hsnusonic commented on code in PR #3473:
URL: https://github.com/apache/hive/pull/3473#discussion_r929902912
##########
service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java:
##########
@@ -52,12 +62,42 @@ public URLBasedJWKSProvider(HiveConf conf) throws
IOException, ParseException {
* Fetches the JWKS and stores into memory. The JWKS are expected to be in
the standard form as defined here -
* https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.
*/
- private void loadJWKSets() throws IOException, ParseException {
+ private void loadJWKSets() throws IOException, ParseException,
GeneralSecurityException {
String jwksURL = HiveConf.getVar(conf,
HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL);
+ if (jwksURL == null || jwksURL.isEmpty()) {
+ throw new IOException("Invalid value of property: " +
+ HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL.varname);
+ }
String[] jwksURLs = jwksURL.split(",");
for (String urlString : jwksURLs) {
- URL url = new URL(urlString);
- jwkSets.add(JWKSet.load(url));
+ SSLContext context = null;
+ if (HiveConf.getBoolVar(conf,
HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT, false)) {
+ context = SSLContext.getInstance("TLS");
+ X509TrustManager trustAllManager = new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String
authType)
+ throws CertificateException {
+ }
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String
authType)
+ throws CertificateException {
+ }
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+ };
+ context.init(null, new X509TrustManager[]{trustAllManager}, new
SecureRandom());
+ }
+ HttpGet get = new HttpGet(urlString);
+ try (CloseableHttpClient httpClient = (context == null) ?
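Review bot: The `trustAllManager` built when `HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT` is set accepts any server certificate, and it does so on the request that fetches the keys used to verify JWT signatures, so with the flag on, a party able to intercept that connection can supply its own JWKS and have its tokens accepted. Nothing in the visible lines records that validation was turned off; I would log at WARN when this branch is taken and add a comment above the block such as `// Disables certificate validation for the JWKS fetch; test setups only. Prefer a truststore that contains the JWKS endpoint's CA.` The context does not depend on `urlString`, so it can also be built once before the `for` loop rather than once per URL. `loadJWKSets` continues past the quoted lines, so how `context` reaches the HTTP client and whether hostname verification is kept cannot be seen from here.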
Review Comment:
Thanks for the suggestion!