[jira] [Commented] (HBASE-26553) OAuth Bearer authentication mech plugin for SASL

2023-12-15 Thread ramkrishna.s.vasudevan (Jira)


[ https://issues.apache.org/jira/browse/HBASE-26553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17797184#comment-17797184 ]

ramkrishna.s.vasudevan commented on HBASE-26553:


[~andor] - Any idea when this feature is going to land?

> OAuth Bearer authentication mech plugin for SASL
> 
>
> Key: HBASE-26553
> URL: https://issues.apache.org/jira/browse/HBASE-26553
> Project: HBase
>  Issue Type: New Feature
>  Components: security
>Reporter: Andor Molnar
>Assignee: Andor Molnar
>Priority: Major
> Fix For: HBASE-26553
>
>
> Implementation of a new SASL plugin to add support for OAuth Bearer token 
> authentication for HBase client RPC.
>  * The plugin supports secured (cryptographically signed) JSON Web Token 
> authentication as defined in 
> [RFC-7628|https://datatracker.ietf.org/doc/html/rfc7628] and the JWT format 
> in [RFC-7519|https://datatracker.ietf.org/doc/html/rfc7519].
>  * The implementation is inspired by [Apache Kafka's OAuth Bearer 
> token|https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_oauth.html]
>  support with the important difference that HBase version is intended for 
> production usage. The two main differences are that Kafka supports unsecured 
> tokens only and it issues the tokens for itself which breaks the principle of 
> OAuth token authentication.
>  * We use the [Nimbus JOSE + 
> JWT|https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/] Java 
> library for signature verification and token processing and we add it as a 
> new dependency to HBase.
>  * We add secure JWT support and verification of digital signatures with 
> multiple algorithms as supported by Nimbus. Json-formatted JWK set is 
> required for the signature verification as defined in 
> [RFC-7517|https://datatracker.ietf.org/doc/html/rfc7517].
>  * The impl is verified with Apache Knox issued tokens, because that's the 
> primary use case of this new feature.
>  * New client example is added to the hbase-examples project to showcase the 
> feature.
>  * It's important that this Jira does not cover the solution for obtaining a 
> token from Knox. The assumption is that the client already has a valid token 
> in base64 encoded string and we only provide a helper method for adding it to 
> user's credentials.
>  * Renewing expired tokens is also the responsibility of the client. We don't 
> provide a mechanism for that in this Jira, but it's planned to be covered in 
> a follow-up ticket.
> The following new parameters are introduced in hbase-site.xml:
>  * hbase.security.oauth.jwt.jwks.file - Path of a local file for JWK set. 
> (required if URL not specified)
>  * hbase.security.oauth.jwt.jwks.url - URL to download the JWK set. (required 
> if File not specified)
>  * hbase.security.oauth.jwt.audience - Required audience, "aud" claim of the 
> JWT. (optional)
>  * hbase.security.oauth.jwt.issuer - Required issuer, "iss" claim of the JWT. 
> (optional)
> The feature will be behind feature-flag. No code part is executed unless the 
> following configuration is set in hbase-site.xml:
> {noformat}
> <property>
>   <name>hbase.client.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.server.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.client.sasl.provider.class</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
> </property>
> {noformat}
> Example of Knox provided JWKS file:
> {noformat}
> {
>   "keys": [{
>     "kty": "RSA",
>     "e": "",
>     "use": "sig",
>     "kid": "",
>     "alg": "RS256",
>     "n": ""
>   }]
> }
> {noformat}
> Example of Knox issued JWT header:
> {noformat}
> {
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "",
>   "alg": "RS256"
> }
> {noformat}
> And payload:
> {noformat}
> {
>   "sub": "user_andor",
>   "aud": "knox-proxy-token",
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "",
>   "iss": "KNOXSSO",
>   "exp": 1636644029,
>   "managed.token": "true",
>   "knox.id": ""
> }
> {noformat}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
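As an added illustration of the verification path the issue description outlines (a JWK set such as hbase.security.oauth.jwt.jwks.file would hold, lookup of the signing key by kid, the RS256 signature check, then the exp, aud and iss claims that the audience and issuer parameters configure), here is a self-contained Python sketch. It is not HBase's or Nimbus's code: the RSA key pair is a constructed toy built from two Mersenne primes, and the kid, the token-issuing stand-in and the claim values are assumptions.

```python
import base64, hashlib, hmac, json, time

# Constructed toy RSA key from two Mersenne primes so the example runs offline;
# a real Knox signing key is 2048 bits or more. Not HBase's or Nimbus's code.
P, Q = (1 << 521) - 1, (1 << 127) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
KLEN = (N.bit_length() + 7) // 8                   # modulus length in bytes (81 here)
KID = "knox-key-1"                                 # constructed key id
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")  # DigestInfo for SHA-256 (RFC 8017)

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# The JWK set hbase.security.oauth.jwt.jwks.file would contain (RFC 7517), constructed here.
JWKS = {"keys": [{"kty": "RSA", "use": "sig", "kid": KID, "alg": "RS256",
                  "n": b64url(N.to_bytes(KLEN, "big")), "e": b64url(E.to_bytes(3, "big"))}]}

def emsa_pkcs1_v15(msg: bytes, k: int) -> bytes:   # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg), i.e. RS256
    t = SHA256_PREFIX + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def issue_token(claims: dict) -> str:              # stand-in for the Knox side: sign header.payload with D
    signing_input = b64url(json.dumps({"alg": "RS256", "kid": KID}).encode()) + "." + b64url(json.dumps(claims).encode())
    sig = pow(int.from_bytes(emsa_pkcs1_v15(signing_input.encode(), KLEN), "big"), D, N)
    return signing_input + "." + b64url(sig.to_bytes(KLEN, "big"))

def verify_token(token: str, jwks: dict, audience: str, issuer: str, now: float = None) -> dict:
    """What the server side must check: alg allow-list, kid -> JWK, signature, exp, aud, iss."""
    h64, p64, s64 = token.split(".")
    header = json.loads(b64url_dec(h64))
    if header.get("alg") != "RS256":               # allow-list the algorithm; never let the token choose it
        raise ValueError("unsupported alg")
    key = next((j for j in jwks["keys"] if j.get("kid") == header.get("kid") and j.get("kty") == "RSA"), None)
    if key is None:
        raise ValueError("no JWK with this kid")
    n, e = (int.from_bytes(b64url_dec(key[f]), "big") for f in ("n", "e"))
    k, sig = (n.bit_length() + 7) // 8, b64url_dec(s64)
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") if len(sig) == k else b""
    if not hmac.compare_digest(em, emsa_pkcs1_v15(f"{h64}.{p64}".encode(), k)):  # compare the whole EM, not only the hash
        raise ValueError("bad signature")
    claims = json.loads(b64url_dec(p64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    if claims.get("aud") != audience or claims.get("iss") != issuer:   # the plugin's audience/issuer parameters
        raise ValueError("audience or issuer mismatch")
    return claims
```

The sample claims mirror the Knox payload quoted in the description; the signature is checked before any claim is read, and a missing exp is treated as expired.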


[jira] [Commented] (HBASE-26553) OAuth Bearer authentication mech plugin for SASL

2022-01-10 Thread Peter Somogyi (Jira)


[ https://issues.apache.org/jira/browse/HBASE-26553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17472005#comment-17472005 ]

Peter Somogyi commented on HBASE-26553:
---

Created feature branch: https://github.com/apache/hbase/tree/HBASE-26553






[jira] [Commented] (HBASE-26553) OAuth Bearer authentication mech plugin for SASL

2021-12-09 Thread Josh Elser (Jira)


[ https://issues.apache.org/jira/browse/HBASE-26553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17456497#comment-17456497 ]

Josh Elser commented on HBASE-26553:


Hooray! I've been talking with Andor in the background about implementing this 
functionality. I'm very excited to see this issue and the incoming PR.

One of the things we've been trying to figure out is how to build an 
appropriate "some batteries included" version of this for others to pick up in 
Apache. If anyone has input/motivation to also get involved, happy to chat. We 
can also discuss on email (probably a better way than here).

> OAuth Bearer authentication mech plugin for SASL
> 
>
> Key: HBASE-26553
> URL: https://issues.apache.org/jira/browse/HBASE-26553
> Project: HBase
>  Issue Type: New Feature
>  Components: security
>Reporter: Andor Molnar
>Assignee: Andor Molnar
>Priority: Major
>
> Implementation of a new SASL plugin to add support for OAuth Bearer token 
> authentication for HBase client RPC.
>  * The plugin supports secured (cryptographically signed) JSON Web Token 
> authentication as defined in 
> [RFC-7628|https://datatracker.ietf.org/doc/html/rfc7628] and the JWT format 
> in [RFC-7519|https://datatracker.ietf.org/doc/html/rfc7519].
>  * The implementation is inspired by [Apache Kafka's OAuth Bearer 
> token|https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_oauth.html]
>  support with the important difference that HBase version is intended for 
> production usage. The two main differences are that Kafka supports unsecured 
> tokens only and it issues the tokens for itself which breaks the principle of 
> OAuth token authentication.
>  * We use the [Nimbus JOSE + 
> JWT|https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/] Java 
> library for signature verification and token processing and we add it as a 
> new dependency to HBase.
>  * We add secure JWT support and verification of digital signatures with 
> multiple algorithms as supported by Nimbus. Json-formatted JWK set is 
> required for the signature verification as defined in 
> [RFC-7517|https://datatracker.ietf.org/doc/html/rfc7517].
>  * The impl is verified with Apache Knox issued tokens, because that's the 
> primary use case of this new feature.
>  * New client example is added to the hbase-examples project to showcase the 
> feature.
>  * It's important that this Jira does not cover the solution for obtaining a 
> token from Knox. The assumption is that the client already has a valid token 
> in base64 encoded string and we only provide a helper method for adding it to 
> user's credentials.
>  * Renewing expired tokens is also the responsibility of the client. We don't 
> provide a mechanism for that in this Jira, but it's planned to be covered in 
> a follow-up ticket.
> The following new parameters are introduced in hbase-site.xml:
>  * hbase.security.oauth.jwt.jwks.file - Path of a local file for JWK set. 
> (required if URL not specified)
>  * hbase.security.oauth.jwt.jwks.url - URL to download the JWK set. (required 
> if File not specified)
>  * hbase.security.oauth.jwt.requiredaudience - Required audience of the JWT. 
> (optional)
> The feature will be behind feature-flag. No code part is executed unless the 
> following configuration is set in hbase-site.xml:
> {noformat}
> <property>
>   <name>hbase.client.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslClientAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.server.sasl.provider.extras</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslServerAuthenticationProvider</value>
> </property>
> <property>
>   <name>hbase.client.sasl.provider.class</name>
>   <value>org.apache.hadoop.hbase.security.provider.OAuthBearerSaslProviderSelector</value>
> </property>
> {noformat}
> Example of Knox provided JWKS file:
> {noformat}
> {
>   "keys": [{
>     "kty": "RSA",
>     "e": "",
>     "use": "sig",
>     "kid": "",
>     "alg": "RS256",
>     "n": ""
>   }]
> }
> {noformat}
> Example of Knox issued JWT header:
> {noformat}
> {
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "",
>   "alg": "RS256"
> }
> {noformat}
> And payload:
> {noformat}
> {
>   "sub": "user_andor",
>   "aud": "knox-proxy-token",
>   "jku": "https://path/to/homepage/knoxtoken/api/v1/jwks.json",
>   "kid": "",
>   "iss": "KNOXSSO",
>   "exp": 1636644029,
>   "managed.token": "true",
>   "knox.id": ""
> }
> {noformat}


