[ https://issues.apache.org/jira/browse/IMPALA-14066?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17979251#comment-17979251 ]
ASF subversion and git services commented on IMPALA-14066:
----------------------------------------------------------

Commit 40a72e05d7cf011a6525a69d2b52d19aa5c6477f in impala's branch refs/heads/master from jasonmfehr
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=40a72e05d ]

IMPALA-14066 (Part 4): Re-applying IMPALA-11922 Verify JWKS URL server TLS certificate by default after Kudu rebase

This commit re-applies IMPALA-11922 to the Kudu files after the Kudu rebase to v1.17.1. The original commit message is below:

**** BREAKING CHANGE ****
If using JWT authentication to the Impala engine and the JWKS is retrieved from a URL, Impala now verifies the server's TLS certificate. Before, Impala did not verify the trust chain nor did it verify the CN/SAN.

JWT Auth has an option to specify the location of the JSON Web Key Set (JWKS) using a URL. If that URL is accessed over HTTPS, the TLS certificate presented by the server is not verified.

This means that Impala only requires the server to return a TLS certificate, whether or not Impala trusts the signing certificate chain.

The implication of this setup is that a fully secure chain of trust cannot be established throughout the entire JWT authentication lifecycle and thus creates an attack vector where a bad actor could trick Impala into trusting an actor-controlled JWKS. The bad actor can then generate a JWT with any claims they choose and Impala will accept it.

This change introduces:
1. verification of JWKS server TLS certificate by default
2. jwks_verify_server_certificate Impala startup flag
3. jwks_ca_certificate Impala startup flag

1. While previously, the JWKS URL was always called without verifying its TLS certificate, the default is now to verify that cert. Thus, any cases where the JWKS was retrieved from an untrusted URL will now cause Impala to fail to start.

2. The new flag jwks_verify_server_certificate controls whether or not Impala verifies the TLS certificate presented by the JWKS server. It defaults to "false" meaning that the certificate will be verified. Setting this value to "false" will restore the previous behavior where untrusted TLS certificates are accepted.

3. The new flag jwks_ca_certificate enables specifying a PEM certificate bundle that contains certificates to trust when calling to the JWKS URL.

Testing was achieved in the front-end Java custom cluster tests. An existing test was modified and three new tests were created. The following test cases are covered:

1. Insecurely retrieve a JWKS from a server with an untrusted TLS certificate. This test case is expected to pass.

2. Securely retrieve a JWKS from a server with an untrusted TLS certificate. This test case is expected to fail. The Impala coordinator logs are checked to ensure the cause was an untrusted certificate presented by the JWKS server.

3. Retrieve a JWKS from a server where the root CA is trusted, but the cert contains the wrong CN. This test is expected to fail. The Impala logs are checked to ensure the cause was a certificate with an incorrect CN.

4. Securely retrieve a JWKS from a server with a trusted TLS certificate. This test case is expected to pass.

Change-Id: Ia7a648da9d65cc50caeedda75ca8b98912db4ae0
Reviewed-on: http://gerrit.cloudera.org:8080/19503
Reviewed-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Reviewed-on: http://gerrit.cloudera.org:8080/22970
Reviewed-by: Daniel Becker <daniel.bec...@cloudera.com>
Tested-by: Daniel Becker <daniel.bec...@cloudera.com>

> Rebase the Kudu code in Impala to 1.17.1
> ----------------------------------------
>
>                 Key: IMPALA-14066
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14066
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Backend, Toolchain
>            Reporter: Daniel Becker
>            Assignee: Daniel Becker
>            Priority: Major
>
> Rebase the Kudu code that is copied into Impala to version 1.17.1.
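The verification modes described in the commit message above, sketched as a client-side TLS context in Python. This is an added example, not Impala or Kudu code (which is C++); the function and parameter names only mirror the two flags and are hypothetical, and the numeric verify codes are OpenSSL's.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Optional

# OpenSSL X509 verify codes (values from x509_vfy.h).
HOSTNAME_MISMATCH = 62               # chain trusted, CN/SAN does not match the URL host
UNTRUSTED_CHAIN = {18, 19, 20, 21}   # self-signed, issuer not found, leaf unverifiable


def build_jwks_tls_context(verify_server_certificate: bool = True,
                           ca_certificate: Optional[str] = None) -> ssl.SSLContext:
    """Map the two settings onto a TLS client context (hypothetical helper)."""
    if not verify_server_certificate:
        # Previous behaviour: any certificate is accepted and the name is not checked.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # cafile=None uses the system trust store; a path trusts only that PEM bundle.
    return ssl.create_default_context(cafile=ca_certificate)


def classify_verify_code(code: int) -> str:
    """Separate the two failure causes the commit's tests look for in the logs."""
    if code == HOSTNAME_MISMATCH:
        return "hostname_mismatch"
    if code in UNTRUSTED_CHAIN:
        return "untrusted_chain"
    return "other_verification_failure"


def fetch_jwks(url: str, ctx: ssl.SSLContext) -> dict:
    """Fetch a JWKS over HTTPS, failing closed with a classified reason."""
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
            jwks = json.load(resp)
    except urllib.error.URLError as exc:
        reason = exc.reason
        if isinstance(reason, ssl.SSLCertVerificationError):
            kind = classify_verify_code(reason.verify_code)
            raise RuntimeError(f"JWKS fetch refused ({kind}): {reason.verify_message}") from exc
        raise
    if not isinstance(jwks, dict) or not isinstance(jwks.get("keys"), list):
        raise ValueError("response is not a JWKS: missing 'keys' array")
    return jwks
```

Call `fetch_jwks(url, build_jwks_tls_context(ca_certificate=path))` against a test server to reproduce the four cases listed in the commit message.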