Posted to issues-all@impala.apache.org by "Joe McDonnell (Jira)" <ji...@apache.org> on 2021/02/25 02:50:00 UTC
[jira] [Commented] (IMPALA-10489) Implement JWT support
[ https://issues.apache.org/jira/browse/IMPALA-10489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17290630#comment-17290630 ]
Joe McDonnell commented on IMPALA-10489:
----------------------------------------
Other things that may need to be verified:
# The issuer "iss" claim of the JWT
# The audience "aud" claim of the JWT
The issuer may be implicit given that we are also verifying the signature. The audience seems more relevant. If there is a single JWT issuer for multiple Impala clusters, a JWT for one Impala cluster should not work on a different one. Using different audiences for the different Impala clusters and verifying the value seems like one way to avoid that problem.
> Implement JWT support
> ---------------------
>
> Key: IMPALA-10489
> URL: https://issues.apache.org/jira/browse/IMPALA-10489
> Project: IMPALA
> Issue Type: Improvement
> Components: Backend, Clients
> Affects Versions: Impala 4.0
> Reporter: Joe McDonnell
> Priority: Major
>
> JWT support entails:
> # Reading the JWT out of the HTTP Header
> # Verifying the JWT's signature
> # Getting the username out of the JWT contents
> For #1, we can assume that it comes in via the Authorization: Bearer header. If this is not uniform, this may need to be configurable.
> For #2, we need the public key of the entity that produced the JWT. This will need to be passed in at startup.
> For #3, there is no standardized name for the username field on a JWT. This should be configurable.
> Subsequent tasks may provide other ways to specify the public key and parse out other pieces of information from the JWT.
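The checks discussed in this thread (Bearer header, signature, issuer, audience, configurable username claim), as an added example that is not part of the original message and is not Impala's code. It assumes HS256 with a shared key from the Python standard library as a stand-in for the public-key signature check the issue describes; the function names, issuer URL, audience strings and claim name are hypothetical.

```python
import base64, hashlib, hmac, json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))  # restore stripped padding

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Issue a constructed HS256 test token (stands in for the real issuer)."""
    head = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

def authenticate(authz_header, key, expected_iss, expected_aud, username_claim):
    """Return the username from the token, or raise ValueError on any failed check."""
    scheme, _, token = authz_header.partition(" ")
    if scheme.lower() != "bearer":
        raise ValueError("not a Bearer credential")
    try:
        head, body, sig = token.strip().split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        given = b64url_decode(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except Exception as e:
        raise ValueError("malformed token") from e
    if header.get("alg") != "HS256":  # pin the algorithm, do not let the token choose it
        raise ValueError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        raise ValueError("bad signature")
    if claims.get("iss") != expected_iss:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # RFC 7519: "aud" is a single string or an array of strings
    auds = [aud] if isinstance(aud, str) else (aud if isinstance(aud, list) else [])
    if expected_aud not in auds:  # a token minted for another cluster is rejected here
        raise ValueError("wrong audience")
    user = claims.get(username_claim)  # claim name is configurable, as the issue proposes
    if not isinstance(user, str) or not user:
        raise ValueError("missing username claim")
    return user

if __name__ == "__main__":
    key, iss = b"constructed-demo-key", "https://idp.example.com"  # constructed values
    tok = make_token({"iss": iss, "aud": "impala-cluster-a", "preferred_username": "alice"}, key)
    print(authenticate("Bearer " + tok, key, iss, "impala-cluster-a", "preferred_username"))
```

The same token presented to a server configured with the audience "impala-cluster-b" fails with "wrong audience" even though its signature and issuer are valid.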