Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2019/08/25 17:13:00 UTC

[jira] [Commented] (IMPALA-8584) Add support for cookie-based authentication

    [ https://issues.apache.org/jira/browse/IMPALA-8584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16915299#comment-16915299 ] 

ASF subversion and git services commented on IMPALA-8584:
---------------------------------------------------------

Commit 5fde84a7aba9284004b481b41fe6f23d11527b6f in impala's branch refs/heads/master from Thomas Tauber-Marshall
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=5fde84a ]

IMPALA-8584: Add cookie support to the HTTP HS2 server

This patch modifies the HTTP HS2 server to accept cookies for
authentication in order to avoid having to authenticate every request
through LDAP or Kerberos.

It adds a flag, --max_cookie_lifetime_s, that determines how long
generated cookies are valid for. Setting the flag to 0 disables cookie
support.

The cookies include a SHA256 HMAC signature that is used to verify
them. They also have a timestamp that is used to determine if they
have expired. If a cookie is successfully verified and hasn't expired,
the username contained in the cookie is set on the connection.

Each impalad uses its own key to generate the signature, so clients
that reconnect to a different impalad will have to reauthenticate.
On a single impalad cookies are valid across sessions and connections.

A new cookie is generated and sent back with the Set-Cookie header
on each request that was authenticated without using a cookie.

Cookies are of the form:
impala.hs2.auth=<cookie>;HttpOnly;MaxAge=<max_cookie_lifetime_s>
  <optional ';Secure' flag>
where:
cookie = <signature>&<username>&<create timestamp>&<random number>
and 'signature' is the SHA256 HMAC of the rest of the cookie

The 'Secure' flag, which indicates to clients that the cookie should
only be sent over secure connections, is omitted if
'--ldap_passwords_in_clear_ok' is true. This is intended only for
testing.

It also adds the metrics:
impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-success
impala.thrift-server.hiveserver2-http-frontend.total-cookie-auth-failure

Testing:
- Added tests to the FE LDAP tests that use the metrics to verify
  successful and failed cookie attempts.

Change-Id: I647c06f94ef91aa3b6413e91576c4ec506ed57f4
Reviewed-on: http://gerrit.cloudera.org:8080/13672
Reviewed-by: Thomas Tauber-Marshall <tm...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Add support for cookie-based authentication
> -------------------------------------------
>
>                 Key: IMPALA-8584
>                 URL: https://issues.apache.org/jira/browse/IMPALA-8584
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend
>    Affects Versions: Impala 3.3.0
>            Reporter: Thomas Tauber-Marshall
>            Assignee: Thomas Tauber-Marshall
>            Priority: Critical
>
> When IMPALA-8538 goes in, we'll have support for LDAP authentication over http. The initial design will pass the credentials to LDAP for authentication on every rpc. This has the potential to create a significant load on the LDAP server. We can avoid hitting LDAP on every request by adding support for cookie auth.


