ehenry2 opened a new pull request, #885:
URL: https://github.com/apache/arrow-ballista/pull/885
# Which issue does this PR close?
Closes #835
# Rationale for this change
In the current state, the Flight SQL do handshake method uses a hardcoded
username and password for authorization. One of the essential features for
production readiness is to improve the security posture by having configurable
authorization. The goal of this PR is to add a simple abstraction (the
"Authorizer" trait) that allows for implementations of a variety of commonly
used authorization schemes (basic auth, JWT, LDAP, etc.). I only implemented
basic auth for now in a backwards-compatible way so I can get feedback on the
approach.
# What changes are included in this PR?
This PR adds a new trait "Authorizer" that has a simple validate method that
is passed the value of the authorization metadata the client sends with the
request. Implementations can be created for basic authentication, JWT, LDAP,
etc. I've made the validate function async so if implementations require HTTP
requests over the network, this is supported.
# Are there any user-facing changes?
The PR is meant to be backwards compatible, defaulting to basic auth with
the same username/password.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
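
A sketch of the basic-auth case this PR describes, added here as an illustration and not code from the PR or from Ballista. Assumptions: the trait and `BasicAuthorizer` shapes are hypothetical, `validate` is synchronous and the base64 decoder is hand-written so the block runs without crates, and the credentials are constructed.

```rust
/// Hypothetical stand-in for the PR's `Authorizer` trait (sync here; the PR's is async).
pub trait Authorizer {
    /// `header` is the raw value of the client's `authorization` metadata.
    fn validate(&self, header: &str) -> bool;
}

pub struct BasicAuthorizer { pub user: String, pub pass: String }

/// Decode standard base64; None on an invalid character, length or padding.
fn b64_decode(s: &str) -> Option<Vec<u8>> {
    const T: &[u8] = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    let body = s.trim_end_matches('=');
    if s.len() % 4 != 0 || s.len() - body.len() > 2 { return None; }
    let (mut acc, mut bits, mut out) = (0u32, 0u32, Vec::new());
    for c in body.bytes() {
        acc = (acc << 6) | T.iter().position(|&t| t == c)? as u32;
        bits += 6;
        if bits >= 8 { bits -= 8; out.push((acc >> bits) as u8); }
    }
    Some(out)
}

/// Compare with no early exit, so timing does not reveal how long a matching prefix is.
fn ct_eq(a: &[u8], b: &[u8]) -> bool {
    let mut diff = a.len() ^ b.len();
    for i in 0..a.len().max(b.len()) {
        diff |= (a.get(i).copied().unwrap_or(0) ^ b.get(i).copied().unwrap_or(0)) as usize;
    }
    diff == 0
}

impl Authorizer for BasicAuthorizer {
    fn validate(&self, header: &str) -> bool {
        // Expect "<scheme> <credentials>"; the scheme name is case-insensitive.
        let Some((scheme, b64)) = header.split_once(' ') else { return false };
        if !scheme.eq_ignore_ascii_case("basic") { return false; }
        let Some(raw) = b64_decode(b64.trim()) else { return false };
        // Split on the first ':' only, so a password may itself contain ':'.
        let Some(i) = raw.iter().position(|&b| b == b':') else { return false };
        // Non-short-circuit `&`: both fields are always compared.
        ct_eq(&raw[..i], self.user.as_bytes()) & ct_eq(&raw[i + 1..], self.pass.as_bytes())
    }
}

fn main() {
    // Constructed credentials; "YWxpY2U6czM6Y3JldA==" is base64("alice:s3:cret").
    let auth = BasicAuthorizer { user: "alice".into(), pass: "s3:cret".into() };
    println!("{}", auth.validate("Basic YWxpY2U6czM6Y3JldA=="));
}
```

Every malformed input (missing scheme, non-Basic scheme, bad base64, no `:` separator) is rejected rather than passed through, which is the behaviour any other implementation of the trait would also need.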