Andor Molnar created HBASE-26553:
------------------------------------

             Summary: OAuth Bearer authentication mech plugin for SASL
                 Key: HBASE-26553
                 URL: https://issues.apache.org/jira/browse/HBASE-26553
             Project: HBase
          Issue Type: New Feature
          Components: security
            Reporter: Andor Molnar
            Assignee: Andor Molnar


Implementation of a new SASL plugin to add support for OAuth Bearer token 
authentication for HBase client RPC.
 * The plugin supports secured (cryptographically signed) JSON Web Token
authentication as defined in
[RFC-7628|https://datatracker.ietf.org/doc/html/rfc7628] and the JWT format in
[RFC-7519|https://datatracker.ietf.org/doc/html/rfc7519].
 * The implementation is inspired by [Apache Kafka's OAuth Bearer
token|https://docs.confluent.io/platform/current/kafka/authentication_sasl/authentication_sasl_oauth.html]
support, with the important difference that the HBase version is intended for
production usage. The two main differences are that Kafka supports unsecured
tokens only and that it issues the tokens for itself, which breaks the principle
of OAuth token authentication.
 * We use the [Nimbus JOSE + 
JWT|https://bitbucket.org/connect2id/nimbus-jose-jwt/src/master/] Java library 
for signature verification and token processing and we add it as a new 
dependency to HBase.
 * We add secure JWT support and verification of digital signatures with
multiple algorithms as supported by Nimbus. A JSON-formatted JWK set is required
for the signature verification as defined in
[RFC-7517|https://datatracker.ietf.org/doc/html/rfc7517].
 * The impl is verified with tokens issued by Apache Knox, because that's the
primary use case of this new feature.
 * A new client example is added to the hbase-examples project to showcase the
feature.
 * It's important to note that this Jira does not cover the solution for
obtaining a token from Knox. The assumption is that the client already has a
valid token as a base64-encoded string, and we only provide a helper method for
adding it to the user's credentials.
 * Renewing expired tokens is also the responsibility of the client. We don't 
provide a mechanism for that in this Jira, but it's planned to be covered in a 
follow-up ticket.

The following new parameters are introduced in hbase-site.xml:
 * hbase.security.oauth.jwt.jwks.file - Path of a local file containing the JWK
set. (required if the URL is not specified)
 * hbase.security.oauth.jwt.jwks.url - URL to download the JWK set from.
(required if the file is not specified)
 * hbase.security.oauth.jwt.requiredaudience - Required audience of the JWT.
(optional)
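As an added illustration (not the HBASE-26553 code itself), the following sketch shows how the three parameters above map onto Nimbus JOSE + JWT verification on the server side: the JWK set is loaded from the file or URL, only asymmetric JWS algorithms with a public key in that set are accepted, and the audience is enforced when configured. The class name JwtBearerVerifier is hypothetical; the Nimbus and Hadoop Configuration calls are real APIs.

```java
import java.io.File;
import java.net.URL;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;
import org.apache.hadoop.conf.Configuration;

// Hypothetical server-side verifier sketch; not the HBASE-26553 implementation.
public final class JwtBearerVerifier {
  // Configuration keys exactly as named in the Jira description.
  static final String JWKS_FILE = "hbase.security.oauth.jwt.jwks.file";
  static final String JWKS_URL = "hbase.security.oauth.jwt.jwks.url";
  static final String REQUIRED_AUD = "hbase.security.oauth.jwt.requiredaudience";

  private final DefaultJWTProcessor<SecurityContext> processor = new DefaultJWTProcessor<>();

  public JwtBearerVerifier(Configuration conf) throws Exception {
    // JWK set (RFC 7517) comes from the local file if set, otherwise from the URL.
    String file = conf.get(JWKS_FILE);
    JWKSet jwks = file != null ? JWKSet.load(new File(file))
                               : JWKSet.load(new URL(conf.get(JWKS_URL)));
    // Accept only asymmetric JWS algorithms with a matching public key in the set:
    // "alg":"none" and HMAC-signed tokens are rejected by the key selector.
    Set<JWSAlgorithm> algs = new HashSet<>(JWSAlgorithm.Family.RSA);
    algs.addAll(JWSAlgorithm.Family.EC);
    processor.setJWSKeySelector(
        new JWSVerificationKeySelector<>(algs, new ImmutableJWKSet<>(jwks)));
    // exp/nbf are checked by default; "exp" must additionally be present, and the
    // audience must match when hbase.security.oauth.jwt.requiredaudience is set
    // (a null audience leaves the claim unchecked, matching "optional" above).
    processor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
        conf.get(REQUIRED_AUD), null, Collections.singleton("exp")));
  }

  // Verifies signature and claims of a compact JWT; throws on any failure.
  public JWTClaimsSet verify(String compactJwt) throws Exception {
    return processor.process(compactJwt, null);
  }
}
```

Token renewal and the JWKS refresh interval are outside this sketch, just as the Jira leaves renewal to the client.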



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
