Google Git
Sign in
apache / kudu / 2e81ebd086a151bba821e717a5dd7b7d48fffddd^! / .
commit2e81ebd086a151bba821e717a5dd7b7d48fffddd[log] [tgz]
authorAlexey Serbin <alexey@apache.org>Thu May 11 11:49:19 2023 -0700
committerAlexey Serbin <alexey@apache.org>Wed May 17 05:13:13 2023 +0000
tree39f0e493a9f4d874ba31e6dce8a4517996f19659
parente734ae0216749c6aa7d85756eecf2b8be907de5a [diff]
[server] remove unused JWT-related flags

As it turns out, the following JWT flags aren't used in the code at all:
  * --jwks_discovery_endpoint_base
  * --jwt_allow_without_tls
  * --jwt_validate_signature

This patches removes the definitions of the flags and their usage
in a few tests.

Change-Id: Ib8e688b7c89e24cb5e91f6b6cc89b7ae984b4c35
Reviewed-on: http://gerrit.cloudera.org:8080/19891
Tested-by: Alexey Serbin <alexey@apache.org>
Reviewed-by: Yingchun Lai <laiyingchun@apache.org>

diff --git a/src/kudu/mini-cluster/external_mini_cluster.cc b/src/kudu/mini-cluster/external_mini_cluster.cc
index 0e61192..66bc8d2 100644
--- a/src/kudu/mini-cluster/external_mini_cluster.cc
+++ b/src/kudu/mini-cluster/external_mini_cluster.cc

@@ -739,7 +739,6 @@
   if (opts_.enable_client_jwt) {
     flags.emplace_back("--enable_jwt_token_auth=true");
     flags.emplace_back(Substitute("--jwks_url=$0", oidc_->url()));
-    flags.emplace_back(Substitute("--jwks_discovery_endpoint_base=$0", oidc_->url()));
   }
   if (!opts_.master_alias_prefix.empty()) {
     flags.emplace_back(Substitute("--host_for_tests=$0.$1",

diff --git a/src/kudu/server/server_base.cc b/src/kudu/server/server_base.cc
index baf877b..b19f68c 100644
--- a/src/kudu/server/server_base.cc
+++ b/src/kudu/server/server_base.cc

@@ -254,18 +254,6 @@
     "user name from the token payload.");
 TAG_FLAG(enable_jwt_token_auth, experimental);
 
-DEFINE_bool(jwt_validate_signature, true,
-    "When true, validate the signature of JWT token with pre-installed JWKS.");
-TAG_FLAG(jwt_validate_signature, experimental);
-TAG_FLAG(jwt_validate_signature, unsafe);
-
-DEFINE_bool(jwt_allow_without_tls, false,
-    "When this configuration is set to true, Kudu allows JWT authentication on "
-    "unsecure channel. This should be only enabled for testing, or development "
-    "for which TLS is handled by proxy.");
-TAG_FLAG(jwt_allow_without_tls, experimental);
-TAG_FLAG(jwt_allow_without_tls, unsafe);
-
 DEFINE_string(jwks_file_path, "",
     "File path of the pre-installed JSON Web Key Set (JWKS) for JWT verification.");
 TAG_FLAG(jwks_file_path, experimental);
@@ -285,12 +273,6 @@
 TAG_FLAG(jwks_verify_server_certificate, experimental);
 TAG_FLAG(jwks_verify_server_certificate, unsafe);
 
-DEFINE_string(jwks_discovery_endpoint_base, "",
-              "Base URL of the Discovery Endpoint that points to a JSON Web Key Set "
-              "(JWKS) for JWT verification. Additional query parameters, like 'accountId', "
-              "are taken from received JWTs to get the appropriate Discovery Endpoint.");
-TAG_FLAG(jwks_discovery_endpoint_base, experimental);
-
 // The targeted use-case for the wall clock jump detection is spotting sudden
 // swings of the local clock while it is still reported to be synchronized with
 // reference NTP clock.