[
https://issues.apache.org/jira/browse/IMPALA-13687?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Michael Smith resolved IMPALA-13687.
------------------------------------
Fix Version/s: Impala 5.0.0
Resolution: Fixed
> Support providing a cookie secret file for validation
> -----------------------------------------------------
>
> Key: IMPALA-13687
> URL: https://issues.apache.org/jira/browse/IMPALA-13687
> Project: IMPALA
> Issue Type: Improvement
> Components: Security
> Reporter: Michael Smith
> Assignee: Michael Smith
> Priority: Major
> Fix For: Impala 5.0.0
>
>
> Support providing a cookie secret file for cookie HMAC validation rather than
> generating it during startup. This allows multiple coordinators - situated
> behind a load balancer - to generate cookies that will be trusted by other
> coordinators.
> This is beneficial when a tool - such as the Simba ODBC driver - caches
> Cookie headers for re-use across multiple connections. A single
> connection/session will be routed to the same coordinator for all
> communication, but a later connection may route to a different coordinator.
> When it tries to re-use the cached cookie, that cookie will currently be
> considered invalid and require the user to re-authenticate. When using SAML -
> which requires direct user interaction - and a tool that initiates many
> connections - such as Excel with ODBC integration - this results in constant
> requests to re-authenticate, making the workflow unusable.
> Modify Impala to accept a {{cookie_secret_file}} parameter. The contents of
> the file should be read as a byte array, and used to initialize
> AuthenticationHash of both Webserver and SecureAuthProvider classes, so that
> cookies used for Web UI interaction and Thrift client connections can be
> shared across coordinators.
> Implement automatic reloading of the file contents with
> [inotify|https://man7.org/linux/man-pages/man7/inotify.7.html] in a
> monitoring thread.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
