Posted to dev@knox.apache.org by GitBox <gi...@apache.org> on 2020/01/31 20:26:15 UTC

[GitHub] [knox] pzampino opened a new pull request #251: KNOX-2215 - Token service should return a 401 response when the renew…

pzampino opened a new pull request #251: KNOX-2215 - Token service should return a 401 response when the renew…
URL: https://github.com/apache/knox/pull/251
 
 
   …er is not white-listed
   
   ## What changes were proposed in this pull request?
   
   The Knox Token service has been modified to respond to renew/revoke requests with an HTTP 401 Unauthorized status when the "renewer" is either unknown or has not been white-listed in the service configuration, instead of the more generic HTTP 400 Bad Request.
   
   ## How was this patch tested?
   
   Modified existing TokenServiceResourceTest methods for the affected renew/revoke scenarios.

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services
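The authorization decision the pull request describes, as an added example in Python that is not Knox's own code: the gateway is assumed to have already authenticated the caller (a principal name, or None when no credentials were presented), the permitted renewers are assumed to come from a constructed comma-separated configuration value, and the status for a non-whitelisted renewer is held in one constant so the 401/403 question raised in review is a single-line change.

```python
from dataclasses import dataclass
from typing import Optional

# Status returned when an authenticated caller is not a permitted renewer.
# The PR chose 401 (citing RFC 2616 wording); the review thread argued for 403.
NOT_WHITELISTED_STATUS = 401


@dataclass(frozen=True)
class TokenOpResult:
    status: int
    message: str


def parse_renewer_whitelist(config_value: str) -> frozenset:
    """Constructed config format: comma-separated renewer names, blanks ignored."""
    return frozenset(name.strip() for name in config_value.split(",") if name.strip())


def renew_or_revoke(principal: Optional[str], token: Optional[str],
                    renewer_whitelist: frozenset) -> TokenOpResult:
    """Decide the HTTP status for a token renew/revoke request.

    Check order matters: authentication (no credentials at all), then request
    validity (the generic 400 case), then authorization of the renewer. The
    last case is the one KNOX-2215 moves from 400 to an authorization status.
    """
    if principal is None:
        return TokenOpResult(401, "Authentication required")
    if not token:
        return TokenOpResult(400, "Bad request: missing token")
    if principal not in renewer_whitelist:
        # Authenticated, but not authorized to renew/revoke. Log the principal
        # so repeated attempts by a non-renewer are visible in gateway audit logs.
        return TokenOpResult(NOT_WHITELISTED_STATUS,
                             f"Renewer '{principal}' is not white-listed")
    return TokenOpResult(200, "OK")


if __name__ == "__main__":
    allowed = parse_renewer_whitelist("alice, svc-renewer")   # constructed config
    for caller in (None, "alice", "mallory"):
        print(caller, renew_or_revoke(caller, "tok-123", allowed))
```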

[GitHub] [knox] lmccay commented on issue #251: KNOX-2215 - Token service should return a 401 response when the renew…

Posted by GitBox <gi...@apache.org>.
lmccay commented on issue #251: KNOX-2215 - Token service should return a 401 response when the renew…
URL: https://github.com/apache/knox/pull/251#issuecomment-581200463
 
 
   I believe 403 is more appropriate, but it should align with what Hadoop does
   either way.
   
   On Sun, Feb 2, 2020, 6:09 PM Phil Zampino <no...@github.com> wrote:
   
   > @risdenk <https://github.com/risdenk>, my rationale for choosing 401 is
   > the definition from
   > https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
   >
   > 401: "If the request already included Authorization credentials, then the
   > 401 response indicates that *authorization* has been refused for those
   > credentials."
   >
   > 403: "The server understood the request, but is refusing to fulfill it.
   > Authorization will not help"
   >
   > So, in this case, the renewing/revoking user is *AUTHENTICATED*, but *NOT
   > AUTHORIZED* to perform the requested operation.
   


[GitHub] [knox] pzampino merged pull request #251: KNOX-2215 - Token service should return a 401 response when the renew…

Posted by GitBox <gi...@apache.org>.
pzampino merged pull request #251: KNOX-2215 - Token service should return a 401 response when the renew…
URL: https://github.com/apache/knox/pull/251
 
 
   


[GitHub] [knox] pzampino commented on issue #251: KNOX-2215 - Token service should return a 401 response when the renew…

Posted by GitBox <gi...@apache.org>.
pzampino commented on issue #251: KNOX-2215 - Token service should return a 401 response when the renew…
URL: https://github.com/apache/knox/pull/251#issuecomment-581188149
 
 
   @risdenk, my rationale for choosing 401 is the definition from https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
   
   401: "If the request already included Authorization credentials, then the 401 response indicates that **authorization** has been refused for those credentials."
   
   403: "The server understood the request, but is refusing to fulfill it. Authorization will not help"
   
   So, in this case, the renewing/revoking user is _AUTHENTICATED_, but **NOT AUTHORIZED** to perform the requested operation.
