Behavioral Changes in Knox

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Knox.

Behavioral Changes in Cloudera Runtime 7.3.1.400 SP2

There are no behavioral changes in this release.

There are no behavioral changes in this release.

There are no behavioral changes in this release.

There are no behavioral changes in this release.

Knox token impersonation config

Summary

Knox token service has been changed to use the identity assertion provider configuration for impersonation.

Previous behavior

The token service had its own impersonation configuration.

New behavior

The token service relies on the identity assertion provider for impersonation configuration.

PEM file name change

Summary

The name of the pem file generated through knoxcli.sh has been changed.

Previous behavior

The name of the file was gateway-identity.pem.

New behavior

The name of the file is now gateway-client-trust.pem.

Composite authorization provider misconfiguration

Summary

Composite authorization provider misconfiguration behavior

Previous behavior

If composite.provider.names is empty, the topology would fail deployment.
If composite.provider.names has an invalid value, the topology would fail deployment.

New behavior

Deployment succeeds, and Knox allows access with no authorization since none is configured.
Deployment succeeds, but Knox rejects requests with a HTTP 403 response because the configuration is present (indicating that authorization is expected) but invalid.

Inactive topologies

Summary

Knox distinguishes inactive topologies from undeployed topologies.

Previous behavior

Requests for topologies which are not yet fully deployed result in HTTP 404 responses.

New behavior

Requests for topologies which are not yet fully deployed result in HTTP 503 responses.