You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "jeff (JIRA)" <ji...@apache.org> on 2016/08/09 01:44:20 UTC
[jira] [Commented] (KNOX-730) pac4jRequestedUrl = null after saml2
assertion is parsed
[ https://issues.apache.org/jira/browse/KNOX-730?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15412814#comment-15412814 ]
jeff commented on KNOX-730:
---------------------------
This is what we have configured in IDP for Hadoop:
<item key="TARGET" value="https://tchdpm01.lmig.com:8445/gateway/knoxsso2/api/v1/websso?pac4jCallback=true&client_name=SAML2Client" />
<item key="ENTITY_ID" value="https://tchdpm01.lmig.com:8445/gateway/knoxsso2/api/v1/websso?pac4jCallback=true&client_name=SAML2Client" />
<item key="RP_CERT" value="certs//hadoop_dev.cer" />
I will also attaché the cert used
> pac4jRequestedUrl = null after saml2 assertion is parsed
> --------------------------------------------------------
>
> Key: KNOX-730
> URL: https://issues.apache.org/jira/browse/KNOX-730
> Project: Apache Knox
> Issue Type: Bug
> Components: Server
> Affects Versions: 0.9.0
> Environment: rhel
> Reporter: jeff
> Labels: idp, security
>
> We are working with a hadoop system and trying to get the knox saml2 support working with our IDP. (note, this is not Okta but another IDP we use with many of our commercial clients internal and external.)
> We have successfully configured knox 0.9.0 to handle the redirection to idp, we clearly see the assertion being passed back and being parsed by the pc4j component and the requestedurl being stored.
> HOWEVER, it seems that when knox goes to retrieve this info, it finds a null.
> (from last line of log snippet below) 2016-07-22 13:16:27,818 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: pac4jRequestedUrl = null
> and therefore the final redirect seems to default to '/' instead of the actual requestedurl (in this case https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS)
> 2016-07-22 13:13:03,911 INFO hadoop.gateway (GatewayServer.java:startGateway(294)) - Started gateway on port 8,445.
> 2016-07-22 13:15:58,995 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:15:59,736 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:15:59,737 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl = https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:15:59,833 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState = null
> 2016-07-22 13:15:59,927 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:16,179 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: GET /webhdfs/v1/
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: pac4jUserProfile = null
> 2016-07-22 13:16:16,180 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: pac4jRequestedUrl = https://tchdpm01.lmig.com:8445/gateway/knoxsso2/webhdfs/v1/?op=LISTSTATUS
> 2016-07-22 13:16:16,182 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: samlRelayState =
> 2016-07-22 13:16:16,268 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: samlRelayState =
> 2016-07-22 13:16:27,641 DEBUG hadoop.gateway (GatewayFilter.java:doFilter(116)) - Received request: POST /api/v1/websso
> 2016-07-22 13:16:27,813 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: SAML2Client$attemptedAuthentication = null
> 2016-07-22 13:16:27,814 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:set(105)) - Save in session: pac4jUserProfile = <SAML2Profile> | id: n0251132 | attributes: {Products=[], Groups=[cn=ram_am_im_infc_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_am_im_infc_AllUsers,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=lram_portal_claims,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=lram_portal_billing,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=kev_test_grp1,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=cp_planit,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cp_is_users,cn=Products,ou=Groups,o=Liberty,o=Intranet^cn=sec_it_only,cn=products,ou=groups,o=Liberty,o=Intranet^cn=cm_SSL_Remote_Access,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=sec_twofactor_population,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_dashboard_standard,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_AM_IM_Hyp_Admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sasa_scheduling,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_sas_adm_99,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=am_wasadmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_WASAdmin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_pwrcntr_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ets_libertyforge_git,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_ats_datatools_admin,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_capsmlinsecureconnect,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_data_innov_developer,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=cp_SS_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=pm_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ram_DBaaS,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_HadoopPOC,cn=Products,ou=Groups,o=Liberty,o=intranet^cn=ci_Hadoop_RangerPOC,cn=Products,ou=Groups,o=Liberty,o=intranet], FirstName=[XXXXXX], PhoneNumber=[], LastName=[XXXXXXXXX], CustomerId=[], EmailAddress=[XXXXXXX@LIBERTYMUTUAL.COM]} | roles: [] | permissions: [] | isRemembered: false |
> 2016-07-22 13:16:27,818 DEBUG session.KnoxSessionStore (KnoxSessionStore.java:get(90)) - Get from session: pac4jRequestedUrl = null
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)