You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@knox.apache.org by pz...@apache.org on 2019/08/29 21:12:19 UTC

[knox] branch master updated: KNOX-2001 - KnoxSession should log a warning message when useSubjectCredsOnly is false

This is an automated email from the ASF dual-hosted git repository.

pzampino pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/knox.git


The following commit(s) were added to refs/heads/master by this push:
     new 880217d  KNOX-2001 - KnoxSession should log a warning message when useSubjectCredsOnly is false
880217d is described below

commit 880217d79543e7e029db391e2acdfc868a06ab61
Author: pzampino <pz...@cloudera.com>
AuthorDate: Thu Aug 29 16:43:02 2019 -0400

    KNOX-2001 - KnoxSession should log a warning message when useSubjectCredsOnly is false
---
 .../src/main/java/org/apache/knox/gateway/shell/KnoxSession.java  | 8 ++++++++
 .../java/org/apache/knox/gateway/shell/KnoxShellMessages.java     | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSession.java b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSession.java
index 7c817f4..3952a1c 100644
--- a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSession.java
+++ b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxSession.java
@@ -326,6 +326,14 @@ public class KnoxSession implements Closeable {
         System.setProperty("sun.security.jgss.debug", "true");
       }
 
+      // (KNOX-2001) Log a warning if the useSubjectCredsOnly restriction is "relaxed"
+      String useSubjectCredsOnly = System.getProperty("javax.security.auth.useSubjectCredsOnly");
+      if (useSubjectCredsOnly != null) {
+        if (!Boolean.valueOf(useSubjectCredsOnly)) {
+          LOG.useSubjectCredsOnlyIsFalse();
+        }
+      }
+
       final Registry<AuthSchemeProvider> authSchemeRegistry =
           RegistryBuilder.<AuthSchemeProvider>create().register(AuthSchemes.SPNEGO, new SPNegoSchemeFactory(true)).build();
 
diff --git a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxShellMessages.java b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxShellMessages.java
index 16c05bc..4c188db 100644
--- a/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxShellMessages.java
+++ b/gateway-shell/src/main/java/org/apache/knox/gateway/shell/KnoxShellMessages.java
@@ -59,4 +59,8 @@ public interface KnoxShellMessages {
   @Message( level = MessageLevel.DEBUG, text = "JAAS configuration: {0}" )
   void jaasConfigurationLocation(String location);
 
+  @Message( level = MessageLevel.WARN,
+            text = "The javax.security.auth.useSubjectCredsOnly system property is set to 'false'; This may yield unexpected results with respect to Kerberos authentication." )
+  void useSubjectCredsOnlyIsFalse();
+
 }