[
https://issues.apache.org/jira/browse/IMPALA-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Jason Fehr updated IMPALA-14799:
--------------------------------
Description:
# Add the string (DEPRECATED) to all startup flags with a name beginning with
jwks_{*}, jwt_{*}, and oauth_* (except for the oauth_token_auth flag). Log a
warning if any of these deprecated flags are specified.
# Add a new oauth_servers flag that accepts the following json structure as
its value. The json structure is an array of objects so that multiple
authorization servers can be specified. Each object must have the following
structure:
##
||Field Name||Type||Default||Description||
|caCertFilePath|URL| |File path of a pem bundle of root ca certificates that
will be trusted when retrieving the JWKS from the specified JWKS URL.|
|verifyServerCert|bool|true|Specifies if the TLS certificate of the JWKS server
is verified when retrieving the JWKS from the specified JWKS URL. A certificate
is considered valid if a trust chain can be established for it, and if the
certificate has a common name or SAN that matches the server's hostname. This
should only be set to false for development / testing.|
|jwksFilePath|string| |File path of the pre-installed JSON Web Key Set (JWKS)
for JWT verification. Cannot be combined with jwksUrl.|
|jwksUrl|URL| |URL of the JSON Web Key Set (JWKS) for JWT verification. Cannot
be combined with jwksFilePath.|
|jwksPullTimeoutSecs|int|10|(Advanced) The time in seconds for connection timed
out when pulling JWKS from the specified URL.|
|jwksUpdateFrequencySecs|int|4400|(Advanced) The time in seconds to wait
between downloading JWKS from the specified URL.|
|validateTokenSignature|bool|true|Determines if the JWT signature is validated
against the public key. Only set to false in dev/test environments.|
|usernameClaim|string|“username”|Name of the token claim that contains the
username.|
# If any of the now deprecated jwks_* or oauth_* startup flags are specified,
create a new instance of the above object and add it to the list of OAuth
servers. If both the jwksFilePath and jwksUrl parameters are specified, then
ignore the JWKS from the jwksUrl parameter (this is how Impala works today).
Note: the ignoring of the jwksUrl parameter must only take place when handling
legacy flags. When using the new oauth_servers flag, specifying both the jwks
file and url is an error.
# The oauth_token_auth flag must be set to true for OAuth to be enabled.
# Sample JSON structure:
##
{code:json}
[
{
"caCertFilePath": "/opt/ca-custom/ca.pem",
"verifyServerCert": true,
"jwksUrl": "https://example.com/jwks.json",
"jwksPullTimeoutSecs": 10,
"jwksUpdateFrequencySecs": 14400,
"usernameClaim": "username"
},
{
"jwksUrl": "https://example.com/jwks.json"
},
{
"jwksFilePath": "/opt/auth-servers/jwks.json"
}
]
{code}
was:
# Add the string (DEPRECATED) to all startup flags with a name beginning with
jwks_{*}, jwt_{*}, and oauth_* (except for the oauth_token_auth flag). Log a
warning if any of these deprecated flags are specified.
# Add a new oauth_servers flag that accepts the following json structure as
its value. The json structure is an array of objects so that multiple
authorization servers can be specified. Each object must have the following
structure:
##
||Field Name||Type||Default||Description||
|caCertFilePath|URL| |File path of a pem bundle of root ca certificates that
will be trusted when retrieving the JWKS from the specified JWKS URL.|
|verifyServerCert|bool|true|Specifies if the TLS certificate of the JWKS server
is verified when retrieving the JWKS from the specified JWKS URL. A certificate
is considered valid if a trust chain can be established for it, and if the
certificate has a common name or SAN that matches the server's hostname. This
should only be set to false for development / testing.|
|jwksFilePath|string| |File path of the pre-installed JSON Web Key Set (JWKS)
for JWT verification. Cannot be combined with jwksUrl.|
|jwksUrl|URL| |URL of the JSON Web Key Set (JWKS) for JWT verification. Cannot
be combined with jwksFilePath.|
|jwksPullTimeoutSecs|int|10|(Advanced) The time in seconds for connection timed
out when pulling JWKS from the specified URL.|
|jwksUpdateFrequencySecs|int|4400|(Advanced) The time in seconds to wait
between downloading JWKS from the specified URL.|
| | | | |
|usernameClaim|string|“username”|Name of the token claim that contains the
username.|
# If any of the now deprecated jwks_* or oauth_* startup flags are specified,
create a new instance of the above object and add it to the list of OAuth
servers. If both the jwksFilePath and jwksUrl parameters are specified, then
ignore the JWKS from the jwksUrl parameter (this is how Impala works today).
Note: the ignoring of the jwksUrl parameter must only take place when handling
legacy flags. When using the new oauth_servers flag, specifying both the jwks
file and url is an error.
# The oauth_token_auth flag must be set to true for OAuth to be enabled.
# Sample JSON structure:
##
{code:json}
[
{
"caCertFilePath": "/opt/ca-custom/ca.pem",
"verifyServerCert": true,
"jwksUrl": "https://example.com/jwks.json",
"jwksPullTimeoutSecs": 10,
"jwksUpdateFrequencySecs": 14400,
"usernameClaim": "username"
},
{
"jwksUrl": "https://example.com/jwks.json"
},
{
"jwksFilePath": "/opt/auth-servers/jwks.json"
}
]
{code}
> Support Multiple Token Identity Providers
> -----------------------------------------
>
> Key: IMPALA-14799
> URL: https://issues.apache.org/jira/browse/IMPALA-14799
> Project: IMPALA
> Issue Type: New Feature
> Affects Versions: Impala 5.0.0
> Reporter: Jason Fehr
> Assignee: Anubhav Jindal
> Priority: Critical
> Labels: backend, impala, security
>
> # Add the string (DEPRECATED) to all startup flags with a name beginning with
> jwks_{*}, jwt_{*}, and oauth_* (except for the oauth_token_auth flag). Log a
> warning if any of these deprecated flags are specified.
> # Add a new oauth_servers flag that accepts the following json structure as
> its value. The json structure is an array of objects so that multiple
> authorization servers can be specified. Each object must have the following
> structure:
> ##
> ||Field Name||Type||Default||Description||
> |caCertFilePath|URL| |File path of a pem bundle of root ca certificates that
> will be trusted when retrieving the JWKS from the specified JWKS URL.|
> |verifyServerCert|bool|true|Specifies if the TLS certificate of the JWKS
> server is verified when retrieving the JWKS from the specified JWKS URL. A
> certificate is considered valid if a trust chain can be established for it,
> and if the certificate has a common name or SAN that matches the server's
> hostname. This should only be set to false for development / testing.|
> |jwksFilePath|string| |File path of the pre-installed JSON Web Key Set (JWKS)
> for JWT verification. Cannot be combined with jwksUrl.|
> |jwksUrl|URL| |URL of the JSON Web Key Set (JWKS) for JWT verification.
> Cannot be combined with jwksFilePath.|
> |jwksPullTimeoutSecs|int|10|(Advanced) The time in seconds for connection
> timed out when pulling JWKS from the specified URL.|
> |jwksUpdateFrequencySecs|int|4400|(Advanced) The time in seconds to wait
> between downloading JWKS from the specified URL.|
> |validateTokenSignature|bool|true|Determines if the JWT signature is
> validated against the public key. Only set to false in dev/test environments.|
> |usernameClaim|string|“username”|Name of the token claim that contains the
> username.|
> # If any of the now deprecated jwks_* or oauth_* startup flags are
> specified, create a new instance of the above object and add it to the list
> of OAuth servers. If both the jwksFilePath and jwksUrl parameters are
> specified, then ignore the JWKS from the jwksUrl parameter (this is how
> Impala works today). Note: the ignoring of the jwksUrl parameter must only
> take place when handling legacy flags. When using the new oauth_servers
> flag, specifying both the jwks file and url is an error.
> # The oauth_token_auth flag must be set to true for OAuth to be enabled.
> # Sample JSON structure:
> ##
> {code:json}
> [
> {
> "caCertFilePath": "/opt/ca-custom/ca.pem",
> "verifyServerCert": true,
> "jwksUrl": "https://example.com/jwks.json",
> "jwksPullTimeoutSecs": 10,
> "jwksUpdateFrequencySecs": 14400,
> "usernameClaim": "username"
> },
> {
> "jwksUrl": "https://example.com/jwks.json"
> },
> {
> "jwksFilePath": "/opt/auth-servers/jwks.json"
> }
> ]
> {code}
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]