[jira] [Work logged] (HIVE-26071) JWT authentication for Thrift over HTTP in HiveMetaStore

Fri, 29 Apr 2022 10:19:07 -0700 


     [ 
https://issues.apache.org/jira/browse/HIVE-26071?focusedWorklogId=764374&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-764374
 ]

ASF GitHub Bot logged work on HIVE-26071:
-----------------------------------------

                Author: ASF GitHub Bot
            Created on: 29/Apr/22 17:18
            Start Date: 29/Apr/22 17:18
    Worklog Time Spent: 10m 
      Work Description: hsnusonic commented on code in PR #3233:
URL: https://github.com/apache/hive/pull/3233#discussion_r861974843


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java:
##########
@@ -605,27 +608,44 @@ private THttpClient createHttpClient(URI store, boolean 
useSSL) throws MetaExcep
     String path = MetaStoreUtils.getHttpPath(MetastoreConf.getVar(conf, 
ConfVars.THRIFT_HTTP_PATH));
     String httpUrl = (useSSL ? "https://"; : "http://";) + store.getHost() + ":" 
+ store.getPort() + path;
 
-    String user = MetastoreConf.getVar(conf, 
ConfVars.METASTORE_CLIENT_PLAIN_USERNAME);
-    if (user == null || user.equals("")) {
-      try {
-        LOG.debug("No username passed in config " + 
ConfVars.METASTORE_CLIENT_PLAIN_USERNAME.getHiveName() +
-            ". Trying to get the current user from UGI" );
-        user = UserGroupInformation.getCurrentUser().getShortUserName();
-      } catch (IOException e) {
-        throw new MetaException("Failed to get client username from UGI");
+    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
+    String authType = MetastoreConf.getAsString(conf, 
ConfVars.METASTORE_CLIENT_AUTH_MODE).toLowerCase(
+        Locale.ROOT);
+    String user = null;

Review Comment:
   nit: do we need to declare `user` here?



##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java:
##########
@@ -605,27 +608,44 @@ private THttpClient createHttpClient(URI store, boolean 
useSSL) throws MetaExcep
     String path = MetaStoreUtils.getHttpPath(MetastoreConf.getVar(conf, 
ConfVars.THRIFT_HTTP_PATH));
     String httpUrl = (useSSL ? "https://"; : "http://";) + store.getHost() + ":" 
+ store.getPort() + path;
 
-    String user = MetastoreConf.getVar(conf, 
ConfVars.METASTORE_CLIENT_PLAIN_USERNAME);
-    if (user == null || user.equals("")) {
-      try {
-        LOG.debug("No username passed in config " + 
ConfVars.METASTORE_CLIENT_PLAIN_USERNAME.getHiveName() +
-            ". Trying to get the current user from UGI" );
-        user = UserGroupInformation.getCurrentUser().getShortUserName();
-      } catch (IOException e) {
-        throw new MetaException("Failed to get client username from UGI");
+    HttpClientBuilder httpClientBuilder = HttpClientBuilder.create();
+    String authType = MetastoreConf.getAsString(conf, 
ConfVars.METASTORE_CLIENT_AUTH_MODE).toLowerCase(

Review Comment:
   Why we need `getAsString` instead of `getVar`?



##########
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/auth/jwt/JWTValidator.java:
##########
@@ -0,0 +1,112 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.hadoop.hive.metastore.auth.jwt;
+
+import com.google.common.base.Preconditions;
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSHeader;
+import com.nimbusds.jose.JWSObject;
+import com.nimbusds.jose.JWSVerifier;
+import com.nimbusds.jose.crypto.factories.DefaultJWSVerifierFactory;
+import com.nimbusds.jose.jwk.AsymmetricJWK;
+import com.nimbusds.jose.jwk.JWK;
+import com.nimbusds.jwt.JWTClaimsSet;
+import com.nimbusds.jwt.SignedJWT;
+import org.apache.hadoop.conf.Configuration;
+import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.security.sasl.AuthenticationException;
+import java.io.IOException;
+import java.security.Key;
+import java.text.ParseException;
+import java.util.Date;
+import java.util.List;
+
+/**
+ * This class is used to validate JWT. JWKS is fetched during instantiation 
and kept in the memory.
+ * We disallow JWT signature verification with symmetric key, because that 
means anyone can get the same key
+ * and use it to sign a JWT.
+ */
+public class JWTValidator {

Review Comment:
   Is it possible to have an unified class `JWTValidator`? If that needs too 
much effort, can we at least add TODO or create a Jira to track it?



##########
standalone-metastore/metastore-server/pom.xml:
##########
@@ -311,6 +311,22 @@
       <artifactId>curator-test</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>9.20</version>

Review Comment:
   We now use this in two packages, can we define the version in root pom's  
`<dependencyManagement>`?



##########
standalone-metastore/metastore-server/pom.xml:
##########
@@ -311,6 +311,22 @@
       <artifactId>curator-test</artifactId>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>com.nimbusds</groupId>
+      <artifactId>nimbus-jose-jwt</artifactId>
+      <version>9.20</version>
+    </dependency>
+    <dependency>
+      <groupId>org.pac4j</groupId>
+      <artifactId>pac4j-core</artifactId>
+      <version>4.5.5</version>
+    </dependency>
+    <dependency>
+      <groupId>com.github.tomakehurst</groupId>
+      <artifactId>wiremock-jre8-standalone</artifactId>
+      <version>2.32.0</version>

Review Comment:
   Same as nimbus-jose-jwt, can we define the version in root pom?





Issue Time Tracking
-------------------

    Worklog Id:     (was: 764374)
    Time Spent: 2h  (was: 1h 50m)

> JWT authentication for Thrift over HTTP in HiveMetaStore
> --------------------------------------------------------
>
>                 Key: HIVE-26071
>                 URL: https://issues.apache.org/jira/browse/HIVE-26071
>             Project: Hive
>          Issue Type: New Feature
>          Components: Standalone Metastore
>            Reporter: Sourabh Goyal
>            Assignee: Sourabh Goyal
>            Priority: Major
>              Labels: pull-request-available
>          Time Spent: 2h
>  Remaining Estimate: 0h
>
> HIVE-25575 recently added a support for JWT authentication in HS2. This Jira 
> aims to add the same feature in HMS



--
This message was sent by Atlassian Jira
(v8.20.7#820007)

Reply via email to