You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2021/01/26 10:23:44 UTC
[GitHub] [knox] smolnar82 commented on pull request #397: KNOX-2527 - Added support for HMAC signature/verification in JWT token authority
smolnar82 commented on pull request #397:
URL: https://github.com/apache/knox/pull/397#issuecomment-767448085
@lmccay - I tested it with different topologies come with different signature algorithms (HS256 and RS 256) and it was working as expected. Could you please give me another review and let me know if I can merge this PR?
HS256 test
----------
Created a 256 bit HMAC secret:
`bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 6w9zAB-E_H-McQfTjWnZr4u7x_A7D8F-`
```
curl -iku admin:admin-password https://localhost:8443/gateway/tokenhs256/knoxtoken/api/v1/token
{"access_token":"eyJhbG...RI2hKM",...,"token_type":"Bearer","expires_in":1611689480150}
```
gateway.log:
`2021-01-26 10:35:24,158 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenhs256) issued token eyJhbG...RI2hKM (7794004b-c3e8-4aea-9d69-226786948ace)`
Testing the acquired token: `curl -ik -H "Authorization: Bearer eyJhbG...RI2hKM" https://localhost:8443/gateway/tokenbased/hdfs`
gateway-audit.log:
```
21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET
21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|
```
RS256 test
----------
`curl -iku admin:admin-password https://localhost:8443/gateway/tokenrs256/knoxtoken/api/v1/token`
`{"access_token":"eyJhbG...xukCHw",...,"token_type":"Bearer","expires_in":1611690064630}`
gateway.log:
`2021-01-26 10:41:04,638 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenrs256) issued token eyJhbG...xukCHw (fffd212d-dba7-40c5-8325-3512203ffde2)`
Testing the acquired token: `curl -ik -H "Authorization: Bearer eyJhbG...xukCHw" https://localhost:8443/gateway/tokenbased/hdfs`
gateway-audit.log:
```
21/01/26 10:44:35 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET
21/01/26 10:44:45 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|
```
The only difference between the `tokenhs256` and tokenrs256` topologies is the configured signature algorithm:
```
<service>
<role>KNOXTOKEN</role>
<param>
<name>knox.token.ttl</name>
<value>36000000</value>
</param>
<param>
<name>knox.token.audiences</name>
<value>tokenbased</value>
</param>
<param>
<name>knox.token.target.url</name>
<value>https://localhost:8443/gateway/tokenbased</value>
</param>
<param>
<name>knox.token.sigalg</name>
<value>HS256</value>
</param>
</service>
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org