Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/24 09:45:00 UTC

[jira] [Work logged] (KNOX-2747) RemoteAliasService generates password without checking if it already exists

     [ https://issues.apache.org/jira/browse/KNOX-2747?focusedWorklogId=773942&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-773942 ]

ASF GitHub Bot logged work on KNOX-2747:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 24/May/22 09:44
            Start Date: 24/May/22 09:44
    Worklog Time Spent: 10m 
      Work Description: zeroflag opened a new pull request, #581:
URL: https://github.com/apache/knox/pull/581

   ## What changes were proposed in this pull request?
   
   RemoteAliasService always regenerates the password if generates=true, unlike the other implementation. This causes problems with HA deployments where the RemoteAliasService is used but the ZooKeeper-based keystore is turned off. Each Knox instance ends up having a different pac4j.password.
   
   ## How was this patch tested?
   
   Using the following configs:
   
   ```
   gateway.remote.alias.service.enabled=true
   gateway.remote.config.monitor.client=zookeeper-client
   gateway.service.alias.impl=org.apache.knox.gateway.services.security.impl.RemoteAliasService
   gateway.remote.alias.service.config.type=zookeeper
   gateway.remote.config.registry.zookeeper-client=type=ZooKeeper;address=ZKHOST:2181;authType=Kerberos;principal=knox@ROOT.HWX.SITE;keytab=/cdep/keytabs/knox.keytab;useKeyTab=true;useTicketCache=false
   ```
   
   * I verified that redeployments and restarts don't change a user generated password.
   * I verified that after a clean start passwords are synchronized to both hosts.




Issue Time Tracking
-------------------

            Worklog Id:     (was: 773942)
    Remaining Estimate: 0h
            Time Spent: 10m

> RemoteAliasService generates password without checking if it already exists
> ---------------------------------------------------------------------------
>
>                 Key: KNOX-2747
>                 URL: https://issues.apache.org/jira/browse/KNOX-2747
>             Project: Apache Knox
>          Issue Type: Bug
>            Reporter: Attila Magyar
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
>     /* Generate a new password  */
>     if (generate) {
>       generateAliasForCluster(clusterName, alias);
>     }
> {code}
> DefaultAliasService checks first
> {code}
>       credential = keystoreService.getCredentialForCluster(clusterName, alias);
>       if (credential == null && generate) {
>         generateAliasForCluster(clusterName, alias);
>         credential = keystoreService.getCredentialForCluster(clusterName, alias);
>       }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each topology change.



--
This message was sent by Atlassian Jira
(v8.20.7#820007)
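
The two patterns quoted in the issue, side by side, as an added example that is not code from Knox or from the pull request: generating on every request replaces the stored secret, while a check-first lookup keeps a single value even when several instances ask at once. All class and method names are hypothetical, and an in-memory map stands in for the shared alias store (an assumption; a real remote store needs its own atomic create).

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

// Illustrative model only: class and method names are hypothetical, not Knox APIs.
public class AliasGenerationDemo {
  private static final SecureRandom RNG = new SecureRandom();
  // Stand-in for an alias store shared by all gateway instances.
  static final Map<String, String> STORE = new ConcurrentHashMap<>();

  static String randomPassword() {
    byte[] raw = new byte[24];
    RNG.nextBytes(raw);
    return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
  }

  // Pattern in the RemoteAliasService excerpt: generate whenever asked.
  static String unconditional(String cluster, String alias) {
    String value = randomPassword();
    STORE.put(cluster + "/" + alias, value); // overwrites any existing secret
    return value;
  }

  // Check-first pattern; computeIfAbsent makes the check and the write one atomic step.
  static String checkFirst(String cluster, String alias) {
    return STORE.computeIfAbsent(cluster + "/" + alias, k -> randomPassword());
  }

  public static void main(String[] args) throws InterruptedException {
    // Constructed scenario: the same topology is deployed twice.
    String first = unconditional("sandbox", "pac4j.password");
    String second = unconditional("sandbox", "pac4j.password");
    System.out.println("unconditional keeps password: " + first.equals(second));

    STORE.clear();
    // Eight simulated instances start at once and all request generation.
    Set<String> seen = ConcurrentHashMap.newKeySet();
    Thread[] instances = new Thread[8];
    for (int i = 0; i < instances.length; i++) {
      instances[i] = new Thread(() -> seen.add(checkFirst("sandbox", "pac4j.password")));
      instances[i].start();
    }
    for (Thread t : instances) {
      t.join();
    }
    System.out.println("distinct passwords with check-first: " + seen.size());
  }
}
```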