[jira] [Updated] (HADOOP-19612) Add Support for Propagating Access Token via RPC Header in HDFS

Wed, 30 Jul 2025 10:09:04 -0700 


     [ 
https://issues.apache.org/jira/browse/HADOOP-19612?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Chris Trezzo updated HADOOP-19612:
----------------------------------
    Fix Version/s:     (was: 3.3.9)

> Add Support for Propagating Access Token via RPC Header in HDFS
> ---------------------------------------------------------------
>
>                 Key: HADOOP-19612
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19612
>             Project: Hadoop Common
>          Issue Type: New Feature
>          Components: hadoop-common
>            Reporter: Tom McCormick
>            Assignee: Tom McCormick
>            Priority: Major
>              Labels: pull-request-available
>             Fix For: 3.5.0
>
>
> *Description:*
> To support modern authentication models (e.g., bearer tokens, OAuth2), we 
> propose adding support in HDFS to propagate an access token via the RPC 
> request header. This enables downstream services (e.g., NameNode, Router) to 
> validate access tokens in a secure and standardized way.
> The token will be passed in a dedicated field in the 
> {{{}RpcRequestHeaderProto{}}}, mimicking the behavior of an HTTP 
> {{Authorization: Bearer <token>}} header. The caller context or UGI may 
> extract this token and use it for authorization decisions or auditing.
> *Benefits:*
>  * Enables secure, token-based authentication in multi-tenant environments
>  * Lays the foundation for fine-grained, per-request authorization
> *Scope:*
>  * Add optional {{authorization_token}} field to RPC header
>  * Ensure token is thread-local or caller-context scoped
>  * Wire it through relevant client and server code paths
>  * Provide configuration to enable/disable this feature
> *Notes:*
> This feature is intended to be backward-compatible with existing HDFS 
> clients. If the token is not set, behavior will remain unchanged.
> At Linkedin, we plan to delegate auth to a custom enforcement point in RBF. 
> The workflow is the client will get an access token and pass that in the RPC. 
> The request and access token will be authorized in the custom authorizer. 
>  
>  
> *PR*
> [https://github.com/apache/hadoop/pull/7803/files#diff-55740268215623b4037dd1bd35200c383576bee23d444096eb9cee751e3728f3]
>  



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: common-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: common-issues-h...@hadoop.apache.org

Reply via email to