Google Git
Sign in
apache / kudu / 72b3253124d009514526402ab259296881bc63ae
commit72b3253124d009514526402ab259296881bc63ae[log] [tgz]
authorAlexey Serbin <alexey@apache.org>Mon May 15 23:55:32 2023 -0700
committerAlexey Serbin <alexey@apache.org>Tue May 23 07:19:11 2023 +0000
tree096369a29fd5754282eea63d7773807af9a8f881
parenteae0ebf91e94be8341a18cfbb8e4c9dca5d6ef47 [diff]
[rpc] tighten TLS cert requirements for JWT authn

This patch addresses a few JWT-related issues in the context of RPC
connection negotiation:

  * At the client side (C++), the negotiating actor now requires the
    server to have a trusted TLS certificate.  That's to address one
    of the TODOs in the code which is very important from the security
    standpoint.  Without verifying the authenticity of the negotiating
    server-side party, the client might send its bearer token to
    a malicious impostor that would be able to hijack the client's
    credentials, which would be is a serious security flaw in real world
    scenarios.  With the stricter requirements introduced, JWT
    authentication is now available only when the Kudu's IPKI CA cert
    is in the client's certificate bundle, or Kudu servers are run with
    TLS certificates that are signed by a reputable CA that is present
    in the client's certificate bundle.  A test-only
    --jwt_client_require_trusted_tls_cert flag is added to relax this
    requirement for test scenario simplification, abstracting away
    from certificate deployment issues (the latter is not in the scope
    of this patch).

  * At the server side, JWT authn mechanism is now advertised to the
    client only when the server has a CA-signed TLS certificate,
    so the client at least has an ability to verify the server's
    certificate.  That's similar to the part of the policy used for
    advertising the TOKEN (Kudu authentication token) mechanism.

I updated the existing JWT-related C++ tests to pass with these changes.
Correspondingly, since there isn't a way to control the newly introduced
--jwt_client_require_trusted_tls_cert flag in the Python client,
and the functionality to customize the client's CA certificate
chain/bundle is missing as of now, the TestJwt is skipped.

I hadn't touched the Java client and the existing tests didn't fail,
so I didn't look deeper.  Anyways, I was not going to update the
corresponding parts of the Java client in this patch.

There isn't currently a means to provide a bundle of trusted CA
certificates in Kudu client API, and that deficiency should be
addressed in follow-up changelists.

Change-Id: Id2b45227cc4d827b8fab2d9517c09b62135fd757
Reviewed-on: http://gerrit.cloudera.org:8080/19896
Tested-by: Kudu Jenkins
Reviewed-by: Wenzhe Zhou <wzhou@cloudera.com>
Reviewed-by: Zoltan Chovan <zchovan@cloudera.com>
Reviewed-by: Abhishek Chennaka <achennaka@cloudera.com>
5 files changed
tree: 096369a29fd5754282eea63d7773807af9a8f881
  1. build-support/
  2. cmake_modules/
  3. docker/
  4. docs/
  5. examples/
  6. java/
  7. kubernetes/
  8. python/
  9. src/
  10. thirdparty/
  11. www/
  12. .dockerignore
  13. .gitignore
  14. .ycm_extra_conf.py
  15. CMakeLists.txt
  16. CONTRIBUTING.adoc
  17. LICENSE.txt
  18. NOTICE.txt
  19. README.adoc
  20. RELEASING.adoc
  21. version.txt