Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/05/24 09:45:00 UTC
[jira] [Work logged] (KNOX-2747) RemoteAliasService generates password without checking if it already exists
[ https://issues.apache.org/jira/browse/KNOX-2747?focusedWorklogId=773942&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-773942 ]
ASF GitHub Bot logged work on KNOX-2747:
----------------------------------------
Author: ASF GitHub Bot
Created on: 24/May/22 09:44
Start Date: 24/May/22 09:44
Worklog Time Spent: 10m
Work Description: zeroflag opened a new pull request, #581:
URL: https://github.com/apache/knox/pull/581
## What changes were proposed in this pull request?
RemoteAliasService always regenerates the password if generates=true, unlike the other implementation. This causes problems with HA deployments where the RemoteAliasService is used but the ZooKeeper-based keystore is turned off. Each Knox instance ends up having a different pac4j.password.
## How was this patch tested?
Using the following configs:
```
gateway.remote.alias.service.enabled=true
gateway.remote.config.monitor.client=zookeeper-client
gateway.service.alias.impl=org.apache.knox.gateway.services.security.impl.RemoteAliasService
gateway.remote.alias.service.config.type=zookeeper
gateway.remote.config.registry.zookeeper-client=type=ZooKeeper;address=ZKHOST:2181;authType=Kerberos;principal=knox@ROOT.HWX.SITE;keytab=/cdep/keytabs/knox.keytab;useKeyTab=true;useTicketCache=false
```
* I verified that redeployments and restarts don't change a user-generated password.
* I verified that after a clean start passwords are synchronized to both hosts.
Issue Time Tracking
-------------------
Worklog Id: (was: 773942)
Remaining Estimate: 0h
Time Spent: 10m
> RemoteAliasService generates password without checking if it already exists
> ---------------------------------------------------------------------------
>
> Key: KNOX-2747
> URL: https://issues.apache.org/jira/browse/KNOX-2747
> Project: Apache Knox
> Issue Type: Bug
> Reporter: Attila Magyar
> Assignee: Attila Magyar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> RemoteAliasService:
> {code}
> /* Generate a new password */
> if (generate) {
>   generateAliasForCluster(clusterName, alias);
> }
> {code}
> DefaultAliasService checks first
> {code}
> credential = keystoreService.getCredentialForCluster(clusterName, alias);
> if (credential == null && generate) {
>   generateAliasForCluster(clusterName, alias);
>   credential = keystoreService.getCredentialForCluster(clusterName, alias);
> }
> {code}
> This causes the Pac4jDispatcherFilter to regenerate the password at each topology change.
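The difference between the two snippets quoted above, as an added stand-alone example (not code from Knox or from the pull request): two gateway instances share one remote alias store, modelled here by an in-memory map. All class and method names and the `sandbox/pac4j.password` key are hypothetical, and the `putIfAbsent` step goes slightly beyond the quoted check by also covering two instances that start at the same moment.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class AliasGenerationDemo {
    // Stand-in for the shared remote alias store (ZooKeeper in the PR's setup).
    static final Map<String, String> remote = new ConcurrentHashMap<>();
    static final SecureRandom rng = new SecureRandom();

    static String randomPassword() {
        byte[] b = new byte[16];
        rng.nextBytes(b);
        return Base64.getEncoder().encodeToString(b);
    }

    // Behaviour described in the issue: generate whenever the flag is set,
    // overwriting whatever another instance stored earlier.
    static String alwaysGenerate(String key, boolean generate) {
        if (generate) {
            remote.put(key, randomPassword());
        }
        return remote.get(key);
    }

    // Check-first behaviour: generate only when nothing is stored yet.
    // putIfAbsent keeps the first writer's value if two instances race.
    static String generateIfAbsent(String key, boolean generate) {
        String current = remote.get(key);
        if (current == null && generate) {
            remote.putIfAbsent(key, randomPassword());
            current = remote.get(key);
        }
        return current;
    }

    public static void main(String[] args) {
        String key = "sandbox/pac4j.password"; // constructed cluster/alias pair
        // Each call represents one gateway instance deploying the same topology.
        String a = alwaysGenerate(key, true);
        String b = alwaysGenerate(key, true);
        System.out.println("always-generate, instances agree: " + a.equals(b));

        remote.clear();
        String c = generateIfAbsent(key, true);
        String d = generateIfAbsent(key, true);
        System.out.println("check-first, instances agree: " + c.equals(d));
    }
}
```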