[ https://issues.apache.org/jira/browse/HIVE-26425?focusedWorklogId=795121&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-795121 ]
ASF GitHub Bot logged work on HIVE-26425:
-----------------------------------------
Author: ASF GitHub Bot
Created on: 26/Jul/22 04:18
Start Date: 26/Jul/22 04:18
Worklog Time Spent: 10m
Work Description: dengzhhu653 commented on code in PR #3473:
URL: https://github.com/apache/hive/pull/3473#discussion_r929509259
##########
service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java:
##########
@@ -52,12 +62,42 @@ public URLBasedJWKSProvider(HiveConf conf) throws
IOException, ParseException {
* Fetches the JWKS and stores into memory. The JWKS are expected to be in
the standard form as defined here -
* https://datatracker.ietf.org/doc/html/rfc7517#appendix-A.
*/
- private void loadJWKSets() throws IOException, ParseException {
+ private void loadJWKSets() throws IOException, ParseException,
GeneralSecurityException {
String jwksURL = HiveConf.getVar(conf,
HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL);
+ if (jwksURL == null || jwksURL.isEmpty()) {
+ throw new IOException("Invalid value of property: " +
+ HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL.varname);
+ }
String[] jwksURLs = jwksURL.split(",");
for (String urlString : jwksURLs) {
- URL url = new URL(urlString);
- jwkSets.add(JWKSet.load(url));
+ SSLContext context = null;
+ if (HiveConf.getBoolVar(conf,
HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT, false)) {
+ context = SSLContext.getInstance("TLS");
+ X509TrustManager trustAllManager = new X509TrustManager() {
+ @Override
+ public void checkClientTrusted(X509Certificate[] chain, String
authType)
+ throws CertificateException {
+ }
+ @Override
+ public void checkServerTrusted(X509Certificate[] chain, String
authType)
+ throws CertificateException {
+ }
+ @Override
+ public X509Certificate[] getAcceptedIssuers() {
+ return new X509Certificate[0];
+ }
+ };
+ context.init(null, new X509TrustManager[]{trustAllManager}, new
SecureRandom());
+ }
+ HttpGet get = new HttpGet(urlString);
+ try (CloseableHttpClient httpClient = (context == null) ?
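Review bot: the trust-all `X509TrustManager` introduced between `+ X509TrustManager trustAllManager = new X509TrustManager() {` and `+ };` leaves `checkServerTrusted` empty, so whenever `HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT` is set, `loadJWKSets` accepts any certificate on the JWKS download; since that JWKS is the key set every incoming JWT is checked against, anyone able to interpose on that connection could hand HS2 a substitute key set, and the only gate is a single boolean that is easy to leave on outside the test/staging case the issue describes. Because the stated need is just to accept the Let's Encrypt staging CA, a narrower change would be a configurable truststore path (a `TrustManagerFactory` initialised from a keystore holding that root) instead of skipping validation altogether; if the skip flag stays, have this branch log a WARN at startup so a production deployment with it enabled is visible in the HS2 log, and state in the property description that it is for non-production use. The visible part of the hunk only replaces the trust manager; whether hostname verification on the HTTPS connection is also bypassed is not shown here and should be spelled out in the same property description.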
Review Comment:
So the `context` is only used for downloading JWT(?) in test/staging, can we
create `httpClient` by `HttpClients.custom().setSSLContext(context).build()`
regardless of the nullable `context`?
Issue Time Tracking
-------------------
Worklog Id: (was: 795121)
Time Spent: 40m (was: 0.5h)
> Skip SSL cert verification for downloading JWKS in HS2
> ------------------------------------------------------
>
> Key: HIVE-26425
> URL: https://issues.apache.org/jira/browse/HIVE-26425
> Project: Hive
> Issue Type: New Feature
> Reporter: Yu-Wen Lai
> Assignee: Yu-Wen Lai
> Priority: Major
> Labels: pull-request-available
> Time Spent: 40m
> Remaining Estimate: 0h
>
> In a dev/test/staging environment, we would probably use a letsencrypt staging
> certificate for a token generation service. However, its certificate is not
> accepted by the JVM by default. To ease JWT testing in those kinds of
> environments, we can introduce a property to disable the certificate
> verification just for JWKS downloads.
> Ref: https://letsencrypt.org/docs/staging-environment/
--
This message was sent by Atlassian Jira
(v8.20.10#820010)