Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2022/05/24 09:44:27 UTC

[GitHub] [knox] zeroflag opened a new pull request, #581: KNOX-2747 RemoteAliasService generates password without checking if it already exists

zeroflag opened a new pull request, #581:
URL: https://github.com/apache/knox/pull/581

   ## What changes were proposed in this pull request?
   
   RemoteAliasService always regenerates the password if generates=true, unlike the other implementation. This causes problems with HA deployments where the RemoteAliasService is used but the ZooKeeper-based keystore is turned off. Each Knox instance ends up having a different pac4j.password.
   
   ## How was this patch tested?
   
   Using the following configs:
   
   ```
   gateway.remote.alias.service.enabled=true
   gateway.remote.config.monitor.client=zookeeper-client
   gateway.service.alias.impl=org.apache.knox.gateway.services.security.impl.RemoteAliasService
   gateway.remote.alias.service.config.type=zookeeper
   gateway.remote.config.registry.zookeeper-client=type=ZooKeeper;address=ZKHOST:2181;authType=Kerberos;principal=knox@ROOT.HWX.SITE;keytab=/cdep/keytabs/knox.keytab;useKeyTab=true;useTicketCache=false
   ```
   
   * I verified that redeployments and restarts don't change a user-generated password.
   * I verified that after a clean start passwords are synchronized to both hosts.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscribe@knox.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
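
The difference between always generating and generating only when no value exists, as an added example that is not part of the pull request or of Knox's code. The class, its methods and the `sandbox` cluster name are hypothetical; the in-memory map stands in for wherever the aliases are persisted.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical model of an alias store; this is not Knox's RemoteAliasService.
public class AliasGenerationDemo {
  private static final SecureRandom RANDOM = new SecureRandom();
  private static final char[] ALPHABET =
      "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

  // Stands in for the persisted aliases (key = cluster + "/" + alias).
  private final Map<String, char[]> store = new ConcurrentHashMap<>();

  static char[] randomPassword(int length) {
    char[] out = new char[length];
    for (int i = 0; i < length; i++) {
      out[i] = ALPHABET[RANDOM.nextInt(ALPHABET.length)];
    }
    return out;
  }

  // The behaviour the PR describes as the bug: every call overwrites the stored value.
  char[] generateAlways(String cluster, String alias) {
    char[] fresh = randomPassword(16);
    store.put(cluster + "/" + alias, fresh);
    return fresh;
  }

  // Check before generating: an existing value wins. computeIfAbsent makes the
  // check and the write a single atomic step within this map.
  char[] generateIfAbsent(String cluster, String alias) {
    return store.computeIfAbsent(cluster + "/" + alias, k -> randomPassword(16));
  }

  public static void main(String[] args) {
    // Two calls model a deployment followed by a redeployment of the same topology.
    AliasGenerationDemo buggy = new AliasGenerationDemo();
    char[] first = buggy.generateAlways("sandbox", "pac4j.password");
    char[] again = buggy.generateAlways("sandbox", "pac4j.password");
    System.out.println("always-generate keeps value: " + Arrays.equals(first, again));

    AliasGenerationDemo fixed = new AliasGenerationDemo();
    char[] a = fixed.generateIfAbsent("sandbox", "pac4j.password");
    char[] b = fixed.generateIfAbsent("sandbox", "pac4j.password");
    System.out.println("generate-if-absent keeps value: " + Arrays.equals(a, b));
  }
}
```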


[GitHub] [knox] zeroflag commented on a diff in pull request #581: KNOX-2747 RemoteAliasService generates password without checking if it already exists

Posted by GitBox <gi...@apache.org>.
zeroflag commented on code in PR #581:
URL: https://github.com/apache/knox/pull/581#discussion_r883106816


##########
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTestProvider.java:
##########
@@ -88,7 +88,8 @@ public void removeAliasesForCluster(String clusterName, Set<String> aliases) thr
 
     @Override
     public char[] getPasswordFromAliasForCluster(String clusterName, String alias) {
-      return aliases.getOrDefault(clusterName, new HashMap<>()).get(alias).toCharArray();
+      String value = aliases.getOrDefault(clusterName, new HashMap<>()).get(alias);
+      return value == null ? null : value.toCharArray();
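
Review bot: the new `return value == null ? null : value.toCharArray();` line makes `getPasswordFromAliasForCluster` return `null` for an alias that is not stored, where the removed line threw a NullPointerException, and nothing in the hunk documents that. A one-line comment or Javadoc on the method stating that `null` means "alias not present" would make the contract explicit for the test that depends on it, and any caller that goes on to use the returned `char[]` needs a null check.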

Review Comment:
   It is because of the new test (this is also test code). We simulate that there is no password yet and check if the password was generated.





[GitHub] [knox] pzampino commented on a diff in pull request #581: KNOX-2747 RemoteAliasService generates password without checking if it already exists

Posted by GitBox <gi...@apache.org>.
pzampino commented on code in PR #581:
URL: https://github.com/apache/knox/pull/581#discussion_r882870933


##########
gateway-server/src/test/java/org/apache/knox/gateway/services/security/impl/RemoteAliasServiceTestProvider.java:
##########
@@ -88,7 +88,8 @@ public void removeAliasesForCluster(String clusterName, Set<String> aliases) thr
 
     @Override
     public char[] getPasswordFromAliasForCluster(String clusterName, String alias) {
-      return aliases.getOrDefault(clusterName, new HashMap<>()).get(alias).toCharArray();
+      String value = aliases.getOrDefault(clusterName, new HashMap<>()).get(alias);
+      return value == null ? null : value.toCharArray();
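
Review bot: on the `String value = ...` line, `getOrDefault(clusterName, new HashMap<>())` allocates a throwaway map on every lookup for a cluster that has no entry. Since the default is only read from, `Collections.emptyMap()` would state that intent and avoid the allocation, for example `aliases.getOrDefault(clusterName, Collections.emptyMap()).get(alias)`.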

Review Comment:
   This is only needed now because the password may be null since it's not ALWAYS being generated?





[GitHub] [knox] zeroflag merged pull request #581: KNOX-2747 RemoteAliasService generates password without checking if it already exists

Posted by GitBox <gi...@apache.org>.
zeroflag merged PR #581:
URL: https://github.com/apache/knox/pull/581

