Hello Gokul Kolady, Abhishek Rawat, Jason Fehr, Impala Public Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/24472
to look at the new patch set (#2).
Change subject: IMPALA-12232: Validate JWT aud/iss claims
......................................................................
IMPALA-12232: Validate JWT aud/iss claims

Validate configured audienceClaims and issuerClaims after token signature
verification for both JWT and OAuth auth flows, including HS2 HTTP and
debug webserver paths.

Extend oauth_servers parsing to accept audienceClaims/issuerClaims and map
deprecated jwt_audience_claims/jwt_issuer_claims and
oauth_jwt_audience_claims/oauth_jwt_issuer_claims into per-server config.

Add claim-validation helpers in JWTHelper plus authentication audit logging,
and expand coverage with jwt-util unit tests and JwtHttpTest custom-cluster
tests for issuer success and audience failure behavior.

Testing:
- be/build/latest/util/jwt-util-test (26/26 passing)
- be/build/latest/util/oauth-server-config-test (11/11 passing)
- be/build/latest/util/oauth-servers-manager-test (4/4 passing)
- fe: ../bin/mvn-quiet.sh test
  -Dtest=org.apache.impala.customcluster.JwtHttpTest
  (10/10 passing)
- CLUSTER_TEST_FILES=custom_cluster/test_shell_oauth_servers_auth.py
  tests/run-custom-cluster-tests.sh (2/2 passing)
- Manual end-to-end validation on a Linux Impala test cluster:
  - verified issuer claim allowlist success path with JWT-authenticated
    HS2 HTTP sessions and query execution
  - verified audience claim enforcement rejects tokens without matching aud
    and returns expected authentication failure behavior
  - confirmed auth audit logs include username, audience, issuer, and kid
    context for both success and failure paths

Change-Id: I0a00b126359f2bc7e2f73d894cebc2b9014c7375
Assisted-by: GPT-5.3 (Cursor)
---
M be/src/rpc/authentication.cc
M be/src/util/jwt-util-test.cc
M be/src/util/jwt-util.cc
M be/src/util/jwt-util.h
M be/src/util/oauth-server-config-test.cc
M be/src/util/oauth-server-config.cc
M be/src/util/oauth-server-config.h
M be/src/util/webserver.cc
M fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
9 files changed, 615 insertions(+), 92 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/72/24472/2
--
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I0a00b126359f2bc7e2f73d894cebc2b9014c7375
Gerrit-Change-Number: 24472
Gerrit-PatchSet: 2
Gerrit-Owner: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Anubhav Jindal <[email protected]>
Gerrit-Reviewer: Gokul Kolady <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
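
The check order the commit message describes (signature first, then the iss and aud allowlists), as an added Python example that is not Impala's C++ code and not part of this change. The HS256 key, the allowlist values, the function names and the rule that an empty allowlist skips its check are assumptions made for the illustration.

```python
import base64, hashlib, hmac, json

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input, key):
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()

def make_token(claims, key):
    """Build a constructed HS256 token to feed the checks below."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{b64url(sign(head + '.' + body, key))}"

def verify_signature(token, key):
    """Return the payload dict only if the HS256 signature is valid."""
    head, body, sig = token.split(".")
    if json.loads(unb64url(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # algorithm is pinned, not taken from the token
    if not hmac.compare_digest(sign(head + "." + body, key), unb64url(sig)):
        raise ValueError("bad signature")
    return json.loads(unb64url(body))

def validate_claims(payload, allowed_iss, allowed_aud):
    """Allowlist checks; an empty allowlist skips that check (assumption)."""
    if allowed_iss:
        iss = payload.get("iss")
        if not isinstance(iss, str) or iss not in allowed_iss:
            return False, "issuer not allowed"
    if allowed_aud:
        aud = payload.get("aud")  # RFC 7519: one string or an array of strings
        auds = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
        if not any(isinstance(a, str) and a in allowed_aud for a in auds):
            return False, "audience not allowed"
    return True, "ok"

def authenticate(token, key, allowed_iss, allowed_aud):
    """Claims are read only after the signature has been verified."""
    try:
        payload = verify_signature(token, key)
    except ValueError as err:
        return False, str(err)
    return validate_claims(payload, allowed_iss, allowed_aud)
```

A token that carries no aud claim is rejected whenever an audience allowlist is configured, which matches the audience failure behavior the tests above cover.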