[ https://issues.apache.org/jira/browse/IMPALA-13687?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18050422#comment-18050422 ]

ASF subversion and git services commented on IMPALA-13687:
----------------------------------------------------------

Commit 5164a8c4196bc6bb3372706acf3658507ce0d5c9 in impala's branch 
refs/heads/master from Michael Smith
[ https://gitbox.apache.org/repos/asf?p=impala.git;h=5164a8c41 ]

IMPALA-13687: Support shared secret key for cookies

Adds support for a shared secret key across coordinators for cookie
validation. The key is used with Thrift servers using HTTPS to support
sharing the same cookie across sessions with different coordinators.
It's also used when authentication is enabled on the web UI. The key
path is configured with '--cookie_secret_file=<path>'.

Adds an inotify watcher on the cookie secret key to reload when it's
updated. Inotify failures during startup will cause Impala to exit with
an error. Inotify errors at runtime are fatal and will cause Impala to
exit. Failures reloading the key will be logged as errors for
hash_reload_grace_period_s (default=300) seconds, after which they will
become fatal and cause Impala to exit.

Testing:
- Adds new LdapHS2Test, LdapWebserverTest, and LdapImpalaShellTest
  cases for shared cookie.
- Adds AuthenticationHash and AuthenticationHashFromFile unit tests.
- Drops webserver test for new HMAC because the hash in AuthManager is
  now re-used. HMAC re-use is better tested in new cases.

Generated-by: Github Copilot (GPT-4.1)
Change-Id: Ie2e2345f771608069407e9dcf7ed4697fc0214e7
Reviewed-on: http://gerrit.cloudera.org:8080/22462
Reviewed-by: Joe McDonnell <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>


> Support providing a cookie secret file for validation
> -----------------------------------------------------
>
>                 Key: IMPALA-13687
>                 URL: https://issues.apache.org/jira/browse/IMPALA-13687
>             Project: IMPALA
>          Issue Type: Improvement
>          Components: Security
>            Reporter: Michael Smith
>            Assignee: Michael Smith
>            Priority: Major
>
> Support providing a cookie secret file for cookie HMAC validation rather than 
> generating it during startup. This allows multiple coordinators - situated 
> behind a load balancer - to generate cookies that will be trusted by other 
> coordinators.
> This is beneficial when a tool - such as the Simba ODBC driver - caches 
> Cookie headers for re-use across multiple connections. A single 
> connection/session will be routed to the same coordinator for all 
> communication, but a later connection may route to a different coordinator. 
> When it tries to re-use the cached cookie, that cookie will currently be 
> considered invalid and require the user to re-authenticate. When using SAML - 
> which requires direct user interaction - and a tool that initiates many 
> connections - such as Excel with ODBC integration - this results in constant 
> requests to re-authenticate, making the workflow unusable.
> Modify Impala to accept a {{cookie_secret_file}} parameter. The contents of 
> the file should be read as a byte array, and used to initialize 
> AuthenticationHash of both Webserver and SecureAuthProvider classes, so that 
> cookies used for Web UI interaction and Thrift client connections can be 
> shared across coordinators.
> Implement automatic reloading of the file contents with 
> [inotify|https://man7.org/linux/man-pages/man7/inotify.7.html] in a 
> monitoring thread.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
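
An added sketch (not Impala's code and not part of the commit) of the behaviour the message above describes: coordinators that read the same secret file accept each other's HMAC-signed cookies, a coordinator with a startup-generated key does not, and reload failures turn fatal only after the grace period. The `Coordinator` class, the cookie layout, the choice of HMAC-SHA256 and the `reload(now)` hook standing in for the inotify watcher are assumptions made for illustration.

```python
# Added illustration, not Impala's code: cookie layout and names are assumptions.
import hashlib, hmac, os, time

class Coordinator:
    def __init__(self, secret_file=None, grace_period_s=300):
        self.secret_file, self.grace_period_s = secret_file, grace_period_s
        self.first_failure = None
        # No secret file: per-process random key. With one, a read error aborts startup.
        self.key = self._read_key() if secret_file else os.urandom(32)

    def _read_key(self):
        with open(self.secret_file, "rb") as f:
            key = f.read()  # file contents are used as raw bytes
        if not key:
            raise ValueError("empty cookie secret file")
        return key

    def reload(self, now):
        """Run when the file watcher fires. Returns 'ok', 'error' or 'fatal'."""
        try:
            self.key, self.first_failure = self._read_key(), None
            return "ok"
        except (OSError, ValueError):
            if self.first_failure is None:
                self.first_failure = now
            # The old key stays in use; failures turn fatal after the grace period.
            expired = now - self.first_failure >= self.grace_period_s
            return "fatal" if expired else "error"

    def _tag(self, payload):
        return hmac.new(self.key, payload, hashlib.sha256).hexdigest()

    def issue(self, user):
        payload = f"u={user}&t={int(time.time())}".encode()
        return payload.hex() + "." + self._tag(payload)

    def verify(self, cookie):
        payload_hex, _, tag = cookie.partition(".")
        try:
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False
        # Constant-time comparison of the recomputed tag with the presented one.
        return hmac.compare_digest(self._tag(payload).encode(), tag.encode())

def demo(tmpdir):
    path = os.path.join(tmpdir, "cookie_secret")  # constructed sample secret
    with open(path, "wb") as f:
        f.write(os.urandom(32))
    a, b, lone = Coordinator(path), Coordinator(path), Coordinator()
    cookie = a.issue("alice")
    return b.verify(cookie), lone.verify(cookie)
```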