anmolnar commented on a change in pull request #4064:
URL: https://github.com/apache/hbase/pull/4064#discussion_r806874023



##########
File path: hbase-client/src/main/java/org/apache/hadoop/hbase/security/token/OAuthBearerTokenUtil.java
##########
@@ -68,8 +74,44 @@ public static void addTokenForUser(User user, String 
encodedToken, long lifetime
           }
         };
         subject.getPrivateCredentials().add(jwt);
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("JWT token has been added to user credentials with expiry 
{}",
+            lifetimeMs == 0 ? "0" : 
Instant.ofEpochMilli(lifetimeMs).toString());
+        }
         return null;
       }
     });
   }
+
+  /**
+   * Check whether an OAuth Beaerer token is provided in environment variable 
HADOOP_JWT.
+   * Parse and add it to user private credentials, but only if another token 
is not already present.
+   */
+  public static void addTokenFromEnvironmentVar(User user, String token) {
+    Optional<Token<?>> oauthBearerToken = user.getTokens().stream()
+      .filter((t) -> new Text(OAuthBearerUtils.TOKEN_KIND).equals(t.getKind()))
+      .findFirst();
+
+    if (oauthBearerToken.isPresent()) {
+      return;
+    }
+
+    String[] tokens = token.split(",");
+    if (StringUtils.isEmpty(tokens[0])) {
+      return;
+    }
+    long lifetimeMs = 0;
+    if (tokens.length > 1) {
+      try {
+        ZonedDateTime lifetime = ZonedDateTime.parse(tokens[1]);
+        lifetimeMs = lifetime.toInstant().toEpochMilli();
+      } catch (DateTimeParseException e) {
+        LOG.warn("Unable to parse JWT expiry: {}", tokens[1]);
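Review bot: the `catch (DateTimeParseException e)` branch only logs a warning, so unless the code cut off after it returns, the method continues with `lifetimeMs == 0`, which the debug message earlier in this hunk treats as "no expiry"; since the renewal-overlap logic needs a real lifetime to pick the newer of two tokens, consider returning here (or rejecting the value) rather than adding a token whose expiry is unknown. The expected format of `tokens[1]` should also be documented: `ZonedDateTime.parse` accepts only an ISO-8601 zoned timestamp, so a plain epoch-millis value would always land in this branch. Minor: the Javadoc says the method reads the `HADOOP_JWT` environment variable, but the value arrives through the `token` parameter (the caller reads the variable), and "Beaerer" should read "Bearer".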

Review comment:
Lifetime is generally needed for the overlap of token renewal when you're having 2 tokens at the same time in your subject credentials. In this case the client has to choose the most recent one for the authentication. This logic is already implemented, but lifetimeMs is a must for this to work.

Yes, in the Knox response you'll get the base64 encoded token and the lifetimeMs in the JSON. Theoretically it's also possible to parse the expiry field from the JWT itself, but the question here is do you want to do that without signature validation? If not, the client will also have to be capable of JWT validation like the server.
