[ https://issues.apache.org/jira/browse/RANGER-5528?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Abhishek Kumar updated RANGER-5528:
-----------------------------------
Description:
Here are a few areas where the JWT processing in Ranger Admin
({{ranger-authn}} module) can be improved:
* For every incoming request, while performing signature validation, a new
JWT processor is created ({{new DefaultJWTProcessor<>()}} in
{{RangerDefaultJwtAuthHandler.java}}); this should be avoided. This can
potentially cause memory issues when Ranger Admin is deployed with JWT as the
authentication mechanism.
* Signature verification logic is split and duplicated:
{{jwtToken.verify(verifier);}} in {{RangerJwtAuthHandler.java}} is redundant
(should be avoided); {{jwtProcessor.process(jwtToken, null);}} is sufficient.
* Audience validation is already provided by the default Nimbus
implementation. {{protected boolean validateAudiences(final SignedJWT jwtToken)}}
in {{RangerJwtAuthHandler.java}} is redundant; it should be avoided.
* {{protected boolean validateExpiration(final SignedJWT jwtToken)}} in
{{RangerJwtAuthHandler.java}} should be avoided; this should happen via
{code:java}
new DefaultJWTClaimsVerifier<>(
    new JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
    new HashSet<>(Arrays.asList("sub", "exp", "iat")));
{code}
* Currently, there are no checks in {{doAs}}; it should be revisited.
was:
Here are a few areas where the JWT processing in Ranger Admin
({{{}ranger-authn{}}} module) can be improved:
* For every incoming request, while performing signature validation - a new
JWT processor is created ({{{}new DefaultJWTProcessor<>() in
RangerDefaultJwtAuthHandler.java{}}}), it should be avoided. This can
potentially cause memory issues when Ranger Admin is deployed with JWT as the
authentication mechanism.
* Signature verification logic is split and duplicated:
{{jwtToken.verify(verifier); in RangerJwtAuthHandler.java}} is redundant
(should be avoided), {{jwtProcessor.process(jwtToken, null);}} is sufficient.
* Audience Validation is already provided by the default Nimbus
implementation. {{protected boolean validateAudiences(final SignedJWT
jwtToken)}} in {{RangerJwtAuthHandler.java}} is redundant - it should be
avoided.
* {{protected boolean validateExpiration(final SignedJWT jwtToken)}} in
{{RangerJwtAuthHandler.java}} should be avoided, this should happen via
{{new DefaultJWTClaimsVerifier<>( new
JWTClaimsSet.Builder().issuer(expectedIssuer).build(), new
HashSet<>(Arrays.asList("sub", "exp", "iat")) );}}
* Currently, there are no checks in {{{}doAs{}}}, it should be revisited.
> Improvements in Ranger Admin JWT Module
> ---------------------------------------
>
> Key: RANGER-5528
> URL: https://issues.apache.org/jira/browse/RANGER-5528
> Project: Ranger
> Issue Type: Improvement
> Components: ranger-authn
> Affects Versions: 2.8.0
> Reporter: Abhishek Kumar
> Priority: Major
>
--
This message was sent by Atlassian Jira (v8.20.10#820010)