723ea ]

KNOX-2766 - Make sure disableLoadBalancingForUserAgents is picked up from HA 
configs (#599)



> "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.
> ---
>
> Key: KNOX-2766
> URL: https://issues.apache.org/jira/browse/KNOX-2766
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> {{It appears that disableLoadBalancingForUserAgents property for HA dispatch 
> is not getting set. This property was introduced as part of change KNOX-2634. 
> }}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2766) "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558118#comment-17558118
 ] 

ASF subversion and git services commented on KNOX-2766:
---

Commit 43f4723ea2cce745c4916721155cb962dd04e855 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from 
Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=43f4723ea ]

KNOX-2766 - Make sure disableLoadBalancingForUserAgents is picked up from HA 
configs (#599)



> "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.
> ---
>
> Key: KNOX-2766
> URL: https://issues.apache.org/jira/browse/KNOX-2766
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> {{It appears that disableLoadBalancingForUserAgents property for HA dispatch 
> is not getting set. This property was introduced as part of change KNOX-2634. 
> }}



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2721) upgrade jetty to 9.4.45 due to cves

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558117#comment-17558117
 ] 

ASF subversion and git services commented on KNOX-2721:
---

Commit 167bc5268fcfc3418faeddbaea06ce4decf926c2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ 
Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=167bc5268 ]

KNOX-2721: upgrade jetty to 9.4.45 due to cves (#587)



> upgrade jetty to 9.4.45 due to cves
> ---
>
> Key: KNOX-2721
> URL: https://issues.apache.org/jira/browse/KNOX-2721
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server
> https://github.com/apache/knox/blob/master/pom.xml#L229



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2754) upgrade hadoop-common due to cve

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558116#comment-17558116
 ] 

ASF subversion and git services commented on KNOX-2754:
---

Commit 52c586587c512fa5a72eb12f2df7dfa4ac8f5ec2 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ 
Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=52c586587 ]

KNOX-2754: upgrade hadoop-common due to cve (#586)



> upgrade hadoop-common due to cve
> 
>
> Key: KNOX-2754
> URL: https://issues.apache.org/jira/browse/KNOX-2754
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/pull/557
> https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common has the 
> versions and vulnerabilities associated with them



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2718) upgrade xmlsec due to security issue

2022-06-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558115#comment-17558115
 ] 

ASF subversion and git services commented on KNOX-2718:
---

Commit 295a041a728444d1a1ee7b82104dfe387a704929 in knox's branch 
refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ 
Fanning
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=295a041a7 ]

KNOX-2718: upgrade xmlsec due to security issue (#584)



> upgrade xmlsec due to security issue
> 
>
> Key: KNOX-2718
> URL: https://issues.apache.org/jira/browse/KNOX-2718
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: PJ Fanning
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> https://github.com/apache/knox/blob/master/pom.xml#L273
> https://mvnrepository.com/artifact/org.apache.santuario/xmlsec



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException

2022-06-26 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558871#comment-17558871
 ] 

ASF subversion and git services commented on KNOX-2762:
---

Commit f6d190d7a1339eef199e26d9b053fedbb9dc4dcb in knox's branch 
refs/heads/master from Harshil Jhaveri
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=f6d190d7a ]

KNOX-2762 Bug fixes for spaces around delimiters with all reviewed comments 
addressed (#597)



> Whitespaces around delimiters in composite provider names gives 
> NullPointerException
> 
>
> Key: KNOX-2762
> URL: https://issues.apache.org/jira/browse/KNOX-2762
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: Harshil Jhaveri
>Assignee: Harshil Jhaveri
>Priority: Minor
> Fix For: 2.0.0
>
> Attachments: NPE gateway log.png
>
>  Time Spent: 3h 40m
>  Remaining Estimate: 0h
>
> When giving space before the delimiter for composite.provider.names in 
> composite authorisation provider, the topology deployment is failing and 
> returning a null pointer exception.
> The topology state:
> {code:java}
>  
>  authorization 
>  CompositeAuthz 
>  true 
>
>  composite.provider.names 
>  AclsAuthz ,XASecurePDPKnox
>   
>   
>   AclsAuthz.ranger.acl 
>   *;; 
> {code}
> {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar]



--
This message was sent by Atlassian Jira
(v8.20.7#820007)


[jira] [Commented] (KNOX-2771) Log HTTP client config parameters such as socket timeouts with info level

2022-07-06 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563399#comment-17563399
 ] 

ASF subversion and git services commented on KNOX-2771:
---

Commit 40139df79cf5434417237d115984a341236c1a37 in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=40139df79 ]

KNOX-2771 - Log HTTP client config parameters such as socket timeouts with info 
level (#602)



> Log HTTP client config parameters such as socket timeouts with info level
> -
>
> Key: KNOX-2771
> URL: https://issues.apache.org/jira/browse/KNOX-2771
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Balazs Marton
>Priority: Minor
>  Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> Timeout parameters can be defined in two places, in gateway-site.xml and 
> service.xml
>  
> {code:java}
> gateway.httpclient.connectionTimeout -> 600
> gateway.httpclient.socketTimeout -> 600
>   {code}
>  
> {code:java}
>  ha-classname="org.apache.knox.gateway.hive.HiveHaDispatch">
>   
> httpclient.connectionTimeout
> 5m
>   
>   
> httpclient.socketTimeout
> 5m
>   
>  {code}
> The latter takes priority over the former. There are multiple examples where 
> the customer and/or the support tried to set these in gateway-site level but 
> it didn't work.
> It would be good to see these parameters (plus other http related configs) in 
> the log.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2773) Log replay buffer size with info level

2022-07-07 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563671#comment-17563671
 ] 

ASF subversion and git services commented on KNOX-2773:
---

Commit 32ecc76be4bb4e1728fb9acf537a5a619dfcd7ef in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=32ecc76be ]

KNOX-2773 - Changed log level from debug to info for replayBufferSize log (#604)



> Log replay buffer size with info level
> --
>
> Key: KNOX-2773
> URL: https://issues.apache.org/jira/browse/KNOX-2773
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Balazs Marton
>Priority: Minor
>  Time Spent: 1h 40m
>  Remaining Estimate: 0h
>
> Replay buffer size can be defined in two places, in the topology file and in 
> the service.xml.
> The topology file takes priority over the service.xml. To prevent confusion 
> it would be nice to see its value in the log.
> {code:java}
> 
> HIVE
> http://localhost:10001/cliservice
> 
> replayBufferSize
> 8
> 
> 
> {code}
> {code:java}
>
> ha-classname="org.apache.knox.gateway.ha.dispatch.ConfigurableHADispatch">
> 
> responseExcludeHeaders
> WWW-AUTHENTICATE
> 
> 
> replayBufferSize
> 65
> 
>  
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2774) "usage: sleep seconds" messages in terminal after starting knox

2022-07-07 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564089#comment-17564089
 ] 

ASF subversion and git services commented on KNOX-2774:
---

Commit 4366185351eb0dfa40d1ccac4a0766bf707bd440 in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=436618535 ]

KNOX-2774 - Changed DEFAULT_APP_STATUS_TEST_RETRY_SLEEP value from 2s to 2 
(#606)



> "usage: sleep seconds" messages in terminal after starting knox
> ---
>
> Key: KNOX-2774
> URL: https://issues.apache.org/jira/browse/KNOX-2774
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Balazs Marton
>Priority: Minor
> Attachments: Screenshot 2022-07-06 at 18.00.24.png
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> After starting apache knox 
> {code:java}
> usage: sleep seconds
> {code}
> messages appear in terminal until the jetty server starts.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2770) KnoxToken doAs won't work with HadoopAuth filter

2022-07-19 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568831#comment-17568831
 ] 

ASF subversion and git services commented on KNOX-2770:
---

Commit 120915227d1b44e30ac8f0d9924675c854b8ce4a in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=120915227 ]

KNOX-2770 - KnoxToken doAs support depends on token state service and a 
service-level configuration (#609)



> KnoxToken doAs won't work with HadoopAuth filter
> 
>
> Key: KNOX-2770
> URL: https://issues.apache.org/jira/browse/KNOX-2770
> Project: Apache Knox
>  Issue Type: Bug
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Blocker
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> *Steps to reproduce*
>  * create a topology with Knox's HadoopAuth filter as the authentication 
> provider and include the KNOXTOKEN service (let's call it 
> {{myKnoxTokenTopology}} in this sample)
>  * make sure the HadoopAuth filter is configured in a way such as it allows 
> the hive users (can be any user, I use hive as a sample) to impersonate hdfs
>  * make sure that token state management is disabled in the KNOXTOKEN service
>  * login to Kerberos as the hive user (kinit using a valid hive keytab)
>  * try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. 
> {{curl --negotiate -u : "https://$(hostname 
> -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}}
> *Actual results*
> The second call fails with an error message like this:
> {noformat}
> {
>   "RemoteException" : {
> "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs",
> "exception" : "AuthorizationException",
> "javaClassName" : 
> "org.apache.hadoop.security.authorize.AuthorizationException"
>   }
> } {noformat}
>  
> *Expected results*
> Both KnoxToken REST API invocations should have succeeded.
>  
> *Action plan:*
>  * fix the issue of refreshing Hadoop's proxyuser configuration in 
> TokenResource when token state management is disabled
>  * introduce a new service-level configuration that lets us enable/disable the 
> doAs support on the KnoxToken path regardless of the token state management 
> settings



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2782) Knox CLI user-auth-test command failure

2022-07-21 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569341#comment-17569341
 ] 

ASF subversion and git services commented on KNOX-2782:
---

Commit ae0fe4606e56aa5b63714504c6951e3bb1c0 in knox's branch 
refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ae0fe4606 ]

KNOX-2782 - Enhanced Shiro config with the object class of invalidRequest (#610)



> Knox CLI user-auth-test command failure
> ---
>
> Key: KNOX-2782
> URL: https://issues.apache.org/jira/browse/KNOX-2782
> Project: Apache Knox
>  Issue Type: Bug
>  Components: KnoxCLI
>Affects Versions: 1.6.0
>Reporter: Sandor Molnar
>Assignee: Sandor Molnar
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> There is an issue with KnoxCLI's {{user-auth-test}} command:
> {noformat}
> bin/knoxcli.sh user-auth-test --cluster sandbox --u admin --p admin-password
> java.lang.IllegalArgumentException: Configuration error. Specified object 
> [invalidRequest] with property [blockSemicolon] without first defining that 
> object's class. Please first specify the class property first, e.g. myObject 
> = fully_qualified_class_name and then define additional properties.
> org.apache.knox.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject 
> could not be created with Shiro Config at sections=main,urls
> For more information use --d for debug output.
> ERR: Unable to authenticate user: admin {noformat}
> The reason is, that 3 properties are added OOTB to the generated Shiro 
> configuration, under the "{{{}main{}}}" section, as per KNOX-2455
> {noformat}
>     params.putIfAbsent("main.invalidRequest.blockSemicolon", "false");
>     params.putIfAbsent("main.invalidRequest.blockBackslash", "false");
>     params.putIfAbsent("main.invalidRequest.blockNonAscii", "false"); 
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2777) Implement concurrent session verifier

2022-07-22 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569960#comment-17569960
 ] 

ASF subversion and git services commented on KNOX-2777:
---

Commit 82cd96d99398cc9aad86596fb65240ccd0244498 in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=82cd96d99 ]

KNOX-2777 - Add configurations for concurrent session verifier feature (#608)

Co-authored-by:  MrtnBalazs 

> Implement concurrent session verifier
> -
>
> Key: KNOX-2777
> URL: https://issues.apache.org/jira/browse/KNOX-2777
> Project: Apache Knox
>  Issue Type: Sub-task
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Balazs Marton
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 3h 10m
>  Remaining Estimate: 0h
>
> The following needs to be implemented in the scope of this JIRA:
>  * we need 4 new Gateway-level configurations:
>  ** privileged user list (defaults to an empty collection)
>  ** non-privileged user list (defaults to an empty collection)
>  ** session limit for privileged users (defaults to 3)
>  ** session limit for non-privileged users (defaults to 2)
>  * if a session limit for any of the groups is set to a negative number, that 
> means the users in that group are allowed to have an unlimited number of 
> sessions
>  * In addition to the new configs, a verifier has to be implemented that 
> enforces the following business logic: if a user is listed in the 
> above-introduced privileged/non-privileged collection AND is about to pass a 
> configured session limit the verification should fail. The verification 
> should succeed if the given user is declared neither a privileged nor a 
> non-privileged user.
> The new verifier implementation may be placed in the {{gateway-spi-common}} 
> project for now.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
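
The verification rule described in KNOX-2777 above, as an added sketch that is not Knox's own code: the class name, method names and sample users are hypothetical. Two points the issue leaves open are assumptions here: a user present in both lists is treated as privileged, and a logout decrements that user's session count.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

// Hypothetical sketch of the KNOX-2777 rule; not the Knox verifier class.
public class SessionLimitSketch {
    private final Set<String> privilegedUsers;
    private final Set<String> nonPrivilegedUsers;
    private final int privilegedLimit;     // issue default: 3
    private final int nonPrivilegedLimit;  // issue default: 2
    private final Map<String, Integer> activeSessions = new HashMap<>();

    public SessionLimitSketch(Set<String> privilegedUsers, Set<String> nonPrivilegedUsers,
                              int privilegedLimit, int nonPrivilegedLimit) {
        this.privilegedUsers = privilegedUsers;
        this.nonPrivilegedUsers = nonPrivilegedUsers;
        this.privilegedLimit = privilegedLimit;
        this.nonPrivilegedLimit = nonPrivilegedLimit;
    }

    /** Records a login attempt; returns false when it would pass the user's limit. */
    public synchronized boolean verifyAndRegister(String user) {
        final int limit;
        if (privilegedUsers.contains(user)) {
            limit = privilegedLimit;       // assumption: privileged wins if listed in both
        } else if (nonPrivilegedUsers.contains(user)) {
            limit = nonPrivilegedLimit;
        } else {
            return true;                   // in neither list: always succeeds, not counted
        }
        int current = activeSessions.getOrDefault(user, 0);
        if (limit >= 0 && current >= limit) {
            return false;                  // a negative limit means unlimited sessions
        }
        activeSessions.put(user, current + 1);
        return true;
    }

    /** Assumption: each logout frees one session slot for the user. */
    public synchronized void logout(String user) {
        activeSessions.computeIfPresent(user, (u, n) -> n > 1 ? n - 1 : null);
    }

    public static void main(String[] args) {
        // Constructed sample users; limits are the defaults named in the issue.
        SessionLimitSketch v = new SessionLimitSketch(Set.of("admin"), Set.of("guest"), 3, 2);
        for (int i = 1; i <= 4; i++) {
            System.out.println("admin login " + i + ": " + v.verifyAndRegister("admin"));
        }
        for (int i = 1; i <= 3; i++) {
            System.out.println("guest login " + i + ": " + v.verifyAndRegister("guest"));
        }
        v.logout("guest");
        System.out.println("guest after logout: " + v.verifyAndRegister("guest"));
        System.out.println("unlisted user: " + v.verifyAndRegister("alice"));

        // Negative limit: users in that group are never rejected.
        SessionLimitSketch unlimited = new SessionLimitSketch(Set.of(), Set.of("guest"), 3, -1);
        boolean allAccepted = true;
        for (int i = 0; i < 100; i++) {
            allAccepted &= unlimited.verifyAndRegister("guest");
        }
        System.out.println("100 guest logins with limit -1: " + allAccepted);
    }
}
```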


[jira] [Commented] (KNOX-2772) add configuration for jetty renegotiation

2022-07-26 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571551#comment-17571551
 ] 

ASF subversion and git services commented on KNOX-2772:
---

Commit 07cd031e1ee2e6be14308749d61cb5a495a6fe11 in knox's branch 
refs/heads/master from 南慧荣
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=07cd031e1 ]

KNOX-2772 - add configuration for jetty renegotiation (#605)



> add configuration for jetty renegotiation
> -
>
> Key: KNOX-2772
> URL: https://issues.apache.org/jira/browse/KNOX-2772
> Project: Apache Knox
>  Issue Type: Improvement
>  Components: Server
>Affects Versions: 1.6.0
>Reporter: nanhuirong
>Priority: Critical
> Attachments: KNOX-2772.patch
>
>  Time Spent: 2.5h
>  Remaining Estimate: 0h
>
> the user or developer can't config the renegotiation for knox
> *Action plan:*
> set the value when building the SslContextFactory



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2779) support multiple hosts for gateway.host config

2022-08-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17578104#comment-17578104
 ] 

ASF subversion and git services commented on KNOX-2779:
---

Commit d51173a83e364d6eacf19d9ac8823ea2afb807f5 in knox's branch 
refs/heads/master from 南慧荣
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d51173a83 ]

KNOX-2779 - support multiple hosts for gateway.host config (#613)



> support multiple hosts for gateway.host config
> --
>
> Key: KNOX-2779
> URL: https://issues.apache.org/jira/browse/KNOX-2779
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: nanhuirong
>Priority: Major
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> Knox may dispatch requests from multiple services and must listen on 0.0.0.0 
> if the request is not on the same plane. For example, host A has three 
> network adapters and only two adapters receive requests, we must config 
> 0.0.0.0 for gateway.host, Thus, the knox servive may has security issues.
>  
> I think that we can expose multiple hosts for gateway.host as follows:
> 
> gateway.host
> ip1,ip2...
> 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2783) User can be mapped to an empty virtual group

2022-08-15 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579609#comment-17579609
 ] 

ASF subversion and git services commented on KNOX-2783:
---

Commit 255ca75236a415e72ff506546135a660708bf6a3 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=255ca7523 ]

KNOX-2783 - User can be mapped to an empty virtual group (#611)



> User can be mapped to an empty virtual group
> 
>
> Key: KNOX-2783
> URL: https://issues.apache.org/jira/browse/KNOX-2783
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Minor
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> If there is no group name after the dot, the user is getting mapped to an "" 
> group.
> {code}
> 
>  identity-assertion
>  HadoopGroupProvider
>  true
>  
> hadoop.security.group.mapping
> 
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> 
> 
> group.mapping.
> true
> 
>   
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2786) Upgrade spring and json-smart due to CVEs

2022-08-15 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579684#comment-17579684
 ] 

ASF subversion and git services commented on KNOX-2786:
---

Commit 5121758bc86d53c7a41314486be1d5d9b5e074a4 in knox's branch 
refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=5121758bc ]

KNOX-2786 - Upgrade spring and json-smart due to CVEs (#614)



> Upgrade spring and json-smart due to CVEs
> -
>
> Key: KNOX-2786
> URL: https://issues.apache.org/jira/browse/KNOX-2786
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> # upgrade json-smart to 2.4.8
> # upgrade spring to 5.3.21 spring:5.3.2



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2778) Enforce concurrent session limit in KnoxSSO

2022-08-18 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581283#comment-17581283
 ] 

ASF subversion and git services commented on KNOX-2778:
---

Commit 78a058900f17078ea3278cc41bf8cc9540ed4415 in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=78a058900 ]

KNOX-2778 - Enforce concurrent session limit in KnoxSSO (#615)



> Enforce concurrent session limit in KnoxSSO
> ---
>
> Key: KNOX-2778
> URL: https://issues.apache.org/jira/browse/KNOX-2778
> Project: Apache Knox
>  Issue Type: Sub-task
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Sandor Molnar
>Assignee: Balazs Marton
>Priority: Major
> Fix For: 2.0.0
>
>  Time Spent: 5h 10m
>  Remaining Estimate: 0h
>
> Once KNOX-2777 is ready, the next step is to wire that verifier 
> implementation into the KnoxSSO flow such that it throws an authorization error 
> (FORBIDDEN; 403) when a user tries to log in to UIs (both Knox's own UIs or 
> UIs proxied by Knox) but that user exceeds the configured concurrent session 
> limit.
> Basic logout handling should be covered too:
>  * manually clicking on the logout button
>  * subscribing to a session timeout event (you may want to talk to [~smore] 
> about this)



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2788) Implement deleting expired tokens and make Verifier disableable

2022-08-22 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582838#comment-17582838
 ] 

ASF subversion and git services commented on KNOX-2788:
---

Commit 66012400d4bf1e850e80d17709b8ab6a07f91a07 in knox's branch 
refs/heads/master from MrtnBalazs
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=66012400d ]

KNOX-2788 - Implementing EmptyVerifier and Cleaning background thread (#620)



> Implement deleting expired tokens and make Verifier disableable
> ---
>
> Key: KNOX-2788
> URL: https://issues.apache.org/jira/browse/KNOX-2788
> Project: Apache Knox
>  Issue Type: Sub-task
>  Components: Server
>Affects Versions: 2.0.0
>Reporter: Balazs Marton
>Assignee: Balazs Marton
>Priority: Major
>  Time Spent: 10m
>  Remaining Estimate: 0h
>
> A background thread is needed to check periodically which tokens are expired, 
> and remove them. The checking period must be configurable in 
> gateway-site.xml. The default cleaning time is 30 minutes.
> Change the initialization of the verifier, so it is only enabled if 
> configured in gateway-site.xml, so it is not checking and running a 
> background thread if it is not used.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2787) Upgrade Pac4J to v4.5.6

2022-08-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583627#comment-17583627
 ] 

ASF subversion and git services commented on KNOX-2787:
---

Commit 2deaf375b9f7869b3e72982397eec34785378c40 in knox's branch 
refs/heads/master from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=2deaf375b ]

KNOX-2787 - Upgrade pac4j to 4.5.6 (#621)



> Upgrade Pac4J to v4.5.6
> ---
>
> Key: KNOX-2787
> URL: https://issues.apache.org/jira/browse/KNOX-2787
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2783) User can be mapped to an empty virtual group

2022-08-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583632#comment-17583632
 ] 

ASF subversion and git services commented on KNOX-2783:
---

Commit 255ca75236a415e72ff506546135a660708bf6a3 in knox's branch 
refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=255ca7523 ]

KNOX-2783 - User can be mapped to an empty virtual group (#611)



> User can be mapped to an empty virtual group
> 
>
> Key: KNOX-2783
> URL: https://issues.apache.org/jira/browse/KNOX-2783
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: Attila Magyar
>Assignee: Attila Magyar
>Priority: Minor
>  Time Spent: 20m
>  Remaining Estimate: 0h
>
> If there is no group name after the dot, the user is getting mapped to an "" 
> group.
> {code}
> 
>  identity-assertion
>  HadoopGroupProvider
>  true
>  
> hadoop.security.group.mapping
> 
> org.apache.hadoop.security.ShellBasedUnixGroupsMapping
> 
> 
> group.mapping.
> true
> 
>   
> {code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2787) Upgrade Pac4J to v4.5.6

2022-08-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583636#comment-17583636
 ] 

ASF subversion and git services commented on KNOX-2787:
---

Commit 2deaf375b9f7869b3e72982397eec34785378c40 in knox's branch 
refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from Sandeep Moré
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=2deaf375b ]

KNOX-2787 - Upgrade pac4j to 4.5.6 (#621)



> Upgrade Pac4J to v4.5.6
> ---
>
> Key: KNOX-2787
> URL: https://issues.apache.org/jira/browse/KNOX-2787
> Project: Apache Knox
>  Issue Type: Bug
>Reporter: Sandeep More
>Assignee: Sandeep More
>Priority: Major
> Fix For: 1.6.1
>
>  Time Spent: 20m
>  Remaining Estimate: 0h
>




--
This message was sent by Atlassian Jira
(v8.20.10#820010)


[jira] [Commented] (KNOX-2779) support multiple hosts for gateway.host config

2022-08-23 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/KNOX-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583631#comment-17583631
 ] 

ASF subversion and git services commented on KNOX-2779:
---

Commit d51173a83e364d6eacf19d9ac8823ea2afb807f5 in knox's branch 
refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from 南慧荣
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=d51173a83 ]

KNOX-2779 - support multiple hosts for gateway.host config (#613)



> support multiple hosts for gateway.host config
> --
>
> Key: KNOX-2779
> URL: https://issues.apache.org/jira/browse/KNOX-2779
> Project: Apache Knox
>  Issue Type: Improvement
>Reporter: nanhuirong
>Priority: Major
>  Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Knox may dispatch requests from multiple services and must listen on 0.0.0.0 
> if the request is not on the same plane. For example, host A has three 
> network adapters and only two adapters receive requests, we must config 
> 0.0.0.0 for gateway.host. Thus, the knox service may have security issues.
>  
> I think that we can expose multiple hosts for gateway.host as follows:
> 
> gateway.host
> ip1,ip2...
> 
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

