Posted to dev@knox.apache.org by "Rick Kellogg (JIRA)" <ji...@apache.org> on 2018/01/02 21:09:00 UTC

[jira] [Comment Edited] (KNOX-1156) Disabled / Multiple Providers Yield Broken Deployment

    [ https://issues.apache.org/jira/browse/KNOX-1156?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16308708#comment-16308708 ] 

Rick Kellogg edited comment on KNOX-1156 at 1/2/18 9:08 PM:
------------------------------------------------------------

Upon careful review, I have decided to leave this as WILL NOT FIX. The ServiceDeploymentContributorBase class includes a number of methods related to contributing filters for web app security, authentication, authorization, etc. In each of these cases, the role alone is used for filtering. It does not pass in a name for the provider. Changes to address this are just too sensitive to touch from a risk perspective.

To be clear, one should only have a single instance of a provider listed in the topology XML file. The "enabled" element does not really work and could probably be removed from the ProviderPropertyInterpreter class. If specified, it might be worthwhile to display a warning message that the element is no longer supported.

Another potential spot for correction could be done in the Topology.getProvider method.  


was (Author: rkellogg):
Upon careful review, I have decided to leave this as WILL NOT FIX. The ServiceDeploymentContributorBase class includes a number of methods related to contributing filters for web app security, authentication, authorization, etc. In each of these cases, the role alone is used for filtering. It does not pass in a name for the provider. Changes to address this are just too sensitive to touch from a risk perspective.

To be clear, one should only have a single instance of a provider listed in the topology XML file. The "enabled" element does not really work and could probably be removed from the ProviderPropertyInterpreter class. If specified, it might be worthwhile to disable a warning message that the element is no longer supported.

Another potential spot for correction could be done in the Topology.getProvider method.  

> Disabled / Multiple Providers Yield Broken Deployment
> -----------------------------------------------------
>
>                 Key: KNOX-1156
>                 URL: https://issues.apache.org/jira/browse/KNOX-1156
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 0.10.0, 0.11.0, 0.12.0, 0.13.0, 0.14.0
>            Reporter: Rick Kellogg
>            Assignee: Rick Kellogg
>            Priority: Minor
>             Fix For: 1.0.0
>
>         Attachments: KNOX-1056.patch
>
>
> Within the topology XML file, the providers include an enabled element. If you include multiple providers with the same role, the generated gateway.xml file might not include the enabled providers.
> In my specific example, I had two authentication providers. The first of which was disabled and the second was enabled. The second provider was ignored, yielding no authentication provider in the gateway.xml, and then subsequent use of the identity provider failed with a missing Subject.
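
A pre-deployment check for the condition described in this issue, as an added example that is not part of the original message or of Knox itself: it flags any role that has more than one provider and any provider that relies on the "enabled" element. The topology/gateway/provider layout with role, name and enabled children, the provider names in the constructed sample, and the function name lint_topology are assumptions of this example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample mirroring the reported case: two authentication
# providers, the first disabled and the second enabled.
SAMPLE_TOPOLOGY = """\
<topology>
  <gateway>
    <provider><role>authentication</role><name>ProviderA</name><enabled>false</enabled></provider>
    <provider><role>authentication</role><name>ProviderB</name><enabled>true</enabled></provider>
    <provider><role>identity-assertion</role><name>Default</name><enabled>true</enabled></provider>
  </gateway>
</topology>
"""


def lint_topology(xml_text):
    """Return a sorted list of (role, problem) findings for a topology document."""
    root = ET.fromstring(xml_text)
    by_role = defaultdict(list)
    for provider in root.findall("./gateway/provider"):
        role = (provider.findtext("role") or "").strip()
        name = (provider.findtext("name") or "").strip()
        enabled_el = provider.find("enabled")
        # Assumption of this check: a missing <enabled> element means enabled.
        enabled = enabled_el is None or (enabled_el.text or "").strip().lower() == "true"
        by_role[role].append((name, enabled))

    findings = []
    for role, providers in by_role.items():
        # Filters are contributed by role alone, so a second provider for the
        # same role cannot be told apart from the first.
        if len(providers) > 1:
            names = ", ".join(name for name, _ in providers)
            findings.append((role, f"multiple providers for one role: {names}"))
        for name, enabled in providers:
            if not enabled:
                findings.append((role, f"provider {name} relies on <enabled>false</enabled>"))
    return sorted(findings)


if __name__ == "__main__":
    for role, problem in lint_topology(SAMPLE_TOPOLOGY):
        print(f"WARNING [{role}] {problem}")
```

Running it against each topology file before deployment surfaces the case where gateway.xml would end up without an authentication provider.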


