[LIVY-552][WIP] Add JWTFilter to validate incoming JWT tokens#142
[LIVY-552][WIP] Add JWTFilter to validate incoming JWT tokens#142z-york wants to merge 1 commit into
Conversation
Codecov Report
@@ Coverage Diff @@
## master #142 +/- ##
============================================
+ Coverage 68.34% 68.62% +0.28%
- Complexity 895 913 +18
============================================
Files 100 103 +3
Lines 5604 5664 +60
Branches 840 848 +8
============================================
+ Hits 3830 3887 +57
+ Misses 1225 1220 -5
- Partials 549 557 +8
Continue to review full report at Codecov.
|
|
|
||
| val JWT_FILTER_ENABLED = Entry("livy.jwt.filter.enabled", false) | ||
| val JWT_HEADER_NAME = Entry("livy.jwt.header.name", "Authentication") | ||
| val JWT_SIGNATURE_PUBLIC_KEY_PATH = Entry("livy.jwt.public-key.path", null) |
There was a problem hiding this comment.
Is there any chances we need to support multiple public keys for key rotation?
There was a problem hiding this comment.
Do you mean allowing users to specify a list of public keys to workaround having to restart livy when a particular key is rotated? I think it's an interesting idea, but would require other changes to work (currently the key is read in once from the path and not refreshed, this would require some refresh mechanism). Anyways, I think this can be a separate feature request/JIRA after this one gets in.
|
LIVY-508 #110 will be merged soon and will provide a framework to add custom filters. |
|
Sure, let me try to rebase ontop of that PR |
|
Thanks for the heads up @Tagar! @alex-the-man I took a look at rebasing it ontop (and using) 110 and I think there are a few things that don't make sense with the current approach:
In addition to this, the JWTFilter in my PR requires LivyConf to be passed in when it is created which I assume won't work if it is being instantiated via the Filter Holder (not sure how this is being done, but I would assume reflection). I think it should be fairly simple to change the config to a list of auth types which will solve the first problem, but I'm not sure about how to solve the 2nd issue. Any ideas? |
|
@jerryshao What is your opinion on supporting multiple filters? |
Those config will be passed to the function: Could you change JWTFilter to pass those config to JWSVerifierProvider in that function call? |
|
My apologies for such a long lapse here... I will be picking this back up again. |
|
@z-york Are you planning to continue working on this? Otherwise I can pick up from where you left |
|
@naksh9619 Feel free to continue the work. I have since been pulled onto other work and didn't have the time to address follow-up comments. |
|
This pull request has been automatically marked as stale because it has had no activity for at least 3 months. If you are still working on this change or plan to move it forward, please leave a comment or push a new commit so we know to keep it open. Otherwise, this PR will be closed automatically in about one month. Thank you for your contribution to Apache Livy! |
What changes were proposed in this pull request?
This PR adds JWT Authentication to Livy via a new filter, JWTFilter that validates the JWT and accepts or rejects the request.
https://issues.apache.org/jira/browse/LIVY-552
(Please fill in changes proposed in this fix)
(Include a link to the associated JIRA and make sure to add a link to this pr on the JIRA as well)
How was this patch tested?
Unit Tests passed.
Tested manually as well.
(Please explain how this patch was tested. E.g. unit tests, integration tests, manual tests)
(If this patch involves UI changes, please attach a screenshot; otherwise, remove this)
Please review https://livy.incubator.apache.org/community/ before opening a pull request.