@smolnar82 smolnar82 commented May 4, 2021

What changes were proposed in this pull request?

There is a new KNOXTOKEN service API to enable/disable a Knox-generated token.
Instead of adding another column in the KNOX_TOKENS table, a brand new DB table was introduced where an arbitrary number of token metadata can be stored (identified by the given token's ID and the metadata name).
In our alias-based token state management implementations, this is stored as a new JSON field whereas in the file journal-based implementation the new flag is added before the user name.

How was this patch tested?

Updated and executed JUnit tests.

Additionally, the following manual test steps were executed:

  1. Created a token using the tokengen application:

[Screenshot: tokengen application, 2021-05-04]

postgres=# select * from knox_tokens kt, knox_token_metadata ktm WHERE kt.token_id = ktm.token_id;
               token_id               |  issue_time   |  expiration   | max_lifetime  |               token_id               | md_name  |                                 md_value                                  
--------------------------------------+---------------+---------------+---------------+--------------------------------------+----------+---------------------------------------------------------------------------
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620249883013 | 1620760783024 | 1e2f286e-9df1-4123-8d41-e6af523d6923 | enabled  | true
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620249883013 | 1620760783024 | 1e2f286e-9df1-4123-8d41-e6af523d6923 | userName | admin
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620249883013 | 1620760783024 | 1e2f286e-9df1-4123-8d41-e6af523d6923 | comment  | comment with a question mark ? and my favorite cartoon tom & jerry !!! :)
(3 rows)
  2. Tried to enable an already enabled token
$ curl -ku admin:admin-password -d "1e2f286e-9df1-4123-8d41-e6af523d6923" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/enable
{
  "setEnabledFlag": "false",
  "error": "Token is already enabled"
}
  3. Disabled the token
$ curl -ku admin:admin-password -d "1e2f286e-9df1-4123-8d41-e6af523d6923" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/disable
{
  "setEnabledFlag": "true",
  "isEnabled": "false"
}
postgres=# select * from knox_tokens kt, knox_token_metadata ktm WHERE kt.token_id = ktm.token_id AND ktm.md_name = 'enabled';
               token_id               |  issue_time   |  expiration   | max_lifetime  |               token_id               | md_name | md_value 
--------------------------------------+---------------+---------------+---------------+--------------------------------------+---------+----------
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620249883013 | 1620760783024 | 1e2f286e-9df1-4123-8d41-e6af523d6923 | enabled | false
(1 row)
  4. Tried to disable an already disabled token
$ curl -ku admin:admin-password -d "1e2f286e-9df1-4123-8d41-e6af523d6923" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/disable
{
  "setEnabledFlag": "false",
  "error": "Token is already disabled"
}
  5. Enabled the token
$ curl -ku admin:admin-password -d "1e2f286e-9df1-4123-8d41-e6af523d6923" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/enable
{
  "setEnabledFlag": "true",
  "isEnabled": "true"
}
postgres=# select * from knox_tokens kt, knox_token_metadata ktm WHERE kt.token_id = ktm.token_id AND ktm.md_name = 'enabled';
               token_id               |  issue_time   |  expiration   | max_lifetime  |               token_id               | md_name | md_value 
--------------------------------------+---------------+---------------+---------------+--------------------------------------+---------+----------
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620249883013 | 1620760783024 | 1e2f286e-9df1-4123-8d41-e6af523d6923 | enabled | true
(1 row)
  6. Renewed the token
$ curl -ku admin:admin-password -d "@token.txt" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/renew
{
  "renewed": "true",
  "expires": "1620243157437"
}
postgres=# select * from knox_tokens;
               token_id               |  issue_time   |  expiration   | max_lifetime  
--------------------------------------+---------------+---------------+---------------
 1e2f286e-9df1-4123-8d41-e6af523d6923 | 1620155983024 | 1620243157437 | 1620760783024
(1 row)
  7. Revoked the token
$ curl -ku admin:admin-password -d "@token.txt" -X POST https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token/revoke
{
  "revoked": "true"
}
postgres=# select * from knox_tokens kt, knox_token_metadata ktm WHERE kt.token_id = ktm.token_id;
 token_id | issue_time | expiration | max_lifetime | token_id | md_name | md_value 
----------+------------+------------+--------------+----------+---------+----------
(0 rows)
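
As an added example (not Knox's own code), the following Python models the token-metadata design and the enable/disable/revoke semantics shown above using an in-memory SQLite store. Column names are taken from the psql output; the column types, keys, the ON DELETE CASCADE and the "Unknown token" response are this example's assumptions.

```python
import sqlite3
# Assumed schema: column names come from the PR's psql output; types, keys and
# the ON DELETE CASCADE are this example's assumptions, not Knox's own DDL.
SCHEMA = """
CREATE TABLE knox_tokens (token_id TEXT PRIMARY KEY, issue_time INTEGER NOT NULL,
  expiration INTEGER NOT NULL, max_lifetime INTEGER NOT NULL);
CREATE TABLE knox_token_metadata (
  token_id TEXT NOT NULL REFERENCES knox_tokens(token_id) ON DELETE CASCADE,
  md_name TEXT NOT NULL, md_value TEXT NOT NULL, PRIMARY KEY (token_id, md_name));
"""

def open_store():
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # required for the cascade on revoke
    conn.executescript(SCHEMA)
    return conn

def add_token(conn, token_id, user, issue_ms, ttl_ms, max_ms):
    conn.execute("INSERT INTO knox_tokens VALUES (?, ?, ?, ?)",
                 (token_id, issue_ms, issue_ms + ttl_ms, issue_ms + max_ms))
    conn.executemany("INSERT INTO knox_token_metadata VALUES (?, ?, ?)",
                     [(token_id, "enabled", "true"), (token_id, "userName", user)])

def enabled_flag(conn, token_id):
    # True/False from the 'enabled' metadata row, None when the token is unknown.
    row = conn.execute("SELECT md_value FROM knox_token_metadata WHERE token_id = ? "
                       "AND md_name = 'enabled'", (token_id,)).fetchone()
    return None if row is None else row[0] == "true"

def set_enabled(conn, token_id, enabled):
    # Mirror the PR's responses: a no-op returns setEnabledFlag=false plus an error.
    current = enabled_flag(conn, token_id)
    if current is None:
        return {"setEnabledFlag": "false", "error": "Unknown token"}  # assumed text
    if current == enabled:
        state = "enabled" if enabled else "disabled"
        return {"setEnabledFlag": "false", "error": "Token is already " + state}
    conn.execute("UPDATE knox_token_metadata SET md_value = ? WHERE token_id = ? "
                 "AND md_name = 'enabled'", ("true" if enabled else "false", token_id))
    return {"setEnabledFlag": "true", "isEnabled": "true" if enabled else "false"}

def revoke(conn, token_id):
    # Deleting the token row cascades to its metadata, matching the PR's last query.
    cur = conn.execute("DELETE FROM knox_tokens WHERE token_id = ?", (token_id,))
    return {"revoked": "true" if cur.rowcount == 1 else "false"}

def usable(conn, token_id, now_ms):
    # Disabled is distinct from expired or revoked; a consumer must check all three.
    row = conn.execute("SELECT expiration FROM knox_tokens WHERE token_id = ?", (token_id,)).fetchone()
    return row is not None and now_ms < row[0] and enabled_flag(conn, token_id) is True
```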

@smolnar82 smolnar82 requested review from lmccay, moresandeep and pzampino and removed request for lmccay and pzampino May 4, 2021 19:49
@smolnar82 smolnar82 self-assigned this May 4, 2021
@smolnar82 smolnar82 requested a review from pzampino May 4, 2021 19:50
@smolnar82 smolnar82 force-pushed the KNOX-2602 branch 2 times, most recently from 8c86905 to eb6c808 May 4, 2021 21:13
@moresandeep moresandeep left a comment


Just minor concurrency issue but looks great

… the tokens' metadata.

Instead of adding another column in KNOX_TABLES, a brand new DB table was introduced where an arbitrary number of token metadata can be stored (identified by the given token's ID and the metadata name).
@moresandeep moresandeep left a comment


Looks good!

@smolnar82 smolnar82 merged commit dd716ea into apache:master May 5, 2021
@smolnar82 smolnar82 deleted the KNOX-2602 branch May 5, 2021 13:49
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…ce API into the tokens' metadata. (apache#447)

Instead of adding another column in KNOX_TABLES, a brand new DB table was introduced where an arbitrary number of token metadata can be stored (identified by the given token's ID and the metadata name).

Change-Id: I952d47b4a676337e51e3d435362012e135147d96
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…cdpd-master

* changes:
  CDPD-25826 KNOX-2602 - Added the enabled flag and related token service API into the tokens' metadata. (apache#447)
  CDPD-25826 KNOX-2600 - It's now possible to setup a PostgreSQL connection using a JDBC URL (apache#444)
  CDPD-25826 KNOX-2599 - Improve tokengen UI (apache#443)
  CDPD-25826 KNOX-2598 - Added SSL connection support for PostgreSQL database type in JDBC token state management (apache#442)
  CDPD-25826 KNOX-2597 - Falling back to AliasBasedTokenStateService in case of DB configuration issues (apache#441)