You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@knox.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/08/09 20:29:00 UTC

[jira] [Commented] (KNOX-2574) Missing proper logging when hmac secret is short (misconfigured)

    [ https://issues.apache.org/jira/browse/KNOX-2574?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17396265#comment-17396265 ] 

ASF subversion and git services commented on KNOX-2574:
-------------------------------------------------------

Commit a43b1ff1e304dcbcb90e277d998477fa3e5890d7 in knox's branch refs/heads/master from Attila Magyar
[ https://gitbox.apache.org/repos/asf?p=knox.git;h=a43b1ff ]

KNOX-2574 - Missing proper logging when hmac secret is short (misconfigured) (#478)



> Missing proper logging when hmac secret is short (misconfigured)
> ----------------------------------------------------------------
>
>                 Key: KNOX-2574
>                 URL: https://issues.apache.org/jira/browse/KNOX-2574
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>            Reporter: Sandeep More
>            Assignee: Attila Magyar
>            Priority: Major
>          Time Spent: 50m
>  Remaining Estimate: 0h
>
> I was testing out creating tokens with HMAC and created a secret which was less than 256 bits. When I tried to create tokens the operation failed with no meaningful message, even the gateway logs were not logging the error. If this happens in prod it would be extremely painful to track down. 
> This is what I get when I try to create tokens
> {code}
> (base) ➜  ~ curl -iku admin:admin-password 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token'
> HTTP/1.1 200 OK
> Date: Wed, 07 Apr 2021 19:27:42 GMT
> Set-Cookie: KNOXSESSIONID=node01hfs7ly3arqcelcoiofnz3de0.node0; Path=/gateway/sandbox; Secure; HttpOnly
> Expires: Thu, 01 Jan 1970 00:00:00 GMT
> Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 06-Apr-2021 19:27:42 GMT; SameSite=lax
> Content-Type: application/json
> Content-Length: 30
> { "Unable to acquire token." }
> {code}
>  
> And this is what I see in the logs
> {code}
> 2021-04-07 15:27:42,405 INFO  knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
> 2021-04-07 15:29:25,667 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(453)) - toString
> 2021-04-07 15:29:28,125 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - toString
> 2021-04-07 15:29:29,671 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - Unable to issue token.
> 2021-04-07 15:29:29,863 INFO  service.knoxtoken (TokenResource.java:getAuthenticationToken(456)) - toString
> {code}
> There were few issues I noticed that needs some attention:
> 1. Should we even allow creating secrets less than 256 bits? how do we validate it?
> 2. 



--
This message was sent by Atlassian Jira
(v8.3.4#803005)