Anubhav Jindal has uploaded this change for review. ( http://gerrit.cloudera.org:8080/24472 )

Change subject: IMPALA-12232: Validate JWT aud/iss claims
......................................................................

IMPALA-12232: Validate JWT aud/iss claims

Validate configured audienceClaims and issuerClaims after token signature verification for both JWT and OAuth auth flows, including HS2 HTTP and debug webserver paths.

Extend oauth_servers parsing to accept audienceClaims/issuerClaims and map deprecated jwt_audience_claims/jwt_issuer_claims and oauth_jwt_audience_claims/oauth_jwt_issuer_claims into per-server config.

Add claim-validation helpers in JWTHelper plus authentication audit logging, and expand coverage with jwt-util unit tests and JwtHttpTest custom-cluster tests for issuer success and audience failure behavior.

Testing:
- be/build/latest/util/jwt-util-test (26/26 passing)
- be/build/latest/util/oauth-server-config-test (11/11 passing)
- be/build/latest/util/oauth-servers-manager-test (4/4 passing)
- fe: ../bin/mvn-quiet.sh test -Dtest=org.apache.impala.customcluster.JwtHttpTest (10/10 passing)
- CLUSTER_TEST_FILES=custom_cluster/test_shell_oauth_servers_auth.py tests/run-custom-cluster-tests.sh (2/2 passing)

Change-Id: I0a00b126359f2bc7e2f73d894cebc2b9014c7375
Assisted-by: GPT-5.3 (Cursor)
---
M be/src/rpc/authentication.cc
M be/src/util/jwt-util-test.cc
M be/src/util/jwt-util.cc
M be/src/util/jwt-util.h
M be/src/util/oauth-server-config-test.cc
M be/src/util/oauth-server-config.cc
M be/src/util/oauth-server-config.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
9 files changed, 615 insertions(+), 92 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/72/24472/1
--
To view, visit http://gerrit.cloudera.org:8080/24472
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I0a00b126359f2bc7e2f73d894cebc2b9014c7375
Gerrit-Change-Number: 24472
Gerrit-PatchSet: 1
Gerrit-Owner: Anubhav Jindal <[email protected]>
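
The ordering the commit message describes (verify the signature first, then check aud and iss against the configured values), as an added Python example that is not Impala's code (the change itself is C++ and Java). HS256, the key, the claim values, the function names and the rule that an empty configured set disables a check are all assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

KEY = b"constructed-demo-key"             # constructed demo values, not from the change
AUDIENCES = {"impala"}                    # stands in for audienceClaims
ISSUERS = {"https://idp.example.test"}    # stands in for issuerClaims

def _enc(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _dec(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _mac(key: bytes, head: str, body: str) -> bytes:
    return hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()

def make_token(claims: dict, key: bytes = KEY) -> str:
    """Build a constructed HS256 token to feed the validator."""
    head = _enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _enc(json.dumps(claims).encode())
    return f"{head}.{body}.{_enc(_mac(key, head, body))}"

def validate(token, key=KEY, audiences=AUDIENCES, issuers=ISSUERS):
    """Return (ok, reason). An empty configured set disables that check."""
    try:
        head, body, sig = token.split(".")
        header, signature = json.loads(_dec(head)), _dec(sig)
    except ValueError:
        return False, "malformed token"
    # Step 1: signature, with the algorithm pinned rather than taken on trust.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False, "unexpected alg"
    if not hmac.compare_digest(signature, _mac(key, head, body)):
        return False, "bad signature"
    # Step 2: claims are read only after the signature has verified.
    try:
        claims = json.loads(_dec(body))
    except ValueError:
        return False, "malformed claims"
    if not isinstance(claims, dict):
        return False, "malformed claims"
    iss = claims.get("iss")
    if issuers and not (isinstance(iss, str) and iss in issuers):
        return False, "issuer not allowed"
    aud = claims.get("aud")
    aud = [aud] if isinstance(aud, str) else aud   # RFC 7519: string or array
    if audiences and not (isinstance(aud, list) and
                          any(isinstance(a, str) and a in audiences for a in aud)):
        return False, "audience not allowed"
    return True, "ok"
```

A token whose payload is swapped after signing is rejected at step 1, so its aud and iss are never evaluated.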
