[jira] [Work logged] (KNOX-2579) Make token passcode secure in DB token state backend

[ASF GitHub Bot (Jira)]

     [ 
https://issues.apache.org/jira/browse/KNOX-2579?focusedWorklogId=594705&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-594705
 ]

ASF GitHub Bot logged work on KNOX-2579:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 11/May/21 19:00
            Start Date: 11/May/21 19:00
    Worklog Time Spent: 10m 
      Work Description: smolnar82 merged pull request #437:
URL: https://github.com/apache/knox/pull/437


   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Issue Time Tracking
-------------------

    Worklog Id:     (was: 594705)
    Time Spent: 1h 20m  (was: 1h 10m)

> Make token passcode secure in DB token state backend
> ----------------------------------------------------
>
>                 Key: KNOX-2579
>                 URL: https://issues.apache.org/jira/browse/KNOX-2579
>             Project: Apache Knox
>          Issue Type: New Feature
>          Components: Server
>    Affects Versions: 1.6.0
>            Reporter: Sandor Molnar
>            Assignee: Sandor Molnar
>            Priority: Major
>             Fix For: 1.6.0
>
>          Time Spent: 1h 20m
>  Remaining Estimate: 0h
>
> With KNOX-2554, we now have the ability to store passcode tokens in 
> relational databases. However, it indicates poor security practice if 
> sensitive data is stored in plain text format. Since the {{token_id}} JWT 
> claim can be used as a passcode, we need to make sure it's saved in a hashed 
> format. To be able to do this, the following is going to be implemented:
>  * add a new column called {{id}} which will serve as the primary key of the 
> {{KNOX_TOKENS}} table (this is also going to be a UUID)
>  * keep the current {{token_id}} column as is, and store the {{token.id}} 
> claim in a hashed form in this column
> By default, {{HS256}} is going to be used as a hash algorithm, but end-users 
> can configure it via the {{gateway.database.hash.alg}} gateway level 
> configuration. A new pre-defined alias name is to be introduced too: 
> {{gateway_database_hash_key}}. End-users must save the desired key using this 
> alias if they use the new {{JDBCTokenStateService}} as the token management 
> backend. Please note that key size it's very important for hash-based 
> algorithms so using the {{master secret}} is not an option here.
> The token verification logic has to be changed too (need to hash {{token.id}} 
> before getting expiration from the database).



--
This message was sent by Atlassian Jira
(v8.3.4#803005)