Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2020/10/13 14:48:06 UTC

[GitHub] [knox] smolnar82 opened a new pull request #381: KNOX-2462 - Make credential store type configurable

smolnar82 opened a new pull request #381:
URL: https://github.com/apache/knox/pull/381


   KNOX-2463 - Let end-users customize security algorithm for internal credential stores
   KNOX-2464 - KnoxCLI should pass GatewayConfig when setting up master secret so that encryptor becomes initialized
   
   ## What changes were proposed in this pull request?
   
   This PR contains the resolution for 3 JIRAs at once (using different commits, of course) as they are related to each other. In these commits, I made sure that:
   - credential store type is configurable via `gateway-site.xml` (defaults to `JCEKS`)
   - the algorithm Knox uses when creating an entry in a credential is configurable via `gateway-site.xml` (defaults to `AES`)
   - fixed the bug in KnoxCLI of not considering inputs from `gateway-site.xml`
   
   ## How was this patch tested?
   
   Tested manually in a CM managed cluster where I set:
   ```
   gateway.credential.store.type = BCFKS
   gateway.credential.store.alg = HMACSHA512
   gateway.crypto.salt.size = 16
   ```
   All changes were picked up and Knox functioned as expected.


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [knox] smolnar82 commented on pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
smolnar82 commented on pull request #381:
URL: https://github.com/apache/knox/pull/381#issuecomment-707798106


   Do you mean if credential store type changes AND Knox is restarted?





[GitHub] [knox] smolnar82 commented on pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
smolnar82 commented on pull request #381:
URL: https://github.com/apache/knox/pull/381#issuecomment-707883397


   This is a valid point. Let me think and come up with a proposal.





[GitHub] [knox] smolnar82 commented on pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
smolnar82 commented on pull request #381:
URL: https://github.com/apache/knox/pull/381#issuecomment-724577142


   Added a check to log a WARN message if a credential store existed before with a different extension.





[GitHub] [knox] risdenk commented on pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
risdenk commented on pull request #381:
URL: https://github.com/apache/knox/pull/381#issuecomment-707805908


   > Do you mean if credential store type changes AND Knox is restarted?
   
   Yup. Like you start with the default, and then go oops changed my mind. Or you change it and then want to go back to the default.





[GitHub] [knox] lmccay commented on pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
lmccay commented on pull request #381:
URL: https://github.com/apache/knox/pull/381#issuecomment-721185136


   I think logging + creating a new one and leaving the old one will be sufficient.
   Let's not try and be smart about it and delete something that may be needed.
   It seems like an unusual or at least infrequent thing to do anyway.


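Added example, not code from the Knox project or from this pull request: a sketch of the behaviour agreed in the thread, where a restart with a changed store type logs a WARN about the store that existed before with a different extension, creates a new store, and leaves the old one untouched. The class and method names, the `example-credentials` base name, the rule that the file extension is the lower-cased store type, and the use of `PKCS12` (a type that ships with the JDK) as the changed type are all assumptions made for the illustration.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.*;
import java.security.KeyStore;
import java.util.*;
import java.util.logging.Logger;
import java.util.stream.Stream;

public class CredentialStoreTypeCheck {
  private static final Logger LOG = Logger.getLogger("credential-store");

  // Stores in dir that share baseName but carry an extension other than the configured type's.
  // Assumption: the file extension is the lower-cased store type.
  static List<Path> storesOfOtherTypes(Path dir, String baseName, String type) throws IOException {
    String expected = baseName + "." + type.toLowerCase(Locale.ROOT);
    try (Stream<Path> files = Files.list(dir)) {
      return files.filter(p -> {
        String name = p.getFileName().toString();
        return name.startsWith(baseName + ".") && !name.equals(expected);
      }).sorted().collect(java.util.stream.Collectors.toList());
    }
  }

  // Open the store for the configured type, creating it if absent; other stores are never touched.
  static Path openOrCreate(Path dir, String baseName, String type, char[] master) throws Exception {
    for (Path old : storesOfOtherTypes(dir, baseName, type)) {
      LOG.warning("Credential store " + old + " exists with a different type than the configured "
          + type + "; it is left in place and its entries are not migrated");
    }
    Path store = dir.resolve(baseName + "." + type.toLowerCase(Locale.ROOT));
    if (Files.notExists(store)) {
      KeyStore ks = KeyStore.getInstance(type); // throws KeyStoreException for an unknown type
      ks.load(null, master);                    // null stream initialises an empty store
      try (OutputStream out = Files.newOutputStream(store, StandardOpenOption.CREATE_NEW)) {
        ks.store(out, master);
      }
    }
    return store;
  }

  public static void main(String[] args) throws Exception {
    Path dir = Files.createTempDirectory("keystores");
    char[] master = "constructed-master-secret".toCharArray(); // constructed sample value
    openOrCreate(dir, "example-credentials", "JCEKS", master);  // first start, default type
    openOrCreate(dir, "example-credentials", "PKCS12", master); // restart after a type change: WARN
    try (Stream<Path> files = Files.list(dir)) {
      files.sorted().forEach(p -> System.out.println(p.getFileName()));
    }
  }
}
```

After the second call both files exist side by side, so aliases written under the old type are no longer visible to the gateway until they are re-created in the new store or the type is switched back.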



[GitHub] [knox] smolnar82 merged pull request #381: KNOX-2462 - Make credential store type configurable

Posted by GitBox <gi...@apache.org>.
smolnar82 merged pull request #381:
URL: https://github.com/apache/knox/pull/381


   

