Posted to dev@knox.apache.org by Sumit Gupta <su...@hortonworks.com> on 2017/03/08 18:53:24 UTC

[CANCEL] [VOTE] Release Apache Knox 0.12.0

As per the discussion below the VOTE for release is being cancelled.

Sumit.

On 3/8/17, 1:51 PM, "Sumit Gupta" <su...@hortonworks.com> wrote:

>Thanks for the catch Larry and Vincent. This may have been a merge issue
>on my part as well. In any case I agree that the release cannot go out
>with this bug. My vote is also -1. I'll cancel the vote and file a JIRA
>for the issue to be fixed.
>
>Thanks everyone for testing the RC and stay tuned for the next one.
>
>Sumit.
>
>
>On 3/8/17, 1:19 PM, "Vincent Devillers" <vi...@layer4.fr>
>wrote:
>
>>@larry
>>
>>You are right, in the Hadoop class it should be:
>>
>>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>>if (clientContext.connection().secure()) {
>>  hostnameVerifier =
>>SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>>  trustStrategy = null;
>>} else {
>>
>>instead of:
>>
>>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>>if (clientContext.connection().secure()) {
>>  hostnameVerifier =
>>SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>>} else {
>>
>>
>>The trustStrategy must be null in order to keep the default
>>X509TrustManager defined for the default ssl algorithm.
>>My bad...
>>
>>*Vincent Devillers*
>>
>>tel.: +33 615053430
>>email: vincent.devillers@layer4.fr
>>blog: https://blog.layer4.fr
>>
>>2017-03-08 18:37 GMT+01:00 larry mccay <lm...@apache.org>:
>>
>>> Unfortunately, I have found what I view as a showstopper.
>>> We had a regression in the knoxshell with respect to requiring proper
>>>trust
>>> of the cert presented by the gateway.
>>> Somewhere along the line the TrustSelfSignedStrategy was added back and
>>> self-signed certs now get a free pass.
>>> This needs to be fixed to protect against MITM attacks, etc.
>>>
>>> Here is my -1.
>>>
>>>
>>> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden
>>><co...@gmail.com>
>>> wrote:
>>>
>>> > +1 (non-binding)
>>> >
>>> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0
>>>RC
>>> > * Verified that Knox Solr service definition was able to connect to
>>> > Kerberized Solr
>>> > * Verified both API and UI
>>> > * Verified basic auth through LDAP works
>>> >
>>> > Kevin Risden
>>> >
>>> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com>
>>> > wrote:
>>> >
>>> > > Thanks Sumit for setting up the release !
>>> > >
>>> > > +1 (binding)
>>> > >
>>> > > * Downloaded and built from source (with Java 1.8.0_101)
>>> > > * Checked LICENSE and NOTICE files
>>> > > * Verified GPG/MD5/SHA signatures
>>> > > * Installed pseudo-distributed instance (Mac OS X)
>>> > > * Ran through knox tests
>>> > > * Checked websocket functionality
>>> > > * Checked JavaScript compression (Ambari UI)
>>> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
>>> > >
>>> > >  :-) My first binding vote
>>> > >
>>> > > Best,
>>> > > Sandeep
>>> > >
>>> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org>
>>>wrote:
>>> > >
>>> > > > A candidate for the Apache Knox 0.12.0 release is available at:
>>> > > >
>>> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
>>> > > >
>>> > > > The release candidate is a zip archive of the sources in:
>>> > > >
>>> > > > https://git-wip-us.apache.org/repos/asf/knox.git
>>> > > > Branch v0.12.0 (git checkout -b v0.12.0)
>>> > > >
>>> > > > The KEYS file for signature validation is available at:
>>> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
>>> > > >
>>> > > > Please vote on releasing this package as Apache Knox 0.12.0.
>>> > > > The vote is open for the next 72 hours and passes if a majority
>>>of at
>>> > > > least three +1 Apache Knox PMC votes are cast.
>>> > > >
>>> > > > [ ] +1 Release this package as Apache Knox 0.12.0
>>> > > > [ ] -1 Do not release this package because...
>>> > > >
>>> > >
>>> >
>>>
>
>


Re: [CANCEL] [VOTE] Release Apache Knox 0.12.0

Posted by larry mccay <lm...@apache.org>.
We should default the variable to null and only set it conditionally.
This will allow us to fail securely rather than insecurely.

This may have been introduced when I had to merge the knoxtoken branch into
that change.
It was a troublesome merge as I recall.

On Wed, Mar 8, 2017 at 1:53 PM, Sumit Gupta <su...@hortonworks.com>
wrote:

> As per the discussion below the VOTE for release is being cancelled.
>
> Sumit.
>
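The fail-secure construction Larry describes, as an added example that is not code from the Knox project: the strict hostname verifier and a null trust strategy are the initial values, and the relaxed pair (`NoopHostnameVerifier`, `TrustSelfSignedStrategy`) is assigned only inside the explicit non-secure branch, so a missed or mis-merged branch leaves the client checking the gateway certificate. It assumes Apache HttpClient 4.4+ on the classpath; `secure` stands in for the page's `clientContext.connection().secure()` flag, and the class and method names are hypothetical.

```java
// Added example, not code from the Knox project: a fail-secure way to build the knoxshell
// HttpClient TLS settings discussed in the thread. Assumes Apache HttpClient 4.4+ on the
// classpath. 'secure' stands in for clientContext.connection().secure(); the class and
// method names are hypothetical.
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;

public class FailSecureTlsClient {

    /** The two knobs the thread is about. A null trustStrategy keeps the JVM's default X509TrustManager. */
    static final class TlsPolicy {
        final HostnameVerifier hostnameVerifier;
        final TrustStrategy trustStrategy;

        TlsPolicy(HostnameVerifier hostnameVerifier, TrustStrategy trustStrategy) {
            this.hostnameVerifier = hostnameVerifier;
            this.trustStrategy = trustStrategy;
        }
    }

    /**
     * Strict settings are the initial values; the relaxed settings are only assigned in the
     * explicit non-secure branch. A missed or mis-merged branch therefore fails closed:
     * the client keeps default hostname verification and default certificate trust.
     */
    static TlsPolicy policyFor(boolean secure) {
        HostnameVerifier hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
        TrustStrategy trustStrategy = null; // null => default trust manager (cacerts / configured truststore)
        if (!secure) {
            // Deliberate opt-in for local/dev endpoints only: no hostname check, self-signed accepted.
            hostnameVerifier = NoopHostnameVerifier.INSTANCE;
            trustStrategy = TrustSelfSignedStrategy.INSTANCE;
        }
        return new TlsPolicy(hostnameVerifier, trustStrategy);
    }

    /** Builds the client. With trustStrategy == null, SSLContextBuilder wires in the default X509TrustManager. */
    static CloseableHttpClient newClient(boolean secure) throws GeneralSecurityException {
        TlsPolicy policy = policyFor(secure);
        SSLContext sslContext = SSLContexts.custom()
                .loadTrustMaterial((KeyStore) null, policy.trustStrategy)
                .build();
        SSLConnectionSocketFactory socketFactory =
                new SSLConnectionSocketFactory(sslContext, policy.hostnameVerifier);
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }

    public static void main(String[] args) throws Exception {
        // Quick self-check of the policy selection; no network access needed.
        TlsPolicy strict = policyFor(true);
        TlsPolicy relaxed = policyFor(false);
        System.out.println("secure=true  -> trustStrategy=" + strict.trustStrategy
                + ", verifier=" + strict.hostnameVerifier.getClass().getSimpleName());
        System.out.println("secure=false -> trustStrategy=" + relaxed.trustStrategy.getClass().getSimpleName()
                + ", verifier=" + relaxed.hostnameVerifier.getClass().getSimpleName());
        if (strict.trustStrategy != null || strict.hostnameVerifier == NoopHostnameVerifier.INSTANCE) {
            throw new IllegalStateException("secure connection must not relax trust or hostname checks");
        }
        try (CloseableHttpClient client = newClient(true)) {
            System.out.println("built strict client: " + client.getClass().getSimpleName());
        }
    }
}
```

The self-check in `main` is the regression guard the thread was missing: on the secure path the trust strategy must stay null and the verifier must not be the no-op one, otherwise a merge that reintroduces `TrustSelfSignedStrategy` on the secure branch is caught before release rather than by an RC reviewer.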