Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/03/15 01:27:00 UTC

[jira] [Commented] (KNOX-2551) Token state management improvements

    [ https://issues.apache.org/jira/browse/KNOX-2551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17301316#comment-17301316 ] 

ASF subversion and git services commented on KNOX-2551:
-------------------------------------------------------

Commit ca909964cf0c61a205ce6dee2978ff19b4f13839 in knox's branch refs/heads/master from Sandor Molnar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=ca90996 ]

KNOX-2551 - Token state management improvements (#414)

* KNOX-2551 - AliasBasedTokenStateService is the default token state service implementation

* KNOX-2551 - Fixed parameter index in various token related log messages

* KNOX-2551 - Creating sub-nodes in ZK in case Knox Tokens are stored under /knox/security/topology/__gateway

* KNOX-2551 - To address the side effects of optimistic replication in HA mode the ZK token state service retries to fetch tokens from ZK until it's found or the configured persistence interval is exceeded

* KNOX-2551 - Avoid removing --max aliases from the unpersisted in-memory collection

* KNOX-2551 - ZK token state service performance improvements

Major changes:
- ZK token state service configures ZKRemoteAliasService to not use local keystore
- ZK token state service implements loadTokensFromPersistenceStore to avoid keystore lookup from parent; it actually does nothing as ZK entry change listeners populate in-memory collections in DefaultTokenStateService
- token eviction runs independently of loadTokensFromPersistenceStore (not like in AliasBasedTokenStateService as we no longer need to consider the global keystore locking in DefaultKeystoreService)

* KNOX-2551 - Fixed addAlias in ZKRemoteAliasService to support saving updated data for already existing aliases

* KNOX-2551 - Monitoring the token persister thread and re-initiating it in case an error occurred during task execution

> Token state management improvements
> -----------------------------------
>
>                 Key: KNOX-2551
>                 URL: https://issues.apache.org/jira/browse/KNOX-2551
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>    Affects Versions: 1.5.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Critical
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> In this Jira a bunch of token management improvements is added:
>  * AliasBasedTokenStateService is the default token state service implementation
>  * Fixing parameter index in various token related log messages
>  * Knox Token related aliases are stored under {{/knox/security/topology/__gateway/tokens}}
>  * Addressing the side effects of optimistic replication in Knox HA mode using the ZK token state service
>  * Avoid removing --max aliases from the unpersisted in-memory collection
>  * ZK token state service performance improvements
>  ** ZK token state service should configure ZKRemoteAliasService to not use local keystore
>  ** ZK token state service should implement {{loadTokensFromPersistenceStore}} to avoid keystore lookup from the parent; it actually should do nothing as ZK entry change listeners populate in-memory collections in DefaultTokenStateService
>  ** token eviction should run independently of {{loadTokensFromPersistenceStore}} (not like in AliasBasedTokenStateService as we no longer need to consider the global keystore locking in {{DefaultKeystoreService}})
>  * Fixing {{addAlias}} in {{ZKRemoteAliasService}} to support saving updated data for already existing aliases
>  * The token persister thread should be monitored and re-initiated in case an error occurs during task execution



--
This message was sent by Atlassian Jira
(v8.3.4#803005)