Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 31 additions & 0 deletions .github/workflows/compose/docker-compose.single-eku-no-mtls.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,31 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with this
# work for additional information regarding copyright ownership. The ASF
# licenses this file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# KNOX-3359: single-EKU WITHOUT mTLS compose OVERRIDE.
#
# single-EKU on, inbound client-auth OFF, outbound two-way SSL OFF. No keystores
# are mounted: Knox self-generates a serverAuth-only server identity at startup,
# so the default baked /gateway.sh entrypoint is used as-is.
services:
knox:
volumes:
- ./single-eku-no-mtls/gateway-site.xml:/knox-runtime/conf/gateway-site.xml:ro

tests:
volumes:
- ../tests:/tests
environment:
- KNOX_GATEWAY_URL=https://knox:8443/
- KNOX_SINGLE_EKU_NO_MTLS=true
62 changes: 62 additions & 0 deletions .github/workflows/compose/docker-compose.single-eku.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with this
# work for additional information regarding copyright ownership. The ASF
# licenses this file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# KNOX-3359: single-EKU compose OVERRIDE.
#
# This file is intentionally separate from docker-compose.yml. The default
# stack's existing integration tests make requests WITHOUT a client cert, so
# turning on gateway.client.auth.needed=true on the shared `knox` service would
# break every one of them. This override is only applied for the single-EKU
# test run.
#
# Run the single-EKU integration test (from repo root):
#
# docker compose \
# -f .github/workflows/compose/docker-compose.yml \
# -f .github/workflows/compose/docker-compose.single-eku.yml \
# up -d knox
# docker compose \
# -f .github/workflows/compose/docker-compose.yml \
# -f .github/workflows/compose/docker-compose.single-eku.yml \
# run --rm tests python -m unittest test_single_eku_mtls -v
# docker compose \
# -f .github/workflows/compose/docker-compose.yml \
# -f .github/workflows/compose/docker-compose.single-eku.yml down
#
# The override:
# - mounts the single-EKU gateway-site.xml over the baked one,
# - mounts the dev keystores into /knox-runtime/conf/single-eku-keystores,
# - sets KNOX_SINGLE_EKU=true on the tests service so test_single_eku_mtls.py
# un-skips (it is skipped by default in the normal stack), and
# - mounts + points the PEM client material for the mTLS happy-path test.
services:
knox:
# Create the keystore-password aliases (so the dev "horton" password is
# resolved deterministically) before starting the gateway.
command: /gateway-single-eku.sh
volumes:
- ./single-eku/gateway-site.xml:/knox-runtime/conf/gateway-site.xml:ro
- ./single-eku/keystores:/knox-runtime/conf/single-eku-keystores:ro
- ./single-eku/gateway-single-eku.sh:/gateway-single-eku.sh:ro

tests:
volumes:
- ../tests:/tests
- ./single-eku/keystores:/single-eku-keystores:ro
environment:
- KNOX_GATEWAY_URL=https://knox:8443/
- KNOX_SINGLE_EKU=true
- KNOX_CLIENT_CERT=/single-eku-keystores/client-cert.pem
- KNOX_CLIENT_KEY=/single-eku-keystores/client-key.pem
2 changes: 1 addition & 1 deletion .github/workflows/compose/docker-compose.yml
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,7 @@ services:
&& pylint *.py
&& echo 'Waiting for knox...'
&& sleep 30
&& pytest --junitxml=test-results.xml"
&& pytest --ignore=test_single_eku_mtls.py --ignore=test_single_eku_no_mtls.py --junitxml=test-results.xml"
depends_on:
- knox

Expand Down
75 changes: 75 additions & 0 deletions .github/workflows/compose/gen-single-eku-keystores.sh
Original file line number Diff line number Diff line change
@@ -0,0 +1,75 @@
#!/usr/bin/env bash
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with this
# work for additional information regarding copyright ownership. The ASF
# licenses this file to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
# Generates the dev-only single-EKU keystore fixtures used by the
# test_single_eku_mtls.py integration test:
# - host-client_keystore.jks : a key pair whose certificate carries ONLY the
# clientAuth EKU (the single-EKU client identity)
# - server-identity_keystore.jks: a key pair whose certificate carries ONLY the
# serverAuth EKU (the single-EKU server identity).
# single-EKU mode refuses to start unless the
# server identity is serverAuth-only, and the
# image's auto-generated identity cert has no
# EKU at all, so a dedicated fixture is required.
# - global_truststore.jks : the server truststore trusting that client cert
#
# These are committed, self-signed, dev-only fixtures (NOT secrets). The store
# password is the same dev password the apache/knox-dev keystores use so the
# master-secret fallback can resolve them. JKS is used only for this dev
# fixture; production keystore type comes from config and is never hardcoded in
# Knox Java code.
set -euo pipefail
DIR="${1:?usage: gen-single-eku-keystores.sh <output-dir>}"
PASS="horton"
mkdir -p "$DIR"

# Client identity: a key pair whose cert carries ONLY the clientAuth EKU
keytool -genkeypair -alias gateway-httpclient-key -keyalg RSA -keysize 2048 \
-dname "CN=knox-client" -ext "eku=clientAuth" -validity 3650 \
-keystore "$DIR/host-client_keystore.jks" -storetype JKS \
-storepass "$PASS" -keypass "$PASS"

# Server identity: a key pair whose cert carries ONLY the serverAuth EKU. The
# alias must match the gateway identity key alias (gateway-identity) so Knox
# uses it as the inbound TLS server certificate. SANs cover the compose
# hostname so it is a valid (if self-signed) cert for https://knox:8443.
keytool -genkeypair -alias gateway-identity -keyalg RSA -keysize 2048 \
-dname "CN=knox" -ext "eku=serverAuth" -ext "san=dns:knox,dns:localhost" \
-validity 3650 \
-keystore "$DIR/server-identity_keystore.jks" -storetype JKS \
-storepass "$PASS" -keypass "$PASS"

# Export the client cert and import it into the server truststore (clients trusted by Knox)
keytool -exportcert -alias gateway-httpclient-key -rfc \
-keystore "$DIR/host-client_keystore.jks" -storepass "$PASS" \
-file "$DIR/client.cer"
keytool -importcert -noprompt -alias knox-client \
-keystore "$DIR/global_truststore.jks" -storetype JKS -storepass "$PASS" \
-file "$DIR/client.cer"
rm -f "$DIR/client.cer"

# PEM client material for the Python tests container (requests cert=(cert, key)).
keytool -exportcert -alias gateway-httpclient-key -rfc \
-keystore "$DIR/host-client_keystore.jks" -storepass "$PASS" \
-file "$DIR/client-cert.pem"
keytool -importkeystore -srckeystore "$DIR/host-client_keystore.jks" \
-srcstoretype JKS -srcstorepass "$PASS" -srcalias gateway-httpclient-key \
-destkeystore "$DIR/client.p12" -deststoretype PKCS12 -deststorepass "$PASS"
openssl pkcs12 -in "$DIR/client.p12" -nocerts -nodes -passin pass:"$PASS" \
| openssl pkey -out "$DIR/client-key.pem"
rm -f "$DIR/client.p12"

echo "Generated single-EKU dev keystores in $DIR"
207 changes: 207 additions & 0 deletions .github/workflows/compose/single-eku-no-mtls/gateway-site.xml
Original file line number Diff line number Diff line change
@@ -0,0 +1,207 @@
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one
or more contributor license agreements. See the NOTICE file
distributed with this work for additional information
regarding copyright ownership. The ASF licenses this file
to you under the Apache License, Version 2.0 (the
"License"); you may not use this file except in compliance
with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<configuration>

<!--
KNOX-3359 single-EKU WITHOUT mTLS. single-EKU is enabled; inbound client
authentication and outbound two-way SSL are both OFF. No keystores are
provided: Knox self-generates a serverAuth-only server identity at
startup (default keystore, default alias/password). Proves single-EKU no
longer forces mTLS and self-bootstraps its identity.
-->
<property>
<name>gateway.tls.single.eku.enabled</name>
<value>true</value>
</property>

<property>
<name>gateway.service.alias.impl</name>
<value>org.apache.knox.gateway.services.security.impl.DefaultAliasService</value>
</property>
<property>
<name>gateway.port</name>
<value>8443</value>
<description>The HTTP port for the Gateway.</description>
</property>

<property>
<name>gateway.path</name>
<value>gateway</value>
<description>The default context path for the gateway.</description>
</property>

<property>
<name>gateway.gateway.conf.dir</name>
<value>deployments</value>
<description>The directory within GATEWAY_HOME that contains gateway topology files and deployments.</description>
</property>

<!-- @since 0.10 Websocket configs -->
<property>
<name>gateway.websocket.feature.enabled</name>
<value>true</value>
<description>Enable/Disable websocket feature.</description>
</property>

<property>
<name>gateway.scope.cookies.feature.enabled</name>
<value>false</value>
<description>Enable/Disable cookie scoping feature.</description>
</property>

<!-- @since 2.0.0 WebShell configs -->
<!-- must have websocket enabled to use webshell -->
<property>
<name>gateway.webshell.feature.enabled</name>
<value>true</value>
<description>Enable/Disable webshell feature.</description>
</property>
<property>
<name>gateway.webshell.max.concurrent.sessions</name>
<value>20</value>
<description>Maximum number of total concurrent webshell sessions</description>
</property>
<property>
<name>gateway.webshell.read.buffer.size</name>
<value>1024</value>
<description>Web Shell buffer size for reading</description>
</property>

<!-- @since 2.0.0 websocket JWT validation configs -->
<property>
<name>gateway.websocket.JWT.validation.feature.enabled</name>
<value>true</value>
<description>Enable/Disable websocket JWT validation at websocket layer.</description>
</property>

<!-- @since 1.5.0 homepage logout -->
<property>
<name>knox.homepage.logout.enabled</name>
<value>true</value>
<description>Enable/disable logout from the Knox Homepage.</description>
</property>

<!-- @since 1.6.0 token management related properties -->
<property>
<name>gateway.knox.token.eviction.grace.period</name>
<value>0</value>
<description>A duration (in seconds) beyond a token’s expiration to wait before evicting its state. This configuration only applies when server-managed token state is enabled either in gateway-site or at the topology level.</description>
</property>

<!-- Knox Admin related config -->
<property>
<name>gateway.knox.admin.groups</name>
<value>admin</value>
</property>

<!-- DEMO LDAP config for Hadoop Group Provider -->
<property>
<name>gateway.group.config.hadoop.security.group.mapping</name>
<value>org.apache.hadoop.security.LdapGroupsMapping</value>
</property>
<property>
<name>gateway.group.config.use.ldap.service</name>
<value>true</value>
</property>
<property>
<name>gateway.dispatch.whitelist.services</name>
<value>DATANODE,HBASEUI,HDFSUI,JOBHISTORYUI,NODEUI,YARNUI,knoxauth</value>
<description>The comma-delimited list of service roles for which the gateway.dispatch.whitelist should be applied.</description>
</property>
<property>
<name>gateway.dispatch.whitelist</name>
<value>^https?:\/\/(www\.local\.com|localhost|127\.0\.0\.1|0:0:0:0:0:0:0:1|::1):[0-9].*$</value>
<description>The whitelist to be applied for dispatches associated with the service roles specified by gateway.dispatch.whitelist.services.
If the value is DEFAULT, a domain-based whitelist will be derived from the Knox host.</description>
</property>
<property>
<name>gateway.xforwarded.header.context.append.servicename</name>
<value>LIVYSERVER</value>
<description>Add service name to x-forward-context header for the list of services defined above.</description>
</property>
<property>
<name>gateway.strict.transport.enabled</name>
<value>true</value>
</property>
<property>
<name>gateway.strict.transport.option</name>
<value>max-age=300; includeSubDomains</value>
</property>

<!-- KnoxLDAP Service Configuration -->
<property>
<name>gateway.ldap.enabled</name>
<value>true</value>
</property>
<property>
<name>gateway.ldap.port</name>
<value>33390</value>
</property>
<property>
<name>gateway.ldap.base.dn</name>
<value>dc=hadoop,dc=apache,dc=org</value>
</property>
<property>
<name>gateway.ldap.recursive.group.resolution</name>
<value>true</value>
</property>
<property>
<name>gateway.ldap.interceptor.names</name>
<value>demoldap</value>
</property>

<!-- LDAP Backend specific configuration (proxying to demo ldap) -->
<property>
<name>gateway.ldap.interceptor.demoldap.interceptorType</name>
<value>backend</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.backendType</name>
<value>ldap</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.url</name>
<value>ldap://ldap:33389</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.remoteBaseDn</name>
<value>dc=hadoop,dc=apache,dc=org</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.systemUsername</name>
<value>uid=guest,ou=people,dc=hadoop,dc=apache,dc=org</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.systemPassword</name>
<value>guest-password</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.userSearchBase</name>
<value>ou=people,dc=hadoop,dc=apache,dc=org</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.groupSearchBase</name>
<value>ou=groups,dc=hadoop,dc=apache,dc=org</value>
</property>
<property>
<name>gateway.ldap.interceptor.demoldap.groupMemberAttribute</name>
<value>member</value>
</property>

</configuration>
Loading
Loading