Behavioral Changes in Knox

Behavioral changes denote a marked change in behavior from the previously released version to this version of Apache Knox.

Behavioral Changes in Cloudera Runtime 7.3.1.400 SP2

There are no behavioral changes in this release.

There are no behavioral changes in this release.

There are no behavioral changes in this release.

There are no behavioral changes in this release.

Knox token impersonation config

Summary

Knox token service has been changed to use the identity assertion provider configuration for impersonation.

Previous behaviour

The token service had its own impersonation configuration.

New behaviour

The token service relies on the identity assertion provider for impersonation configuration.

PEM file name change

Summary

The name of the pem file generated through knoxcli.sh has been changed.

Previous behaviour

The name of the file was gateway-identity.pem.

New behaviour

The name of the file is now gateway-client-trust.pem.

Composite authorization provider misconfiguration

Summary

Composite authorization provider misconfiguration behavior

Previous behaviour

If composite.provider.names is empty, the topology would fail deployment.
If composite.provider.names has an invalid value, the topology would fail deployment.

New behaviour

Deployment succeeds, and Knox allows access with no authorization since none is configured.
Deployment succeeds, but Knox rejects requests with a HTTP 403 response because the configuration is present (indicating that authorization is expected) but invalid.

Inactive topologies

Summary

Knox distinguishes inactive topologies from undeployed topologies.

Previous behaviour

Requests for topologies which are not yet fully deployed result in HTTP 404 responses.

New behaviour

Requests for topologies which are not yet fully deployed result in HTTP 503 responses.