Hello Impala Public Jenkins,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/22970
to review the following change.
Change subject: IMPALA-14066 (Part 3): Re-applying IMPALA-11922 Verify JWKS URL
server TLS certificate by default after Kudu rebase
......................................................................
IMPALA-14066 (Part 3): Re-applying IMPALA-11922 Verify JWKS URL server TLS
certificate by default after Kudu rebase
This commit re-applies IMPALA-11922 to the Kudu files after the Kudu
rebase to v1.17.1. The original commit message is below:

**** BREAKING CHANGE ****
If using JWT authentication to the Impala engine and the
JWKS is retrieved from a URL, Impala now verifies the
server's TLS certificate. Before, Impala did not verify
the trust chain nor did it verify the CN/SAN.

JWT Auth has an option to specify the location of the
JSON Web Key Set (JWKS) using a URL. If that URL is
accessed over HTTPS, the TLS certificate presented by the
server is not verified.

This means that Impala only requires the server to return
a TLS certificate, whether or not Impala trusts the signing
certificate chain.

The implication of this setup is that a fully secure chain
of trust cannot be established throughout the entire JWT
authentication lifecycle and thus creates an attack vector
where a bad actor could trick Impala into trusting an
actor-controlled JWKS. The bad actor can then generate
a JWT with any claims they choose and Impala will accept it.

This change introduces:
  1. verification of JWKS server TLS certificate by default
  2. jwks_verify_server_certificate Impala startup flag
  3. jwks_ca_certificate Impala startup flag

1. While previously the JWKS URL was always called without
   verifying its TLS certificate, the default is now to
   verify that cert. Thus, any cases where the JWKS was
   retrieved from an untrusted URL will now cause Impala
   to fail to start.
2. The new flag jwks_verify_server_certificate controls
   whether or not Impala verifies the TLS certificate
   presented by the JWKS server. It defaults to "false"
   meaning that the certificate will be verified. Setting
   this value to "false" will restore the previous behavior
   where untrusted TLS certificates are accepted.
3. The new flag jwks_ca_certificate enables specifying
   a PEM certificate bundle that contains certificates
   to trust when calling to the JWKS URL.

Testing was achieved in the front-end Java custom cluster
tests. An existing test was modified and three new tests
were created. The following test cases are covered:
  1. Insecurely retrieve a JWKS from a server with an
     untrusted TLS certificate. This test case is expected
     to pass.
  2. Securely retrieve a JWKS from a server with an
     untrusted TLS certificate. This test case is expected
     to fail. The Impala coordinator logs are checked to
     ensure the cause was an untrusted certificate
     presented by the JWKS server.
  3. Retrieve a JWKS from a server where the root CA is
     trusted, but the cert contains the wrong CN. This
     test is expected to fail. The Impala logs are checked
     to ensure the cause was a certificate with an
     incorrect CN.
  4. Securely retrieve a JWKS from a server with a trusted
     TLS certificate. This test case is expected to pass.

Change-Id: Ia7a648da9d65cc50caeedda75ca8b98912db4ae0
Reviewed-on: http://gerrit.cloudera.org:8080/19503
Reviewed-by: Impala Public Jenkins <[email protected]>
Tested-by: Impala Public Jenkins <[email protected]>
---
M be/src/kudu/util/curl_util.cc
M be/src/kudu/util/curl_util.h
2 files changed, 31 insertions(+), 8 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/70/22970/2
--
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ia7a648da9d65cc50caeedda75ca8b98912db4ae0
Gerrit-Change-Number: 22970
Gerrit-PatchSet: 2
Gerrit-Owner: Daniel Becker <[email protected]>
Gerrit-Reviewer: Csaba Ringhofer <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
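
Added example, not part of the original message and not Impala or Kudu code: a Python sketch of how the two flags named in the commit message change a JWKS fetch, with verification on by default as the change subject states. The function names are hypothetical, and treating the CA bundle as replacing the system trust store is an assumption.

```python
import json
import ssl
import urllib.request


def build_jwks_tls_context(verify_server_certificate=True, ca_certificate=None):
    """Build the TLS context for fetching a JWKS over HTTPS.

    The parameter names mirror the two startup flags in the commit message;
    the function itself is hypothetical.
    """
    if verify_server_certificate:
        # CERT_REQUIRED plus hostname (CN/SAN) matching. With cafile=None the
        # system trust store is used; with a PEM bundle only that bundle is
        # trusted (assumption about how the flag behaves).
        return ssl.create_default_context(cafile=ca_certificate)
    # Behaviour before the change: any certificate is accepted, so whoever
    # answers the connection decides which signing keys are trusted.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # must be cleared before setting CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def parse_jwks(body):
    """Return the key list of a JWKS document, rejecting malformed input."""
    doc = json.loads(body)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS document has no 'keys' array")
    return keys


def fetch_jwks(url, verify_server_certificate=True, ca_certificate=None,
               timeout=10):
    """Fetch and parse a JWKS.

    With verification on, an untrusted chain or a certificate whose CN/SAN
    does not match the host raises urllib.error.URLError (wrapping
    ssl.SSLCertVerificationError) before any key material is read.
    """
    if not url.lower().startswith("https://"):
        raise ValueError("this sketch only handles https:// JWKS URLs")
    ctx = build_jwks_tls_context(verify_server_certificate, ca_certificate)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return parse_jwks(resp.read())
```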