Abhishek Kumar created RANGER-5528:
--------------------------------------
Summary: Improvements in Ranger Admin JWT Module
Key: RANGER-5528
URL: https://issues.apache.org/jira/browse/RANGER-5528
Project: Ranger
Issue Type: Bug
Components: ranger-authn
Affects Versions: 2.8.0
Reporter: Abhishek Kumar
Here are a few areas where the JWT processing in Ranger Admin
({{ranger-authn}} module) can be improved:
* For every incoming request, a new JWT processor is created while performing
signature validation ({{new DefaultJWTProcessor<>()}} in
{{RangerDefaultJwtAuthHandler.java}}); this should be avoided. It can
potentially cause memory issues when Ranger Admin is deployed with JWT as the
authentication mechanism.
* Signature verification logic is split and duplicated:
{{jwtToken.verify(verifier);}} in {{RangerJwtAuthHandler.java}} is redundant
(should be avoided); {{jwtProcessor.process(jwtToken, null);}} is sufficient.
* Audience validation is already provided by the default Nimbus
implementation. {{protected boolean validateAudiences(final SignedJWT
jwtToken)}} in {{RangerJwtAuthHandler.java}} is redundant and should be
avoided.
* {{protected boolean validateExpiration(final SignedJWT jwtToken)}} in
{{RangerJwtAuthHandler.java}} should be avoided; this should happen via
{{new DefaultJWTClaimsVerifier<>( new
JWTClaimsSet.Builder().issuer(expectedIssuer).build(), new
HashSet<>(Arrays.asList("sub", "exp", "iat")) );}}
* Currently, there are no checks in {{doAs}}; it should be revisited.
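The pattern the points above describe, as an added example that is not Ranger code: one Nimbus JOSE+JWT {{DefaultJWTProcessor}} is configured once in the handler's constructor and reused for every request, the key selector does signature verification, and a {{DefaultJWTClaimsVerifier}} built with the expected audience, an exact-match issuer and the required claims replaces the hand-written audience and expiry checks, so a single {{process(...)}} call rejects a bad signature, wrong issuer or audience, missing claim or expired token. The class name, the {{authenticate}}/{{mint}} helpers, the throwaway RSA key and the issuer and audience strings are constructed for the example.

```java
// Added example (not Ranger code): one Nimbus JWT processor shared across requests,
// with claims validation delegated to DefaultJWTClaimsVerifier.
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;

import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jose.jwk.gen.RSAKeyGenerator;
import com.nimbusds.jose.jwk.source.ImmutableJWKSet;
import com.nimbusds.jose.proc.BadJOSEException;
import com.nimbusds.jose.proc.JWSVerificationKeySelector;
import com.nimbusds.jose.proc.SecurityContext;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import com.nimbusds.jwt.proc.DefaultJWTClaimsVerifier;
import com.nimbusds.jwt.proc.DefaultJWTProcessor;

public class SharedJwtProcessorExample {

    /** Built once for the lifetime of the handler, not once per request. */
    private final DefaultJWTProcessor<SecurityContext> jwtProcessor;

    SharedJwtProcessorExample(JWKSet trustedKeys, String expectedIssuer, String expectedAudience) {
        jwtProcessor = new DefaultJWTProcessor<>();
        // Signature verification: select the RS256 key (by kid) from the trusted key set.
        jwtProcessor.setJWSKeySelector(
                new JWSVerificationKeySelector<>(JWSAlgorithm.RS256, new ImmutableJWKSet<>(trustedKeys)));
        // Claims verification: accepted audience, exact-match issuer, required claims.
        // DefaultJWTClaimsVerifier also checks exp/nbf against the clock, so no separate expiry check.
        jwtProcessor.setJWTClaimsSetVerifier(new DefaultJWTClaimsVerifier<>(
                expectedAudience,
                new JWTClaimsSet.Builder().issuer(expectedIssuer).build(),
                new HashSet<>(Arrays.asList("sub", "exp", "iat"))));
    }

    /** One call performs signature and claims validation; returns the subject, or null when rejected. */
    String authenticate(String token) {
        try {
            JWTClaimsSet claims = jwtProcessor.process(SignedJWT.parse(token), null);
            return claims.getSubject();
        } catch (java.text.ParseException | BadJOSEException | JOSEException e) {
            // Malformed token, bad signature, wrong issuer/audience, missing claim, or expired.
            return null;
        }
    }

    /** Constructed fixture: mint a token signed with the issuer key; a negative lifetime yields an expired one. */
    static String mint(RSAKey key, String iss, String aud, long lifetimeSeconds) throws JOSEException {
        Date now = new Date();
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
                .subject("alice").issuer(iss).audience(aud)
                .issueTime(now)
                .expirationTime(new Date(now.getTime() + lifetimeSeconds * 1000))
                .build();
        SignedJWT jwt = new SignedJWT(
                new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(key.getKeyID()).build(), claims);
        jwt.sign(new RSASSASigner(key));
        return jwt.serialize();
    }

    public static void main(String[] args) throws Exception {
        // Throwaway RSA key standing in for the identity provider's signing key (constructed).
        RSAKey issuerKey = new RSAKeyGenerator(2048).keyID("example-kid").generate();
        SharedJwtProcessorExample handler = new SharedJwtProcessorExample(
                new JWKSet(issuerKey.toPublicJWK()), "https://idp.example.test", "ranger-admin");

        String good = mint(issuerKey, "https://idp.example.test", "ranger-admin", 300);
        String expired = mint(issuerKey, "https://idp.example.test", "ranger-admin", -300);
        String wrongAud = mint(issuerKey, "https://idp.example.test", "other-service", 300);

        System.out.println("valid token   -> " + handler.authenticate(good));
        System.out.println("expired token -> " + handler.authenticate(expired));
        System.out.println("wrong aud     -> " + handler.authenticate(wrongAud));
    }
}
```

The processor holds no per-request state after construction, which is what makes it safe to allocate once and share; the expired and wrong-audience tokens are rejected by the claims verifier alone, without any {{validateExpiration}} or {{validateAudiences}} helper, and the rejection reason is available from the {{BadJOSEException}} message if the handler wants to log it.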
--
This message was sent by Atlassian Jira
(v8.20.10#820010)