KNOX-2527 - Added support for HMAC signature/verification in JWT token authority #397

Merged
smolnar82 merged 1 commit into apache:master from smolnar82:KNOX-2527 on Jan 26, 2021

Conversation

@smolnar82 (Contributor) commented Jan 11, 2021

What changes were proposed in this pull request?

In this change, I'm extending the current RSA-based token signing with the use of HMAC. As described in the corresponding JIRA, from now on, end-users are able to configure an HMAC secret in the gateway's alias service, which will then be used as a signature secret (pay attention to the key size requirements!).

How was this patch tested?

Updated and ran a full maven build successfully and executed E2E tests:

  1. Configured the gateway.signing.hmac.secret alias:

        $ bin/knoxcli.sh list-alias
        Listing aliases for: __gateway
        gateway.signing.hmac.secret

  2. Added the KNOXTOKEN service in the sandbox topology:

        <service>
           <role>KNOXTOKEN</role>
           <param>
              <name>knox.token.ttl</name>
              <value>36000000</value>
           </param>
           <param>
              <name>knox.token.audiences</name>
              <value>tokenbased</value>
           </param>
           <param>
              <name>knox.token.target.url</name>
              <value>https://localhost:8443/gateway/tokenbased</value>
           </param>
        <!--
           <param>
              <name>knox.token.sigalg</name>
              <value>HS256</value>
           </param>
        -->
        </service>

  3. Added a new topology - called tokenbased - to be able to test the generated tokens.
  4. Acquired a Knox token:

        curl -iku admin:admin-password https://localhost:8443/gateway/sandbox/knoxtoken/api/v1/token
        ...
        HTTP/1.1 200 OK
        Date: Mon, 11 Jan 2021 15:08:34 GMT
        Set-Cookie: KNOXSESSIONID=node01eow5gtl4jq0z68xpcuoo9cut0.node0; Path=/gateway/sandbox; Secure; HttpOnly
        Expires: Thu, 01 Jan 1970 00:00:00 GMT
        Set-Cookie: rememberMe=deleteMe; Path=/gateway/sandbox; Max-Age=0; Expires=Sun, 10-Jan-2021 15:08:34 GMT; SameSite=lax
        Content-Type: application/json
        Content-Length: 1862

        {"access_token":"eyJhbGciOiJSUzI1NiJ9...FN7RE8Xsw","target_url":"https://localhost:8443/gateway/tokenbased","endpoint_public_cert":"MIIDe...W6Z2nJarXg==","token_type":"Bearer","expires_in":1610413714993}

  5. Tested the acquired token by invoking the HDFS UI service in tokenbased:

        curl -ik -H "Authorization: Bearer eyJhbGciOiJSUzI1NiJ9...FN7RE8Xsw" https://localhost:8443/gateway/tokenbased/hdfs

  6. Changed the value of the knox.token.sigalg parameter to HS384, reset the gateway.signing.hmac.secret with an appropriate secret (key length matters) and repeated steps 4-5. The call finished successfully.
  7. Changed the value of the knox.token.sigalg parameter to HS512, reset the gateway.signing.hmac.secret with an appropriate secret (key length matters) and repeated steps 4-5. The call finished successfully.
  8. Changed the value of the knox.token.sigalg parameter to HS123 and repeated steps 4-5. The call failed as expected.
  9. Removed the gateway.signing.hmac.secret and re-tried the get/verify steps; all were OK.

Logged into the Knox home page successfully (the hadoop-jwt cookie was added properly).
Also tested the case when gateway.signing.keystore.name was set.

@lmccay (Contributor) left a comment

Sandor - this is a great improvement for JWT signing. I think that we should make a couple of adjustments to allow the mix of both RSA/PKI and HMAC methods though, and I've made a couple of comments to that end.

@smolnar82 smolnar82 force-pushed the KNOX-2527 branch 3 times, most recently from 878e9b8 to 9d3e152 on January 21, 2021 14:42
@smolnar82 smolnar82 requested a review from lmccay January 21, 2021 15:24
@smolnar82 (Contributor, Author) commented

@lmccay - I tested it with different topologies that come with different signature algorithms (HS256 and RS256) and it was working as expected. Could you please give me another review and let me know if I can merge this PR?

HS256 test

Created a 256-bit HMAC secret:

    bin/knoxcli.sh create-alias gateway.signing.hmac.secret --value 6w9zAB-E_H-McQfTjWnZr4u7x_A7D8F-

Acquired a token:

    curl -iku admin:admin-password https://localhost:8443/gateway/tokenhs256/knoxtoken/api/v1/token

    {"access_token":"eyJhbG...RI2hKM",...,"token_type":"Bearer","expires_in":1611689480150}

gateway.log:

    2021-01-26 10:35:24,158 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenhs256) issued token eyJhbG...RI2hKM (7794004b-c3e8-4aea-9d69-226786948ace)

Testing the acquired token:

    curl -ik -H "Authorization: Bearer eyJhbG...RI2hKM" https://localhost:8443/gateway/tokenbased/hdfs

gateway-audit.log:

    21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET
    21/01/26 10:37:27 ||8e4bcfe0-4a26-4f0c-a74b-857217ffeae7|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|

RS256 test

Acquired a token:

    curl -iku admin:admin-password https://localhost:8443/gateway/tokenrs256/knoxtoken/api/v1/token

    {"access_token":"eyJhbG...xukCHw",...,"token_type":"Bearer","expires_in":1611690064630}

gateway.log:

    2021-01-26 10:41:04,638 INFO service.knoxtoken (TokenResource.java:getAuthenticationToken(407)) - Knox Token service (tokenrs256) issued token eyJhbG...xukCHw (fffd212d-dba7-40c5-8325-3512203ffde2)

Testing the acquired token:

    curl -ik -H "Authorization: Bearer eyJhbG...xukCHw" https://localhost:8443/gateway/tokenbased/hdfs

gateway-audit.log:

    21/01/26 10:44:35 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI||||access|uri|/gateway/tokenbased/hdfs|unavailable|Request method: GET
    21/01/26 10:44:45 ||1bac63c9-1c15-4673-a592-2072f9235d53|audit|[0:0:0:0:0:0:0:1]|HDFSUI|admin|||authentication|uri|/gateway/tokenbased/hdfs|success|

The only difference between the tokenhs256 and tokenrs256 topologies is the configured signature algorithm:

    <service>
       <role>KNOXTOKEN</role>
       <param>
          <name>knox.token.ttl</name>
          <value>36000000</value>
       </param>
       <param>
          <name>knox.token.audiences</name>
          <value>tokenbased</value>
       </param>
       <param>
          <name>knox.token.target.url</name>
          <value>https://localhost:8443/gateway/tokenbased</value>
       </param>
       <param>
          <name>knox.token.sigalg</name>
          <value>HS256</value>
       </param>
    </service>
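As an added illustration of the contract this PR and the HS256/RS256 tests above describe (not Knox's own code, which is Java built on nimbus-jose-jwt), the following Python shows the HMAC path: the secret that would come from the gateway.signing.hmac.secret alias, the algorithm pinned by the topology's knox.token.sigalg rather than by the token header, the per-algorithm minimum secret size behind the "key length matters" remark (RFC 7518 section 3.2: at least the hash output length, so 256/384/512 bits), and rejection of an unsupported value such as HS123. The RSA fallback used when the alias is absent is not shown. The function names, the claim set and the hard-coded times are my assumptions; the secret is the 256-bit test value from the HS256 test comment.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Supported HMAC JWS algorithms, mapped to their hash and the minimum secret
# size in bits (RFC 7518 section 3.2: key at least as long as the hash output).
HMAC_ALGS = {
    "HS256": (hashlib.sha256, 256),
    "HS384": (hashlib.sha384, 384),
    "HS512": (hashlib.sha512, 512),
}

# The 32-byte (256-bit) test value from this PR's HS256 test comment; a real
# deployment keeps its secret only in the gateway's alias service.
PR_TEST_SECRET = b"6w9zAB-E_H-McQfTjWnZr4u7x_A7D8F-"


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def check_hmac_secret(secret: bytes, alg: str) -> int:
    """Reject an unknown algorithm (e.g. HS123) or an undersized secret; return the secret size in bits."""
    if alg not in HMAC_ALGS:
        raise ValueError(f"unsupported signature algorithm: {alg}")
    bits = len(secret) * 8
    if bits < HMAC_ALGS[alg][1]:
        raise ValueError(f"{alg} requires a secret of at least {HMAC_ALGS[alg][1]} bits, got {bits}")
    return bits


def sign_hmac_jwt(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce header.payload.signature for the configured knox.token.sigalg (hypothetical helper)."""
    check_hmac_secret(secret, alg)
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg][0]).digest()
    return f"{signing_input}.{_b64url(mac)}"


def verify_hmac_jwt(token: str, secret: bytes, expected_alg: str, audience: str,
                    now: Optional[float] = None) -> dict:
    """Return the claims only if alg, signature, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_unb64url(header_b64))
    # The verifier pins the algorithm to the topology's configuration; the
    # token's own header is never allowed to select a different one.
    if header.get("alg") != expected_alg:
        raise ValueError(f"token alg {header.get('alg')!r} does not match configured {expected_alg}")
    check_hmac_secret(secret, expected_alg)
    expected_mac = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                            HMAC_ALGS[expected_alg][0]).digest()
    # Constant-time comparison so the check leaks nothing about the expected MAC.
    if not hmac.compare_digest(expected_mac, _unb64url(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_unb64url(payload_b64))
    aud = claims.get("aud")
    if not (aud == audience or (isinstance(aud, list) and audience in aud)):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if "exp" in claims and claims["exp"] <= now:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed claims mirroring the tokenbased audience from the topology above.
    token = sign_hmac_jwt({"sub": "admin", "aud": "tokenbased", "exp": 1611689480},
                          PR_TEST_SECRET, "HS256")
    print(token)
    print(verify_hmac_jwt(token, PR_TEST_SECRET, "HS256", "tokenbased", now=1611600000))
    # A 256-bit secret is too short for HS384, and HS123 is not an algorithm at all.
    for alg in ("HS384", "HS123"):
        try:
            check_hmac_secret(PR_TEST_SECRET, alg)
        except ValueError as err:
            print("rejected:", err)
```

The verifier takes the expected algorithm and the audience from configuration, mirroring how a topology's knox.token.sigalg and knox.token.audiences are fixed server-side; an HS256 token presented to a verifier configured for HS512 (or an RS256 one) is rejected before any MAC is computed.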

@lmccay (Contributor) left a comment

Thanks, Sandor!
LGTM!
+1

@smolnar82 smolnar82 merged commit 5bcc50c into apache:master Jan 26, 2021
@smolnar82 smolnar82 deleted the KNOX-2527 branch January 26, 2021 18:35
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
…in JWT token authority (apache#397)

Change-Id: I3422729e60f8c41e4b001967c56612331725a756
stoty pushed a commit to stoty/knox that referenced this pull request May 14, 2024
* changes:
  CDPD-21175 KNOX-2527 - Added support for HMAC signature/verification in JWT token authority (apache#397)
  CDPD-21175 KNOX-2382 - Logging token identifier for easier error debugging (apache#352)