[ https://issues.apache.org/jira/browse/HIVE-26425?focusedWorklogId=795237&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-795237 ]
ASF GitHub Bot logged work on HIVE-26425: ----------------------------------------- Author: ASF GitHub Bot Created on: 26/Jul/22 12:29 Start Date: 26/Jul/22 12:29 Worklog Time Spent: 10m Work Description: hsnusonic commented on code in PR #3473: URL: https://github.com/apache/hive/pull/3473#discussion_r929902912 ########## service/src/java/org/apache/hive/service/auth/jwt/URLBasedJWKSProvider.java: ########## 
@@ -52,12 +62,42 @@ public URLBasedJWKSProvider(HiveConf conf) throws IOException, ParseException { * Fetches the JWKS and stores into memory. The JWKS are expected to be in the standard form as defined here - * https://datatracker.ietf.org/doc/html/rfc7517#appendix-A. */ - private void loadJWKSets() throws IOException, ParseException { + private void loadJWKSets() throws IOException, ParseException, GeneralSecurityException { String jwksURL = HiveConf.getVar(conf, HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL); + if (jwksURL == null || jwksURL.isEmpty()) { + throw new IOException("Invalid value of property: " + + HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_URL.varname); + } String[] jwksURLs = jwksURL.split(","); for (String urlString : jwksURLs) { - URL url = new URL(urlString); - jwkSets.add(JWKSet.load(url)); + SSLContext context = null; + if (HiveConf.getBoolVar(conf, HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT, false)) { + context = SSLContext.getInstance("TLS"); + X509TrustManager trustAllManager = new X509TrustManager() { + @Override + public void checkClientTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + } + @Override + public void checkServerTrusted(X509Certificate[] chain, String authType) + throws CertificateException { + } + @Override + public X509Certificate[] getAcceptedIssuers() { + return new X509Certificate[0]; + } + }; + context.init(null, new X509TrustManager[]{trustAllManager}, new SecureRandom()); + } + HttpGet get = new HttpGet(urlString); + try (CloseableHttpClient httpClient = (context == null) ? Review Comment: Thanks for the suggestion! 
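Review bot: The trust-all X509TrustManager built when HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT is true removes the only protection the JWKS download has against a substituted key set, and nothing in the new branch records that verification was skipped; because the fetched keys are what every later JWT signature check trusts, the branch should at least emit a WARN each time it is taken, e.g. `LOG.warn("Skipping TLS certificate verification for JWKS URL {} because {} is enabled", urlString, HiveConf.ConfVars.HIVE_SERVER2_AUTHENTICATION_JWT_JWKS_SKIP_SSL_CERT.varname);` (assuming the class has an SLF4J logger; the hunk does not show one). The SSLContext and the anonymous trust manager are also re-created on every iteration of the `for (String urlString : jwksURLs)` loop although neither depends on urlString, so building them once before the loop and reusing the context would be clearer and cheaper. The Javadoc above loadJWKSets still describes only the default path: it should gain `@throws GeneralSecurityException if the TLS context cannot be created` and a sentence stating that certificate verification is disabled for the download when that property is set, so the non-production intent is visible at the call site. The try-with-resources and the remainder of loadJWKSets continue outside the quoted hunk.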
Issue Time Tracking ------------------- Worklog Id: (was: 795237) Time Spent: 1h 10m (was: 1h) > Skip SSL cert verification for downloading JWKS in HS2 > ------------------------------------------------------ > > Key: HIVE-26425 > URL: https://issues.apache.org/jira/browse/HIVE-26425 > Project: Hive > Issue Type: New Feature > Reporter: Yu-Wen Lai > Assignee: Yu-Wen Lai > Priority: Major > Labels: pull-request-available > Time Spent: 1h 10m > Remaining Estimate: 0h > > In a dev/test/staging environment, we would probably use a letsencrypt staging > certificate for a token generation service. However, its certificate is not > accepted by the JVM by default. To ease JWT testing in those kinds of > environments, we can introduce a property to disable the certificate > verification just for JWKS downloads. > Ref: https://letsencrypt.org/docs/staging-environment/ -- This message was sent by Atlassian Jira (v8.20.10#820010)