Michael Smith created IMPALA-13687:
--------------------------------------
Summary: Support providing a cookie secret file for validation
Key: IMPALA-13687
URL: https://issues.apache.org/jira/browse/IMPALA-13687
Project: IMPALA
Issue Type: Improvement
Components: Security
Reporter: Michael Smith

Support providing a cookie secret file for cookie HMAC validation rather than
generating it during startup. This allows multiple coordinators - situated
behind a load balancer - to generate cookies that will be trusted by other
coordinators.

This is beneficial when a tool - such as the Simba ODBC driver - caches Cookie
headers for re-use across multiple connections. A single connection/session
will be routed to the same coordinator for all communication, but a later
connection may route to a different coordinator. When it tries to re-use the
cached cookie, that cookie will currently be considered invalid and require the
user to re-authenticate. When using SAML - which requires direct user
interaction - and a tool that initiates many connections - such as Excel with
ODBC integration - this results in constant requests to re-authenticate, making
the workflow unusable.

Modify Impala to accept a {{cookie_secret_file}} parameter. The contents of the
file should be read as a byte array, and used to initialize AuthenticationHash
of both Webserver and SecureAuthProvider classes, so that cookies used for Web
UI interaction and Thrift client connections can be shared across coordinators.

Implement automatic reloading of the file contents with
[inotify|https://man7.org/linux/man-pages/man7/inotify.7.html] in a monitoring
thread.
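The failure mode and the proposed fix, as an added Python illustration that is not Impala code and not part of the original issue: a cookie signed under one coordinator's per-process key is rejected by another, while two coordinators that load the same secret file accept each other's cookies. The cookie layout, HMAC-SHA256, the `Coordinator` class, and `load_secret` with its mode and length checks are assumptions of this sketch.

```python
import base64, hashlib, hmac, os, secrets, tempfile, time
from urllib.parse import parse_qs, urlencode

def load_secret(path, min_bytes=32):
    # Read the file as raw bytes; the mode and length checks are this sketch's choice.
    if os.stat(path).st_mode & 0o077:
        raise PermissionError(f"{path} is accessible by group/other")
    with open(path, "rb") as f:
        key = f.read()
    if len(key) < min_bytes:
        raise ValueError("cookie secret is too short")
    return key

class Coordinator:
    """Toy stand-in for one coordinator's cookie signer and verifier."""
    def __init__(self, secret_file=None):
        # No file: per-process random key, the startup behaviour the issue describes.
        self.key = load_secret(secret_file) if secret_file else secrets.token_bytes(32)

    def _mac(self, payload):
        return hmac.new(self.key, payload.encode(), hashlib.sha256).digest()

    def issue(self, user, now=None):
        ts = int(time.time() if now is None else now)
        payload = urlencode({"u": user, "t": ts})
        return base64.urlsafe_b64encode(self._mac(payload)).decode() + "&" + payload

    def verify(self, cookie, max_age=3600, now=None):
        """Return the user name for a valid, unexpired cookie, else None."""
        sig_b64, _, payload = cookie.partition("&")
        try:
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._mac(payload)):  # constant-time compare
            return None
        fields = parse_qs(payload, keep_blank_values=True)  # parsed only after MAC check
        age = (time.time() if now is None else now) - int(fields["t"][0])
        return fields["u"][0] if age <= max_age else None

def demo():
    """Return (result with per-process keys, result with a shared secret file)."""
    fd, path = tempfile.mkstemp()  # constructed secret file, created with mode 0600
    try:
        os.write(fd, secrets.token_bytes(32))
        os.close(fd)
        isolated = Coordinator().verify(Coordinator().issue("alice"))
        shared = Coordinator(path).verify(Coordinator(path).issue("alice"))
        return isolated, shared
    finally:
        os.unlink(path)
```

Because every coordinator now trusts the same key, the file needs the same protection as any other signing key, and a reload after rotation invalidates cookies issued under the old contents.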