[jira] [Created] (KNOX-1577) Knox automatically derived dispatch whitelist doesn't seem to actually match the knox domain

["Kat Petre (JIRA)" <ji...@apache.org>]

Kat Petre created KNOX-1577:
-------------------------------

             Summary: Knox automatically derived dispatch whitelist doesn't seem to actually match the knox domain
                 Key: KNOX-1577
                 URL: https://issues.apache.org/jira/browse/KNOX-1577
             Project: Apache Knox
          Issue Type: Bug
          Components: Server
    Affects Versions: 1.1.0
            Reporter: Kat Petre
         Attachments: CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png

When the dispatch whitelist is not explicitly configured, Knox attempts to derive this whitelist based on the domain of the knox host. We can see this in the logs as follows:
{code:java}
2018-11-08 20:57:34,173 INFO knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://(.+\.honeypot\.hortonworks\.site):[0-9]+/?.*$
{code}

However, login via knox sso with this configuration is not possible. Upon closer inspection (with a regex editor) we see there are 4 unescaped forward slashes which cause the knox hostname (or hostname of another host on the same domain as knox) to not match the auto-configured whitelist. 

!CDC05871-10A2-43CE-8190-E6AAC51AC3D9.png!

(Thanks [~vrathor-hw] helping find this)

Escaping the forward slashes and explicitly configuring the whitelist with following example values seems to solve the problem, and allow login via knox sso. 
{code:java}
 <param>
 <name>knoxsso.redirect.whitelist.regex</name>
 <value>^https?:\/\/(.*\.honeypot\.hortonworks\.site|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
 </param>
{code}

If escaping the / as I did above is the correct workaround for this solution, should we configure the automatically derived whitelists to do this also?



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)