[kudu-CR](branch-1.17.x) [jwt] Verify JWKS URL server TLS certificate by default

Mon, 05 Jun 2023 09:27:27 -0700 

Alexey Serbin has submitted this change and it was merged. ( 
http://gerrit.cloudera.org:8080/19971 )

Change subject: [jwt] Verify JWKS URL server TLS certificate by default
......................................................................

[jwt] Verify JWKS URL server TLS certificate by default

This commit is to pull IMPALA-11922 code into the Kudu jwt handling,
with some modifications.

This change introduces:
  1. verification of JWKS server TLS certificate by default
  2. jwks_verify_server_certificate Kudu startup flag

Instead of introducing a new flag such as 'jwks_ca_certificate' the
already existing 'trusted_certificate_file' flag is reused.

The TLS certificate verification is not used in unit-tests, however
security-itest is set up with the verification enabled.

Change-Id: I0fd7b53d651786bbe57642dd14cd477055b80c78
Reviewed-on: http://gerrit.cloudera.org:8080/19709
Reviewed-by: Attila Bukor <[email protected]>
Tested-by: Kudu Jenkins
(cherry picked from commit 8595384de007963181cca59b0248b85169f18792)
Reviewed-on: http://gerrit.cloudera.org:8080/19971
Reviewed-by: Alexey Serbin <[email protected]>
---
M src/kudu/integration-tests/CMakeLists.txt
M src/kudu/integration-tests/security-itest.cc
M src/kudu/mini-cluster/CMakeLists.txt
M src/kudu/mini-cluster/external_mini_cluster.cc
M src/kudu/security/test/test_certs.cc
M src/kudu/security/test/test_certs.h
M src/kudu/server/server_base.cc
M src/kudu/util/jwt-util-internal.h
M src/kudu/util/jwt-util-test.cc
M src/kudu/util/jwt-util.cc
M src/kudu/util/jwt-util.h
M src/kudu/util/mini_oidc.cc
M src/kudu/util/mini_oidc.h
13 files changed, 421 insertions(+), 52 deletions(-)

Approvals:
  Kudu Jenkins: Verified
  Alexey Serbin: Looks good to me, approved

--
To view, visit http://gerrit.cloudera.org:8080/19971
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: kudu
Gerrit-Branch: branch-1.17.x
Gerrit-MessageType: merged
Gerrit-Change-Id: I0fd7b53d651786bbe57642dd14cd477055b80c78
Gerrit-Change-Number: 19971
Gerrit-PatchSet: 2
Gerrit-Owner: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Alexey Serbin <[email protected]>
Gerrit-Reviewer: Attila Bukor <[email protected]>
Gerrit-Reviewer: Kudu Jenkins (120)
Gerrit-Reviewer: Yingchun Lai <[email protected]>
Gerrit-Reviewer: Zoltan Chovan <[email protected]>

Reply via email to