Date: Fri, 22 Sep 2017 08:59:00 +0000 (UTC)
From: "Sharmadha Sainath (JIRA)"
To: dev@atlas.apache.org
Subject: [jira] [Created] (ATLAS-2166) On refreshing Atlas page logged in via Knox proxy, which has ATLASSESSION ID expired (idle for a long time), logs in as knox user.

Sharmadha Sainath created ATLAS-2166:
----------------------------------------

             Summary: On refreshing Atlas page logged in via Knox proxy, which has ATLASSESSION ID expired (idle for a long time), logs in as knox user.
                 Key: ATLAS-2166
                 URL: https://issues.apache.org/jira/browse/ATLAS-2166
             Project: Atlas
          Issue Type: Bug
          Components: atlas-intg
    Affects Versions: 0.9-incubating
            Reporter: Sharmadha Sainath
         Attachments: Atlas_knox_proxy_1.mov

1. Added the following topology ui.xml in knox topologies:
{code}
<topology>
    <gateway>
        <provider>
            <role>authentication</role>
            <name>Anonymous</name>
            <enabled>true</enabled>
        </provider>
        <provider>
            <role>identity-assertion</role>
            <name>Default</name>
            <enabled>false</enabled>
        </provider>
    </gateway>
    <service>
        <role>ATLAS</role>
        <url>http://atlashost:21000</url>
    </service>
    <service>
        <role>ATLAS-API</role>
        <url>http://atlashost:21000</url>
    </service>
</topology>
{code}

2. Accessed Atlas UI via knox proxy:
{code}
https://knoxhost:8443/gateway/ui/atlas/
{code}
with user admin.

3. Left the page idle for a long time (approx 60 mins). When refreshed, expected that it would land in login.jsp and ask for username and password. Instead, it logged in as knox user.
Following logs from application logs:
{code}
2017-09-22 07:17:23,267 INFO - [Thread-6:] ~ TGT valid starting at: Fri Sep 22 07:17:23 UTC 2017 (Login:302)
2017-09-22 07:17:23,268 INFO - [Thread-6:] ~ TGT expires: Sat Sep 23 07:17:23 UTC 2017 (Login:303)
2017-09-22 07:17:23,268 INFO - [Thread-6:] ~ TGT refresh sleeping until: Sat Sep 23 03:38:59 UTC 2017 (Login:181)
2017-09-22 08:28:23,731 INFO - [pool-2-thread-9:] ~ Logged into Atlas as = knox (AtlasAuthenticationFilter:291)
2017-09-22 08:28:23,732 INFO - [pool-2-thread-9:knox:POST/api/atlas/v2/search/basic] ~ Request from authenticated user: knox, URL=/api/atlas/v2/search/basic (AtlasAuthenticationFilter:305)
2017-09-22 08:28:26,685 INFO - [org.apache.ranger.audit.queue.AuditBatchQueue1:] ~ Audit Status Log: name=atlas.async.multi_dest.batch.solr, interval=01:40:30.245 hours, events=1, succcessCount=1, totalEvents=363, totalSuccessCount=363 (BaseAuditHandler:310)
2017-09-22 08:28:26,706 INFO - [org.apache.ranger.audit.queue.AuditBatchQueue0:] ~ Audit Status Log: name=atlas.async.multi_dest.batch.hdfs, interval=01:40:30.247 hours, events=1, succcessCount=1, totalEvents=363, totalSuccessCount=363 (BaseAuditHandler:310)
{code}
Note: Accessed Atlas UI at 08:28:23,731 after 07:17:23,268.
No suspicious logs from knox gateway.log.

4. Tried to reproduce the issue by deleting the ATLASSESSIONID and refreshed the page. This time it landed in login.jsp correctly.

Not sure what other cases can reproduce this issue. Attached the video recording of the scenario explained.

Note: Ranger Atlas plugin is enabled.

Not sure where Atlas fetches the knox user from. Atlas' users-credentials.properties has only admin and rangertagsync users.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
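
An added example, not part of the original report or of Atlas itself: a log check that flags AtlasAuthenticationFilter events for any user outside the accounts the report lists in users-credentials.properties, which is how the knox identity shows up above. The function name, the allowlist variable and the admin sample line are assumptions made for illustration; the two knox lines are copied from the report.

```python
import re
from datetime import datetime

# Accounts the report says exist in Atlas' users-credentials.properties.
KNOWN_USERS = {"admin", "rangertagsync"}

# Sample input: the knox lines are from the report; the admin line is constructed.
SAMPLE_LOG = """\
2017-09-22 07:17:23,268 INFO - [Thread-6:] ~ TGT expires: Sat Sep 23 07:17:23 UTC 2017 (Login:303)
2017-09-22 07:20:01,114 INFO - [pool-2-thread-3:admin:GET/api/atlas/v2/types/typedefs] ~ Request from authenticated user: admin, URL=/api/atlas/v2/types/typedefs (AtlasAuthenticationFilter:305)
2017-09-22 08:28:23,731 INFO - [pool-2-thread-9:] ~ Logged into Atlas as = knox (AtlasAuthenticationFilter:291)
2017-09-22 08:28:23,732 INFO - [pool-2-thread-9:knox:POST/api/atlas/v2/search/basic] ~ Request from authenticated user: knox, URL=/api/atlas/v2/search/basic (AtlasAuthenticationFilter:305)
"""

# Matches the two AtlasAuthenticationFilter messages shown in the report.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) \S+\s+- \[[^\]]*\] ~ "
    r"(?:Logged into Atlas as = (?P<login>\S+)"
    r"|Request from authenticated user: (?P<req>[^,]+), URL=(?P<url>\S+))"
    r" \(AtlasAuthenticationFilter:\d+\)$"
)


def unexpected_identities(log_text, known_users=KNOWN_USERS):
    """Return auth events whose user is not a known Atlas account."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an authentication-filter line (e.g. TGT or audit output)
        user = m.group("login") or m.group("req")
        if user in known_users:
            continue
        findings.append({
            "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S,%f"),
            "user": user,
            "event": "login" if m.group("login") else "request",
            "url": m.group("url"),  # None for login events
        })
    return findings


if __name__ == "__main__":
    for f in unexpected_identities(SAMPLE_LOG):
        print(f["time"].isoformat(), f["event"], f["user"], f["url"] or "-")
```
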