[ 
https://issues.apache.org/jira/browse/IMPALA-14799?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jason Fehr reassigned IMPALA-14799:
-----------------------------------

    Assignee: Anubhav Jindal

> Support Multiple Token Identity Providers
> -----------------------------------------
>
>                 Key: IMPALA-14799
>                 URL: https://issues.apache.org/jira/browse/IMPALA-14799
>             Project: IMPALA
>          Issue Type: New Feature
>    Affects Versions: Impala 5.0.0
>            Reporter: Jason Fehr
>            Assignee: Anubhav Jindal
>            Priority: Critical
>              Labels: backend, impala, security
>
> # Add the string (DEPRECATED) to all startup flags with a name beginning with 
> jwks_{*}, jwt_{*}, and oauth_* (except for the oauth_token_auth flag). Log a 
> warning if any of these deprecated flags are specified.
>  # Add a new oauth_servers flag that accepts the following json structure as 
> its value.  The json structure is an array of objects so that multiple 
> authorization servers can be specified. Each object must have the following 
> structure:
>  ## 
> ||Field Name||Type||Default||Description||
> |caCertFilePath|URL| |File path of a pem bundle of root ca certificates that 
> will be trusted when retrieving the JWKS from the specified JWKS URL.|
> |verifyServerCert|bool|true|Specifies if the TLS certificate of the JWKS 
> server is verified when retrieving the JWKS from the specified JWKS URL. A 
> certificate is considered valid if a trust chain can be established for it, 
> and if the certificate has a common name or SAN that matches the server's 
> hostname. This should only be set to false for development / testing.|
> |jwksFilePath|string| |File path of the pre-installed JSON Web Key Set (JWKS) 
> for JWT verification. Cannot be combined with jwksUrl.|
> |jwksUrl|URL| |URL of the JSON Web Key Set (JWKS) for JWT verification. 
> Cannot be combined with jwksFilePath.|
> |jwksPullTimeoutSecs|int|10|(Advanced) The time in seconds for connection 
> timed out when pulling JWKS from the specified URL.|
> |jwksUpdateFrequencySecs|int|4400|(Advanced) The time in seconds to wait 
> between downloading JWKS from the specified URL.|
> |usernameClaim|string|“username”|Name of the token claim that contains the 
> username.|
>  # If any of the now deprecated jwks_* or oauth_* startup flags are 
> specified, create a new instance of the above object and add it to the list 
> of OAuth servers. If both the jwksFilePath and jwksUrl parameters are 
> specified, then ignore the JWKS from the jwksUrl parameter (this is how 
> Impala works today).
>  # The oauth_token_auth flag must be set to true for OAuth to be enabled.
>  # Sample JSON structure:
>  ## 
> {code:json}
> [
>   {
>     "caCertFilePath": "/opt/ca-custom/ca.pem",
>     "verifyServerCert": true,
>     "jwksUrl": "https://example.com/jwks.json",
>     "jwksPullTimeoutSecs": 10,
>     "jwksUpdateFrequencySecs": 14400,
>     "usernameClaim": "username"
>   },
>   {
>     "jwksUrl": "https://example.com/jwks.json"
>   },
>   {
>     "jwksFilePath": "/opt/auth-servers/jwks.json"
>   }
> ]
> {code}
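
The validation rules the description lays out for the proposed oauth_servers value (array of objects, the table's defaults, jwksFilePath and jwksUrl mutually exclusive, verifyServerCert=false being a development-only setting, the deprecated flat flags folded into one extra entry with the file winning over the URL, and oauth_token_auth gating the whole feature) fit naturally into a small config loader. The Python below is an added illustration written for this page, not Impala code and not the implementation the ticket will produce; the legacy flag keys (jwks_file_path, jwks_url, jwt_custom_claim_username) are assumed spellings built from the prefixes the issue names, the `rejects` helper and the per-entry `warnings` list are the example's own additions, and the SAMPLE value is a constructed input modelled on the ticket's sample JSON.

```python
import json
from dataclasses import dataclass, field
from typing import Any, Optional

# Defaults copied from the field table in the issue description.
DEFAULTS: dict[str, Any] = {"verifyServerCert": True, "jwksPullTimeoutSecs": 10,
                            "jwksUpdateFrequencySecs": 4400, "usernameClaim": "username"}
KNOWN_FIELDS = set(DEFAULTS) | {"caCertFilePath", "jwksFilePath", "jwksUrl"}

class ConfigError(ValueError): pass  # raised when the oauth_servers value cannot be used safely

@dataclass
class OAuthServer:
    jwks_url: Optional[str] = None
    jwks_file_path: Optional[str] = None
    ca_cert_file_path: Optional[str] = None
    verify_server_cert: bool = True
    jwks_pull_timeout_secs: int = 10
    jwks_update_frequency_secs: int = 4400
    username_claim: str = "username"
    warnings: list[str] = field(default_factory=list)

def _entry(where: str, obj: dict[str, Any]) -> OAuthServer:
    """Validate one server object and apply the table's defaults."""
    unknown = set(obj) - KNOWN_FIELDS
    if unknown:
        raise ConfigError(f"{where}: unknown field(s) {sorted(unknown)}")
    has_file, has_url = "jwksFilePath" in obj, "jwksUrl" in obj
    # The table says the two JWKS sources cannot be combined; an object with
    # neither would leave no keys to verify token signatures against.
    if has_file == has_url:
        raise ConfigError(f"{where}: exactly one of jwksFilePath or jwksUrl is required")
    m = {**DEFAULTS, **obj}
    if not isinstance(m["verifyServerCert"], bool):
        raise ConfigError(f"{where}: verifyServerCert must be a bool")
    for key in ("jwksPullTimeoutSecs", "jwksUpdateFrequencySecs"):
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(m[key], bool) or not isinstance(m[key], int) or m[key] <= 0:
            raise ConfigError(f"{where}: {key} must be a positive int")
    for key in ("caCertFilePath", "jwksFilePath", "jwksUrl", "usernameClaim"):
        if key in m and (not isinstance(m[key], str) or not m[key]):
            raise ConfigError(f"{where}: {key} must be a non-empty string")
    server = OAuthServer(
        jwks_url=m.get("jwksUrl"), jwks_file_path=m.get("jwksFilePath"),
        ca_cert_file_path=m.get("caCertFilePath"), verify_server_cert=m["verifyServerCert"],
        jwks_pull_timeout_secs=m["jwksPullTimeoutSecs"],
        jwks_update_frequency_secs=m["jwksUpdateFrequencySecs"],
        username_claim=m["usernameClaim"])
    # verifyServerCert=false is documented as development/testing only, so disabling
    # it for a remote JWKS produces a warning the daemon can log at startup.
    if has_url and not server.verify_server_cert:
        server.warnings.append(f"{where}: TLS verification of the JWKS server is disabled")
    return server

def parse_oauth_servers(raw: str) -> list[OAuthServer]:
    """Parse the JSON array given as the value of the proposed oauth_servers flag."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as e:
        raise ConfigError(f"oauth_servers is not valid JSON: {e}") from None
    if not isinstance(data, list) or not all(isinstance(o, dict) for o in data):
        raise ConfigError("oauth_servers must be a JSON array of objects")
    return [_entry(f"oauth_servers[{i}]", o) for i, o in enumerate(data)]

def rejects(raw: str) -> bool:  # True if parse_oauth_servers refuses the value
    try:
        parse_oauth_servers(raw)
    except ConfigError:
        return True
    return False

def legacy_server(flags: dict[str, Any]) -> Optional[OAuthServer]:
    """Fold the deprecated flat flags into one extra entry (step 3 of the issue).
    The flag keys are assumed spellings built from the jwks_*/jwt_* prefixes, not Impala's."""
    obj: dict[str, Any] = {}
    if flags.get("jwks_file_path"):  # the file wins when both are set, as the issue
        obj["jwksFilePath"] = flags["jwks_file_path"]  # says Impala does today
    elif flags.get("jwks_url"):
        obj["jwksUrl"] = flags["jwks_url"]
    else:
        return None
    if flags.get("jwt_custom_claim_username"):
        obj["usernameClaim"] = flags["jwt_custom_claim_username"]
    return _entry("legacy jwks_*/jwt_* flags", obj)

def load_oauth_config(oauth_token_auth: bool, oauth_servers: str = "[]",
                      legacy_flags: Optional[dict[str, Any]] = None) -> list[OAuthServer]:
    """oauth_token_auth gates everything (step 4); legacy flags add one more entry."""
    if not oauth_token_auth:
        return []
    servers = parse_oauth_servers(oauth_servers)
    extra = legacy_server(legacy_flags or {})
    return servers + [extra] if extra else servers

# Constructed sample input mirroring the shape of the issue's own sample JSON.
SAMPLE = ('[{"jwksUrl": "https://example.com/jwks.json", "verifyServerCert": false},'
          ' {"jwksFilePath": "/opt/auth-servers/jwks.json"}]')
```

Two design choices worth noting: an object with neither JWKS source is rejected rather than silently accepted, because such an entry could never verify a signature, and the type check on the timeout fields explicitly excludes booleans, since `true` would otherwise pass as the integer 1 in Python.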



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
