Improve internal communication authentication #26000

Open: wants to merge 1 commit into base: master
Conversation

@wendigo wendigo (Contributor) commented Jun 12, 2025

By generating and validating request signatures rather than creating and parsing JWT tokens.

This makes it harder to spoof requests even if an internal signature is captured, as it allows only to call a given URI with a given timestamp validity. This was not the case for JWT tokens.

Description

Additional context and related issues

Release notes

(x) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text:

## Section
* Fix some things. ({issue}`issuenumber`)

By generating and validating request signatures rather than creating and parsing JWT tokens.

This makes it harder to spoof requests even if an internal signature is captured, as it allows only to call a given URI with a given timestamp validity. This was not the case for JWT tokens.
@cla-bot cla-bot bot added the cla-signed label Jun 12, 2025
@wendigo wendigo requested a review from losipiuk June 12, 2025 13:10
@martint martint requested a review from dain June 12, 2025 14:25
```java
return Base64.getEncoder()
        .encodeToString(hashing.newHasher()
                .putUnencodedChars(nodeId)
                .putUnencodedChars(uri.toString())
```

Review comment (Member):
I'm not sure the full URI is maintained perfectly across the HTTP protocol. I'd think about using just the path and maybe the query string.
