Add JWT for internal communication #19706
55c39ef to
7cf685a
tdcmeehan
left a comment
Can you please add documentation of this new configuration parameter in internal-communication.rst? Also I think this warrants release notes.
CC some Meta folks as I think this may require some config properties updates in Meta clusters. @ajaygeorge @amitkdutta @neeradsomanchi
Hi @skairali, please also review this PR. Thanks!
A noob question. What's the value of
isRequiredSharedSecretSet() contains !isHttpsRequired() so this exception message doesn't match with that. Do we need to set this for http or https?
It can be any value. A large random value is generally recommended. The same value should be added to all nodes' config properties. With this PR, it will become mandatory to use shared secret when HTTPS is enabled (which is the case when external authentication is used or for secure internal communication). The nodes will fail to start if shared secret is not set when HTTPS is used. I will add documentation change soon.
@nmahadevuni In wangle::SSLContextConfig I see they have the following properties. Does this shared secret map to passwordPath?
Curious. Why are we copying stuff over from prestodb/airlift
https://github.com/prestodb/airlift/blob/master/http-server/src/main/java/com/facebook/airlift/http/server/HttpServerModule.java
Global AuthenticationFilter (part of the airlift module) was bound in the HttpServerModule. We had to enhance this AuthenticationFilter to use the new InternalAuthenticationManager. So I copied over the HttpServerModule to presto and bind the new AuthenticationFilter here.
I haven't had a chance to read through the entire code, so I may be completely off here :) .
If binding in a new filter is the concern, can't we do something similar to what ranger module did for wiring in RangerBasicAuthHttpRequestFilter
I did something similar, added below line of code in ServerSecurityModule to bind the new filter, but it didn't take effect.
newSetBinder(binder, Filter.class, TheServlet.class).addBinding().to(AuthenticationFilter.class).in(Scopes.SINGLETON);
There is a HttpServerBinder too, but that doesn't have any method to bind Filter class.
passwordPath is not shared secret. JWT is a new kind of authentication which kind of overrides the certificate based authentication. I will try to make this optional.
62550c2 to
3c5f1fd
Please add a release note
@tdcmeehan Added a release note. Please review. |
Will merge tomorrow unless there are any more objections CC: @ajaygeorge @pranjalssh @amitkdutta
zacw7
left a comment
Thanks for making the change. I don't see issues % a couple nits. Will let the experts make the call.
Is this method used anywhere? Also I'm not sure if this is the right place as I couldn't find similar usage.
Sorry, this method is annotated with AssertTrue, so it will be checked at server startup. Keeping it.
Adding creation and verification of a JWT signed using HMAC SHA-256. The JWT is used for authentication of internal communication. On the Java side PR prestodb#19706 added authentication for internal communication using a JWT token signed with HMAC SHA-256. Adding this commit enables Prestissimo to be configured to verify internal communication requests, e.g. from a Java coordinator.

New system configuration options:
- internal-communication.jwt.enabled=[true/false]
- internal-communication.shared-secret=<shared-secret-value>
- internal-communication.jwt.expiration-seconds=<value in seconds>

A new external dependency jwt-cpp from the https://github.com/Thalhammer/jwt-cpp repo is added to a new setup-adapter.sh script for Prestissimo. In the dependency directory run "<path to presto-native-execution>/scripts/setup-adapter.sh jwt" to install it. The jwt-cpp project handles the creation/parsing/verification of the JWT.

A new build option is added to the build environment: PRESTO_ENABLE_JWT - default off, if on adds JWT creation and verification capability, turned on during the pipeline build.
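The mechanism the commit message above describes, as an added example that is not code from Presto or Prestissimo: a node mints a JWT signed with HMAC SHA-256 over the cluster-wide shared secret, with an expiration derived from the configured expiration seconds, and the receiving node verifies the algorithm, the signature and the expiry before trusting the request. The claim names (`sub`, `iat`, `exp`), the `node_id` argument and the `check_startup_config` helper (which mirrors the fail-fast rule discussed in the thread, that HTTPS without a shared secret must not start) are assumptions made for illustration; only the Python standard library is used.

```python
"""Added example: HS256 JWT mint/verify for node-to-node authentication.

Not Presto's or Prestissimo's own code. Claim names, node_id and
check_startup_config are illustrative assumptions.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def generate_shared_secret() -> str:
    # "A large random value is generally recommended": 32 bytes from the OS CSPRNG,
    # URL-safe so it pastes cleanly into every node's config.properties.
    return secrets.token_urlsafe(32)


def check_startup_config(https_enabled: bool, shared_secret) -> bool:
    # Assumed startup rule: once HTTPS is on, a missing shared secret is fatal,
    # because an unsigned internal request would otherwise be accepted.
    if https_enabled and not shared_secret:
        return False
    return True


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _hs256(shared_secret: str, signing_input: str) -> bytes:
    return hmac.new(shared_secret.encode(), signing_input.encode(), hashlib.sha256).digest()


def mint_token(shared_secret: str, node_id: str, expiration_seconds: int, now=None) -> str:
    """Sender side: build header.payload.signature with exp = now + expiration_seconds."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": node_id, "iat": now, "exp": now + expiration_seconds}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    return signing_input + "." + _b64url(_hs256(shared_secret, signing_input))


def verify_token(shared_secret: str, token: str, now=None) -> dict:
    """Receiver side: returns the claims, or raises ValueError on any failure."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm before looking at the signature: honouring whatever "alg"
    # the token claims is how alg=none and key-confusion tokens get accepted.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = _hs256(shared_secret, header_b64 + "." + payload_b64)
    # Constant-time comparison so a forger cannot time byte-by-byte matches.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    exp = payload.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise ValueError("token expired or missing exp")
    return payload


if __name__ == "__main__":
    secret = generate_shared_secret()          # same value on every node
    token = mint_token(secret, "coordinator", expiration_seconds=300)
    print(verify_token(secret, token))
```

A worker that receives a token minted by a coordinator configured with a different shared secret, an expired token, or a token whose header says `alg: none`, fails in `verify_token` before any claim is trusted; the request should then be rejected with 401 rather than falling through to an unauthenticated path.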
Supports JWT for authentication of internal requests. This is required for secure internal communication, especially when used in conjunction with external
user authentication such as PASSWORD, LDAP, etc.
Cherry-pick of trinodb/trino#2032 Cherry-pick of trinodb/trino#2093 Cherry-pick of trinodb/trino#2202 Cherry-pick of trinodb/trino#11944
Test plan -