[ https://issues.apache.org/jira/browse/HBASE-26553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17797184#comment-17797184 ]
ramkrishna.s.vasudevan commented on HBASE-26553:
------------------------------------------------

[~andor] - Any idea when this feature is going to land?

> OAuth Bearer authentication mech plugin for SASL
> ------------------------------------------------
>
> Key: HBASE-26553
> URL: https://issues.apache.org/jira/browse/HBASE-26553
> Project: HBase
> Issue Type: New Feature
> Components: security
> Reporter: Andor Molnar
> Assignee: Andor Molnar
> Priority: Major
> Fix For: HBASE-26553
>
>
> Implementation of a new SASL plugin to add support for OAuth Bearer token authentication for HBase client RPC.
> * The plugin supports secured (cryptographically signed) JSON Web Token authentication as defined in [RFC-7628|https://datatracker.ietf.org/doc/html/rfc7628] and the JWT format in [RFC-7519|https://datatracker.ietf.org/doc/html/rfc7519].
> * The implementation is inspired by [Apache Kafka's OAuth Bearer token|https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_oauth.html] support, with the important difference that the HBase version is intended for production usage. The two main differences are that Kafka supports unsecured tokens only and it issues the tokens for itself, which breaks the principle of OAuth token authentication.
> * We use the [Nimbus JOSE + JWT|https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/] Java library for signature verification and token processing, and we add it as a new dependency to HBase.
> * We add secure JWT support and verification of digital signatures with multiple algorithms as supported by Nimbus. A JSON-formatted JWK set is required for the signature verification as defined in [RFC-7517|https://datatracker.ietf.org/doc/html/rfc7517].
> * The impl is verified with Apache Knox issued tokens, because that's the primary use case of this new feature.
> * A new client example is added to the hbase-examples project to showcase the feature.
> * It's important that this Jira does not cover the solution for obtaining a token from Knox. The assumption is that the client already has a valid token as a base64-encoded string and we only provide a helper method for adding it to the user's credentials.
> * Renewing expired tokens is also the responsibility of the client. We don't provide a mechanism for that in this Jira, but it's planned to be covered in a follow-up ticket.
>
> The following new parameters are introduced in hbase-site.xml:
> * hbase.security.oauth.jwt.jwks.file - Path of a local file for the JWK set. (required if URL not specified)
> * hbase.security.oauth.jwt.jwks.url - URL to download the JWK set. (required if file not specified)
> * hbase.security.oauth.jwt.audience - Required audience, "aud" claim of the JWT. (optional)
> * hbase.security.oauth.jwt.issuer - Required issuer, "iss" claim of the JWT. (optional)
>
> The feature will be behind a feature flag. No code part is executed unless the following configuration is set in hbase-site.xml:
> {noformat}
> <property>
>   <name>hbase.client.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.server.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.client.sasl.provider.class</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
> </property>
> {noformat}
>
> Example of Knox provided JWKS file:
> {noformat}
> {
>   "keys": [{
>     "kty": "RSA",
>     "e": "<RSA_e>",
>     "use": "sig",
>     "kid": "<key_id>",
>     "alg": "RS256",
>     "n": "<RSA_n>"
>   }]
> }
> {noformat}
>
> Example of Knox issued JWT header:
> {noformat}
> {
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "<key_id>",
>   "alg": "RS256"
> }
> {noformat}
>
> And payload:
> {noformat}
> {
>   "sub": "user_andor",
>   "aud": "knox-proxy-token",
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "<key_id>",
>   "iss": "KNOXSSO",
>   "exp": 1636644029,
>   "managed.token": "true",
>   "knox.id": "<knox_uuid>"
> }
> {noformat}

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
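The check the ticket describes, as an added illustration that is not code from the HBase patch or from Knox: a Java program using the Nimbus JOSE + JWT library (assumed 9.x on the classpath) verifies an RS256-signed token against a JWK set the operator configured and enforces the audience and issuer claims, the way the hbase.security.oauth.jwt.* parameters above intend. The key pair, key id, claim values and class name are constructed stand-ins.

```java
import java.util.*;
import com.nimbusds.jose.*;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.*;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.*;
import com.nimbusds.jwt.*;
import com.nimbusds.jwt.proc.*;

public class JwtJwksCheck {
  // Stand-ins for hbase.security.oauth.jwt.audience / .issuer (values from the ticket's sample payload).
  static final String REQUIRED_AUD = "knox-proxy-token";
  static final String REQUIRED_ISS = "KNOXSSO";

  // Verify a serialized JWT against the JWK set the operator configured (jwks.file / jwks.url).
  // The token's own "jku" header is ignored on purpose: trusted keys never come from the token.
  static JWTClaimsSet verify(String token, JWKSet trustedKeys) throws Exception {
    DefaultJWTProcessor<SecurityContext> proc = new DefaultJWTProcessor<>();
    // Only RS256 keys from the trusted set may verify; the header "kid" selects the candidate key.
    proc.setJWSKeySelector(new JWSVerificationKeySelector<>(
        JWSAlgorithm.RS256, new ImmutableJWKSet<>(trustedKeys)));
    // Required aud, exact-match iss, sub and exp must be present; exp is also checked against the clock.
    proc.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(REQUIRED_AUD,
        new JWTClaimsSet.Builder().issuer(REQUIRED_ISS).build(),
        new HashSet<>(Arrays.asList("sub", "exp"))));
    return proc.process(token, null);
  }

  public static void main(String[] args) throws Exception {
    // Constructed key pair standing in for Knox's signing key; its public half is the JWKS entry.
    RSAKey signingKey = new RSAKeyGenerator(2048).keyID("<key_id>")
        .algorithm(JWSAlgorithm.RS256).keyUse(KeyUse.SIGNATURE).generate();
    JWKSet jwks = new JWKSet(signingKey.toPublicJWK());  // what the configured jwks.file would hold
    JWTClaimsSet claims = new JWTClaimsSet.Builder().subject("user_andor")
        .audience(REQUIRED_AUD).issuer(REQUIRED_ISS)
        .expirationTime(new Date(System.currentTimeMillis() + 60_000)).build();
    JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID("<key_id>").build();
    SignedJWT good = new SignedJWT(header, claims);
    good.sign(new RSASSASigner(signingKey));
    System.out.println("accepted, sub=" + verify(good.serialize(), jwks).getSubject());
    // Same header and claims signed by a key that is NOT in the configured set: must be rejected.
    SignedJWT untrusted = new SignedJWT(header, claims);
    untrusted.sign(new RSASSASigner(new RSAKeyGenerator(2048).keyID("<key_id>").generate()));
    try { verify(untrusted.serialize(), jwks); System.out.println("BUG: untrusted key accepted"); }
    catch (BadJOSEException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```

An expired exp, a wrong aud or iss, or a missing sub is rejected by the same claims verifier, so all four configured checks fail closed before any user identity is handed to the SASL layer.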