Posted to dev@knox.apache.org by larry mccay <lm...@apache.org> on 2015/12/10 20:36:06 UTC

Re: Knox SSO in Openstack Environments

I've had the opportunity to play around with this issue a bit and found:

1. default domains - when one isn't set by KnoxSSO a default domain is used
2. rather than setting a domain for things like ip addresses we should just
not set one
3. if a domainSuffix is configured then it can explicitly represent the
intention for supporting subdomains for that configured domain
4. if an ip address or localhost is being used then it is fine to limit
cookie domain to that particular host (local dev environment)

I am going to change the behavior to first check whether there is a
matching domainSuffix. If there is, take that as the cookie domain.
If there isn't and the request's hostname is an ip address, don't set one and
accept the default domain.
If there are fewer than 2 dots in a hostname then don't set one and accept
the default.
If there are more than 2 then strip the first element of the hostname
and use the remainder (with leading dot) as the cookie domain.

Tests will be updated to ensure the expected behavior.
This may require folks that are working from master to add additional
config to get their previous behavior.


On Mon, Nov 23, 2015 at 4:45 PM, larry mccay <lm...@apache.org> wrote:

> All -
>
> It seems that in openstack environments the hostname provided ends up
> looking like a domain since it only has a single "." in it.
>
> For instance, the following is an altered hostname in such an environment:
>
> vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal
>
> Current knoxsso logic treats a name like this as a domain and prepends a
> dot to the front to make the domain cookie. This behavior is inaccurate and
> ends up meaning that it is only ever sent to the machine where the knoxsso
> token has been acquired.
>
> What we really need is to create a domain cookie for .novalocal - this
> will ensure that the cookie is sent to all hosts in the same domain.
>
> While the existing logic makes sense for accessing resources at the domain
> level - say https://example.com:8443/gateway/sandbox/WEBHDFS - it does not
> when a single dotted name represents a single host.
>
> knoxsso.cookie.domain.suffix Parameter
>
> What I propose is that we add a service parameter to the WebSSO service.
> This parameter would indicate a set of strings that would match domains
> within a given hostname. For instance, if we get a hostname for the URL
> that looks like vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal
> and we have configured a domain.suffix of ".novalocal" that we would match
> that first and accept that as the domain for the knoxsso cookie.
>
> Best Match Semantics
>
> This check should also take the approach wherein the most specific domain
> is accepted over the least specific. Such that, "ljm.localnova" is accepted
> rather than ".localnova" when they both match.
>
> I will likely file a JIRA for this and POC the approach in the next couple
> days.
>
> Thoughts?
>
> thanks,
>
> --larry
>
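The cookie-domain selection described in the reply above (best-match domainSuffix, then ip address, then the dot-count rule) and the knoxsso.cookie.domain.suffix proposal in the quoted message, worked through as an added example. This is illustrative Python written for this page, not Knox's own Java code; it also models the pre-change behavior the thread describes (prepending a dot to any dotted hostname) so the two can be compared. The message leaves the exactly-two-dots case (e.g. knox.example.com) unstated; this example treats it like the more-than-two case and strips the first label, which is an assumption. The hostnames other than the .novalocal one are constructed inputs.

```python
import ipaddress
from typing import Optional, Sequence


def _normalize_suffix(suffix: str) -> str:
    """Return a configured suffix in leading-dot form, e.g. 'novalocal' -> '.novalocal'."""
    s = suffix.strip().lower()
    return s if s.startswith(".") else "." + s


def _is_ip_address(host: str) -> bool:
    """True for IPv4/IPv6 literals (brackets around IPv6 are tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def legacy_cookie_domain(host: str) -> Optional[str]:
    """Pre-change behavior as described in the thread: any hostname containing a dot
    is treated as a domain and gets a leading dot. For a single-dotted OpenStack
    name this yields a Domain that only ever matches the host that issued the token."""
    host = host.lower().rstrip(".")
    return "." + host if "." in host else None


def knoxsso_cookie_domain(host: str, domain_suffixes: Sequence[str] = ()) -> Optional[str]:
    """Proposed behavior. Returns the Domain attribute to set, or None to leave it
    unset so the browser falls back to a host-only cookie."""
    host = host.lower().rstrip(".")

    # 1. Configured domainSuffix wins; with several matches the most specific
    #    (longest) one is taken, per the best-match semantics in the proposal.
    matches = []
    for raw in domain_suffixes:
        suf = _normalize_suffix(raw)
        if host.endswith(suf) or host == suf[1:]:
            matches.append(suf)
    if matches:
        return max(matches, key=len)

    # 2. IP literals: do not set a Domain, accept the browser default.
    if _is_ip_address(host):
        return None

    # 3. Fewer than 2 dots (localhost, example.com, <vm>.novalocal): no Domain.
    labels = host.split(".")
    if len(labels) < 3:
        return None

    # 4. Otherwise strip the first label and use the remainder with a leading dot.
    #    Assumption: the exactly-2-dots case is handled the same way.
    return "." + ".".join(labels[1:])


if __name__ == "__main__":
    openstack_host = "vp-os-rh6-my-sim-amb220l-ljm2-3-8-151119-2018-1.novalocal"
    cases = [
        (openstack_host, []),
        (openstack_host, [".novalocal"]),
        ("host.ljm.novalocal", [".novalocal", "ljm.novalocal"]),  # best match
        ("knox.example.com", []),
        ("a.b.example.com", []),
        ("10.0.0.5", [".novalocal"]),
        ("localhost", []),
    ]
    for host, suffixes in cases:
        print(f"{host:60} legacy={legacy_cookie_domain(host)!s:62} "
              f"new={knoxsso_cookie_domain(host, suffixes)}")
```

The Domain attribute scopes the KnoxSSO token to every host under that domain, so a configured suffix should be as specific as the deployment allows; browsers also reject a Domain that is a public suffix such as .com, which is one more reason not to derive it blindly from the hostname.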