Jason Fehr has posted comments on this change. ( 
http://gerrit.cloudera.org:8080/22462 )

Change subject: IMPALA-13687: Support shared secret key for cookies
......................................................................


Patch Set 3:

(2 comments)

Did a quick pass, need to review again though.

http://gerrit.cloudera.org:8080/#/c/22462/3/be/src/rpc/auth-provider.h
File be/src/rpc/auth-provider.h:

http://gerrit.cloudera.org:8080/#/c/22462/3/be/src/rpc/auth-provider.h@179
PS3, Line 179:   std::unique_ptr<AuthenticationHash> hash_;
When the file-based authentication hash is rotated, there will be a period of 
time (equal to the --idle_session_timeout flag) when cookies from both the old 
and the new hash are still valid.  The tricky part comes when 
--idle_session_timeout is 0 (indicating never time out).  In that case, maybe we 
always allow the current and next most recent hashes?

Also, when the file-based hash is rotated, the old cookie will become invalid 
and a new cookie will need to be generated.


http://gerrit.cloudera.org:8080/#/c/22462/3/be/src/util/openssl-util.cc
File be/src/util/openssl-util.cc:

http://gerrit.cloudera.org:8080/#/c/22462/3/be/src/util/openssl-util.cc@218
PS3, Line 218:   std::lock_guard<std::mutex> l(key_lock_);
There is going to be a lot of contention on this lock since each incoming 
request that either has a cookie or needs one generated will call into this 
function.  Not sure if there is any way to make that more performant though.



--
To view, visit http://gerrit.cloudera.org:8080/22462

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: Ie2e2345f771608069407e9dcf7ed4697fc0214e7
Gerrit-Change-Number: 22462
Gerrit-PatchSet: 3
Gerrit-Owner: Michael Smith <michael.sm...@cloudera.com>
Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com>
Gerrit-Reviewer: Jason Fehr <jf...@cloudera.com>
Gerrit-Reviewer: Joe McDonnell <joemcdonn...@cloudera.com>
Gerrit-Reviewer: Michael Smith <michael.sm...@cloudera.com>
Gerrit-Reviewer: Yida Wu <wydbaggio...@gmail.com>
Gerrit-Comment-Date: Thu, 10 Jul 2025 23:08:14 +0000
Gerrit-HasComments: Yes
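
The rotation overlap raised in the auth-provider.h comment above, as an added example that is not part of the review or of Impala's code: a verifier that accepts the current key and, within the --idle_session_timeout window (or until the next rotation when the timeout is 0), the previous key, and flags cookies signed with the old key for reissue. The class name, the `value.hexmac` cookie layout and the use of HMAC-SHA256 are assumptions; the keys and cookie value are constructed samples.

```python
import hashlib
import hmac

class RotatingCookieSigner:
    """Hypothetical helper (not Impala code): signs with the current key and
    verifies against the current key plus, in the overlap window, the old one."""

    def __init__(self, key: bytes, idle_session_timeout_s: int):
        self.current, self.previous, self.rotated_at = key, None, None
        self.timeout_s = idle_session_timeout_s  # 0 means sessions never time out

    def rotate(self, new_key: bytes, now: float) -> None:
        # Keep exactly one older key; anything older stops verifying.
        self.previous, self.current, self.rotated_at = self.current, new_key, now

    @staticmethod
    def _mac(key: bytes, value: str) -> bytes:
        # Assumed construction: HMAC-SHA256 over the cookie value, hex encoded.
        return hmac.new(key, value.encode(), hashlib.sha256).hexdigest().encode()

    def sign(self, value: str) -> str:
        return f"{value}.{self._mac(self.current, value).decode()}"

    def _previous_allowed(self, now: float) -> bool:
        if self.previous is None:
            return False
        # With timeout 0 there is no window to wait out, so the previous key
        # stays acceptable until the next rotation replaces it.
        return self.timeout_s == 0 or now - self.rotated_at <= self.timeout_s

    def verify(self, cookie: str, now: float) -> tuple:
        """Return (valid, needs_reissue)."""
        value, sep, tag = cookie.rpartition(".")
        if not sep:
            return (False, False)
        tag_b = tag.encode()
        if hmac.compare_digest(tag_b, self._mac(self.current, value)):
            return (True, False)
        if self._previous_allowed(now) and hmac.compare_digest(
                tag_b, self._mac(self.previous, value)):
            return (True, True)  # still valid, but reissue under the current key
        return (False, False)

if __name__ == "__main__":
    signer = RotatingCookieSigner(b"constructed-key-1", idle_session_timeout_s=3600)
    old_cookie = signer.sign("user=alice")  # constructed sample value
    signer.rotate(b"constructed-key-2", now=1000.0)
    print(signer.verify(old_cookie, now=2000.0))   # inside the overlap window
    print(signer.verify(old_cookie, now=5000.0))   # window has passed
```

Both comparisons use `hmac.compare_digest`, so checking a second key does not add a timing difference that depends on the tag contents.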
