Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Great, thanks Larry ! On Fri, Jul 20, 2018 at 10:53 AM larry mccay wrote: > I just pushed KNOX-1394 for changing the default whitelist to align with > the DEMO LDAP config in gateway-site.xml. > This will realign with the dev and demo environment assumptions that Knox > has always had OOTB. > >

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

I just pushed KNOX-1394 for changing the default whitelist to align with the DEMO LDAP config in gateway-site.xml. This will realign with the dev and demo environment assumptions that Knox has always had OOTB. I will cut an RC shortly. On Fri, Jul 20, 2018 at 12:40 AM, larry mccay wrote: >

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Yes, along with ERROR level logging when falling back to specific host/ip or localhost variants. On Thu, Jul 19, 2018, 11:48 PM Philip Zampino wrote: > Sure, but I'm also going to implement the following for the default > behavior (when the DEFAULT value is specified for the whitelist

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Sure, but I'm also going to implement the following for the default behavior (when the DEFAULT value is specified for the whitelist property): 1. Attempt to determine the domain from the X-Forwarded-Host header value 2. If domain could not be determined, attempt to determine the domain

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Yes, does that sound appropriate to you? If the LDAP config in gateway-site.xml gets updated to product the whitelist would be in the same place. On Thu, Jul 19, 2018 at 6:26 PM, Philip Zampino wrote: > I am working on a solution for the ip address being treated as a hostname > issue. > > On

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

I am working on a solution for the ip address being treated as a hostname issue. On Thu, Jul 19, 2018 at 6:24 PM larry mccay wrote: > Playing around a bit more, I noticed that there is nondeterministic > behavior of the default whitelist feature. > Especially on macs - since the hostname ends

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

To be clear, you're suggesting an explicit whitelist in gateway.xml, which permits the various forms of "localhost"? On Thu, Jul 19, 2018 at 6:24 PM larry mccay wrote: > Playing around a bit more, I noticed that there is nondeterministic > behavior of the default whitelist feature. > Especially

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Playing around a bit more, I noticed that there is nondeterministic behavior of the default whitelist feature. Especially on macs - since the hostname ends up being any number of things. I have noticed the following things when there is no explicit whitelist configured: * ip address based

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

The fix for the filter NPEs has been committed to 1.1.0 and master. I don't believe the other exception is related. On Thu, Jul 19, 2018 at 4:15 PM larry mccay wrote: > @Phil, I see a couple commits land that seem to address the NPE. > Is that correct? > > I have also seen an

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Perfect, thanks ! On Thu, Jul 19, 2018 at 6:12 PM larry mccay wrote: > Awesome - just checked it out and I will kick off a new build shortly! > > On Thu, Jul 19, 2018 at 6:01 PM, Sandeep Moré > wrote: > > > Hello Larry, > > > > I committed the fix to master and v1.1.0, it is under the JIRA

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Awesome - just checked it out and I will kick off a new build shortly! On Thu, Jul 19, 2018 at 6:01 PM, Sandeep Moré wrote: > Hello Larry, > > I committed the fix to master and v1.1.0, it is under the JIRA KNOX-1391 > . > we should be good to to

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Hello Larry, I committed the fix to master and v1.1.0, it is under the JIRA KNOX-1391 . we should be good to to cut the RC, provided there are no more issues ! Thanks ! Sandeep On Thu, Jul 19, 2018 at 4:25 PM larry mccay wrote: > Awesome,

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Cool, will keep the list posted. On Thu, Jul 19, 2018 at 4:25 PM larry mccay wrote: > Awesome, @sandeep! > I'll keep an eye out. > > Once that lands, you can bump this thread and I'll cut the RC. > Obviously, we will need it in both master and v1.1.0 branches. > > On Thu, Jul 19, 2018 at 4:19

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Awesome, @sandeep! I'll keep an eye out. Once that lands, you can bump this thread and I'll cut the RC. Obviously, we will need it in both master and v1.1.0 branches. On Thu, Jul 19, 2018 at 4:19 PM, Sandeep Moré wrote: > Hello Larry, > > Yes, I have seen those exceptions, they seem to be

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Hello Larry, Yes, I have seen those exceptions, they seem to be happening fairly consistently and only for KnoxSSO redirects when trying to access admin UI, I am taking a look at them as we speak, will open up a JIRA for it as well. It would be good if we can get it in, I will try to get the fix

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

@Phil, I see a couple commits land that seem to address the NPE. Is that correct? I have also seen an IllegalStateException during redirect from Admin UI to KnoxSSO. Has anyone seen this and/or is working on it - is it related to the NPE? I don't think it is since I see it more frequently and not

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Agreed, Phil. I have cut an RC but we need to address this first. I'll hold off on announcing it. On Fri, Jul 13, 2018, 11:36 AM Phil Zampino wrote: > During some testing of the proposed 1.1.0 code, I've discovered some NPEs > in filters (e.g., AclsAuthorizationFilter,

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

During some testing of the proposed 1.1.0 code, I've discovered some NPEs in filters (e.g., AclsAuthorizationFilter, HadoopGroupProviderFilter), which are concerning. I've committed a change to address the AclsAuthorizationFilter, but seeing similar behavior for the HadoopGroupProviderFilter has

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

+1, I think the tightly-scoped 1.2.0 release is a great approach for knocking out some of the cloud-related tasks. On Wed, Jul 4, 2018 at 1:18 PM larry mccay wrote: > All - > > We are done to around 4 JIRAs marked as 1.1.0 issues. > > I am thinking about branching for the release where we can

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

+1 Thanks Larry, sounds good. Best, Sandeep On Wed, Jul 4, 2018 at 1:18 PM larry mccay wrote: > All - > > We are done to around 4 JIRAs marked as 1.1.0 issues. > > I am thinking about branching for the release where we can continue the > work on the final changes but also start the planning

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

All - We are done to around 4 JIRAs marked as 1.1.0 issues. I am thinking about branching for the release where we can continue the work on the final changes but also start the planning of 1.2.0. The 1.1.0 release has been largely taken up with improvements in disovery/topology generation, HA

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

All - I'd like to point out that we need to start pulling in the 1.1.0 release. I see lots of progress and collaboration on some important ecosystem UIs which is great. As well as a couple really good features have made it in - like the remote alias service support! I would like to try and reset

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

I'm not sure if it merits an entire KIP, but I think it would be worthwhile to provide a distributed/remote alias service (ala KNOX-1187 ) in the 1.1.0 release. This would make the management of Knox topologies via ZooKeeper more complete, allowing

Re: [DISCUSS] Planning for Apache Knox 1.1.0 Release

Thanks for starting the discussion Larry. I can take care of the Logout of KnoxSSO KIP, been thinking about it a lot lately, I will start a KIP and kickoff a discussion. The cloud KIP sounds great, we can finally iron out the Azure AD integration with this one. I haven't looked at the Jiras but