Behavioral Changes in Knox

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Knox.

Knox token impersonation config
Summary
Knox token service has been changed to use the identity assertion provider configuration for impersonation.
Previous behaviour
The token service had its own impersonation configuration.
New behaviour
The token service relies on the identity assertion provider for impersonation configuration.
PEM file name change
Summary
The name of the pem file generated through knoxcli.sh has been changed.
Previous behaviour
The name of the file was gateway-identity.pem.
New behaviour
The name of the file is now gateway-client-trust.pem.
Composite authorization provider misconfiguration
Summary
Composite authorization provider misconfiguration behavior
Previous behaviour
  1. If composite.provider.names is empty, the topology would fail deployment.
  2. If composite.provider.names has an invalid value, the topology would fail deployment.
New behaviour
  1. Deployment succeeds, and Knox allows access with no authorization since none is configured.
  2. Deployment succeeds, but Knox rejects requests with a HTTP 403 response because the configuration is present (indicating that authorization is expected) but invalid.
Inactive topologies
Summary
Knox distinguishes inactive topologies from undeployed topologies.
Previous behaviour
Requests for topologies which are not yet fully deployed result in HTTP 404 responses.
New behaviour
Requests for topologies which are not yet fully deployed result in HTTP 503 responses.