You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues-all@impala.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/07/11 12:59:00 UTC

[jira] [Commented] (IMPALA-10489) Implement JWT support

    [ https://issues.apache.org/jira/browse/IMPALA-10489?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17378652#comment-17378652 ] 

ASF subversion and git services commented on IMPALA-10489:
----------------------------------------------------------

Commit 025500ccb5fed088e58da7bb7a8021088a9bba98 in impala's branch refs/heads/master from wzhou-code
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=025500c ]

IMPALA-10489: Implement JWT support

This patch added JWT support with following functionality:
 * Load and parse JWKS from pre-installed JSON file.
 * Read the JWT token from the HTTP Header.
 * Verify the JWT's signature with public key in JWKS.
 * Get the username out of the payload of JWT token.
 * Support following JSON Web Algorithms (JWA):
   HS256, HS384, HS512, RS256, RS384, RS512.

We use third party library jwt-cpp to verify JWT token. jwt-cpp is a
headers only C++ library. It was added to native-toolchain.
This patch modified bootstrap_toolchain.py to download jwt-cpp from
toolchain s3 bucket, and modified makefiles to add jwt-cpp/include
in the include path.

Added BE unit-tests for loading JWKS file and verifying JWT token.
Also added FE custom cluster test for JWT authentication.

Testing:
 - Passed core run.

Change-Id: I6b71fa854c9ddc8ca882878853395e1eb866143c
Reviewed-on: http://gerrit.cloudera.org:8080/17435
Reviewed-by: Joe McDonnell <jo...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>


> Implement JWT support
> ---------------------
>
>                 Key: IMPALA-10489
>                 URL: https://issues.apache.org/jira/browse/IMPALA-10489
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Clients
>    Affects Versions: Impala 4.0
>            Reporter: Joe McDonnell
>            Assignee: Wenzhe Zhou
>            Priority: Major
>
> JWT support entails:
>  # Reading the JWT out of the HTTP Header
>  # Verifying the JWT's signature
>  # Getting the username out of the JWT contents
> For #1, we can assume that it comes in via the Authorization: Bearer header. If this is not uniform, this may need to be configurable.
> For #2, we need the public key of the entity that produced the JWT. This will need to be passed in at startup. 
> For #3, there is no standardized name for the username field on a JWT. This should be configurable.
> Subsequent tasks may provide other ways to specify the public key and parse out other pieces of information from the JWT.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org