Jason Fehr has uploaded this change for review. ( http://gerrit.cloudera.org:8080/19503 )

Change subject: IMPALA-11922 Verify JWKS URL server TLS certificate by default.
......................................................................

IMPALA-11922 Verify JWKS URL server TLS certificate by default.

**** BREAKING CHANGE ****

JWT Auth has an option to specify the location of the JSON Web Key Set (JWKS) using a URL. If that URL is accessed over https, the TLS certificate presented by the server is not verified. This means that Impala only requires the server to return a TLS certificate, whether or not Impala trusts the signing certificate chain.

The implication of this setup is that a fully secure chain of trust cannot be established throughout the entire JWT authentication lifecycle, and thus it creates an attack vector where a bad actor could trick Impala into trusting an actor-controlled JWKS. The bad actor can then generate a JWT with any claims they choose and Impala will accept it.

This change introduces:
1. verification of JWKS server TLS certificate by default
2. jwks_insecure_tls Impala startup flag
3. jwks_ca_certificate Impala startup flag

1. While previously the JWKS URL was always called without verifying its TLS certificate, the default is now to verify that cert. Thus, any cases where the JWKS was retrieved from an untrusted URL will now cause Impala to fail to start.

2. The new flag jwks_insecure_tls controls whether or not Impala verifies the TLS certificate presented by the JWKS server. It defaults to "false", meaning that the certificate will be verified. Setting this value to "true" will restore the previous behavior where untrusted TLS certificates are accepted.

3. The new flag jwks_ca_certificate enables specifying a PEM bundle of certificates to trust when calling the JWKS URL.

Change-Id: I5f1e887fae39b5fb82fa9a40352e4b507b7d8d35
---
M be/src/kudu/util/curl_util.cc
M be/src/kudu/util/curl_util.h
M be/src/rpc/authentication.cc
M be/src/service/impala-server.cc
M be/src/util/jwt-util-internal.h
M be/src/util/jwt-util-test.cc
M be/src/util/jwt-util.cc
M be/src/util/jwt-util.h
M fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
9 files changed, 200 insertions(+), 56 deletions(-)

git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/03/19503/1
--
To view, visit http://gerrit.cloudera.org:8080/19503
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I5f1e887fae39b5fb82fa9a40352e4b507b7d8d35
Gerrit-Change-Number: 19503
Gerrit-PatchSet: 1
Gerrit-Owner: Jason Fehr <[email protected]>
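
The flag semantics described in the commit message above, modelled with Python's standard `ssl` module. This is an added example, not code from the change itself. The function names, the requirement that every key carry a `kid`, and the sample JWKS are assumptions made for illustration; only the flag names `jwks_insecure_tls` and `jwks_ca_certificate` come from the message.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlsplit


def build_jwks_tls_context(jwks_url, insecure_tls=False, ca_certificate=None):
    """Return the TLS context for fetching jwks_url, or None for non-https URLs."""
    if urlsplit(jwks_url).scheme.lower() != "https":
        return None  # no TLS involved, so neither flag applies
    if insecure_tls:
        # Models jwks_insecure_tls=true: any certificate is accepted, trusted or not.
        ctx = ssl.create_default_context()
        ctx.check_hostname = False  # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
        return ctx
    # Models the new default: chain and hostname are verified. With a PEM
    # bundle (jwks_ca_certificate) only the CAs in that bundle are trusted;
    # without one, the system trust store is used.
    return ssl.create_default_context(cafile=ca_certificate)


def parse_jwks(raw):
    """Parse a JWKS document and return its keys indexed by 'kid'."""
    doc = json.loads(raw)
    keys = doc.get("keys") if isinstance(doc, dict) else None
    if not isinstance(keys, list) or not keys:
        raise ValueError("JWKS must be an object with a non-empty 'keys' array")
    by_kid = {}
    for key in keys:
        # Assumption of this sketch: every key must carry 'kty' and 'kid'.
        if not isinstance(key, dict) or "kty" not in key or "kid" not in key:
            raise ValueError("this sketch requires 'kty' and 'kid' on each JWK")
        by_kid[key["kid"]] = key
    return by_kid


def fetch_jwks(jwks_url, insecure_tls=False, ca_certificate=None, timeout=10):
    """Fetch and parse the JWKS; a failed TLS verification raises URLError."""
    ctx = build_jwks_tls_context(jwks_url, insecure_tls, ca_certificate)
    with urllib.request.urlopen(jwks_url, context=ctx, timeout=timeout) as resp:
        return parse_jwks(resp.read())


# Constructed sample JWKS body (placeholder values, not a real key).
SAMPLE_JWKS = '{"keys": [{"kty": "RSA", "kid": "constructed-key-1", "n": "AQAB", "e": "AQAB"}]}'
```

With the default arguments, `fetch_jwks` fails when the server's chain is not trusted, which corresponds to the startup failure the message describes for untrusted JWKS URLs.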
