Description
Recent PR #4364 made a change where it is possible to specify private key per cluster.
This got my attention because it implies that different clusters may have different key pairs.
https://github.com/uber/cadence/blob/5191468f2297dc7666c574fe74492fae4e85b58a/common/config/cluster.go#L70
Another thing I noticed that for verification we have only one public key per cluster. https://github.com/uber/cadence/blob/7aca8298408de8ef3b2b4035f31f63b27f3821ed/common/authorization/oauthAuthorizer.go#L65
Here are my concerns:
- If we assume that all of cadence server + worker deployments would fall under single owner, then having multiple key-pairs per cluster does not make sense, single would do.
- Otherwise, I think we got it backwards.
Current setup implies that a cluster have a key-pair with public key on its side to validate JWT tokens. Since it has one public key to validate tokens against, this means that private key counterpart has to be distributed for signing parties. If this falls under single owner it may not be a problem.
But consider several parties. For this case you do not want to share your private key with them, as this is private by definition. Now consider the opposite scenario. Each party generates its own key-pair, keeps their private key for signing and give Cadence server maintainer their public counterpart. Now the maintainer could add the public key, but only one key can be configured, and there are several parties.
Lets review a similar pattern - ssh connection. The host has a config file ~/.ssh/authorized_keys where multiple public keys can be added that are allowed to login.
Another example github itself - you can add multiple public keys to it, that are allowed to login.
I suggest the following:
- we should accept and validate against the list of public keys (not one).
- cluster should contain only one private key for himself (not a list of them per each replication cluster).
@noiarek
@longquanzheng