Details
-
New Feature
-
Status: Resolved
-
Major
-
Resolution: Fixed
Description
I was testing out creating tokens with HMAC and created a secret which was less than 256 bits. When I tried to create tokens the operation failed with no meaningful message, even the gateway logs were not logging the error. If this happens in prod it would be extremely painful to track down.
This is what I get when I try to create tokens
(base) ➜ ~ curl -iku admin:admin-password 'https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token'
HTTP/1.1 200 OK
Date: Wed, 07 Apr 2021 19:27:42 GMT
Set-Cookie: KNOXSESSIONID=node01hfs7ly3arqcelcoiofnz3de0.node0; Path=/gateway/sandbox; Secure; HttpOnly
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Tue, 06-Apr-2021 19:27:42 GMT; SameSite=lax
Content-Type: application/json
Content-Length: 30

{ "Unable to acquire token." }
And this is what I see in the logs
2021-04-07 15:27:42,405 INFO knox.gateway (KnoxLdapRealm.java:getUserDn(688)) - Computed userDn: uid=admin,ou=people,dc=hadoop,dc=apache,dc=org using dnTemplate for principal: admin
2021-04-07 15:29:25,667 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(453)) - toString
2021-04-07 15:29:28,125 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - toString
2021-04-07 15:29:29,671 ERROR service.knoxtoken (TokenResource.java:getAuthenticationToken(454)) - Unable to issue token.
2021-04-07 15:29:29,863 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(456)) - toString
There were a few issues I noticed that need some attention:
1. Should we even allow creating secrets less than 256 bits? How do we validate it?
2.
Issue Links
- is caused by
-
KNOX-2527 Support HMAC signature/verification in JWT token authority
- Resolved
- links to
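On the validation question raised in the description: RFC 7518 section 3.2 requires an HMAC key at least as long as the hash output (256 bits for HS256), so the length can be checked before signing and rejected with a message that names the problem. The following is an added example, not code from Knox or from this issue; the class and method names and the sample secrets are hypothetical.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Map;

public class HmacSecretCheck {
    // Minimum key sizes in bits per RFC 7518 section 3.2: key >= hash output size.
    private static final Map<String, Integer> MIN_BITS =
        Map.of("HS256", 256, "HS384", 384, "HS512", 512);
    private static final Map<String, String> JCA_NAME =
        Map.of("HS256", "HmacSHA256", "HS384", "HmacSHA384", "HS512", "HmacSHA512");

    /** Fails fast, with a message an operator can act on, before any signing is attempted. */
    static void validateSecret(String alg, byte[] secret) {
        Integer min = MIN_BITS.get(alg);
        if (min == null) {
            throw new IllegalArgumentException("Unsupported HMAC algorithm: " + alg);
        }
        int bits = secret == null ? 0 : secret.length * 8;
        if (bits < min) {
            throw new IllegalArgumentException(String.format(
                "HMAC secret is %d bits; %s requires at least %d bits", bits, alg, min));
        }
    }

    /** Returns the base64url signature over a JWS signing input (header.payload). */
    static String sign(String alg, byte[] secret, String signingInput) throws Exception {
        validateSecret(alg, secret);
        Mac mac = Mac.getInstance(JCA_NAME.get(alg));
        mac.init(new SecretKeySpec(secret, JCA_NAME.get(alg)));
        byte[] sig = mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(sig);
    }

    public static void main(String[] args) throws Exception {
        String input = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbiJ9"; // constructed header.payload
        byte[] shortSecret = "sPj8FO2ql1".getBytes(StandardCharsets.UTF_8); // constructed, 80 bits
        byte[] okSecret = "0123456789abcdef0123456789abcdef"
            .getBytes(StandardCharsets.UTF_8); // constructed, 256 bits
        try {
            sign("HS256", shortSecret, input);
        } catch (IllegalArgumentException e) {
            // The reason reaches the log instead of a bare "Unable to issue token."
            System.err.println("ERROR Unable to issue token: " + e.getMessage());
        }
        System.out.println(input + "." + sign("HS256", okSecret, input));
    }
}
```

Running the same check when the secret is saved, and not only at signing time, surfaces a short secret at configuration rather than on the first token request.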