[ 
https://issues.apache.org/jira/browse/RANGER-5528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Abhishek Kumar updated RANGER-5528:
-----------------------------------
    Issue Type: Improvement  (was: Bug)

> Improvements in Ranger Admin JWT Module
> ---------------------------------------
>
>                 Key: RANGER-5528
>                 URL: https://issues.apache.org/jira/browse/RANGER-5528
>             Project: Ranger
>          Issue Type: Improvement
>          Components: ranger-authn
>    Affects Versions: 2.8.0
>            Reporter: Abhishek Kumar
>            Priority: Major
>
> Here are a few areas where the JWT processing in Ranger Admin
> ({{ranger-authn}} module) can be improved:
>  * For every incoming request, while performing signature validation, a new
> JWT processor is created ({{new DefaultJWTProcessor<>()}} in
> {{RangerDefaultJwtAuthHandler.java}}); it should be avoided. This can
> potentially cause memory issues when Ranger Admin is deployed with JWT as the
> authentication mechanism.
>  * Signature verification logic is split and duplicated:
> {{jwtToken.verify(verifier);}} in {{RangerJwtAuthHandler.java}} is redundant
> (should be avoided); {{jwtProcessor.process(jwtToken, null);}} is sufficient.
>  * Audience validation is already provided by the default Nimbus
> implementation. {{protected boolean validateAudiences(final SignedJWT
> jwtToken)}} in {{RangerJwtAuthHandler.java}} is redundant; it should be
> avoided.
>  * {{protected boolean validateExpiration(final SignedJWT jwtToken)}} in
> {{RangerJwtAuthHandler.java}} should be avoided; this should happen via
> {{new DefaultJWTClaimsVerifier<>(new JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
> new HashSet<>(Arrays.asList("sub", "exp", "iat")));}}
>  * Currently, there are no checks in {{doAs}}; it should be revisited.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)