[jira] [Commented] (KNOX-2743) Upgrade netty
[ https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534517#comment-17534517 ] ASF subversion and git services commented on KNOX-2743: --- Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ] KNOX-2743 - Upgrade netty (#573) > Upgrade netty > - > > Key: KNOX-2743 > URL: https://issues.apache.org/jira/browse/KNOX-2743 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2743) Upgrade netty
[ https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534523#comment-17534523 ] ASF subversion and git services commented on KNOX-2743: --- Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch refs/heads/dependabot/maven/org.apache.mina-mina-core-2.0.22 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ] KNOX-2743 - Upgrade netty (#573) > Upgrade netty > - > > Key: KNOX-2743 > URL: https://issues.apache.org/jira/browse/KNOX-2743 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed
[ https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534771#comment-17534771 ] ASF subversion and git services commented on KNOX-2742: --- Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ] KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571) > CM service discovery retry may be needed > > > Key: KNOX-2742 > URL: https://issues.apache.org/jira/browse/KNOX-2742 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.5.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > If there is a connection issue the first time Knox discovers a cluster in CM, > the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 > should help here a lot but maybe it's not enough. We may add some sort of > retry logic if service discovery failed due to communication errors. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1
[ https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17534791#comment-17534791 ] ASF subversion and git services commented on KNOX-2744: --- Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ] KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572) > Upgrade protobuf-java to 3.16.1 > --- > > Key: KNOX-2744 > URL: https://issues.apache.org/jira/browse/KNOX-2744 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade protobuf-java to 3.16.1 due to CVE. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
[ https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17535925#comment-17535925 ] ASF subversion and git services commented on KNOX-2745: --- Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ] KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575) > VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter > > > Key: KNOX-2745 > URL: https://issues.apache.org/jira/browse/KNOX-2745 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > The groups calculated by HadoopGroupProviderFilter are not passed to the > virtual group mapper. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17537401#comment-17537401 ] ASF subversion and git services commented on KNOX-2736: --- Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ] KNOX-2736 Knox clients should support retry/failover (#568) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep
[ https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17538361#comment-17538361 ] ASF subversion and git services commented on KNOX-2346: --- Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ] KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the tests (#577) > Remove unused maxRetryAttempts and retrySleep > - > > Key: KNOX-2346 > URL: https://issues.apache.org/jira/browse/KNOX-2346 > Project: Apache Knox > Issue Type: Task >Reporter: Kevin Risden >Assignee: Sandor Molnar >Priority: Major > Fix For: 1.5.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently maxRetryAttempts and retrySleep are wired throughout the code, but > don't actually hook up to anything. The handling should be removed to make it > clear that these aren't used anywhere. > There is no backwards compatibility issue here since the parsing is lazy - > its not a required field so if a user is specifying it will be silently > ignore. Just like it is silently ignored today. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17540867#comment-17540867 ] ASF subversion and git services commented on KNOX-2736: --- Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ] KNOX-2736 Knox clients should support retry/failover - addendum (#578) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
[ https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17540868#comment-17540868 ] ASF subversion and git services commented on KNOX-2732: --- Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ] KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560) > Issuer claim in Knox JWTs should be configurable > > > Key: KNOX-2732 > URL: https://issues.apache.org/jira/browse/KNOX-2732 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This > value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions
[ https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17541071#comment-17541071 ] ASF subversion and git services commented on KNOX-2726: --- Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ] KNOX-2726 - Impersonation Params should be configurable (#579) * KNOX-2726 - Impersonation Params should be configurable > Impersonation Params Declared by Service Definitions > > > Key: KNOX-2726 > URL: https://issues.apache.org/jira/browse/KNOX-2726 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Sandeep More >Priority: Major > Time Spent: 2.5h > Remaining Estimate: 0h > > _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ > has the following comment: > {noformat} > // TODO: let's have service definitions register their impersonation > // params in a future release and get this list from a central registry. > // This will provide better coverage of protection by removing any > // pre-populated impersonation params.{noformat} > Currently, Knox excludes some well-known impersonation request parameters > from proxied requests. Rather than maintaining a hard-coded list of these > params, service definitions should be able to declare them such that they > would be available at runtime to > {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}. > This will allow service-specific impersonation parameter details to be > defined by the service definitions, and eliminate the need for Knox runtime > code changes when new impersonation params need to be handled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists
[ https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17542879#comment-17542879 ] ASF subversion and git services commented on KNOX-2747: --- Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ] KNOX-2747 RemoteAliasService generates password without checking if it already exists (#581) > RemoteAliasService generates password without checking if it already exists > --- > > Key: KNOX-2747 > URL: https://issues.apache.org/jira/browse/KNOX-2747 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > RemoteAliasService: > {code} > /* Generate a new password */ > if (generate) { > generateAliasForCluster(clusterName, alias); > } > {code} > DefaultAliasService checks first > {code} > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > if (credential == null && generate) { > generateAliasForCluster(clusterName, alias); > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > } > {code} > This causes the Pac4jDispatcherFilter to regenerate the password at each > topology change. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition
[ https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17550825#comment-17550825 ] ASF subversion and git services commented on KNOX-2746: --- Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch refs/heads/master from Bhargavi-Sagi [ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ] KNOX-2746 - Add presto/presto ui support in service definition (#576) > Add presto and presto ui support in service definition > -- > > Key: KNOX-2746 > URL: https://issues.apache.org/jira/browse/KNOX-2746 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Reporter: sagi bhargavi >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Add spport for [Presto|https://github.com/prestodb/presto], also known as > PrestoDB in knox service definition. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
[ https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552062#comment-17552062 ] ASF subversion and git services commented on KNOX-2757: --- Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ] KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590) > Mutually exclusive filter params in the HadoopGroupProvider > identity-assertion provider > --- > > Key: KNOX-2757 > URL: https://issues.apache.org/jira/browse/KNOX-2757 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Blocker > Fix For: 2.0.0 > > Time Spent: 50m > Remaining Estimate: 0h > > *Steps to reproduce:* > 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} > topology with this: > {noformat} > > identity-assertion > HadoopGroupProvider > true > > CENTRAL_GROUP_CONFIG_PREFIX > gateway.group.config. > > > group.mapping.scientist > (!= 0 (size groups)) > > {noformat} > 2. wait until Knox redeploys the {{sandbox}} topology and check the generated > {{gateway.xml}} in the newly deployed web application > *Actual results:* > The {{group.mapping.scientist}} filter parameter is missing; only the params > in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added: > {noformat} > > identity-assertion > HadoopGroupProvider > > org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter > > > hadoop.security.group.mapping.ldap.search.attr.member > member > > > > hadoop.security.group.mapping.ldap.search.filter.user > > (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0})) > > > > hadoop.security.group.mapping.ldap.search.attr.group.name > cn > > > hadoop.security.group.mapping.ldap.url > ldap://localhost:33389 > > > hadoop.security.group.mapping > org.apache.hadoop.security.LdapGroupsMapping > > > > hadoop.security.group.mapping.ldap.search.filter.group > (objectclass=groupOfNames) > > > hadoop.security.group.mapping.ldap.bind.user > uid=guest,ou=people,dc=hadoop,dc=apache,dc=org > > > hadoop.security.group.mapping.ldap.bind.password > guest-password > > > {noformat} > *Expected results:* > Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} > provider parameter should be added to the filter. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation
[ https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17552293#comment-17552293 ] ASF subversion and git services commented on KNOX-2752: --- Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ] KNOX-2752 knoxcli should support batch alias creation (#583) > knoxcli should support batch alias creation > --- > > Key: KNOX-2752 > URL: https://issues.apache.org/jira/browse/KNOX-2752 > Project: Apache Knox > Issue Type: Bug > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently we can only create aliases one by one: > {code} > bin/knoxcli.sh create-alias name --cluster cl1 --value value > {code} > This is very slow if we want to create multiple aliases. > KnoxCLI should support creating multiple aliases for the same cluster in one > batch > {code} > bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 > --alias a3 --value v3 > {code} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException
[ https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554635#comment-17554635 ] ASF subversion and git services commented on KNOX-2762: --- Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch refs/heads/master from Harshil Jhaveri [ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ] KNOX-2762 (#594) * Fixing bug related to whitespaces around delimters in composite provider names. * KNOX-2762 Fixing bug related to whitespaces around delimters in composite provider names. > Whitespaces around delimiters in composite provider names gives > NullPointerException > > > Key: KNOX-2762 > URL: https://issues.apache.org/jira/browse/KNOX-2762 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Harshil Jhaveri >Assignee: Harshil Jhaveri >Priority: Minor > Attachments: NPE gateway log.png > > Time Spent: 20m > Remaining Estimate: 0h > > When giving space before the delimiter for composite.provider.names in > composite authorisation provider. The topology deployment is failing and > returning a null pointer exception. > The topology state: > {code:java} > > authorization > CompositeAuthz > true > > composite.provider.names > AclsAuthz ,XASecurePDPKnox > > > AclsAuthz.ranger.acl > *;; > {code} > {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661
[ https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17554942#comment-17554942 ] ASF subversion and git services commented on KNOX-2761: --- Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ] KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods in KnoxShell too (#593) > KnoxShell does not reflect KNOX-2661 > > > Key: KNOX-2761 > URL: https://issues.apache.org/jira/browse/KNOX-2761 > Project: Apache Knox > Issue Type: Bug > Components: KnoxShell >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > KNOX-2661 changed the HTTP method for some of the Knox Token resource API. > However, those changes were not reflected in KnoxToken-related KnoxShell > classes. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed
[ https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557899#comment-17557899 ] ASF subversion and git services commented on KNOX-2738: --- Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ] KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567) > On Fresh install JDBCTokenStateService initiation failed > > > Key: KNOX-2738 > URL: https://issues.apache.org/jira/browse/KNOX-2738 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox intermittently failed to start due to a race condition between multiple > knox instances when creating database tables. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2717) upgrade shiro due to security issue
[ https://issues.apache.org/jira/browse/KNOX-2717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557898#comment-17557898 ] ASF subversion and git services commented on KNOX-2717: --- Commit c60ad2e5a33ce5b83b39366209c82d1372315ba4 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=c60ad2e5a ] KNOX-2717: upgrade shiro (#547) > upgrade shiro due to security issue > --- > > Key: KNOX-2717 > URL: https://issues.apache.org/jira/browse/KNOX-2717 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Fix For: 2.0.0 > > Time Spent: 1h 10m > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L256 > https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41303 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed
[ https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557903#comment-17557903 ] ASF subversion and git services commented on KNOX-2742: --- Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ] KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571) > CM service discovery retry may be needed > > > Key: KNOX-2742 > URL: https://issues.apache.org/jira/browse/KNOX-2742 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.5.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > If there is a connection issue the first time Knox discovers a cluster in CM, > the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 > should help here a lot but maybe it's not enough. We may add some sort of > retry logic if service discovery failed due to communication errors. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557906#comment-17557906 ] ASF subversion and git services commented on KNOX-2736: --- Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ] KNOX-2736 Knox clients should support retry/failover (#568) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2737) Make maxFormContentSize and maxFormKeys configurable in Knox's embedded Jetty server
[ https://issues.apache.org/jira/browse/KNOX-2737?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557897#comment-17557897 ] ASF subversion and git services commented on KNOX-2737: --- Commit 69bfd417263e62dd37d69979b627561aa2198573 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=69bfd4172 ] KNOX-2737 - Make maxFormContentSize and maxFormKeys configurable in Knox's embedded Jetty server (#563) > Make maxFormContentSize and maxFormKeys configurable in Knox's embedded Jetty > server > > > Key: KNOX-2737 > URL: https://issues.apache.org/jira/browse/KNOX-2737 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > There are certain deployments, where increasing the {{maxFormContentSize}} > configuration is required because the default 200kB is not enough in POST > forms. > Jetty checks these configurations on two levels: first in the context, and > then, if the context is not available (it's a very rare non-typical Jetty > deployment), looks it up in the server's attributes: > {noformat} > The form content that a request can process is limited to protect from Denial > of Service attacks. The size in bytes is limited by {@link > ContextHandler#getMaxFormContentSize()} or if there is no context then the > "org.eclipse.jetty.server.Request.maxFormContentSize" {@link Server} > attribute. > The number of parameters keys is limited by {@link > ContextHandler#getMaxFormKeys()} or if there is no context then the > "org.eclipse.jetty.server.Request.maxFormKeys" {@link Server} > attribute.{noformat} > Please note that these configurations are controlled by the System properties > called {{org.eclipse.jetty.server.Request.maxFormKeys}} and > {{{}org.eclipse.jetty.server.Request.maxFormContentSize{}}}. > This Jira is about to override them in {{{}gateway-site.xml{}}}. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition
[ https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557914#comment-17557914 ] ASF subversion and git services commented on KNOX-2746: --- Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Bhargavi-Sagi [ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ] KNOX-2746 - Add presto/presto ui support in service definition (#576) > Add presto and presto ui support in service definition > -- > > Key: KNOX-2746 > URL: https://issues.apache.org/jira/browse/KNOX-2746 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Reporter: sagi bhargavi >Priority: Major > Fix For: 2.0.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Add spport for [Presto|https://github.com/prestodb/presto], also known as > PrestoDB in knox service definition. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
[ https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557909#comment-17557909 ] ASF subversion and git services commented on KNOX-2732: --- Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ] KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560) > Issuer claim in Knox JWTs should be configurable > > > Key: KNOX-2732 > URL: https://issues.apache.org/jira/browse/KNOX-2732 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This > value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service
[ https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557900#comment-17557900 ] ASF subversion and git services commented on KNOX-2740: --- Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ] KNOX-2740 - Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service (#569) > Impersonation-related fields should be displayed only if that's enabled in > the topology for the KnoxToken service > -- > > Key: KNOX-2740 > URL: https://issues.apache.org/jira/browse/KNOX-2740 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > With KNOX-2714, the following changes were done on the following Knox UIs: > * on the Token Generation page, a new input field was introduced to allow > end-users to declare the impersonated user > * on the Token Management page, another table is shown with the impersonated > tokens > There should be a way to show/hide these UI elements. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues
[ https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557912#comment-17557912 ] ASF subversion and git services commented on KNOX-2720: --- Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ] KNOX-2720 upgrade postgresql due to security issue (#548) > upgrade postgresql to 42.3.3 due to security issues > --- > > Key: KNOX-2720 > URL: https://issues.apache.org/jira/browse/KNOX-2720 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L252 > https://mvnrepository.com/artifact/org.postgresql/postgresql > 42.3.3 removes a logging feature that is not great from a security standpoint > - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936
[ https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557901#comment-17557901 ] ASF subversion and git services commented on KNOX-2741: --- Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ] KNOX-2741 - Upgraded Velocity and Pac4j versions (#570) * KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936 * KNOX-2741 - Upgraded Pac4j to 4.5.2 > Upgrade to velocity 2.3 due to CVE-2020-13936 > -- > > Key: KNOX-2741 > URL: https://issues.apache.org/jira/browse/KNOX-2741 > Project: Apache Knox > Issue Type: Task >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. > Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new > 1.x release to go to. See > [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to > 2.x. > There is one very important side effect: > Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J > version if it is configured to use SAML: > {noformat} > HTTP ERROR 500 javax.servlet.ServletException: > javax.servlet.ServletException: java.lang.NoClassDefFoundError: > org/apache/velocity/runtime/log/LogChute > {noformat} > In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In > this version, the velocity is still on 1.7. In 4.5.2 they changed their > velocity dependency to 2.3: > [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
[ https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557915#comment-17557915 ] ASF subversion and git services commented on KNOX-2757: --- Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ] KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590) > Mutually exclusive filter params in the HadoopGroupProvider > identity-assertion provider > --- > > Key: KNOX-2757 > URL: https://issues.apache.org/jira/browse/KNOX-2757 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Blocker > Fix For: 2.0.0 > > Time Spent: 50m > Remaining Estimate: 0h > > *Steps to reproduce:* > 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} > topology with this: > {noformat} > > identity-assertion > HadoopGroupProvider > true > > CENTRAL_GROUP_CONFIG_PREFIX > gateway.group.config. > > > group.mapping.scientist > (!= 0 (size groups)) > > {noformat} > 2. wait until Knox redeploys the {{sandbox}} topology and check the generated > {{gateway.xml}} in the newly deployed web application > *Actual results:* > The {{group.mapping.scientist}} filter parameter is missing; only the params > in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added: > {noformat} > > identity-assertion > HadoopGroupProvider > > org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter > > > hadoop.security.group.mapping.ldap.search.attr.member > member > > > > hadoop.security.group.mapping.ldap.search.filter.user > > (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0})) > > > > hadoop.security.group.mapping.ldap.search.attr.group.name > cn > > > hadoop.security.group.mapping.ldap.url > ldap://localhost:33389 > > > hadoop.security.group.mapping > org.apache.hadoop.security.LdapGroupsMapping > > > > hadoop.security.group.mapping.ldap.search.filter.group > (objectclass=groupOfNames) > > > hadoop.security.group.mapping.ldap.bind.user > uid=guest,ou=people,dc=hadoop,dc=apache,dc=org > > > hadoop.security.group.mapping.ldap.bind.password > guest-password > > > {noformat} > *Expected results:* > Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} > provider parameter should be added to the filter. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2743) Upgrade netty
[ https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557902#comment-17557902 ] ASF subversion and git services commented on KNOX-2743: --- Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ] KNOX-2743 - Upgrade netty (#573) > Upgrade netty > - > > Key: KNOX-2743 > URL: https://issues.apache.org/jira/browse/KNOX-2743 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep
[ https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557907#comment-17557907 ] ASF subversion and git services commented on KNOX-2346: --- Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ] KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the tests (#577) > Remove unused maxRetryAttempts and retrySleep > - > > Key: KNOX-2346 > URL: https://issues.apache.org/jira/browse/KNOX-2346 > Project: Apache Knox > Issue Type: Task >Reporter: Kevin Risden >Assignee: Sandor Molnar >Priority: Major > Fix For: 1.5.0, 2.0.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently maxRetryAttempts and retrySleep are wired throughout the code, but > don't actually hook up to anything. The handling should be removed to make it > clear that these aren't used anywhere. > There is no backwards compatibility issue here since the parsing is lazy - > its not a required field so if a user is specifying it will be silently > ignore. Just like it is silently ignored today. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists
[ https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557911#comment-17557911 ] ASF subversion and git services commented on KNOX-2747: --- Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ] KNOX-2747 RemoteAliasService generates password without checking if it already exists (#581) > RemoteAliasService generates password without checking if it already exists > --- > > Key: KNOX-2747 > URL: https://issues.apache.org/jira/browse/KNOX-2747 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > RemoteAliasService: > {code} > /* Generate a new password */ > if (generate) { > generateAliasForCluster(clusterName, alias); > } > {code} > DefaultAliasService checks first > {code} > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > if (credential == null && generate) { > generateAliasForCluster(clusterName, alias); > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > } > {code} > This causes the Pac4jDispatcherFilter to regenerate the password at each > topology change. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
[ https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557905#comment-17557905 ] ASF subversion and git services commented on KNOX-2745: --- Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ] KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575) > VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter > > > Key: KNOX-2745 > URL: https://issues.apache.org/jira/browse/KNOX-2745 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > The groups calculated by HadoopGroupProviderFilter are not passed to the > virtual group mapper. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1
[ https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557904#comment-17557904 ] ASF subversion and git services commented on KNOX-2744: --- Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ] KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572) > Upgrade protobuf-java to 3.16.1 > --- > > Key: KNOX-2744 > URL: https://issues.apache.org/jira/browse/KNOX-2744 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade protobuf-java to 3.16.1 due to CVE. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation
[ https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557916#comment-17557916 ] ASF subversion and git services commented on KNOX-2752: --- Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ] KNOX-2752 knoxcli should support batch alias creation (#583) > knoxcli should support batch alias creation > --- > > Key: KNOX-2752 > URL: https://issues.apache.org/jira/browse/KNOX-2752 > Project: Apache Knox > Issue Type: Bug > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently we can only create aliases one by one: > {code} > bin/knoxcli.sh create-alias name --cluster cl1 --value value > {code} > This is very slow if we want to create multiple aliases. > KnoxCLI should support creating multiple aliases for the same cluster in one > batch > {code} > bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 > --alias a3 --value v3 > {code} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions
[ https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557910#comment-17557910 ] ASF subversion and git services commented on KNOX-2726: --- Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ] KNOX-2726 - Impersonation Params should be configurable (#579) * KNOX-2726 - Impersonation Params should be configurable > Impersonation Params Declared by Service Definitions > > > Key: KNOX-2726 > URL: https://issues.apache.org/jira/browse/KNOX-2726 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 2.5h > Remaining Estimate: 0h > > _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ > has the following comment: > {noformat} > // TODO: let's have service definitions register their impersonation > // params in a future release and get this list from a central registry. > // This will provide better coverage of protection by removing any > // pre-populated impersonation params.{noformat} > Currently, Knox excludes some well-known impersonation request parameters > from proxied requests. Rather than maintaining a hard-coded list of these > params, service definitions should be able to declare them such that they > would be available at runtime to > {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}. > This will allow service-specific impersonation parameter details to be > defined by the service definitions, and eliminate the need for Knox runtime > code changes when new impersonation params need to be handled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException
[ https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557917#comment-17557917 ] ASF subversion and git services commented on KNOX-2762: --- Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Harshil Jhaveri [ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ] KNOX-2762 (#594) * Fixing bug related to whitespaces around delimters in composite provider names. * KNOX-2762 Fixing bug related to whitespaces around delimters in composite provider names. > Whitespaces around delimiters in composite provider names gives > NullPointerException > > > Key: KNOX-2762 > URL: https://issues.apache.org/jira/browse/KNOX-2762 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Harshil Jhaveri >Assignee: Harshil Jhaveri >Priority: Minor > Fix For: 2.0.0 > > Attachments: NPE gateway log.png > > Time Spent: 2.5h > Remaining Estimate: 0h > > When giving space before the delimiter for composite.provider.names in > composite authorisation provider. The topology deployment is failing and > returning a null pointer exception. > The topology state: > {code:java} > > authorization > CompositeAuthz > true > > composite.provider.names > AclsAuthz ,XASecurePDPKnox > > > AclsAuthz.ranger.acl > *;; > {code} > {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661
[ https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557918#comment-17557918 ] ASF subversion and git services commented on KNOX-2761: --- Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ] KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods in KnoxShell too (#593) > KnoxShell does not reflect KNOX-2661 > > > Key: KNOX-2761 > URL: https://issues.apache.org/jira/browse/KNOX-2761 > Project: Apache Knox > Issue Type: Bug > Components: KnoxShell >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > KNOX-2661 changed the HTTP method for some of the Knox Token resource API. > However, those changes were not reflected in KnoxToken-related KnoxShell > classes. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed
[ https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557925#comment-17557925 ] ASF subversion and git services commented on KNOX-2742: --- Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ] KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571) > CM service discovery retry may be needed > > > Key: KNOX-2742 > URL: https://issues.apache.org/jira/browse/KNOX-2742 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.5.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > If there is a connection issue the first time Knox discovers a cluster in CM, > the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 > should help here a lot but maybe it's not enough. We may add some sort of > retry logic if service discovery failed due to communication errors. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2743) Upgrade netty
[ https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557924#comment-17557924 ] ASF subversion and git services commented on KNOX-2743: --- Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ] KNOX-2743 - Upgrade netty (#573) > Upgrade netty > - > > Key: KNOX-2743 > URL: https://issues.apache.org/jira/browse/KNOX-2743 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed
[ https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557921#comment-17557921 ] ASF subversion and git services commented on KNOX-2738: --- Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ] KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567) > On Fresh install JDBCTokenStateService initiation failed > > > Key: KNOX-2738 > URL: https://issues.apache.org/jira/browse/KNOX-2738 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox intermittently failed to start due to a race condition between multiple > knox instances when creating database tables. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
[ https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557927#comment-17557927 ] ASF subversion and git services commented on KNOX-2745: --- Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ] KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575) > VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter > > > Key: KNOX-2745 > URL: https://issues.apache.org/jira/browse/KNOX-2745 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > The groups calculated by HadoopGroupProviderFilter are not passed to the > virtual group mapper. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation
[ https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557938#comment-17557938 ] ASF subversion and git services commented on KNOX-2752: --- Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ] KNOX-2752 knoxcli should support batch alias creation (#583) > knoxcli should support batch alias creation > --- > > Key: KNOX-2752 > URL: https://issues.apache.org/jira/browse/KNOX-2752 > Project: Apache Knox > Issue Type: Bug > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently we can only create aliases one by one: > {code} > bin/knoxcli.sh create-alias name --cluster cl1 --value value > {code} > This is very slow if we want to create multiple aliases. > KnoxCLI should support creating multiple aliases for the same cluster in one > batch > {code} > bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 > --alias a3 --value v3 > {code} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
[ https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557931#comment-17557931 ] ASF subversion and git services commented on KNOX-2732: --- Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ] KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560) > Issuer claim in Knox JWTs should be configurable > > > Key: KNOX-2732 > URL: https://issues.apache.org/jira/browse/KNOX-2732 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This > value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936
[ https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557943#comment-17557943 ] ASF subversion and git services commented on KNOX-2741: --- Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ] KNOX-2741 - Upgraded Velocity and Pac4j versions (#570) * KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936 * KNOX-2741 - Upgraded Pac4j to 4.5.2 > Upgrade to velocity 2.3 due to CVE-2020-13936 > -- > > Key: KNOX-2741 > URL: https://issues.apache.org/jira/browse/KNOX-2741 > Project: Apache Knox > Issue Type: Task >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. > Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new > 1.x release to go to. See > [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to > 2.x. > There is one very important side effect: > Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J > version if it is configured to use SAML: > {noformat} > HTTP ERROR 500 javax.servlet.ServletException: > javax.servlet.ServletException: java.lang.NoClassDefFoundError: > org/apache/velocity/runtime/log/LogChute > {noformat} > In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In > this version, the velocity is still on 1.7. In 4.5.2 they changed their > velocity dependency to 2.3: > [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists
[ https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557933#comment-17557933 ] ASF subversion and git services commented on KNOX-2747: --- Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ] KNOX-2747 RemoteAliasService generates password without checking if it already exists (#581) > RemoteAliasService generates password without checking if it already exists > --- > > Key: KNOX-2747 > URL: https://issues.apache.org/jira/browse/KNOX-2747 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > RemoteAliasService: > {code} > /* Generate a new password */ > if (generate) { > generateAliasForCluster(clusterName, alias); > } > {code} > DefaultAliasService checks first > {code} > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > if (credential == null && generate) { > generateAliasForCluster(clusterName, alias); > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > } > {code} > This causes the Pac4jDispatcherFilter to regenerate the password at each > topology change. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2742) CM service discovery retry may be needed
[ https://issues.apache.org/jira/browse/KNOX-2742?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557945#comment-17557945 ] ASF subversion and git services commented on KNOX-2742: --- Commit 3b63b9851937b484546d974612e6ddd3ceaabbc9 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=3b63b9851 ] KNOX-2742 - Retrying CM service discovery in case of ConnectExceptions (#571) > CM service discovery retry may be needed > > > Key: KNOX-2742 > URL: https://issues.apache.org/jira/browse/KNOX-2742 > Project: Apache Knox > Issue Type: Improvement >Affects Versions: 1.5.0, 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > If there is a connection issue the first time Knox discovers a cluster in CM, > the topology will remain empty (bc. it was empty anyway). Fixing KNOX-2690 > should help here a lot but maybe it's not enough. We may add some sort of > retry logic if service discovery failed due to communication errors. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557930#comment-17557930 ] ASF subversion and git services commented on KNOX-2736: --- Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ] KNOX-2736 Knox clients should support retry/failover - addendum (#578) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition
[ https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557936#comment-17557936 ] ASF subversion and git services commented on KNOX-2746: --- Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Bhargavi-Sagi [ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ] KNOX-2746 - Add presto/presto ui support in service definition (#576) > Add presto and presto ui support in service definition > -- > > Key: KNOX-2746 > URL: https://issues.apache.org/jira/browse/KNOX-2746 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Reporter: sagi bhargavi >Priority: Major > Fix For: 2.0.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Add spport for [Presto|https://github.com/prestodb/presto], also known as > PrestoDB in knox service definition. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557948#comment-17557948 ] ASF subversion and git services commented on KNOX-2736: --- Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ] KNOX-2736 Knox clients should support retry/failover (#568) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2743) Upgrade netty
[ https://issues.apache.org/jira/browse/KNOX-2743?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557944#comment-17557944 ] ASF subversion and git services commented on KNOX-2743: --- Commit d5f0c377812a96df356681e924be983bbc00608c in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d5f0c3778 ] KNOX-2743 - Upgrade netty (#573) > Upgrade netty > - > > Key: KNOX-2743 > URL: https://issues.apache.org/jira/browse/KNOX-2743 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep
[ https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557949#comment-17557949 ] ASF subversion and git services commented on KNOX-2346: --- Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ] KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the tests (#577) > Remove unused maxRetryAttempts and retrySleep > - > > Key: KNOX-2346 > URL: https://issues.apache.org/jira/browse/KNOX-2346 > Project: Apache Knox > Issue Type: Task >Reporter: Kevin Risden >Assignee: Sandor Molnar >Priority: Major > Fix For: 1.5.0, 2.0.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently maxRetryAttempts and retrySleep are wired throughout the code, but > don't actually hook up to anything. The handling should be removed to make it > clear that these aren't used anywhere. > There is no backwards compatibility issue here since the parsing is lazy - > its not a required field so if a user is specifying it will be silently > ignore. Just like it is silently ignored today. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service
[ https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557922#comment-17557922 ] ASF subversion and git services commented on KNOX-2740: --- Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ] KNOX-2740 - Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service (#569) > Impersonation-related fields should be displayed only if that's enabled in > the topology for the KnoxToken service > -- > > Key: KNOX-2740 > URL: https://issues.apache.org/jira/browse/KNOX-2740 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > With KNOX-2714, the following changes were done on the following Knox UIs: > * on the Token Generation page, a new input field was introduced to allow > end-users to declare the impersonated user > * on the Token Management page, another table is shown with the impersonated > tokens > There should be a way to show/hide these UI elements. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2741) Upgrade to velocity 2.3 due to CVE-2020-13936
[ https://issues.apache.org/jira/browse/KNOX-2741?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557923#comment-17557923 ] ASF subversion and git services commented on KNOX-2741: --- Commit 08ba70c4cc16c7c74f9f792aa779f6dcb18392ae in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=08ba70c4c ] KNOX-2741 - Upgraded Velocity and Pac4j versions (#570) * KNOX-2741 - Upgraded velocity to 2.3 due to CVE-2020-13936 * KNOX-2741 - Upgraded Pac4j to 4.5.2 > Upgrade to velocity 2.3 due to CVE-2020-13936 > -- > > Key: KNOX-2741 > URL: https://issues.apache.org/jira/browse/KNOX-2741 > Project: Apache Knox > Issue Type: Task >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox is pulling in Velocity 1.7 which is vulnerable to CVE-2020-13926. > Upgrade to Velocity 2.3 to address. The last 1.x release was 2010 so no new > 1.x release to go to. See > [https://velocity.apache.org/engine/2.3/upgrading.html] about upgrading to > 2.x. > There is one very important side effect: > Upgrading Velocity to 2.3 makes Knox incompatible with the current Pac4J > version if it is configured to use SAML: > {noformat} > HTTP ERROR 500 javax.servlet.ServletException: > javax.servlet.ServletException: java.lang.NoClassDefFoundError: > org/apache/velocity/runtime/log/LogChute > {noformat} > In Knox, we are using Pac4j 4.3.0 (including {{pac4j-saml-opensamlv3}}). In > this version, the velocity is still on 1.7. In 4.5.2 they changed their > velocity dependency to 2.3: > [https://repo1.maven.org/maven2/org/pac4j/pac4j-saml-opensamlv3/4.5.2/pac4j-saml-opensamlv3-4.5.2.pom] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557928#comment-17557928 ] ASF subversion and git services commented on KNOX-2736: --- Commit 7ac870f16563eda499b7eafa072bb119f4cd5754 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=7ac870f16 ] KNOX-2736 Knox clients should support retry/failover (#568) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions
[ https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557932#comment-17557932 ] ASF subversion and git services commented on KNOX-2726: --- Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ] KNOX-2726 - Impersonation Params should be configurable (#579) * KNOX-2726 - Impersonation Params should be configurable > Impersonation Params Declared by Service Definitions > > > Key: KNOX-2726 > URL: https://issues.apache.org/jira/browse/KNOX-2726 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 2.5h > Remaining Estimate: 0h > > _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ > has the following comment: > {noformat} > // TODO: let's have service definitions register their impersonation > // params in a future release and get this list from a central registry. > // This will provide better coverage of protection by removing any > // pre-populated impersonation params.{noformat} > Currently, Knox excludes some well-known impersonation request parameters > from proxied requests. Rather than maintaining a hard-coded list of these > params, service definitions should be able to declare them such that they > would be available at runtime to > {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}. > This will allow service-specific impersonation parameter details to be > defined by the service definitions, and eliminate the need for Knox runtime > code changes when new impersonation params need to be handled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661
[ https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557940#comment-17557940 ] ASF subversion and git services commented on KNOX-2761: --- Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ] KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods in KnoxShell too (#593) > KnoxShell does not reflect KNOX-2661 > > > Key: KNOX-2761 > URL: https://issues.apache.org/jira/browse/KNOX-2761 > Project: Apache Knox > Issue Type: Bug > Components: KnoxShell >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > KNOX-2661 changed the HTTP method for some of the Knox Token resource API. > However, those changes were not reflected in KnoxToken-related KnoxShell > classes. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1
[ https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557926#comment-17557926 ] ASF subversion and git services commented on KNOX-2744: --- Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ] KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572) > Upgrade protobuf-java to 3.16.1 > --- > > Key: KNOX-2744 > URL: https://issues.apache.org/jira/browse/KNOX-2744 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade protobuf-java to 3.16.1 due to CVE. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2346) Remove unused maxRetryAttempts and retrySleep
[ https://issues.apache.org/jira/browse/KNOX-2346?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557929#comment-17557929 ] ASF subversion and git services commented on KNOX-2346: --- Commit b15685c953f8e7763cd4770b8457d263951eca66 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=b15685c95 ] KNOX-2346 - Eliminated the accidentally re-introduced configs in one of the tests (#577) > Remove unused maxRetryAttempts and retrySleep > - > > Key: KNOX-2346 > URL: https://issues.apache.org/jira/browse/KNOX-2346 > Project: Apache Knox > Issue Type: Task >Reporter: Kevin Risden >Assignee: Sandor Molnar >Priority: Major > Fix For: 1.5.0, 2.0.0 > > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently maxRetryAttempts and retrySleep are wired throughout the code, but > don't actually hook up to anything. The handling should be removed to make it > clear that these aren't used anywhere. > There is no backwards compatibility issue here since the parsing is lazy - > its not a required field so if a user is specifying it will be silently > ignore. Just like it is silently ignored today. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException
[ https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557939#comment-17557939 ] ASF subversion and git services commented on KNOX-2762: --- Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Harshil Jhaveri [ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ] KNOX-2762 (#594) * Fixing bug related to whitespaces around delimters in composite provider names. * KNOX-2762 Fixing bug related to whitespaces around delimters in composite provider names. > Whitespaces around delimiters in composite provider names gives > NullPointerException > > > Key: KNOX-2762 > URL: https://issues.apache.org/jira/browse/KNOX-2762 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Harshil Jhaveri >Assignee: Harshil Jhaveri >Priority: Minor > Fix For: 2.0.0 > > Attachments: NPE gateway log.png > > Time Spent: 2.5h > Remaining Estimate: 0h > > When giving space before the delimiter for composite.provider.names in > composite authorisation provider. The topology deployment is failing and > returning a null pointer exception. > The topology state: > {code:java} > > authorization > CompositeAuthz > true > > composite.provider.names > AclsAuthz ,XASecurePDPKnox > > > AclsAuthz.ranger.acl > *;; > {code} > {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2752) knoxcli should support batch alias creation
[ https://issues.apache.org/jira/browse/KNOX-2752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557958#comment-17557958 ] ASF subversion and git services commented on KNOX-2752: --- Commit aa8e1531f970d5477d60f7ea2c669657b5bf077a in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=aa8e1531f ] KNOX-2752 knoxcli should support batch alias creation (#583) > knoxcli should support batch alias creation > --- > > Key: KNOX-2752 > URL: https://issues.apache.org/jira/browse/KNOX-2752 > Project: Apache Knox > Issue Type: Bug > Components: KnoxCLI >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > Currently we can only create aliases one by one: > {code} > bin/knoxcli.sh create-alias name --cluster cl1 --value value > {code} > This is very slow if we want to create multiple aliases. > KnoxCLI should support creating multiple aliases for the same cluster in one > batch > {code} > bin/knoxcli.sh create-aliases --alias a1 --value v1 --alias a2 --value v2 > --alias a3 --value v3 > {code} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2738) On Fresh install JDBCTokenStateService initiation failed
[ https://issues.apache.org/jira/browse/KNOX-2738?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557941#comment-17557941 ] ASF subversion and git services commented on KNOX-2738: --- Commit 3163401292d0640a6ade44d77cbefce1db8d9f10 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=316340129 ] KNOX-2738 On Fresh install JDBCTokenStateService initiation failed (#567) > On Fresh install JDBCTokenStateService initiation failed > > > Key: KNOX-2738 > URL: https://issues.apache.org/jira/browse/KNOX-2738 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > Knox intermittently failed to start due to a race condition between multiple > knox instances when creating database tables. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557950#comment-17557950 ] ASF subversion and git services commented on KNOX-2736: --- Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ] KNOX-2736 Knox clients should support retry/failover - addendum (#578) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2740) Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service
[ https://issues.apache.org/jira/browse/KNOX-2740?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557942#comment-17557942 ] ASF subversion and git services commented on KNOX-2740: --- Commit 2c7140ed4e4231134f0a91f5c99fcfe321e8611f in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=2c7140ed4 ] KNOX-2740 - Impersonation-related fields should be displayed only if that's enabled in the topology for the KnoxToken service (#569) > Impersonation-related fields should be displayed only if that's enabled in > the topology for the KnoxToken service > -- > > Key: KNOX-2740 > URL: https://issues.apache.org/jira/browse/KNOX-2740 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > With KNOX-2714, the following changes were done on the following Knox UIs: > * on the Token Generation page, a new input field was introduced to allow > end-users to declare the impersonated user > * on the Token Management page, another table is shown with the impersonated > tokens > There should be a way to show/hide these UI elements. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues
[ https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557934#comment-17557934 ] ASF subversion and git services commented on KNOX-2720: --- Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ] KNOX-2720 upgrade postgresql due to security issue (#548) > upgrade postgresql to 42.3.3 due to security issues > --- > > Key: KNOX-2720 > URL: https://issues.apache.org/jira/browse/KNOX-2720 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L252 > https://mvnrepository.com/artifact/org.postgresql/postgresql > 42.3.3 removes a logging feature that is not great from a security standpoint > - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException
[ https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557959#comment-17557959 ] ASF subversion and git services commented on KNOX-2762: --- Commit 31485649e6ea11921b97dbbce5672d5eef5bf0b9 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Harshil Jhaveri [ https://gitbox.apache.org/repos/asf?p=knox.git;h=31485649e ] KNOX-2762 (#594) * Fixing bug related to whitespaces around delimters in composite provider names. * KNOX-2762 Fixing bug related to whitespaces around delimters in composite provider names. > Whitespaces around delimiters in composite provider names gives > NullPointerException > > > Key: KNOX-2762 > URL: https://issues.apache.org/jira/browse/KNOX-2762 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Harshil Jhaveri >Assignee: Harshil Jhaveri >Priority: Minor > Fix For: 2.0.0 > > Attachments: NPE gateway log.png > > Time Spent: 2.5h > Remaining Estimate: 0h > > When giving space before the delimiter for composite.provider.names in > composite authorisation provider. The topology deployment is failing and > returning a null pointer exception. > The topology state: > {code:java} > > authorization > CompositeAuthz > true > > composite.provider.names > AclsAuthz ,XASecurePDPKnox > > > AclsAuthz.ranger.acl > *;; > {code} > {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2744) Upgrade protobuf-java to 3.16.1
[ https://issues.apache.org/jira/browse/KNOX-2744?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557946#comment-17557946 ] ASF subversion and git services commented on KNOX-2744: --- Commit 5b6f389dffb9319f13a707b2f38340ec3682a612 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5b6f389df ] KNOX-2744 Upgrade protobuf-java to 3.16.1 (#572) > Upgrade protobuf-java to 3.16.1 > --- > > Key: KNOX-2744 > URL: https://issues.apache.org/jira/browse/KNOX-2744 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > Upgrade protobuf-java to 3.16.1 due to CVE. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2745) VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter
[ https://issues.apache.org/jira/browse/KNOX-2745?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557947#comment-17557947 ] ASF subversion and git services commented on KNOX-2745: --- Commit 1b177a2638126afb5280ad5c113e901e42fec375 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=1b177a263 ] KNOX-2745 VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter (#575) > VirtualGroupMapper doesn't use groups from HadoopGroupProviderFilter > > > Key: KNOX-2745 > URL: https://issues.apache.org/jira/browse/KNOX-2745 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > The groups calculated by HadoopGroupProviderFilter are not passed to the > virtual group mapper. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2732) Issuer claim in Knox JWTs should be configurable
[ https://issues.apache.org/jira/browse/KNOX-2732?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557951#comment-17557951 ] ASF subversion and git services commented on KNOX-2732: --- Commit 8c468b095128ef9dd83e08d80e45a4c3db2ff44d in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=8c468b095 ] KNOX-2732 Issuer claim in Knox JWTs should be configurable (#560) > Issuer claim in Knox JWTs should be configurable > > > Key: KNOX-2732 > URL: https://issues.apache.org/jira/browse/KNOX-2732 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h 40m > Remaining Estimate: 0h > > Currently, the issuer claim in JWTs issued by Knox is always "KNOXSSO". This > value should be configurable via a KNOXTOKEN service param in the topology. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2746) Add presto and presto ui support in service definition
[ https://issues.apache.org/jira/browse/KNOX-2746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557956#comment-17557956 ] ASF subversion and git services commented on KNOX-2746: --- Commit 02763cae0f3f148f089d7807e49184169d2d258f in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Bhargavi-Sagi [ https://gitbox.apache.org/repos/asf?p=knox.git;h=02763cae0 ] KNOX-2746 - Add presto/presto ui support in service definition (#576) > Add presto and presto ui support in service definition > -- > > Key: KNOX-2746 > URL: https://issues.apache.org/jira/browse/KNOX-2746 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Reporter: sagi bhargavi >Priority: Major > Fix For: 2.0.0 > > Time Spent: 40m > Remaining Estimate: 0h > > Add spport for [Presto|https://github.com/prestodb/presto], also known as > PrestoDB in knox service definition. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
[ https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557937#comment-17557937 ] ASF subversion and git services commented on KNOX-2757: --- Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ] KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590) > Mutually exclusive filter params in the HadoopGroupProvider > identity-assertion provider > --- > > Key: KNOX-2757 > URL: https://issues.apache.org/jira/browse/KNOX-2757 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Blocker > Fix For: 2.0.0 > > Time Spent: 50m > Remaining Estimate: 0h > > *Steps to reproduce:* > 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} > topology with this: > {noformat} > > identity-assertion > HadoopGroupProvider > true > > CENTRAL_GROUP_CONFIG_PREFIX > gateway.group.config. > > > group.mapping.scientist > (!= 0 (size groups)) > > {noformat} > 2. wait until Knox redeploys the {{sandbox}} topology and check the generated > {{gateway.xml}} in the newly deployed web application > *Actual results:* > The {{group.mapping.scientist}} filter parameter is missing; only the params > in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added: > {noformat} > > identity-assertion > HadoopGroupProvider > > org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter > > > hadoop.security.group.mapping.ldap.search.attr.member > member > > > > hadoop.security.group.mapping.ldap.search.filter.user > > (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0})) > > > > hadoop.security.group.mapping.ldap.search.attr.group.name > cn > > > hadoop.security.group.mapping.ldap.url > ldap://localhost:33389 > > > hadoop.security.group.mapping > org.apache.hadoop.security.LdapGroupsMapping > > > > hadoop.security.group.mapping.ldap.search.filter.group > (objectclass=groupOfNames) > > > hadoop.security.group.mapping.ldap.bind.user > uid=guest,ou=people,dc=hadoop,dc=apache,dc=org > > > hadoop.security.group.mapping.ldap.bind.password > guest-password > > > {noformat} > *Expected results:* > Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} > provider parameter should be added to the filter. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2720) upgrade postgresql to 42.3.3 due to security issues
[ https://issues.apache.org/jira/browse/KNOX-2720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557954#comment-17557954 ] ASF subversion and git services commented on KNOX-2720: --- Commit ce523efddab377a6a2067f88f4b587064914a4d2 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ce523efdd ] KNOX-2720 upgrade postgresql due to security issue (#548) > upgrade postgresql to 42.3.3 due to security issues > --- > > Key: KNOX-2720 > URL: https://issues.apache.org/jira/browse/KNOX-2720 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 0.5h > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L252 > https://mvnrepository.com/artifact/org.postgresql/postgresql > 42.3.3 removes a logging feature that is not great from a security standpoint > - https://jdbc.postgresql.org/documentation/changelog.html#version_42.3.3 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2726) Impersonation Params Declared by Service Definitions
[ https://issues.apache.org/jira/browse/KNOX-2726?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557952#comment-17557952 ] ASF subversion and git services commented on KNOX-2726: --- Commit 93bceed9c33d8e63cb48bdac86d9bc98fca44f90 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=93bceed9c ] KNOX-2726 - Impersonation Params should be configurable (#579) * KNOX-2726 - Impersonation Params should be configurable > Impersonation Params Declared by Service Definitions > > > Key: KNOX-2726 > URL: https://issues.apache.org/jira/browse/KNOX-2726 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: Philip Zampino >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.2 > > Time Spent: 2.5h > Remaining Estimate: 0h > > _org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper#getImpersonationParamNames()_ > has the following comment: > {noformat} > // TODO: let's have service definitions register their impersonation > // params in a future release and get this list from a central registry. > // This will provide better coverage of protection by removing any > // pre-populated impersonation params.{noformat} > Currently, Knox excludes some well-known impersonation request parameters > from proxied requests. Rather than maintaining a hard-coded list of these > params, service definitions should be able to declare them such that they > would be available at runtime to > {_}org.apache.knox.gateway.identityasserter.common.filter.IdentityAsserterHttpServletRequestWrapper{_}. > This will allow service-specific impersonation parameter details to be > defined by the service definitions, and eliminate the need for Knox runtime > code changes when new impersonation params need to be handled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2736) Knox clients should support retry/failover
[ https://issues.apache.org/jira/browse/KNOX-2736?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557908#comment-17557908 ] ASF subversion and git services commented on KNOX-2736: --- Commit fc48add49a0c6015247b71ca118c90fb6dde347f in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/minimist-1.2.6 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=fc48add49 ] KNOX-2736 Knox clients should support retry/failover - addendum (#578) > Knox clients should support retry/failover > -- > > Key: KNOX-2736 > URL: https://issues.apache.org/jira/browse/KNOX-2736 > Project: Apache Knox > Issue Type: Improvement > Components: KnoxShell >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 1h > Remaining Estimate: 0h > > Not having retries in knox clients can cause service upgrade failures. > The apache http client has a default mechanism > (StandardHttpRequestRetryHandler and DefaultServiceUnavailableRetryStrategy) > to support retries. > * DefaultServiceUnavailableRetryStrategy only retries in case of a 503 - > ServiceUnavailable. > * StandardHttpRequestRetryHandler retries when a non excluded exception > occurs during the request. > The excluded exceptions are: InterruptedIOException, UnknownHostException, > ConnectException, SSLException. In these cases no retry is going to happen. > The following HTTP methods are considered idempotent so they can be retried: > GET, HEAD, PUT, DELETE, OPTIONS, TRACE. > Note that if an endpoint is implemented as a non-idempotent way (for example > a PUT) then this might have unwanted side-effects. > Other methods such as POST are only retried if the request has not yet > written out to the output stream when the error happened. Or if > requestSentRetryEnabled is enabled. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2718) upgrade xmlsec due to security issue
[ https://issues.apache.org/jira/browse/KNOX-2718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557962#comment-17557962 ] ASF subversion and git services commented on KNOX-2718: --- Commit 295a041a728444d1a1ee7b82104dfe387a704929 in knox's branch refs/heads/master from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=295a041a7 ] KNOX-2718: upgrade xmlsec due to security issue (#584) > upgrade xmlsec due to security issue > > > Key: KNOX-2718 > URL: https://issues.apache.org/jira/browse/KNOX-2718 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L273 > https://mvnrepository.com/artifact/org.apache.santuario/xmlsec -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2754) upgrade hadoop-common due to cve
[ https://issues.apache.org/jira/browse/KNOX-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557963#comment-17557963 ] ASF subversion and git services commented on KNOX-2754: --- Commit 52c586587c512fa5a72eb12f2df7dfa4ac8f5ec2 in knox's branch refs/heads/master from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=52c586587 ] KNOX-2754: upgrade hadoop-common due to cve (#586) > upgrade hadoop-common due to cve > > > Key: KNOX-2754 > URL: https://issues.apache.org/jira/browse/KNOX-2754 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > https://github.com/apache/knox/pull/557 > https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common has the > versions and vulnerabilities associated with them -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2721) upgrade jetty to 9.4.45 due to cves
[ https://issues.apache.org/jira/browse/KNOX-2721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557964#comment-17557964 ] ASF subversion and git services commented on KNOX-2721: --- Commit 167bc5268fcfc3418faeddbaea06ce4decf926c2 in knox's branch refs/heads/master from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=167bc5268 ] KNOX-2721: upgrade jetty to 9.4.45 due to cves (#587) > upgrade jetty to 9.4.45 due to cves > --- > > Key: KNOX-2721 > URL: https://issues.apache.org/jira/browse/KNOX-2721 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server > https://github.com/apache/knox/blob/master/pom.xml#L229 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2757) Mutually exclusive filter params in the HadoopGroupProvider identity-assertion provider
[ https://issues.apache.org/jira/browse/KNOX-2757?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557957#comment-17557957 ] ASF subversion and git services commented on KNOX-2757: --- Commit 6cdd2f0589e44bb464cf03f4e6848b059fd9c113 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=6cdd2f058 ] KNOX-2757 - HadoopGroupProvider parameters should be added to the filter even there is a gateway level property with CENTRAL_GROUP_CONFIG_PREFIX (#590) > Mutually exclusive filter params in the HadoopGroupProvider > identity-assertion provider > --- > > Key: KNOX-2757 > URL: https://issues.apache.org/jira/browse/KNOX-2757 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0, 1.6.0, 1.6.1 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Blocker > Fix For: 2.0.0 > > Time Spent: 50m > Remaining Estimate: 0h > > *Steps to reproduce:* > 1. replace the {{Default}} identity-assertion provider in the {{sandbox}} > topology with this: > {noformat} > > identity-assertion > HadoopGroupProvider > true > > CENTRAL_GROUP_CONFIG_PREFIX > gateway.group.config. > > > group.mapping.scientist > (!= 0 (size groups)) > > {noformat} > 2. wait until Knox redeploys the {{sandbox}} topology and check the generated > {{gateway.xml}} in the newly deployed web application > *Actual results:* > The {{group.mapping.scientist}} filter parameter is missing; only the params > in {{gateway-site.xml}} with the {{gateway.group.config.}} prefix were added: > {noformat} > > identity-assertion > HadoopGroupProvider > > org.apache.knox.gateway.identityasserter.hadoop.groups.filter.HadoopGroupProviderFilter > > > hadoop.security.group.mapping.ldap.search.attr.member > member > > > > hadoop.security.group.mapping.ldap.search.filter.user > > (&(|(objectclass=person)(objectclass=applicationProcess))(cn={0})) > > > > hadoop.security.group.mapping.ldap.search.attr.group.name > cn > > > hadoop.security.group.mapping.ldap.url > ldap://localhost:33389 > > > hadoop.security.group.mapping > org.apache.hadoop.security.LdapGroupsMapping > > > > hadoop.security.group.mapping.ldap.search.filter.group > (objectclass=groupOfNames) > > > hadoop.security.group.mapping.ldap.bind.user > uid=guest,ou=people,dc=hadoop,dc=apache,dc=org > > > hadoop.security.group.mapping.ldap.bind.password > guest-password > > > {noformat} > *Expected results:* > Both the pre-configured gateway-site.xml and the {{group.mapping.scientist}} > provider parameter should be added to the filter. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2761) KnoxShell does not reflect KNOX-2661
[ https://issues.apache.org/jira/browse/KNOX-2761?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557960#comment-17557960 ] ASF subversion and git services commented on KNOX-2761: --- Commit 50a0552dc428069f396fe4926f4bff0e97372cfc in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=50a0552dc ] KNOX-2761 - Knox Token renew/revoke operations are now PUT/DELETE HTTP methods in KnoxShell too (#593) > KnoxShell does not reflect KNOX-2661 > > > Key: KNOX-2761 > URL: https://issues.apache.org/jira/browse/KNOX-2761 > Project: Apache Knox > Issue Type: Bug > Components: KnoxShell >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > KNOX-2661 changed the HTTP method for some of the Knox Token resource API. > However, those changes were not reflected in KnoxToken-related KnoxShell > classes. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2747) RemoteAliasService generates password without checking if it already exists
[ https://issues.apache.org/jira/browse/KNOX-2747?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17557953#comment-17557953 ] ASF subversion and git services commented on KNOX-2747: --- Commit e2bfa1535317186c3e7b69de188f998aeb864431 in knox's branch refs/heads/dependabot/npm_and_yarn/gateway-admin-ui/async-2.6.4 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=e2bfa1535 ] KNOX-2747 RemoteAliasService generates password without checking if it already exists (#581) > RemoteAliasService generates password without checking if it already exists > --- > > Key: KNOX-2747 > URL: https://issues.apache.org/jira/browse/KNOX-2747 > Project: Apache Knox > Issue Type: Bug >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > RemoteAliasService: > {code} > /* Generate a new password */ > if (generate) { > generateAliasForCluster(clusterName, alias); > } > {code} > DefaultAliasService checks first > {code} > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > if (credential == null && generate) { > generateAliasForCluster(clusterName, alias); > credential = keystoreService.getCredentialForCluster(clusterName, > alias); > } > {code} > This causes the Pac4jDispatcherFilter to regenerate the password at each > topology change. -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2766) "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.
[ https://issues.apache.org/jira/browse/KNOX-2766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558094#comment-17558094 ] ASF subversion and git services commented on KNOX-2766: --- Commit 43f4723ea2cce745c4916721155cb962dd04e855 in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=43f4723ea ] KNOX-2766 - Make sure disableLoadBalancingForUserAgents is picked up from HA configs (#599) > "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set. > --- > > Key: KNOX-2766 > URL: https://issues.apache.org/jira/browse/KNOX-2766 > Project: Apache Knox > Issue Type: Bug > Components: Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > {{It appears that disableLoadBalancingForUserAgents property for HA dispatch > is not getting set. This property was introduced as part of change KNOX-2634. > }} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2766) "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set.
[ https://issues.apache.org/jira/browse/KNOX-2766?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558118#comment-17558118 ] ASF subversion and git services commented on KNOX-2766: --- Commit 43f4723ea2cce745c4916721155cb962dd04e855 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=43f4723ea ] KNOX-2766 - Make sure disableLoadBalancingForUserAgents is picked up from HA configs (#599) > "disableLoadBalancingForUserAgents" property for HA dispatch cannot be set. > --- > > Key: KNOX-2766 > URL: https://issues.apache.org/jira/browse/KNOX-2766 > Project: Apache Knox > Issue Type: Bug > Components: Server >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > {{It appears that disableLoadBalancingForUserAgents property for HA dispatch > is not getting set. This property was introduced as part of change KNOX-2634. > }} -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2721) upgrade jetty to 9.4.45 due to cves
[ https://issues.apache.org/jira/browse/KNOX-2721?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558117#comment-17558117 ] ASF subversion and git services commented on KNOX-2721: --- Commit 167bc5268fcfc3418faeddbaea06ce4decf926c2 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=167bc5268 ] KNOX-2721: upgrade jetty to 9.4.45 due to cves (#587) > upgrade jetty to 9.4.45 due to cves > --- > > Key: KNOX-2721 > URL: https://issues.apache.org/jira/browse/KNOX-2721 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > https://mvnrepository.com/artifact/org.eclipse.jetty/jetty-server > https://github.com/apache/knox/blob/master/pom.xml#L229 -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2754) upgrade hadoop-common due to cve
[ https://issues.apache.org/jira/browse/KNOX-2754?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558116#comment-17558116 ] ASF subversion and git services commented on KNOX-2754: --- Commit 52c586587c512fa5a72eb12f2df7dfa4ac8f5ec2 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=52c586587 ] KNOX-2754: upgrade hadoop-common due to cve (#586) > upgrade hadoop-common due to cve > > > Key: KNOX-2754 > URL: https://issues.apache.org/jira/browse/KNOX-2754 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > https://github.com/apache/knox/pull/557 > https://mvnrepository.com/artifact/org.apache.hadoop/hadoop-common has the > versions and vulnerabilities associated with them -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2718) upgrade xmlsec due to security issue
[ https://issues.apache.org/jira/browse/KNOX-2718?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558115#comment-17558115 ] ASF subversion and git services commented on KNOX-2718: --- Commit 295a041a728444d1a1ee7b82104dfe387a704929 in knox's branch refs/heads/dependabot/npm_and_yarn/knox-token-management-ui/async-2.6.4 from PJ Fanning [ https://gitbox.apache.org/repos/asf?p=knox.git;h=295a041a7 ] KNOX-2718: upgrade xmlsec due to security issue (#584) > upgrade xmlsec due to security issue > > > Key: KNOX-2718 > URL: https://issues.apache.org/jira/browse/KNOX-2718 > Project: Apache Knox > Issue Type: Bug >Reporter: PJ Fanning >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > https://github.com/apache/knox/blob/master/pom.xml#L273 > https://mvnrepository.com/artifact/org.apache.santuario/xmlsec -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2762) Whitespaces around delimiters in composite provider names gives NullPointerException
[ https://issues.apache.org/jira/browse/KNOX-2762?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17558871#comment-17558871 ] ASF subversion and git services commented on KNOX-2762: --- Commit f6d190d7a1339eef199e26d9b053fedbb9dc4dcb in knox's branch refs/heads/master from Harshil Jhaveri [ https://gitbox.apache.org/repos/asf?p=knox.git;h=f6d190d7a ] KNOX-2762 Bug fixes for spaces around delimiters with all reviewed comments addressed (#597) > Whitespaces around delimiters in composite provider names gives > NullPointerException > > > Key: KNOX-2762 > URL: https://issues.apache.org/jira/browse/KNOX-2762 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 1.6.0 >Reporter: Harshil Jhaveri >Assignee: Harshil Jhaveri >Priority: Minor > Fix For: 2.0.0 > > Attachments: NPE gateway log.png > > Time Spent: 3h 40m > Remaining Estimate: 0h > > When giving space before the delimiter for composite.provider.names in > composite authorisation provider. The topology deployment is failing and > returning a null pointer exception. > The topology state: > {code:java} > > authorization > CompositeAuthz > true > > composite.provider.names > AclsAuthz ,XASecurePDPKnox > > > AclsAuthz.ranger.acl > *;; > {code} > {color:#e8bf6a}CC:{color} [~pzampino] [~smore] [~smolnar] -- This message was sent by Atlassian Jira (v8.20.7#820007)
[jira] [Commented] (KNOX-2771) Log HTTP client config parameters such as socket timeouts with info level
[ https://issues.apache.org/jira/browse/KNOX-2771?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563399#comment-17563399 ] ASF subversion and git services commented on KNOX-2771: --- Commit 40139df79cf5434417237d115984a341236c1a37 in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=40139df79 ] KNOX-2771 - Log HTTP client config parameters such as socket timeouts with info level (#602) > Log HTTP client config parameters such as socket timeouts with info level > - > > Key: KNOX-2771 > URL: https://issues.apache.org/jira/browse/KNOX-2771 > Project: Apache Knox > Issue Type: Improvement >Reporter: Balazs Marton >Priority: Minor > Time Spent: 1h 20m > Remaining Estimate: 0h > > Timeout parameters can be defined in two places, in gateway-site.xml and > service.xml > > {code:java} > gateway.httpclient.connectionTimeout -> 600 > gateway.httpclient.socketTimeout -> 600 > {code} > > {code:java} > ha-classname="org.apache.knox.gateway.hive.HiveHaDispatch"> > > httpclient.connectionTimeout > 5m > > > httpclient.socketTimeout > 5m > > {code} > The latter takes priority over the former. There are multiple examples where > the customer and/or the support tried to set these in gateway-site level but > it didn't work. > It would be good to see these parameters (plus other http related configs) in > the log. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2773) Log replay buffer size with info level
[ https://issues.apache.org/jira/browse/KNOX-2773?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17563671#comment-17563671 ] ASF subversion and git services commented on KNOX-2773: --- Commit 32ecc76be4bb4e1728fb9acf537a5a619dfcd7ef in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=32ecc76be ] KNOX-2773 - Changed log level from debug to info for replayBufferSize log (#604) > Log replay buffer size with info level > -- > > Key: KNOX-2773 > URL: https://issues.apache.org/jira/browse/KNOX-2773 > Project: Apache Knox > Issue Type: Improvement >Reporter: Balazs Marton >Priority: Minor > Time Spent: 1h 40m > Remaining Estimate: 0h > > Replay buffer size can be defined in two places, in the topology file and in > the service.xml. > The topology file takes priority over the service.xml. To prevent confusion > it would be nice to see it's value in the log. > {code:java} > > HIVE > http://localhost:10001/cliservice > > replayBufferSize > 8 > > > {code} > {code:java} > > ha-classname="org.apache.knox.gateway.ha.dispatch.ConfigurableHADispatch"> > > responseExcludeHeaders > WWW-AUTHENTICATE > > > replayBufferSize > 65 > > > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2774) "usage: sleep seconds" messages in terminal after starting knox
[ https://issues.apache.org/jira/browse/KNOX-2774?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17564089#comment-17564089 ] ASF subversion and git services commented on KNOX-2774: --- Commit 4366185351eb0dfa40d1ccac4a0766bf707bd440 in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=436618535 ] KNOX-2774 - Changed DEFAULT_APP_STATUS_TEST_RETRY_SLEEP value from 2s to 2 (#606) > "usage: sleep seconds" messages in terminal after starting knox > --- > > Key: KNOX-2774 > URL: https://issues.apache.org/jira/browse/KNOX-2774 > Project: Apache Knox > Issue Type: Bug >Reporter: Balazs Marton >Priority: Minor > Attachments: Screenshot 2022-07-06 at 18.00.24.png > > Time Spent: 0.5h > Remaining Estimate: 0h > > After starting apache knox > {code:java} > usage: sleep seconds > {code} > messages appear in terminal until the jetty server starts. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2770) KnoxToken doAs won't work with HadoopAuth filter
[ https://issues.apache.org/jira/browse/KNOX-2770?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17568831#comment-17568831 ] ASF subversion and git services commented on KNOX-2770: --- Commit 120915227d1b44e30ac8f0d9924675c854b8ce4a in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=120915227 ] KNOX-2770 - KnoxToken doAs support depends on token state service and a service-level configuration (#609) > KnoxToken doAs won't work with HadoopAuth filter > > > Key: KNOX-2770 > URL: https://issues.apache.org/jira/browse/KNOX-2770 > Project: Apache Knox > Issue Type: Bug > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Blocker > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > *Steps to reproduce* > * create a topology with Knox's HadoopAuth filter as the authentication > provider and include the KNOXTOKEN service (let's call it > {{myKnoxTokenTopology}} in this sample) > * make sure the HadoopAuth filter is configured in a way such as it allows > the hive users (can be any user, I use hive as a sample) to impersonate hdfs > * make sure that token state management is disabled in the KNOXTOKEN service > * login to Kerberos as the hive user (kinit using a valid hive keytab) > * try to get 2 Knox tokens using that topology on behalf of hdfs (e.g. > {{curl --negotiate -u : "https://$(hostname > -f):8443/gateway/myKnoxTokenTopology/knoxtoken/api/v1/token?doAs=hdfs"}} > *Actual results* > The second call fails with an error message like this: > {noformat} > { > "RemoteException" : { > "message" : "User: hive@MY_HOST is not allowed to impersonate hdfs", > "exception" : "AuthorizationException", > "javaClassName" : > "org.apache.hadoop.security.authorize.AuthorizationException" > } > } {noformat} > > *Expected results* > Both KnoxToken REST API invocations should have succeeded. > > *Action plan:* > * fix the issue of refreshing Hadoop's proxyuser configuration in > TokenResource when token state management is disabled > * introduce a new service-level configuration that let us enable/disable the > doAs support on the KnoxToken path regardless of the token state management > settings -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2782) Knox CLI user-auth-test command failure
[ https://issues.apache.org/jira/browse/KNOX-2782?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569341#comment-17569341 ] ASF subversion and git services commented on KNOX-2782: --- Commit ae0fe4606e56aa5b63714504c6951e3bb1c0 in knox's branch refs/heads/master from Sandor Molnar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=ae0fe4606 ] KNOX-2782 - Enhanced Shiro config with the object class of invalidRequest (#610) > Knox CLI user-auth-test command failure > --- > > Key: KNOX-2782 > URL: https://issues.apache.org/jira/browse/KNOX-2782 > Project: Apache Knox > Issue Type: Bug > Components: KnoxCLI >Affects Versions: 1.6.0 >Reporter: Sandor Molnar >Assignee: Sandor Molnar >Priority: Major > Fix For: 2.0.0 > > Time Spent: 20m > Remaining Estimate: 0h > > There is an issue with KnoxCLI's {{user-auth-test}} command: > {noformat} > bin/knoxcli.sh user-auth-test --cluster sandbox --u admin --p admin-password > java.lang.IllegalArgumentException: Configuration error. Specified object > [invalidRequest] with property [blockSemicolon] without first defining that > object's class. Please first specify the class property first, e.g. myObject > = fully_qualified_class_name and then define additional properties. > org.apache.knox.gateway.util.KnoxCLI$LDAPCommand$BadSubjectException: Subject > could not be created with Shiro Config at sections=main,urls > For more information use --d for debug output. > ERR: Unable to authenticate user: admin {noformat} > The reason is, that 3 properties are added OOTB to the generated Shiro > configuration, under the "{{{}main{}}}" section, as per KNOX-2455 > {noformat} > params.putIfAbsent("main.invalidRequest.blockSemicolon", "false"); > params.putIfAbsent("main.invalidRequest.blockBackslash", "false"); > params.putIfAbsent("main.invalidRequest.blockNonAscii", "false"); > {noformat} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2777) Implement concurrent session verifier
[ https://issues.apache.org/jira/browse/KNOX-2777?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17569960#comment-17569960 ] ASF subversion and git services commented on KNOX-2777: --- Commit 82cd96d99398cc9aad86596fb65240ccd0244498 in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=82cd96d99 ] KNOX-2777 - Add configurations for concurrent session verifier feature (#608) Co-authored-by: MrtnBalazs > Implement concurrent session verifier > - > > Key: KNOX-2777 > URL: https://issues.apache.org/jira/browse/KNOX-2777 > Project: Apache Knox > Issue Type: Sub-task > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Balazs Marton >Priority: Major > Fix For: 2.0.0 > > Time Spent: 3h 10m > Remaining Estimate: 0h > > The following needs to be implemented in the scope of this JIRA: > * we need 4 new Gateway-level configurations: > ** privileged user list (defaults to an empty collection) > ** non-privileged user list (defaults to an empty collection) > ** session limit for privileged users (defaults to 3) > ** session limit for non-privileged users (defaults to 2) > * if a session limit for any of the groups is set to a negative number, that > means the users in that group are allowed to have an unlimited number of > sessions > * In addition to the new configs, a verifier has to be implemented that > enforces the following business logic: if a user is listed in the > above-introduced privileged/non-privileged collection AND is about to pass a > configured session limit the verification should fail. The verification > should succeed if the given user is declared neither a privileged nor a > non-privileged user. > The new verifier implementation may be placed in the {{gateway-spi-common}} > project for now. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2772) add configuration for jetty renegotiation
[ https://issues.apache.org/jira/browse/KNOX-2772?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17571551#comment-17571551 ] ASF subversion and git services commented on KNOX-2772: --- Commit 07cd031e1ee2e6be14308749d61cb5a495a6fe11 in knox's branch refs/heads/master from 南慧荣 [ https://gitbox.apache.org/repos/asf?p=knox.git;h=07cd031e1 ] KNOX-2772 - add configuration for jetty renegotiation (#605) > add configuration for jetty renegotiation > - > > Key: KNOX-2772 > URL: https://issues.apache.org/jira/browse/KNOX-2772 > Project: Apache Knox > Issue Type: Improvement > Components: Server >Affects Versions: 1.6.0 >Reporter: nanhuirong >Priority: Critical > Attachments: KNOX-2772.patch > > Time Spent: 2.5h > Remaining Estimate: 0h > > the user or developer can't config the renegotiation for knox > *Action plan:* > set the value when building the SslContextFactory -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2779) support multiple hosts for gateway.host config
[ https://issues.apache.org/jira/browse/KNOX-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17578104#comment-17578104 ] ASF subversion and git services commented on KNOX-2779: --- Commit d51173a83e364d6eacf19d9ac8823ea2afb807f5 in knox's branch refs/heads/master from 南慧荣 [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d51173a83 ] KNOX-2779 - support multiple hosts for gateway.host config (#613) > support multiple hosts for gateway.host config > -- > > Key: KNOX-2779 > URL: https://issues.apache.org/jira/browse/KNOX-2779 > Project: Apache Knox > Issue Type: Improvement >Reporter: nanhuirong >Priority: Major > Time Spent: 40m > Remaining Estimate: 0h > > Knox may dispatch requests from multiple services and must listen on 0.0.0.0 > if the request is not on the same plane. For example, host A has three > network adapters and only two adapters receive requests, we must config > 0.0.0.0 for gateway.host, Thus, the knox servive may has security issues. > > I think that we can expose multiple hosts for gateway.host as follows: > > gateway.host > ip1,ip2... > > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2783) User can be mapped to an empty virtual group
[ https://issues.apache.org/jira/browse/KNOX-2783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579609#comment-17579609 ] ASF subversion and git services commented on KNOX-2783: --- Commit 255ca75236a415e72ff506546135a660708bf6a3 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=255ca7523 ] KNOX-2783 - User can be mapped to an empty virtual group (#611) > User can be mapped to an empty virtual group > > > Key: KNOX-2783 > URL: https://issues.apache.org/jira/browse/KNOX-2783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Minor > Time Spent: 10m > Remaining Estimate: 0h > > If there is no group name after the dot, the user is getting mapped to an "" > group. > {code} > > identity-assertion > HadoopGroupProvider > true > > hadoop.security.group.mapping > > org.apache.hadoop.security.ShellBasedUnixGroupsMapping > > > group.mapping. > true > > > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2786) Upgrade spring and json-smart due to CVEs
[ https://issues.apache.org/jira/browse/KNOX-2786?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17579684#comment-17579684 ] ASF subversion and git services commented on KNOX-2786: --- Commit 5121758bc86d53c7a41314486be1d5d9b5e074a4 in knox's branch refs/heads/master from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=5121758bc ] KNOX-2786 - Upgrade spring and json-smart due to CVEs (#614) > Upgrade spring and json-smart due to CVEs > - > > Key: KNOX-2786 > URL: https://issues.apache.org/jira/browse/KNOX-2786 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > > # upgrade json-smart to 2.4.8 > # upgrade spring to 5.3.21 spring:5.3.2 -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2778) Enforce concurrent session limit in KnoxSSO
[ https://issues.apache.org/jira/browse/KNOX-2778?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17581283#comment-17581283 ] ASF subversion and git services commented on KNOX-2778: --- Commit 78a058900f17078ea3278cc41bf8cc9540ed4415 in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=78a058900 ] KNOX-2778 - Enforce concurrent session limit in KnoxSSO (#615) > Enforce concurrent session limit in KnoxSSO > --- > > Key: KNOX-2778 > URL: https://issues.apache.org/jira/browse/KNOX-2778 > Project: Apache Knox > Issue Type: Sub-task > Components: Server >Affects Versions: 2.0.0 >Reporter: Sandor Molnar >Assignee: Balazs Marton >Priority: Major > Fix For: 2.0.0 > > Time Spent: 5h 10m > Remaining Estimate: 0h > > Once, KNOX-2777 is ready, the next step is to wire that verifier > implementation into the KnoxSSO flow such as it throws an authorization error > (FORBIDDEN; 403) when a user tries to log in to UIs (both Knox's own UIs or > UIs proxied by Knox) but that user exceeds the configured concurrent session > limit. > Basic logout handling should be covered too: > * manually clicking on the logout button > * subscribing to a session timeout event (you may want to talk to [~smore] > about this) -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2788) Implement deleting expired tokens and make Verifier disableable
[ https://issues.apache.org/jira/browse/KNOX-2788?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17582838#comment-17582838 ] ASF subversion and git services commented on KNOX-2788: --- Commit 66012400d4bf1e850e80d17709b8ab6a07f91a07 in knox's branch refs/heads/master from MrtnBalazs [ https://gitbox.apache.org/repos/asf?p=knox.git;h=66012400d ] KNOX-2788 - Implementing EmptyVerifier and Cleaning background thread (#620) > Implement deleting expired tokens and make Verifier disableable > --- > > Key: KNOX-2788 > URL: https://issues.apache.org/jira/browse/KNOX-2788 > Project: Apache Knox > Issue Type: Sub-task > Components: Server >Affects Versions: 2.0.0 >Reporter: Balazs Marton >Assignee: Balazs Marton >Priority: Major > Time Spent: 10m > Remaining Estimate: 0h > > A background thread is needed to check periodically which tokens are expired, > and remove them. The checking period must be configurable in > gateway-site.xml. The default cleaning time is 30 minutes. > Change the initialization of the verifier, so it is only enabled if > configured in gateway-site.xml, so it is not checking and running a > background thread if it is not used. -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2787) Upgrade Pac4J to v4.5.6
[ https://issues.apache.org/jira/browse/KNOX-2787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583627#comment-17583627 ] ASF subversion and git services commented on KNOX-2787: --- Commit 2deaf375b9f7869b3e72982397eec34785378c40 in knox's branch refs/heads/master from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=2deaf375b ] KNOX-2787 - Upgrade pac4j to 4.5.6 (#621) > Upgrade Pac4J to v4.5.6 > --- > > Key: KNOX-2787 > URL: https://issues.apache.org/jira/browse/KNOX-2787 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2783) User can be mapped to an empty virtual group
[ https://issues.apache.org/jira/browse/KNOX-2783?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583632#comment-17583632 ] ASF subversion and git services commented on KNOX-2783: --- Commit 255ca75236a415e72ff506546135a660708bf6a3 in knox's branch refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from Attila Magyar [ https://gitbox.apache.org/repos/asf?p=knox.git;h=255ca7523 ] KNOX-2783 - User can be mapped to an empty virtual group (#611) > User can be mapped to an empty virtual group > > > Key: KNOX-2783 > URL: https://issues.apache.org/jira/browse/KNOX-2783 > Project: Apache Knox > Issue Type: Improvement >Reporter: Attila Magyar >Assignee: Attila Magyar >Priority: Minor > Time Spent: 20m > Remaining Estimate: 0h > > If there is no group name after the dot, the user is getting mapped to an "" > group. > {code} > > identity-assertion > HadoopGroupProvider > true > > hadoop.security.group.mapping > > org.apache.hadoop.security.ShellBasedUnixGroupsMapping > > > group.mapping. > true > > > {code} -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2787) Upgrade Pac4J to v4.5.6
[ https://issues.apache.org/jira/browse/KNOX-2787?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583636#comment-17583636 ] ASF subversion and git services commented on KNOX-2787: --- Commit 2deaf375b9f7869b3e72982397eec34785378c40 in knox's branch refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from Sandeep Moré [ https://gitbox.apache.org/repos/asf?p=knox.git;h=2deaf375b ] KNOX-2787 - Upgrade pac4j to 4.5.6 (#621) > Upgrade Pac4J to v4.5.6 > --- > > Key: KNOX-2787 > URL: https://issues.apache.org/jira/browse/KNOX-2787 > Project: Apache Knox > Issue Type: Bug >Reporter: Sandeep More >Assignee: Sandeep More >Priority: Major > Fix For: 1.6.1 > > Time Spent: 20m > Remaining Estimate: 0h > -- This message was sent by Atlassian Jira (v8.20.10#820010)
[jira] [Commented] (KNOX-2779) support multiple hosts for gateway.host config
[ https://issues.apache.org/jira/browse/KNOX-2779?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17583631#comment-17583631 ] ASF subversion and git services commented on KNOX-2779: --- Commit d51173a83e364d6eacf19d9ac8823ea2afb807f5 in knox's branch refs/heads/dependabot/maven/org.postgresql-postgresql-42.4.1 from 南慧荣 [ https://gitbox.apache.org/repos/asf?p=knox.git;h=d51173a83 ] KNOX-2779 - support multiple hosts for gateway.host config (#613) > support multiple hosts for gateway.host config > -- > > Key: KNOX-2779 > URL: https://issues.apache.org/jira/browse/KNOX-2779 > Project: Apache Knox > Issue Type: Improvement >Reporter: nanhuirong >Priority: Major > Time Spent: 1h 10m > Remaining Estimate: 0h > > Knox may dispatch requests from multiple services and must listen on 0.0.0.0 > if the request is not on the same plane. For example, host A has three > network adapters and only two adapters receive requests, we must config > 0.0.0.0 for gateway.host, Thus, the knox servive may has security issues. > > I think that we can expose multiple hosts for gateway.host as follows: > > gateway.host > ip1,ip2... > > -- This message was sent by Atlassian Jira (v8.20.10#820010)