You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@knox.apache.org by "Phil Zampino (JIRA)" <ji...@apache.org> on 2018/11/09 19:00:00 UTC

[jira] [Work started] (KNOX-1577) Knox automatically derived dispatch whitelist doesn't seem to actually match the knox domain

     [ https://issues.apache.org/jira/browse/KNOX-1577?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Work on KNOX-1577 started by Phil Zampino.
------------------------------------------
> Knox automatically derived dispatch whitelist doesn't seem to actually match the knox domain
> --------------------------------------------------------------------------------------------
>
>                 Key: KNOX-1577
>                 URL: https://issues.apache.org/jira/browse/KNOX-1577
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.1.0
>            Reporter: Kat Petre
>            Assignee: Phil Zampino
>            Priority: Critical
>             Fix For: 1.2.0
>
>         Attachments: CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png
>
>
> When the dispatch whitelist is not explicitly configured, Knox attempts to derive this whitelist based on the domain of the knox host. We can see this in the logs as follows:
> {code:java}
> 2018-11-08 20:57:34,173 INFO knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://(.+\.honeypot\.hortonworks\.site):[0-9]+/?.*$
> {code}
> However, login via knox sso with this configuration is not possible. Upon closer inspection (with a regex editor) we see there are 4 unescaped forward slashes which cause the knox hostname (or hostname of another host on the same domain as knox) to not match the auto-configured whitelist. 
> !CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png!
> (Thanks [~vrathor-hw] helping find this)
> Escaping the forward slashes and explicitly configuring the whitelist with following example values seems to solve the problem, and allow login via knox sso. 
> {code:java}
>  <param>
>  <name>knoxsso.redirect.whitelist.regex</name>
>  <value>^https?:\/\/(.*\.honeypot\.hortonworks\.site|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
>  </param>
> {code}
> If escaping the / as I did above is the correct workaround for this solution, should we configure the automatically derived whitelists to do this also?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)