Hello Zoltan Chovan, Attila Bukor, Kudu Jenkins,

I'd like you to reexamine a change. Please visit

    http://gerrit.cloudera.org:8080/19896

to look at the new patch set (#3).

Change subject: [rpc] tighten TLS cert requirements for JWT authn
......................................................................

[rpc] tighten TLS cert requirements for JWT authn

This patch addresses a few JWT-related issues in the context of RPC
connection negotiation:

  * At the client side (C++), the negotiating actor requires the server
    to have a trusted TLS certificate.  That's to address one of the
    TODOs in the code which is very important from the security
    standpoint.  Without verifying the authenticity of the negotiating
    server-side party, the client might send its bearer token to a
    malicious impostor that would be able to hijack the client's authn
    token: that would be a serious security flaw in various real-world
    scenarios.  With the stricter requirements introduced, JWT
    authentication is now available only when Kudu's IPKI CA cert
    is in the client's certificate bundle, or Kudu servers are run with
    TLS certificates that are signed by a reputable CA that is in the
    client's certificate bundle.  A test-only
    --jwt_client_require_trusted_tls_cert flag is added to relax this
    requirement to abstract away from certificate deployment issues.

  * At the server side, the JWT authn mechanism is advertised to the
    client only when the server has a CA-signed TLS certificate, so the
    client at least has the ability to verify the server's certificate.
    That's similar to the part of the policy used for advertising the
    TOKEN (Kudu authentication token) mechanism.

I updated the existing JWT-related tests (C++) to pass with these
changes.

I hadn't touched the Java client and the existing tests didn't fail,
so I didn't look deeper.  Anyways, I was not going to update the
corresponding parts of the Java client in this patch.

Change-Id: Id2b45227cc4d827b8fab2d9517c09b62135fd757
---
M src/kudu/integration-tests/security-itest.cc
M src/kudu/rpc/client_negotiation.cc
M src/kudu/rpc/server_negotiation.cc
3 files changed, 74 insertions(+), 19 deletions(-)


  git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/96/19896/3
--
To view, visit http://gerrit.cloudera.org:8080/19896
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: Id2b45227cc4d827b8fab2d9517c09b62135fd757
Gerrit-Change-Number: 19896
Gerrit-PatchSet: 3
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Zoltan Chovan <[email protected]>
