Posted to dev@knox.apache.org by sumit gupta <su...@apache.org> on 2017/03/04 12:56:58 UTC

[VOTE] Release Apache Knox 0.12.0

A candidate for the Apache Knox 0.12.0 release is available at:

https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/

The release candidate is a zip archive of the sources in:

https://git-wip-us.apache.org/repos/asf/knox.git
Branch v0.12.0 (git checkout -b v0.12.0)

The KEYS file for signature validation is available at:
https://dist.apache.org/repos/dist/release/knox/KEYS

Please vote on releasing this package as Apache Knox 0.12.0.
The vote is open for the next 72 hours and passes if a majority of at
least three +1 Apache Knox PMC votes are cast.

[ ] +1 Release this package as Apache Knox 0.12.0
[ ] -1 Do not release this package because...

Re: [VOTE] Release Apache Knox 0.12.0

Posted by Sumit Gupta <su...@hortonworks.com>.
Thanks for the catch Larry and Vincent. This may have been a merge issue
on my part as well. In any case I agree that the release cannot go out
with this bug. My vote is also -1. I'll cancel the vote and file a JIRA
for the issue to be fixed.

Thanks everyone for testing the RC and stay tuned for the next one.

Sumit.


On 3/8/17, 1:19 PM, "Vincent Devillers" <vi...@layer4.fr>
wrote:

>@larry
>
>You are right, in the Hadoop class it should be:
>
>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>if (clientContext.connection().secure()) {
>  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>  trustStrategy = null;
>} else {
>
>instead of:
>
>HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
>TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
>if (clientContext.connection().secure()) {
>  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
>} else {
>
>
>The trustStrategy must be null in order to keep the default
>X509TrustManager defined for the default ssl algorithm.
>My bad...
>
>*Vincent Devillers*
>
>tél.: +33 615053430
>email: vincent.devillers@layer4.fr
>blog: https://blog.layer4.fr
>
>2017-03-08 18:37 GMT+01:00 larry mccay <lm...@apache.org>:
>
>> Unfortunately, I have found what I view as a showstopper.
>> We had a regression in the knoxshell with respect to requiring proper trust
>> of the cert presented by the gateway.
>> Somewhere along the line the TrustSelfSignedStrategy was added back and
>> self-signed certs now get a free pass.
>> This needs to be fixed to protect against MITM attacks, etc.
>>
>> Here is my -1.
>>
>>
>> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <co...@gmail.com>
>> wrote:
>>
>> > +1 (non-binding)
>> >
>> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
>> > * Verified that Knox Solr service definition was able to connect to
>> > Kerberized Solr
>> > * Verified both API and UI
>> > * Verified basic auth through LDAP works
>> >
>> > Kevin Risden
>> >
>> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com>
>> > wrote:
>> >
>> > > Thanks Sumit for setting up the release !
>> > >
>> > > +1 (binding)
>> > >
>> > > * Downloaded and built from source (with Java 1.8.0_101)
>> > > * Checked LICENSE and NOTICE files
>> > > * Verified GPG/MD5/SHA signatures
>> > > * Installed pseudo-distributed instance (Mac OS X )
>> > > * Ran through knox tests
>> > > * Checked websocket functionality
>> > > * Checked java script compression (Ambari UI)
>> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
>> > >
>> > >  :-) My first binding vote
>> > >
>> > > Best,
>> > > Sandeep
>> > >
>> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
>> > >
>> > > > A candidate for the Apache Knox 0.12.0 release is available at:
>> > > >
>> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
>> > > >
>> > > > The release candidate is a zip archive of the sources in:
>> > > >
>> > > > https://git-wip-us.apache.org/repos/asf/knox.git
>> > > > Branch v0.12.0 (git checkout -b v0.12.0)
>> > > >
>> > > > The KEYS file for signature validation is available at:
>> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
>> > > >
>> > > > Please vote on releasing this package as Apache Knox 0.12.0.
>> > > > The vote is open for the next 72 hours and passes if a majority of at
>> > > > least three +1 Apache Knox PMC votes are cast.
>> > > >
>> > > > [ ] +1 Release this package as Apache Knox 0.12.0
>> > > > [ ] -1 Do not release this package because...
>> > > >
>> > >
>> >
>>


Re: [VOTE] Release Apache Knox 0.12.0

Posted by Vincent Devillers <vi...@layer4.fr>.
@larry

You are right, in the Hadoop class it should be:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
  trustStrategy = null;
} else {

instead of:

HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
if (clientContext.connection().secure()) {
  hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
} else {


The trustStrategy must be null in order to keep the default
X509TrustManager defined for the default ssl algorithm.
My bad...

*Vincent Devillers*

tél.: +33 615053430
email: vincent.devillers@layer4.fr
blog: https://blog.layer4.fr

2017-03-08 18:37 GMT+01:00 larry mccay <lm...@apache.org>:

> Unfortunately, I have found what I view as a showstopper.
> We had a regression in the knoxshell with respect to requiring proper trust
> of the cert presented by the gateway.
> Somewhere along the line the TrustSelfSignedStrategy was added back and
> self-signed certs now get a free pass.
> This needs to be fixed to protect against MITM attacks, etc.
>
> Here is my -1.
>
>
> On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <co...@gmail.com>
> wrote:
>
> > +1 (non-binding)
> >
> > * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
> > * Verified that Knox Solr service definition was able to connect to
> > Kerberized Solr
> > * Verified both API and UI
> > * Verified basic auth through LDAP works
> >
> > Kevin Risden
> >
> > On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com>
> > wrote:
> >
> > > Thanks Sumit for setting up the release !
> > >
> > > +1 (binding)
> > >
> > > * Downloaded and built from source (with Java 1.8.0_101)
> > > * Checked LICENSE and NOTICE files
> > > * Verified GPG/MD5/SHA signatures
> > > * Installed pseudo-distributed instance (Mac OS X )
> > > * Ran through knox tests
> > > * Checked websocket functionality
> > > * Checked java script compression (Ambari UI)
> > > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
> > >
> > >  :-) My first binding vote
> > >
> > > Best,
> > > Sandeep
> > >
> > > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
> > >
> > > > A candidate for the Apache Knox 0.12.0 release is available at:
> > > >
> > > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> > > >
> > > > The release candidate is a zip archive of the sources in:
> > > >
> > > > https://git-wip-us.apache.org/repos/asf/knox.git
> > > > Branch v0.12.0 (git checkout -b v0.12.0)
> > > >
> > > > The KEYS file for signature validation is available at:
> > > > https://dist.apache.org/repos/dist/release/knox/KEYS
> > > >
> > > > Please vote on releasing this package as Apache Knox 0.12.0.
> > > > The vote is open for the next 72 hours and passes if a majority of at
> > > > least three +1 Apache Knox PMC votes are cast.
> > > >
> > > > [ ] +1 Release this package as Apache Knox 0.12.0
> > > > [ ] -1 Do not release this package because...
> > > >
> > >
> >
>
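
The fix discussed in the message above, worked into a complete socket-factory helper. This is an added example, not code from the thread or from the Knox source tree. It assumes Apache HttpClient 4.4 or later on the classpath; the class name `GatewayTlsExample`, the method `socketFactory` and its `secure` parameter (standing in for `clientContext.connection().secure()`) are hypothetical.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;

public class GatewayTlsExample {

  // 'secure' is a hypothetical stand-in for clientContext.connection().secure().
  static SSLConnectionSocketFactory socketFactory(boolean secure)
      throws GeneralSecurityException {
    // Lenient defaults: any hostname is accepted, and a chain made of a
    // single certificate is accepted without consulting the trust store.
    HostnameVerifier hostnameVerifier = NoopHostnameVerifier.INSTANCE;
    TrustStrategy trustStrategy = TrustSelfSignedStrategy.INSTANCE;
    if (secure) {
      hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
      // A non-null strategy is consulted before the platform trust manager and
      // can short-circuit it. With null, the builder installs the default
      // X509TrustManager unwrapped, so the chain must validate against the
      // JVM trust store.
      trustStrategy = null;
    }
    SSLContext sslContext = SSLContextBuilder.create()
        // null KeyStore: use the JVM default trust store.
        .loadTrustMaterial((KeyStore) null, trustStrategy)
        .build();
    return new SSLConnectionSocketFactory(sslContext, hostnameVerifier);
  }

  public static void main(String[] args) throws Exception {
    // In secure mode the handshake fails for a gateway whose certificate is
    // not in the trust store or does not match the requested hostname.
    try (CloseableHttpClient client = HttpClients.custom()
        .setSSLSocketFactory(socketFactory(true))
        .build()) {
      System.out.println("client built with default trust and hostname checks");
    }
  }
}
```

A regression test for this path would connect to a test gateway presenting a self-signed certificate and assert that the secure client rejects the handshake.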

Re: [VOTE] Release Apache Knox 0.12.0

Posted by larry mccay <lm...@apache.org>.
Unfortunately, I have found what I view as a showstopper.
We had a regression in the knoxshell with respect to requiring proper trust
of the cert presented by the gateway.
Somewhere along the line the TrustSelfSignedStrategy was added back and
self-signed certs now get a free pass.
This needs to be fixed to protect against MITM attacks, etc.

Here is my -1.


On Tue, Mar 7, 2017 at 10:24 AM, Kevin Risden <co...@gmail.com>
wrote:

> +1 (non-binding)
>
> * Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
> * Verified that Knox Solr service definition was able to connect to
> Kerberized Solr
> * Verified both API and UI
> * Verified basic auth through LDAP works
>
> Kevin Risden
>
> On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com>
> wrote:
>
> > Thanks Sumit for setting up the release !
> >
> > +1 (binding)
> >
> > * Downloaded and built from source (with Java 1.8.0_101)
> > * Checked LICENSE and NOTICE files
> > * Verified GPG/MD5/SHA signatures
> > * Installed pseudo-distributed instance (Mac OS X )
> > * Ran through knox tests
> > * Checked websocket functionality
> > * Checked java script compression (Ambari UI)
> > * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
> >
> >  :-) My first binding vote
> >
> > Best,
> > Sandeep
> >
> > On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
> >
> > > A candidate for the Apache Knox 0.12.0 release is available at:
> > >
> > > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> > >
> > > The release candidate is a zip archive of the sources in:
> > >
> > > https://git-wip-us.apache.org/repos/asf/knox.git
> > > Branch v0.12.0 (git checkout -b v0.12.0)
> > >
> > > The KEYS file for signature validation is available at:
> > > https://dist.apache.org/repos/dist/release/knox/KEYS
> > >
> > > Please vote on releasing this package as Apache Knox 0.12.0.
> > > The vote is open for the next 72 hours and passes if a majority of at
> > > least three +1 Apache Knox PMC votes are cast.
> > >
> > > [ ] +1 Release this package as Apache Knox 0.12.0
> > > [ ] -1 Do not release this package because...
> > >
> >
>

Re: [VOTE] Release Apache Knox 0.12.0

Posted by Sumit Gupta <su...@hortonworks.com>.
Thanks for the +1 and testing the release Kevin Risden!



On 3/7/17, 10:24 AM, "Kevin Risden" <co...@gmail.com> wrote:

>+1 (non-binding)
>
>* Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
>* Verified that Knox Solr service definition was able to connect to
>Kerberized Solr
>* Verified both API and UI
>* Verified basic auth through LDAP works
>
>Kevin Risden
>
>On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com>
>wrote:
>
>> Thanks Sumit for setting up the release !
>>
>> +1 (binding)
>>
>> * Downloaded and built from source (with Java 1.8.0_101)
>> * Checked LICENSE and NOTICE files
>> * Verified GPG/MD5/SHA signatures
>> * Installed pseudo-distributed instance (Mac OS X )
>> * Ran through knox tests
>> * Checked websocket functionality
>> * Checked java script compression (Ambari UI)
>> * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
>>
>>  :-) My first binding vote
>>
>> Best,
>> Sandeep
>>
>> On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
>>
>> > A candidate for the Apache Knox 0.12.0 release is available at:
>> >
>> > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
>> >
>> > The release candidate is a zip archive of the sources in:
>> >
>> > https://git-wip-us.apache.org/repos/asf/knox.git
>> > Branch v0.12.0 (git checkout -b v0.12.0)
>> >
>> > The KEYS file for signature validation is available at:
>> > https://dist.apache.org/repos/dist/release/knox/KEYS
>> >
>> > Please vote on releasing this package as Apache Knox 0.12.0.
>> > The vote is open for the next 72 hours and passes if a majority of at
>> > least three +1 Apache Knox PMC votes are cast.
>> >
>> > [ ] +1 Release this package as Apache Knox 0.12.0
>> > [ ] -1 Do not release this package because...
>> >
>>


Re: [VOTE] Release Apache Knox 0.12.0

Posted by Kevin Risden <co...@gmail.com>.
+1 (non-binding)

* Updated https://github.com/risdenk/knox_solr_testing to use 0.12.0 RC
* Verified that Knox Solr service definition was able to connect to
Kerberized Solr
* Verified both API and UI
* Verified basic auth through LDAP works

Kevin Risden

On Mon, Mar 6, 2017 at 9:37 AM, Sandeep More <mo...@gmail.com> wrote:

> Thanks Sumit for setting up the release !
>
> +1 (binding)
>
> * Downloaded and built from source (with Java 1.8.0_101)
> * Checked LICENSE and NOTICE files
> * Verified GPG/MD5/SHA signatures
> * Installed pseudo-distributed instance (Mac OS X )
> * Ran through knox tests
> * Checked websocket functionality
> * Checked java script compression (Ambari UI)
> * Checked 'identity-assertion' provider - 'HadoopGroupProvider'
>
>  :-) My first binding vote
>
> Best,
> Sandeep
>
> On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:
>
> > A candidate for the Apache Knox 0.12.0 release is available at:
> >
> > https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
> >
> > The release candidate is a zip archive of the sources in:
> >
> > https://git-wip-us.apache.org/repos/asf/knox.git
> > Branch v0.12.0 (git checkout -b v0.12.0)
> >
> > The KEYS file for signature validation is available at:
> > https://dist.apache.org/repos/dist/release/knox/KEYS
> >
> > Please vote on releasing this package as Apache Knox 0.12.0.
> > The vote is open for the next 72 hours and passes if a majority of at
> > least three +1 Apache Knox PMC votes are cast.
> >
> > [ ] +1 Release this package as Apache Knox 0.12.0
> > [ ] -1 Do not release this package because...
> >
>

Re: [VOTE] Release Apache Knox 0.12.0

Posted by Sandeep More <mo...@gmail.com>.
Thanks Sumit for setting up the release !

+1 (binding)

* Downloaded and built from source (with Java 1.8.0_101)
* Checked LICENSE and NOTICE files
* Verified GPG/MD5/SHA signatures
* Installed pseudo-distributed instance (Mac OS X )
* Ran through knox tests
* Checked websocket functionality
* Checked java script compression (Ambari UI)
* Checked 'identity-assertion' provider - 'HadoopGroupProvider'

 :-) My first binding vote

Best,
Sandeep

On Sat, Mar 4, 2017 at 7:56 AM, sumit gupta <su...@apache.org> wrote:

> A candidate for the Apache Knox 0.12.0 release is available at:
>
> https://dist.apache.org/repos/dist/dev/knox/knox-0.12.0/
>
> The release candidate is a zip archive of the sources in:
>
> https://git-wip-us.apache.org/repos/asf/knox.git
> Branch v0.12.0 (git checkout -b v0.12.0)
>
> The KEYS file for signature validation is available at:
> https://dist.apache.org/repos/dist/release/knox/KEYS
>
> Please vote on releasing this package as Apache Knox 0.12.0.
> The vote is open for the next 72 hours and passes if a majority of at
> least three +1 Apache Knox PMC votes are cast.
>
> [ ] +1 Release this package as Apache Knox 0.12.0
> [ ] -1 Do not release this package because...
>