HIVE-26071: JWT authentication mechanism for Thrift over HTTP in HiveMetastore (...
author Sourabh Goyal <sourabhg@cloudera.com>
Thu, 12 May 2022 18:40:56 +0000 (11:40 -0700)
committer GitHub <noreply@github.com>
Thu, 12 May 2022 18:40:56 +0000 (14:40 -0400)
commit d30db8cbafba110f6519354df7504b36643a8e60
tree 8b1c77dc4c8f8ea8d711cf5cc4472591eb111eb2
parent a1906b9f00a2ac182d10951cbc5e4c30b40aadc9
HIVE-26071: JWT authentication mechanism for Thrift over HTTP in HiveMetastore (#3233) (Sourabh Goyal, reviewed by Yu-wen, Deng and Sai)

What changes were proposed in this pull request?
This PR is a follow-up of #3105. It adds support for JWT authentication in HiveMetastore server when run in HTTP transport mode.

Why are the changes needed?
It supports a new authentication mechanism, i.e. JWT, in HiveMetastore server.

Does this PR introduce any user-facing change?
No

How was this patch tested?
Added new unit tests that cover cases like

successfully authenticating valid JWT
failing to authenticate expired, invalid JWTs

* Add JWTValidator and URLBasedJWKSProvider code from HS2

Change-Id: I969f57daf640adb16f228e95b1b522f8ffc24ffe

* Add JWT authentication in HiveMetastore

Change-Id: I6d84517a1ee97df492ad3816ec866c0b785ed5ed

* Better error handling for authentication failures. Added integration tests for validating JWT

Change-Id: I6b9da531db4e4a805d8daa1ba6d941c5643bf514

* Added test JWTs for jwt authentication tests

Change-Id: Ice36a703d8af7d4dbf28a48c9bb96127100fd8c7

* moved jwt test keys under jwt directory

Change-Id: I8bf0b4bbc101a0acb3f69bb1963b9c4bcda5b719

* Fixes failures in metastore jwt unit tests

Change-Id: I2877730a34dff7d3184b100ec04031032611838a

* Addresses review comments

Change-Id: I8498e85212476c663cf735211848a28baaa3bad5

* Addresses nits from review comments

Change-Id: Id67588c106104732a0f6e49e5c983cb5f7287c3e

* Added more comments in the code

Change-Id: Ia51f490362985d109778a6a0aa92a281436d5d21

* removes unused import statement

Change-Id: I94633bdce0db87a9085968dde79d8ff6cd9bf4a3
13 files changed:
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStoreClient.java
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java
standalone-metastore/metastore-server/pom.xml
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HiveMetaStore.java
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/HmsThriftHttpServlet.java
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/auth/HttpAuthenticationException.java [new file with mode: 0644]
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/auth/jwt/JWTValidator.java [new file with mode: 0644]
standalone-metastore/metastore-server/src/main/java/org/apache/hadoop/hive/metastore/auth/jwt/URLBasedJWKSProvider.java [new file with mode: 0644]
standalone-metastore/metastore-server/src/test/java/org/apache/hadoop/hive/metastore/TestRemoteHiveMetastoreWithHttpJwt.java [new file with mode: 0644]
standalone-metastore/metastore-server/src/test/resources/auth/jwt/jwt-authorized-key.json [new file with mode: 0644]
standalone-metastore/metastore-server/src/test/resources/auth/jwt/jwt-unauthorized-key.json [new file with mode: 0644]
standalone-metastore/metastore-server/src/test/resources/auth/jwt/jwt-verification-jwks.json [new file with mode: 0644]
standalone-metastore/pom.xml