[
https://issues.apache.org/jira/browse/HADOOP-11717?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14362388#comment-14362388
]
Kai Zheng commented on HADOOP-11717:
------------------------------------
I read the non-trivial patch, it's really decent and of very good quality. A
good job !
My comments are so far:
1. Why we need to add BC and nimbus library deps to hadoop-project, since
they're already in hadoop-auth project ?
2. For secure protecting JWT token, we should use SSL for the web flow. We
might need to add such security consideration texts in the new handler header
comment.
3. I'm not sure we could avoid using cookie to pass the JWT token, since it's
not a good practice. By post and putting it in the body instead ?
4. Anyway, please limit cookie just as one method to convey token, so better to
avoid cookie stuffs in the many places (variables, words in logs and etc.).
5. I guess in somewhere we need document how to configure the new
authentication handler, to feed the new properties like the login url.
6. Do we support the new mechanism for the both web UI and web hdfs ? Allow SSO
between the two ? How would you go ? In HADOOP-10671, it allows the same
configurations set for the both, thus SSO effect can be achieved.
7. Do we consider JWT token lifetime ? I thought maybe we should limit the
lifetime of the resultant authentication token (hadoop-auth) to the lifetime of
the JWT token.
8. Where {{originalUrl}} is used ? A constant for it ?
9. Can you construct {{loginURL}} only when necessary ? I thought it makes
sense.
10. I thought {{handleJWTToken}} instead of {{handleJWTCookie}}. Anyway, for it:
1) Why we have a userName parameter ? Looks like not used.
2) Would we rewrite it for better reading and extension. Suggest:
{code}
handleJWTCookie(jwtToken) {
boolean validated = validateToken(jwtToken);
...
}
validateToken(jwtToken) {
validateSignature(jwtToken);
validateAudiences(jwtToken);
validateExpiration(jwtToken);
}
{code}
Other effort like HADOOP-10959 can easily override validateToken method.
3) I thought the coding style here might be a little different from the project.
11. Only {{userName}} is used as the result of web sso, but I'm not sure that's
enough to ensure its uniqueness.
12. Ref. below, the message isn't correct. By the way, looks like we only
support PEM format.
{code}
+ if (pem.startsWith(PEM_HEADER)) {
+ message = "CertificateException - do not include PEM header and
footer";
+ }
{code}
> Add Redirecting WebSSO behavior with JWT Token in Hadoop Auth
> -------------------------------------------------------------
>
> Key: HADOOP-11717
> URL: https://issues.apache.org/jira/browse/HADOOP-11717
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Larry McCay
> Assignee: Larry McCay
> Attachments: HADOOP-11717-1.patch, HADOOP-11717-2.patch
>
>
> Extend AltKerberosAuthenticationHandler to provide WebSSO flow for UIs.
> The actual authentication is done by some external service that the handler
> will redirect to when there is no hadoop.auth cookie and no JWT token found
> in the incoming request.
> Using JWT provides a number of benefits:
> * It is not tied to any specific authentication mechanism - so buys us many
> SSO integrations
> * It is cryptographically verifiable for determining whether it can be trusted
> * Checking for expiration allows for a limited lifetime and window for
> compromised use
> This will introduce the use of nimbus-jose-jwt library for processing,
> validating and parsing JWT tokens.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
