Description
This issue is driven by a [DISCUSS] thread initiated on Knox's DEV mailing list here.
As a result of that discussion, the following needs to be implemented:
- deprecate the following TSS implementations:
  - AliasBasedTokenStateService
  - ZookeeperTokenStateService
  - JournalBasedTokenStateService
- document the deprecation of these TSS implementations in v2.1.0 and highlight that they will be removed in the upcoming release (v2.2.0?).
- implement a DerbyDB storage that will store tokens in $DATA_DIR/security/tokens (encrypted or not, it'll be decided later)
- make sure appropriate file permissions are set on that folder
- have the homepage topology configured with JDBC TSS pointing to this DerbyDB storage
- implement a new KnoxCLI command that migrates existing tokens from credential stores to the DerbyDB storage
- automate this new KnoxCLI command in a way such that it runs when Knox Gateway is started, token management is enabled, and DerbyDB storage is configured
- ensure that the previous automated step can be controlled (e.g., it can be turned off in case of unforeseen errors)
- document possible data replication scenarios when, in the case of HA deployments, existing tokens from one Knox node should be made available in other Knox node(s) and there is no other centralized RDBMS in use (PostgreSQL, MySQL for instance)
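
For the file-permission item above, one way to audit the token store directory is sketched below. This is an added example, not Knox code: the function names are hypothetical, and owner-only access (no group/other bits) is an assumed policy, since the issue only asks for "appropriate" permissions.

```shell
#!/bin/sh
# Added example: audit a token store directory for group/other access.
# Assumption: owner-only access (0700 dirs, 0600 files) is the target policy.

# Print every path under $1 (including $1 itself) that grants any
# permission bit to group or other. Symlinks are skipped because their
# own mode bits are not what the kernel enforces.
list_exposed_paths() {
    find "$1" ! -type l \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Return 0 if the store is owner-only, 1 if anything is exposed,
# 2 if the directory does not exist.
audit_token_store() {
    store_dir=$1
    if [ ! -d "$store_dir" ]; then
        echo "missing: $store_dir" >&2
        return 2
    fi
    exposed=$(list_exposed_paths "$store_dir")
    if [ -n "$exposed" ]; then
        echo "group/other access found:" >&2
        echo "$exposed" >&2
        return 1
    fi
    return 0
}

# Hypothetical remediation helper: strip group/other bits recursively.
harden_token_store() {
    chmod -R go-rwx "$1"
}

# Usage: sh audit.sh "$DATA_DIR"   (audits $DATA_DIR/security/tokens)
[ "$#" -eq 0 ] || audit_token_store "$1/security/tokens"
```

The audit only inspects mode bits; it does not verify that the owner is the account the gateway runs as.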