Posted to dev@knox.apache.org by "Sandor Molnar (Jira)" <ji...@apache.org> on 2021/09/23 12:27:00 UTC
[jira] [Updated] (KNOX-2670) AliasBasedTokenStateService does not throw UnknownTokenException at revocation time
[ https://issues.apache.org/jira/browse/KNOX-2670?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Sandor Molnar updated KNOX-2670:
--------------------------------
Description:
*Steps to reproduce*
# Configure Knox to use the AliasBasedTokenStateService implementation
# Generate a token with 1 min lifespan on the token generation UI
# Revoke the token on the token management page
# Use the Knox token API to revoke the already revoked token again
The result is:
{noformat}
{ "revoked": "true" }
{noformat}
*Root cause analysis*
{{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}} but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it then {{DefaultTokenStateService.removeToken(String)}} will be invoked that has the required check.
The good news is that the token is not maintained in the memory or in the underlying keystore because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory but those implementations are tolerant to invoke a delete with a non-existing alias.
That means, the token was removed perfectly for the first time.
was:
*Steps to reproduce*
# *Configure Knox to use the AliasBasedTokenStateService implementation*
# *Generate a token with 1 min lifespan on the token generation UI*
# *Revoke the token on the token management page*
# *Use the Knox token API to revoke the already revoked token again*
The result is:
{noformat}
{ "revoked": "true" }
{noformat}
*Root cause analysis*
{{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}} but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it then {{DefaultTokenStateService.removeToken(String)}} will be invoked that has the required check.
The good news is that the token is not maintained in the memory or in the underlying keystore because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory but those implementations are tolerant to invoke a delete with a non-existing alias.
That means, the token was removed perfectly for the first time.
> AliasBasedTokenStateService does not throw UnknownTokenException at revocation time
> -----------------------------------------------------------------------------------
>
> Key: KNOX-2670
> URL: https://issues.apache.org/jira/browse/KNOX-2670
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 1.6.0
> Reporter: Sandor Molnar
> Assignee: Sandor Molnar
> Priority: Major
>
> *Steps to reproduce*
> # Configure Knox to use the AliasBasedTokenStateService implementation
> # Generate a token with 1 min lifespan on the token generation UI
> # Revoke the token on the token management page
> # Use the Knox token API to revoke the already revoked token again
> The result is:
> {noformat}
> { "revoked": "true" }
> {noformat}
>
> *Root cause analysis*
> {{AliasBasedTokenStateService.removeToken(String tokenId)}} claims it throws {{UnknownTokenException}} but this is not true since it's missing the {{validateToken(String)}} call. In fact, we would not even need that method: if we remove it then {{DefaultTokenStateService.removeToken(String)}} will be invoked that has the required check.
> The good news is that the token is not maintained in the memory or in the underlying keystore because {{AliasBasedTokenStateService.removeToken(Set<String> tokenIds)}} silently tries to remove the token from the keystore and from memory but those implementations are tolerant to invoke a delete with a non-existing alias.
> That means, the token was removed perfectly for the first time.
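The root cause described in the issue, reduced to a self-contained model (an added example, not Knox source code): an override that declares {{UnknownTokenException}} but skips the validation step reports a second revocation as successful, while dropping the override restores the inherited check. The class names {{DefaultModel}}, {{AliasModelAsReported}} and {{AliasModelFixed}}, the in-memory map and the token id are assumptions made for illustration.

```java
import java.util.*;

public class RevocationCheckDemo {
    static class UnknownTokenException extends Exception {
        UnknownTokenException(String id) { super("Unknown token: " + id); }
    }

    // Stand-in for DefaultTokenStateService: single-token removal validates first.
    static class DefaultModel {
        protected final Map<String, Long> expirations = new HashMap<>();
        void addToken(String id, long expiration) { expirations.put(id, expiration); }
        protected void validateToken(String id) throws UnknownTokenException {
            if (!expirations.containsKey(id)) throw new UnknownTokenException(id);
        }
        void removeToken(String id) throws UnknownTokenException {
            validateToken(id);
            removeTokens(Collections.singleton(id));
        }
        // Bulk removal tolerates ids that are not present, as the issue describes.
        protected void removeTokens(Set<String> ids) { expirations.keySet().removeAll(ids); }
    }

    // Models the reported behaviour: the override declares the exception
    // but never calls validateToken, so it cannot be thrown.
    static class AliasModelAsReported extends DefaultModel {
        @Override
        void removeToken(String id) throws UnknownTokenException {
            removeTokens(Collections.singleton(id));
        }
    }

    // Models the remedy named in the issue: no override, inherited check runs.
    static class AliasModelFixed extends DefaultModel { }

    // Revokes the same constructed token twice and records each outcome.
    static String revokeTwice(DefaultModel svc) {
        svc.addToken("t1", System.currentTimeMillis() + 60_000);
        StringBuilder out = new StringBuilder();
        for (int i = 0; i < 2; i++) {
            try { svc.removeToken("t1"); out.append("revoked "); }
            catch (UnknownTokenException e) { out.append("unknown "); }
        }
        return out.toString().trim();
    }

    public static void main(String[] args) {
        System.out.println("as reported:      " + revokeTwice(new AliasModelAsReported()));
        System.out.println("override removed: " + revokeTwice(new AliasModelFixed()));
    }
}
```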