Posted to issues-all@impala.apache.org by "Joe McDonnell (Jira)" <ji...@apache.org> on 2021/02/25 02:50:00 UTC

[jira] [Commented] (IMPALA-10489) Implement JWT support

    [ https://issues.apache.org/jira/browse/IMPALA-10489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290630#comment-17290630 ] 

Joe McDonnell commented on IMPALA-10489:
----------------------------------------

Other things that may need to be verified:
 # The issuer "iss" claim of the JWT
 # The audience "aud" claim of the JWT

The issuer may be implicit given that we are also verifying the signature. The audience seems more relevant. If there is a single JWT issuer for multiple Impala clusters, a JWT for one Impala cluster should not work on a different one. Using different audiences for the different Impala clusters and verifying the value seems like one way to avoid that problem.

> Implement JWT support
> ---------------------
>
>                 Key: IMPALA-10489
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10489
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Clients
>    Affects Versions: Impala 4.0
>            Reporter: Joe McDonnell
>            Priority: Major
>
> JWT support entails:
>  # Reading the JWT out of the HTTP Header
>  # Verifying the JWT's signature
>  # Getting the username out of the JWT contents
> For #1, we can assume that it comes in via the Authorization: Bearer header. If this is not uniform, this may need to be configurable.
> For #2, we need the public key of the entity that produced the JWT. This will need to be passed in at startup. 
> For #3, there is no standardized name for the username field on a JWT. This should be configurable.
> Subsequent tasks may provide other ways to specify the public key and parse out other pieces of information from the JWT.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
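
The checks discussed in this thread, as an added example that is not Impala code or part of the original message: read the token from the `Authorization: Bearer` header, verify the signature, check `iss` and `aud`, then read the username from a configurable claim. Assumptions: an HS256 shared key stands in for the public-key verification the issue describes so the sketch runs on the standard library alone, and the issuer URL, audience names and the `username` claim name are constructed.

```python
import base64, hashlib, hmac, json

def b64d(seg: str) -> bytes:
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token; stands in for the real issuer's output."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def authenticate(auth_header, key, expected_iss, expected_aud, username_claim):
    """Return the username, or raise ValueError naming the failed check."""
    scheme, _, token = auth_header.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise ValueError("malformed Authorization header")
    head, body, sig = token.split(".")
    # Pin the algorithm on the server side; the token header must match it.
    if json.loads(b64d(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, b64d(sig)):
        raise ValueError("bad signature")
    claims = json.loads(b64d(body))  # trusted only after the signature check
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    # RFC 7519: "aud" is a single string or an array of strings.
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if expected_aud not in audiences:
        raise ValueError("wrong audience")
    user = claims.get(username_claim)
    if not isinstance(user, str) or not user:
        raise ValueError("missing username claim")
    return user

if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed sample values throughout
    tok = make_token({"iss": "https://idp.example", "aud": "impala-cluster-a",
                      "username": "alice"}, key)
    for cluster in ("impala-cluster-a", "impala-cluster-b"):
        try:
            print(cluster, authenticate("Bearer " + tok, key, "https://idp.example", cluster, "username"))
        except ValueError as err:
            print(cluster, "rejected:", err)
```

The same token carries a valid signature on both clusters; only the audience comparison stops it from being accepted by the second one.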