[KNOX-1434] Visiting Knox Admin UI forces subsequent requests to other services redirect to HTTPS - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 1.0.0
Fix Version/s: 1.2.0
Component/s: AdminUI
Labels:
None
Environment:
HDP 3.0
Knox 1.0.0

Description

Problem Description:

Visiting Knox Admin UI in any browser (Firefox / Chrome) sets the HTTP Strict Transport Security (HSTS) header for the host where Knox is running. Any subsequent request to other service on the same host (e.g. Graphana, Ranger etc.) over HTTP would get redirected to HTTPS due to this header.

Please note that, this HSTS header is disabled in all Knox topologies by default.

Ref: https://knox.apache.org/books/knox-1-1-0/user-guide.html#HTTP+Strict+Transport+Security

Impact:

All the non-SSL requests to other services get redirected automatically to HTTPS and would result in SSL errors like: SSL_ERROR_RX_RECORD_TOO_LONG or some other error.

Expected Behavior:

Unless HSTS is specifically enabled for Knox Admin UI, it should not set HSTS header.

Steps to reproduce:

Configure Knox with default topology as one normally would.
Once Knox is up, visit Knox Admin UI
Now, in the same browser session, visit any non-SSL service running on the same Knox host (like Ranger UI on 6080).
Browser will redirect this HTTP request to HTTPS.
If one can carefully clear the HSTS header in browser, then redirection will stop until the next time one visits Knox Admin UI again.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

KNOX-1434.patch
12/Sep/18 23:42
0.8 kB
Vipin Rathor

Activity

People

Assignee:: Unassigned

Reporter:: Vipin Rathor

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 05/Sep/18 20:23

Updated:: 28/Mar/19 13:56

Resolved:: 18/Sep/18 17:59