[ 
https://issues.apache.org/jira/browse/KNOX-3101?focusedWorklogId=958843&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-958843
 ]

ASF GitHub Bot logged work on KNOX-3101:
----------------------------------------

                Author: ASF GitHub Bot
            Created on: 25/Feb/25 23:58
            Start Date: 25/Feb/25 23:58
    Worklog Time Spent: 10m 
      Work Description: lmccay opened a new pull request, #996:
URL: https://github.com/apache/knox/pull/996

   ## What changes were proposed in this pull request?
   
   The initial implementation of RemoteAuthProvider caches authenticated 
Subjects locally based on the header that contained the credentials. While the 
cache is designed to provide only a few mins of caching, it is less than ideal 
to use the credentials as keys. This needs to be strengthened to use a hash, so 
as not to inadvertently risk leaking the credentials.
   
   This will require some overhead for the hashing, so we may need to 
find something else, but we shouldn't use the credentials themselves. We would 
normally have to do a hash when implementing authentication for things like RDBMS 
or LDAP based passwords, etc.
   
   ## How was this patch tested?
   
   Refactored and ran existing unit tests to ensure no regression was 
introduced.
   
Issue Time Tracking
-------------------

            Worklog Id:     (was: 958843)
    Remaining Estimate: 0h
            Time Spent: 10m

> Change RemoteAuthProvider to use a hash of the Key used for Caching
> -------------------------------------------------------------------
>
>                 Key: KNOX-3101
>                 URL: https://issues.apache.org/jira/browse/KNOX-3101
>             Project: Apache Knox
>          Issue Type: Improvement
>          Components: Server
>            Reporter: Larry McCay
>            Assignee: Larry McCay
>            Priority: Major
>             Fix For: 2.2.0
>
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> The initial implementation of RemoteAuthProvider caches authenticated 
> Subjects locally based on the header that contained the credentials. While 
> the cache is designed to provide only a few mins of caching, it is less than 
> ideal to use the credentials as keys. This needs to be strengthened to use a 
> hash, so as not to inadvertently risk leaking the credentials.
> This will require some overhead for the hashing, so we may need to 
> find something else, but we shouldn't use the credentials themselves. We would 
> normally have to do a hash when implementing authentication for things like 
> RDBMS or LDAP based passwords, etc.
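The change described in the PR and the issue above, as an added illustration that is not Knox code and not part of the pull request: a small TTL cache for authenticated subjects whose map key is the SHA-256 digest of the credential header instead of the header value itself. The class and record names (HashedKeySubjectCache, CachedSubject) and the constructed Basic header in main are assumptions made for the example; the real RemoteAuthProvider cache and Subject types are not reproduced here.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.HexFormat;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Illustrative short-lived cache of authenticated subjects (hypothetical, not
 * Knox code). The credential header is never stored: the map key is
 * hex(SHA-256(header)), so a dumped or logged key set does not reveal
 * credentials directly. The "before" behaviour the PR replaces would have
 * been entries.put(headerValue, subject).
 */
public final class HashedKeySubjectCache {

    /** Minimal stand-in for an authenticated Subject (hypothetical). */
    public record CachedSubject(String principal, Instant expiresAt) {}

    private final Map<String, CachedSubject> entries = new ConcurrentHashMap<>();
    private final Duration ttl;

    public HashedKeySubjectCache(Duration ttl) {
        this.ttl = ttl;
    }

    /** Derive the cache key from the header value: hex(SHA-256(headerValue)). */
    static String keyFor(String headerValue) {
        try {
            MessageDigest md = MessageDigest.getInstance("SHA-256");
            byte[] digest = md.digest(headerValue.getBytes(StandardCharsets.UTF_8));
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            // SHA-256 is mandatory in every Java runtime, so this is unreachable in practice.
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    /** Cache the principal under the hashed key with an absolute expiry. */
    public void put(String headerValue, String principal) {
        entries.put(keyFor(headerValue), new CachedSubject(principal, Instant.now().plus(ttl)));
    }

    /** Look up by hashing the presented header; expired entries are evicted on access. */
    public CachedSubject get(String headerValue) {
        String key = keyFor(headerValue);
        CachedSubject cached = entries.get(key);
        if (cached == null) {
            return null;
        }
        if (Instant.now().isAfter(cached.expiresAt())) {
            entries.remove(key);
            return null;
        }
        return cached;
    }

    /** True if any stored key still looks like a raw credential header (sanity check). */
    boolean containsRawHeader() {
        return entries.keySet().stream().anyMatch(k -> k.startsWith("Basic ") || k.startsWith("Bearer "));
    }

    public static void main(String[] args) {
        HashedKeySubjectCache cache = new HashedKeySubjectCache(Duration.ofMinutes(5));
        // Constructed sample credential; not a real account.
        String header = "Basic " + Base64.getEncoder()
                .encodeToString("alice:example-password".getBytes(StandardCharsets.UTF_8));
        cache.put(header, "alice");
        System.out.println("lookup by header -> " + cache.get(header).principal());
        System.out.println("raw header present in key set -> " + cache.containsRawHeader());
        System.out.println("lookup with a different header -> " + cache.get(header + "x"));
    }
}
```

Hashing a short header with SHA-256 costs microseconds, which is the overhead the PR refers to; it is small next to the remote authentication round trip the cache avoids. If the cache keys could be exposed and the credentials are low-entropy passwords, a keyed hash (HMAC with a server-side secret) in place of the plain digest would additionally prevent offline guessing against leaked keys; that is an extra step beyond what the issue asks for.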



--
This message was sent by Atlassian Jira
(v8.20.10#820010)