Critical Description
When the dispatch whitelist is not explicitly configured, Knox attempts to derive this whitelist based on the domain of the knox host. We can see this in the logs as follows:
2018-11-08 20:57:34,173 INFO knox.gateway (WhitelistUtils.java:getDispatchWhitelist(63)) - Applying a derived dispatch whitelist because none is configured in gateway-site: ^/.*$;^https?://(.+\.honeypot\.hortonworks\.site):[0-9]+/?.*$
However, login via knox sso with this configuration is not possible. Upon closer inspection (with a regex editor) we see there are 4 unescaped forward slashes which cause the knox hostname (or hostname of another host on the same domain as knox) to not match the auto-configured whitelist.
(Thanks vrathor-hw helping find this)
Escaping the forward slashes and explicitly configuring the whitelist with following example values seems to solve the problem, and allow login via knox sso.
<param> <name>knoxsso.redirect.whitelist.regex</name> <value>^https?:\/\/(.*\.honeypot\.hortonworks\.site|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value> </param>
If escaping the / as I did above is the correct workaround for this solution, should we configure the automatically derived whitelists to do this also?
