Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/11/13 12:16:00 UTC

[jira] [Work logged] (KNOX-2679) Trim Pac4j entitlements to avoid cookie too large issue.

     [ https://issues.apache.org/jira/browse/KNOX-2679?focusedWorklogId=681094&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-681094 ]

ASF GitHub Bot logged work on KNOX-2679:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 13/Nov/21 12:15
            Start Date: 13/Nov/21 12:15
    Worklog Time Spent: 10m 
      Work Description: moresandeep opened a new pull request #517:
URL: https://github.com/apache/knox/pull/517


   ## What changes were proposed in this pull request?
   There are cases where the IdP sends back custom attributes that might be too big. For instance, the groups name attribute could be `https://knox.apache.org/SAML/Attributes/groups`, which might contain a large number of groups that might prevent setting cookies properly. This patch adds the ability to remove custom attributes from the pac4j profile cookie.
   
   `pac4j.session.store.exclude.custom.attributes` is the configuration setting, and it takes a comma-separated list of values. The default is a blank string.
   
   ## How was this patch tested?
   This patch was tested on a local cluster.




Issue Time Tracking
-------------------

    Worklog Id:     (was: 681094)
    Time Spent: 1h 50m  (was: 1h 40m)

> Trim Pac4j entitlements to avoid cookie too large issue.
> --------------------------------------------------------
>
>                 Key: KNOX-2679
>                 URL: https://issues.apache.org/jira/browse/KNOX-2679
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Sandeep More
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> Currently with KnoxSSO, if the user is part of too many groups, the SAML assertion that we get back from the IdP is huge. This causes the hadoop-jwt cookie to not be set, throwing the SSO into a loop.
> Knox does not need groups; groups in Knox are figured out based on the hadoop-user-group lookup. We should be able to filter out groups from the SAML assertion.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
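
Added example, not part of the original message and not Knox or pac4j code: a sketch of the effect of `pac4j.session.store.exclude.custom.attributes` on cookie size. The JSON-plus-base64 encoding, the helper names and the sample profile are assumptions made for illustration; the 4096-byte figure is the per-cookie size RFC 6265 asks user agents to support.

```python
import base64
import json

COOKIE_LIMIT = 4096  # bytes per cookie that RFC 6265 asks user agents to support
GROUPS_ATTR = "https://knox.apache.org/SAML/Attributes/groups"  # name from the PR text


def parse_exclude_list(value):
    """Parse the comma-separated setting; a blank string excludes nothing."""
    return {name.strip() for name in value.split(",") if name.strip()}


def trim_profile(attributes, exclude_value):
    """Return a copy of the profile attributes without the excluded names."""
    excluded = parse_exclude_list(exclude_value)
    return {k: v for k, v in attributes.items() if k not in excluded}


def cookie_value_size(attributes):
    """Size of a stand-in cookie value (compact JSON, then base64).

    Assumed encoding for illustration only; the real profile cookie is
    serialized differently, but its size grows with the attributes too.
    """
    raw = json.dumps(attributes, separators=(",", ":")).encode("utf-8")
    return len(base64.urlsafe_b64encode(raw))


# Constructed sample: a user who is a member of 400 groups at the IdP.
SAMPLE_PROFILE = {
    "username": "alice",
    "email": "alice@example.com",
    GROUPS_ATTR: ["hadoop-group-%04d" % i for i in range(400)],
}


def demo():
    """Compare cookie size before and after trimming the groups attribute."""
    before = cookie_value_size(SAMPLE_PROFILE)
    trimmed = trim_profile(SAMPLE_PROFILE, " %s , " % GROUPS_ATTR)
    after = cookie_value_size(trimmed)
    return before, after, trimmed


if __name__ == "__main__":
    before, after, _ = demo()
    print("before trim: %d bytes (limit %d)" % (before, COOKIE_LIMIT))
    print("after trim:  %d bytes" % after)
```

With the default blank setting nothing is removed, so an oversized groups attribute still reaches the cookie.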