apache /
kudu /
72b3253124d009514526402ab259296881bc63ae [rpc] tighten TLS cert requirements for JWT authn
This patch addresses a few JWT-related issues in the context of RPC
connection negotiation:
* At the client side (C++), the negotiating actor now requires the
server to have a trusted TLS certificate. That's to address one
of the TODOs in the code which is very important from the security
standpoint. Without verifying the authenticity of the negotiating
server-side party, the client might send its bearer token to
a malicious impostor that would be able to hijack the client's
credentials, which would be is a serious security flaw in real world
scenarios. With the stricter requirements introduced, JWT
authentication is now available only when the Kudu's IPKI CA cert
is in the client's certificate bundle, or Kudu servers are run with
TLS certificates that are signed by a reputable CA that is present
in the client's certificate bundle. A test-only
--jwt_client_require_trusted_tls_cert flag is added to relax this
requirement for test scenario simplification, abstracting away
from certificate deployment issues (the latter is not in the scope
of this patch).
* At the server side, JWT authn mechanism is now advertised to the
client only when the server has a CA-signed TLS certificate,
so the client at least has an ability to verify the server's
certificate. That's similar to the part of the policy used for
advertising the TOKEN (Kudu authentication token) mechanism.
I updated the existing JWT-related C++ tests to pass with these changes.
Correspondingly, since there isn't a way to control the newly introduced
--jwt_client_require_trusted_tls_cert flag in the Python client,
and the functionality to customize the client's CA certificate
chain/bundle is missing as of now, the TestJwt is skipped.
I hadn't touched the Java client and the existing tests didn't fail,
so I didn't look deeper. Anyways, I was not going to update the
corresponding parts of the Java client in this patch.
There isn't currently a means to provide a bundle of trusted CA
certificates in Kudu client API, and that deficiency should be
addressed in follow-up changelists.
Change-Id: Id2b45227cc4d827b8fab2d9517c09b62135fd757
Reviewed-on: http://gerrit.cloudera.org:8080/19896
Tested-by: Kudu Jenkins
Reviewed-by: Wenzhe Zhou <wzhou@cloudera.com>
Reviewed-by: Zoltan Chovan <zchovan@cloudera.com>
Reviewed-by: Abhishek Chennaka <achennaka@cloudera.com>
5 files changed