Posted to dev@knox.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2021/08/06 09:46:00 UTC

[jira] [Work logged] (KNOX-2574) Missing proper logging when hmac secret is short (misconfigured)

     [ https://issues.apache.org/jira/browse/KNOX-2574?focusedWorklogId=635022&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-635022 ]

ASF GitHub Bot logged work on KNOX-2574:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 06/Aug/21 09:45
            Start Date: 06/Aug/21 09:45
    Worklog Time Spent: 10m 
      Work Description: zeroflag opened a new pull request #478:
URL: https://github.com/apache/knox/pull/478


   ## What changes were proposed in this pull request?
   
   When the hmac secret length is shorter than required by the signing algorithm then token generation will fail with no meaningful message.
   
   ```json
   { "Unable to acquire token." }
   ```
   
   The gateway log doesn't contain any information about what went wrong.
   
   I found no simple way to add validation logic to the secret creation (bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value <..>) and prevent creating the secret with invalid length, so I added a check to TokenResource>>init() instead.
   
   ## How was this patch tested?
   
   1. Created a shorter than expected secret:
   
   ```
   $ bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 1234
   ```
   
   2. Set the signing alg to HS256 (keylength = 32)
   
   ```
   <param>
      <name>knox.token.sigalg</name>
      <value>HS256</value>
   </param>
   ```
   
   3. Tried to create a token
   
   ```
   $ curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
   ```
   
   4. Checked the exception in gateway.log
   
   ```
   com.nimbusds.jose.KeyLengthException: Unexpected key length (for HS256 algorithm)
   ```


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

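The init-time check the pull request describes, as an added example in Java (Knox's language) that is not code from the Knox project or the PR: the secret read from the gateway.signing.hmac.secret alias is compared against the minimum length the configured knox.token.sigalg needs, and a clear log line replaces the bare "Unable to acquire token." failure. The class name, the char[] secret parameter and counting the secret's UTF-8 bytes are assumptions of this example.

```java
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.logging.Logger;

/**
 * Added example (not Knox's code): validate the HMAC secret length before
 * the token service issues anything, so a misconfigured alias is reported
 * at startup instead of surfacing as a KeyLengthException with no context.
 */
public class HmacSecretCheck {
    private static final Logger LOG = Logger.getLogger(HmacSecretCheck.class.getName());

    // Minimum secret length in bytes per HMAC JWS algorithm: the key must be at
    // least as long as the hash output (HS256 -> 32 bytes, i.e. 256 bits).
    private static final Map<String, Integer> MIN_SECRET_BYTES = Map.of(
        "HS256", 32, "HS384", 48, "HS512", 64);

    /** Returns a human-readable problem, or null when the configuration is acceptable. */
    public static String validate(String sigAlg, char[] secret) {
        Integer required = MIN_SECRET_BYTES.get(sigAlg);
        if (required == null) {
            return null; // RSA/EC algorithms sign with a keystore key, not the hmac alias
        }
        if (secret == null || secret.length == 0) {
            return "alias gateway.signing.hmac.secret is not set but " + sigAlg + " is configured";
        }
        // Assumption: the secret is fed to the signer as its UTF-8 bytes.
        int actual = new String(secret).getBytes(StandardCharsets.UTF_8).length;
        if (actual < required) {
            return String.format(
                "HMAC secret is %d bytes (%d bits) but %s requires at least %d bytes (%d bits)",
                actual, actual * 8, sigAlg, required, required * 8);
        }
        return null;
    }

    /** Mirrors the PR's placement: fail fast at service init with a meaningful log entry. */
    public static void init(String sigAlg, char[] secret) {
        String problem = validate(sigAlg, secret);
        if (problem != null) {
            LOG.severe("Token service misconfigured: " + problem);
            throw new IllegalStateException(problem);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs reproducing the report: a 4-byte secret ("1234") with HS256.
        System.out.println(validate("HS256", "1234".toCharArray()));
        System.out.println(validate("HS256", "0123456789abcdef0123456789abcdef".toCharArray()));
    }
}
```

The first call reports a 4-byte (32-bit) secret against the 32-byte (256-bit) minimum for HS256; the second, a 32-byte secret, returns null.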


Issue Time Tracking
-------------------

            Worklog Id:     (was: 635022)
    Remaining Estimate: 0h
            Time Spent: 10m

> Missing proper logging when hmac secret is short (misconfigured)
> ----------------------------------------------------------------
>
>                 Key: KNOX-2574
>                 URL: https://issues.apache.org/jira/browse/KNOX-2574
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> I was testing out creating tokens with HMAC and created a secret which was less than 256 bits. When I tried to create tokens the operation failed with no meaningful message, even the gateway logs were not logging the error. If this happens in prod it would be extremely painful to track down. 
> This is what I get when I try to create tokens
> {code}
> (base) ➜  ~ curl -iku admin:admin-password 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token'
> HTTP/1.1 200 OK
> Date: Wed, 07 Apr 2021 19:27:42 GMT
> Set-Cookie: KNOXSESSIONID=node01hfs7ly3arqcelcoiofnz3de0.node0; Path=/gateway/sandbox; Secure; HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 06-Apr-2021 19:27:42 GMT; SameSite=lax
> Content-Type: application/json
> Content-Length: 30
> { "Unable to acquire token." }
> {code}
>  
> And this is what I see in the logs
> {code}
> 2021-04-07 15:27:42,405 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
> 2021-04-07 15:29:25,667 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(453)) - toString
> 2021-04-07 15:29:28,125 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - toString
> 2021-04-07 15:29:29,671 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - Unable to issue token.
> 2021-04-07 15:29:29,863 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(456)) - toString
> {code}
> There were a few issues I noticed that need some attention:
> 1. Should we even allow creating secrets less than 256 bits? how do we validate it?
> 2. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)