CDAP-4535

Auth server authentication URL should be configurable

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.5.5, 4.0.0
    • Component/s: CDAP, Security
    • Labels:
    • Release Notes:
      Authentication server announce address is now configurable with the property "security.auth.server.announce.urls", which takes comma-separated URLs in the form of protocol://host:port. The property "security.auth.server.announce.address" is now deprecated. It is only used if it is set but "security.auth.server.announce.urls" has not been set. "security.auth.server.announce.address" now takes a single address in the form of either host:port or host. Protocol and port (if not specified) will be added by the Authentication Server to form the URL. A default URL will be generated by the Authentication Server if either property is not set.

      Description

      It appears there is no way to configure the Authentication URI returned on an auth-enabled cluster. I'm assuming it uses whatever hostname auth-server determines and announces itself as. But this 1) forces the user to rely on DNS, and 2) prevents the user from referring users to a LB or similar they might have set up in front of auth-server.

      build	23-Dec-2015 08:08:41	2015-12-23 08:08:41,883 - DEBUG [main:c.c.c.s.a.c.AbstractAuthenticationClient@161] - Got response 401 - Unauthorized from http://104.196.14.124:10000/ping
      build	23-Dec-2015 08:08:41	2015-12-23 08:08:41,898 - DEBUG [main:c.c.c.s.a.c.AbstractAuthenticationClient@168] - Response map from gateway server: {auth_uri=[http://cdap-itn9-dstc54-22-4830-1000.dev.continuuity.net:10009/token]}
      

      I have searched the docs on how to update this url and come up empty, so either it is not possible, or the docs need updating.
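
The precedence described in the release note, together with a check of the auth_uri a gateway returns in its 401 response (as in the log lines above), written as an added example that is not CDAP's own code. The default scheme, host and port are assumptions of this sketch (10009 is simply the port in the reporter's log), the default is applied when neither property is set, and the check assumes the announced URI is a configured base URL followed by /token, as the log line suggests.

```python
from urllib.parse import urlsplit

URLS_KEY = "security.auth.server.announce.urls"
ADDR_KEY = "security.auth.server.announce.address"  # deprecated property


def resolve_announce_urls(conf, default_scheme="http",
                          default_host="localhost", default_port=10009):
    """Apply the release note's precedence to a dict of properties.

    The default_* values are assumptions of this sketch, not CDAP defaults.
    """
    urls = conf.get(URLS_KEY, "").strip()
    if urls:
        result = []
        for raw in urls.split(","):
            parts = urlsplit(raw.strip())
            # Require the full protocol://host:port form the note describes.
            if not (parts.scheme and parts.hostname and parts.port):
                raise ValueError(f"not protocol://host:port: {raw!r}")
            result.append(f"{parts.scheme}://{parts.hostname}:{parts.port}")
        return result
    addr = conf.get(ADDR_KEY, "").strip()
    if addr:
        # Deprecated form: host or host:port (IPv6 literals not handled here).
        host, _, port = addr.partition(":")
        return [f"{default_scheme}://{host}:{port or default_port}"]
    return [f"{default_scheme}://{default_host}:{default_port}"]


def announced_matches(auth_uri, expected_urls):
    """True if an auth_uri from a 401 response points at an expected URL."""
    p = urlsplit(auth_uri)
    return f"{p.scheme}://{p.hostname}:{p.port}" in expected_urls


if __name__ == "__main__":
    # Constructed configuration: a load balancer in front of auth-server.
    conf = {URLS_KEY: "https://lb.example.com:443", ADDR_KEY: "auth.example.com"}
    expected = resolve_announce_urls(conf)
    seen = "http://cdap-itn9-dstc54-22-4830-1000.dev.continuuity.net:10009/token"
    print(expected, announced_matches(seen, expected))
```

Run against a cluster's real configuration, a mismatch means clients are still being sent to the auth-server's self-determined hostname rather than the intended front end.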

              People

              • Assignee:
                mao Chengfeng Mao
                Reporter:
                derek Derek Wood