Jason Fehr has uploaded a new patch set (#5). ( http://gerrit.cloudera.org:8080/19503 )
Change subject: IMPALA-11922 Verify JWKS URL server TLS certificate by default.
......................................................................
IMPALA-11922 Verify JWKS URL server TLS certificate by default.
**** BREAKING CHANGE ****
JWT Auth has an option to specify the location of the
JSON Web Key Set (JWKS) using a URL. If that URL is
accessed over HTTPS, the TLS certificate presented by the
server is not verified.
This means that Impala only requires the server to return
a TLS certificate, whether or not Impala trusts the signing
certificate chain.
The implication of this setup is that a fully secure chain
of trust cannot be established throughout the entire JWT
authentication lifecycle, and thus it creates an attack vector
where a bad actor could trick Impala into trusting an
actor-controlled JWKS. The bad actor can then generate
a JWT with any claims they choose and Impala will accept it.
This change introduces:
1. verification of JWKS server TLS certificate by default
2. jwks_insecure_tls Impala startup flag
3. jwks_ca_certificate Impala startup flag
1. While previously the JWKS URL was always called without
verifying its TLS certificate, the default is now to
verify that cert. Thus, any cases where the JWKS was
retrieved from an untrusted URL will now cause Impala
to fail to start.
2. The new flag jwks_insecure_tls controls whether or not
Impala verifies the TLS certificate presented by the
JWKS server. It defaults to "false" meaning that the
certificate will be verified. Setting this value to
"true" will restore the previous behavior where
untrusted TLS certificates are accepted.
3. The new flag jwks_ca_certificate enables specifying
a PEM certificate bundle that contains certificates
to trust when calling the JWKS URL.
Testing was achieved in the front-end Java custom cluster
tests. An existing test was modified and three new tests
were created. The following test cases are covered:
1. Insecurely retrieve a JWKS from a server with an
untrusted TLS certificate. This test case is expected
to pass.
2. Securely retrieve a JWKS from a server with an
untrusted TLS certificate. This test case is expected
to fail. The Impala coordinator logs are checked to
ensure the cause was an untrusted certificate
presented by the JWKS server.
3. Retrieve a JWKS from a server where the root CA is
trusted, but the cert contains the wrong CN. This
test is expected to fail. The Impala logs are checked
to ensure the cause was a certificate with an
incorrect CN.
4. Securely retrieve a JWKS from a server with a trusted
TLS certificate. This test case is expected to pass.
Change-Id: I5f1e887fae39b5fb82fa9a40352e4b507b7d8d35
---
M be/src/kudu/util/curl_util.cc
M be/src/kudu/util/curl_util.h
M be/src/rpc/authentication.cc
M be/src/service/impala-server.cc
M be/src/util/jwt-util-internal.h
M be/src/util/jwt-util-test.cc
M be/src/util/jwt-util.cc
M be/src/util/jwt-util.h
M fe/pom.xml
M fe/src/test/java/org/apache/impala/customcluster/JwtHttpTest.java
A fe/src/test/java/org/apache/impala/testutil/X509CertChain.java
11 files changed, 564 insertions(+), 54 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/Impala-ASF refs/changes/03/19503/5
--
To view, visit http://gerrit.cloudera.org:8080/19503
Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I5f1e887fae39b5fb82fa9a40352e4b507b7d8d35
Gerrit-Change-Number: 19503
Gerrit-PatchSet: 5
Gerrit-Owner: Jason Fehr <[email protected]>
Gerrit-Reviewer: Abhishek Rawat <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Andrew Sherman <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Jason Fehr <[email protected]>
Gerrit-Reviewer: Wenzhe Zhou <[email protected]>