deniskuzZ commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2378404362


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java:
##########
@@ -1873,8 +1873,55 @@ public enum ConfVars {
             " positive value will be used as-is."
     ),
     CATALOG_SERVLET_AUTH("metastore.catalog.servlet.auth",
-        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt"),
-        "HMS Catalog servlet authentication method (none, simple, or jwt)."
+        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt", "oauth2"),
+        "HMS Catalog servlet authentication method (none, simple, jwt, or 
oauth2)."
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_ISSUER("metastore.catalog.servlet.auth.oauth2.issuer",
+        "hive.metastore.catalog.servlet.auth.oauth2.issuer", "",
+        "The issuer(iss)'s URI. This is required when you use 
metastore.catalog.servlet.auth=oauth2"
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_VALIDATION_METHOD("metastore.catalog.servlet.auth.oauth2.validation.method",
+        "hive.metastore.catalog.servlet.auth.oauth2.validation.method", "jwt",
+        new StringSetValidator("jwt", "introspection"),
+        "How to evaluate an access token. When your authorization server 
issues opaque tokens or you need " +
+        "to consider additional security requirements such as token 
revocations, use introspection."
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_AUDIENCE("metastore.catalog.servlet.auth.oauth2.audience",
+        "hive.metastore.catalog.servlet.auth.oauth2.audience", "",
+        "The acceptable name in the audience(aud) claim.  This is required 
when you use " +
+        "metastore.catalog.servlet.auth=oauth2"
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_ID("metastore.catalog.servlet.auth.oauth2.client.id",
+        "hive.metastore.catalog.servlet.auth.oauth2.client.id", "",
+        "The client ID of HMS as a resource server. This is required to use " +
+        
"metastore.catalog.servlet.auth.oauth2.validation.method=introspection."
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_SECRET("metastore.catalog.servlet.auth.oauth2.client.secret",
+        "hive.metastore.catalog.servlet.auth.oauth2.client.secret", "",
+        "The client secret of HMS as a resource server. This is required to 
use " +
+        
"metastore.catalog.servlet.auth.oauth2.validation.method=introspection."
+    ),
+    CATALOG_SERVLET_AUTH_OAUTH2_INTROSPECTION_CACHE_EXPIRY(
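Review bot: `CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_SECRET` holds a credential but is declared like any other string ConfVar; make sure it goes through whatever sensitive/hidden-config handling MetastoreConf applies so the value is not echoed in config dumps, `set -v` style listings or startup logs, and say so in the description. Related: the descriptions for issuer, audience, client id and client secret all say "This is required when ...", yet the defaults are `""`, so consider validating these combinations once when the catalog servlet starts (oauth2 => issuer and audience non-empty; introspection => client id and secret non-empty) rather than failing on the first request. Nits in the description strings: `"The issuer(iss)'s URI"` reads better as `"The issuer (iss) URI"`, and `"audience(aud) claim.  This"` has a double space.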

Review Comment:
   btw, don't we need to define these as well, or would that be the client's (caller's) responsibility?
   https://datatracker.ietf.org/doc/html/rfc8414#section-2
   
   - authorization_endpoint – redirects end-users to authenticate.
   
   - token_endpoint – REQUIRED unless the AS supports only implicit; to exchange codes for tokens.
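Added example, not code from the Hive PR or the Hive project: it shows which RFC 8414 authorization-server metadata fields an OAuth2 resource server such as the HMS catalog servlet needs for each `metastore.catalog.servlet.auth.oauth2.validation.method` value, alongside the startup checks the patch's "required when ..." descriptions imply. The metadata document and configuration values are constructed for the example, and `check_conf` and `resource_server_endpoints` are hypothetical helper names, not Hive APIs.

```python
"""Which RFC 8414 metadata a resource server needs, given the oauth2 keys
added to MetastoreConf. Added example; sample data is constructed."""
import json
from urllib.parse import urlparse

# Constructed RFC 8414 metadata document, the kind served at
# <issuer>/.well-known/oauth-authorization-server.
SAMPLE_METADATA = json.dumps({
    "issuer": "https://as.example.com",
    "authorization_endpoint": "https://as.example.com/authorize",
    "token_endpoint": "https://as.example.com/token",
    "jwks_uri": "https://as.example.com/.well-known/jwks.json",
    "introspection_endpoint": "https://as.example.com/introspect",
    "introspection_endpoint_auth_methods_supported": ["client_secret_basic"],
})

PREFIX = "metastore.catalog.servlet.auth.oauth2."

# Keys from the patch; values are constructed for the example.
SAMPLE_CONF = {
    "metastore.catalog.servlet.auth": "oauth2",
    PREFIX + "issuer": "https://as.example.com",
    PREFIX + "validation.method": "introspection",
    PREFIX + "audience": "hms-catalog",
    PREFIX + "client.id": "hms",
    PREFIX + "client.secret": "constructed-secret",
}


def check_conf(conf):
    """Return the keys that are empty but required by the rules stated in the
    patch's descriptions: issuer and audience whenever auth=oauth2, plus
    client id and secret when validation.method=introspection."""
    if conf.get("metastore.catalog.servlet.auth") != "oauth2":
        return []
    required = ["issuer", "audience"]
    if conf.get(PREFIX + "validation.method", "jwt") == "introspection":
        required += ["client.id", "client.secret"]
    return [PREFIX + k for k in required if not conf.get(PREFIX + k)]


def resource_server_endpoints(conf, metadata_json):
    """Pick the metadata fields the resource server actually uses.

    authorization_endpoint and token_endpoint are consumed by clients that
    obtain tokens; a resource server only validates tokens, so it needs
    jwks_uri (local signature check) or introspection_endpoint (ask the AS).
    RFC 8414 section 3.3: the 'issuer' in the document must equal the issuer
    it was fetched for, otherwise the document must be rejected."""
    issuer = conf[PREFIX + "issuer"]
    if urlparse(issuer).scheme != "https":
        raise ValueError("issuer must be an https URL")
    md = json.loads(metadata_json)
    if md.get("issuer") != issuer:
        raise ValueError("metadata issuer %r does not match configured %r"
                         % (md.get("issuer"), issuer))
    method = conf.get(PREFIX + "validation.method", "jwt")
    if method == "jwt":
        # Signature verified locally against the JWKS; no round trip to the
        # AS, so a revoked-but-unexpired token still validates.
        return {"jwks_uri": md["jwks_uri"]}
    # introspection: HMS authenticates to the AS with its own client id and
    # secret, and the AS reports active/inactive, so revocation is honoured.
    return {"introspection_endpoint": md["introspection_endpoint"]}


if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF))
    print(resource_server_endpoints(SAMPLE_CONF, SAMPLE_METADATA))
```

The point for the question above is that a resource server configured with only the issuer can discover everything it needs from the metadata document; the two endpoints named in the comment are consumed by the caller obtaining the token, not by HMS validating it.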


