anmolnar commented on a change in pull request #4064:
URL: https://github.com/apache/hbase/pull/4064#discussion_r806874023
##########
File path:
hbase-client/src/main/java/org/apache/hadoop/hbase/security/token/OAuthBearerTokenUtil.java
##########
@@ -68,8 +74,44 @@ public static void addTokenForUser(User user, String
encodedToken, long lifetime
}
};
subject.getPrivateCredentials().add(jwt);
+ if (LOG.isDebugEnabled()) {
+ LOG.debug("JWT token has been added to user credentials with expiry
{}",
+ lifetimeMs == 0 ? "0" :
Instant.ofEpochMilli(lifetimeMs).toString());
+ }
return null;
}
});
}
+
+ /**
+ * Check whether an OAuth Beaerer token is provided in environment variable
HADOOP_JWT.
+ * Parse and add it to user private credentials, but only if another token
is not already present.
+ */
+ public static void addTokenFromEnvironmentVar(User user, String token) {
+ Optional<Token<?>> oauthBearerToken = user.getTokens().stream()
+ .filter((t) -> new Text(OAuthBearerUtils.TOKEN_KIND).equals(t.getKind()))
+ .findFirst();
+
+ if (oauthBearerToken.isPresent()) {
+ return;
+ }
+
+ String[] tokens = token.split(",");
+ if (StringUtils.isEmpty(tokens[0])) {
+ return;
+ }
+ long lifetimeMs = 0;
+ if (tokens.length > 1) {
+ try {
+ ZonedDateTime lifetime = ZonedDateTime.parse(tokens[1]);
+ lifetimeMs = lifetime.toInstant().toEpochMilli();
+ } catch (DateTimeParseException e) {
+ LOG.warn("Unable to parse JWT expiry: {}", tokens[1]);
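Review bot: after `LOG.warn("Unable to parse JWT expiry: {}", tokens[1]);` the method falls through with lifetimeMs == 0 and still adds the token to the credentials, even though the expiry is what the renewal-overlap selection depends on; consider returning without adding the token when the expiry is present but unparseable, or at least stating the fallback in the Javadoc. Two smaller points in the same hunk: `token.split(",")` throws on a null `token`, so `addTokenFromEnvironmentVar` should guard the argument before indexing `tokens[0]`, and the Javadoc reads "Beaerer" for "Bearer".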
Review comment:
Lifetime is generally needed for the overlap of token renewal when
you're having 2 tokens at the same time in your subject credentials. In this
case the client has to choose the most recent one for the authentication. This
logic is already implemented, but lifetimeMs is a must for this to work.
Yes, in the Knox response you'll get the base64 encoded token and the
lifetimeMs in the JSON. Theoretically it's also possible to parse the expiry
field from the JWT itself, but the question here is do you want to do that
without signature validation? If not, the client will also have to be capable
of JWT validation like the server.
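The two points in the comment above, the "token,expiry" value that the hunk parses and the choice of the most recent of several overlapping tokens, as an added example in Java. This is illustration code written for this page, not code from the HBase pull request or from Knox; the class and method names (`BearerTokenSelection`, `parseEnvValue`, `pickMostRecent`, `unverifiedExpFromJwt`) and the sample tokens are constructed here. It also shows what reading the `exp` claim straight out of the JWT looks like, and why that value is only a hint until the signature has been checked.

```java
import java.nio.charset.StandardCharsets;
import java.time.Instant;
import java.time.ZonedDateTime;
import java.time.format.DateTimeParseException;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Hypothetical helper (not HBase code): parse and select bearer tokens for a client. */
public final class BearerTokenSelection {

  /** A token and the expiry the caller trusts for it (epoch millis, 0 = unknown). */
  public static final class Candidate {
    public final String token;
    public final long expiryMs;
    Candidate(String token, long expiryMs) { this.token = token; this.expiryMs = expiryMs; }
  }

  /**
   * Parse the "token[,ISO-8601 expiry]" form used for the HADOOP_JWT variable.
   * Empty result for a null value or a blank token part. A present but
   * unparseable expiry is rejected instead of being silently treated as 0,
   * because 0 would disable the most-recent-token selection below.
   */
  public static Optional<Candidate> parseEnvValue(String value) {
    if (value == null) return Optional.empty();
    String[] parts = value.split(",", 2);          // limit 2: keep the expiry intact
    String token = parts[0].trim();
    if (token.isEmpty()) return Optional.empty();
    long expiryMs = 0;
    if (parts.length > 1 && !parts[1].trim().isEmpty()) {
      try {
        expiryMs = ZonedDateTime.parse(parts[1].trim()).toInstant().toEpochMilli();
      } catch (DateTimeParseException e) {
        return Optional.empty();                   // corrupted expiry: do not use the token
      }
    }
    return Optional.of(new Candidate(token, expiryMs));
  }

  /**
   * During renewal two tokens overlap in the credentials; authenticate with the
   * one that expires last, skipping tokens already expired at {@code nowMs}.
   * A token with unknown expiry (0) never beats one with a known expiry.
   */
  public static Optional<Candidate> pickMostRecent(List<Candidate> candidates, long nowMs) {
    return candidates.stream()
        .filter(c -> c.expiryMs == 0 || c.expiryMs > nowMs)
        .max(Comparator.comparingLong((Candidate c) -> c.expiryMs));
  }

  private static final Pattern EXP_CLAIM = Pattern.compile("\"exp\"\\s*:\\s*(\\d+)");

  /**
   * Read the "exp" claim from a compact JWT WITHOUT verifying the signature.
   * Anyone who can set the environment variable can set this value, so it is
   * untrusted input: usable as a hint for renewal scheduling, never as proof.
   */
  public static long unverifiedExpFromJwt(String jwt) {
    String[] segments = jwt.split("\\.");
    if (segments.length < 2) return 0;
    byte[] payload;
    try {
      payload = Base64.getUrlDecoder().decode(segments[1]);   // unpadded input accepted
    } catch (IllegalArgumentException e) {
      return 0;
    }
    Matcher m = EXP_CLAIM.matcher(new String(payload, StandardCharsets.UTF_8));
    return m.find() ? Long.parseLong(m.group(1)) * 1000L : 0;
  }

  /** Constructed, unsigned sample JWT ("alg":"none", empty signature segment). */
  private static String constructedJwt(long expSeconds) {
    Base64.Encoder enc = Base64.getUrlEncoder().withoutPadding();
    String header = enc.encodeToString("{\"alg\":\"none\"}".getBytes(StandardCharsets.UTF_8));
    String payload = enc.encodeToString(
        ("{\"sub\":\"alice\",\"exp\":" + expSeconds + "}").getBytes(StandardCharsets.UTF_8));
    return header + "." + payload + ".";
  }

  public static void main(String[] args) {
    long now = Instant.parse("2022-02-15T12:00:00Z").toEpochMilli();
    List<Candidate> have = new ArrayList<>();
    // Old token still valid for an hour, its renewed successor valid for four, and
    // a value with a corrupted expiry that parseEnvValue drops.
    parseEnvValue(constructedJwt(1644930000L) + ",2022-02-15T13:00:00Z").ifPresent(have::add);
    parseEnvValue(constructedJwt(1644940800L) + ",2022-02-15T16:00:00Z").ifPresent(have::add);
    parseEnvValue(constructedJwt(1644900000L) + ",not-a-date").ifPresent(have::add);

    Candidate chosen = pickMostRecent(have, now).orElseThrow(IllegalStateException::new);
    System.out.println("tokens kept: " + have.size());
    System.out.println("chosen expiry (trusted, from env): " + Instant.ofEpochMilli(chosen.expiryMs));
    System.out.println("exp claim (unverified): " + Instant.ofEpochMilli(unverifiedExpFromJwt(chosen.token)));
  }
}
```

Running `main` keeps two of the three constructed values and selects the token expiring at 16:00. The `exp` claim read back from the chosen token agrees with the expiry from the environment only because the sample was constructed that way; in a real deployment the two can differ, and only a signature-validated claim is worth more than the value the caller already supplied.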
##########
File path:
hbase-common/src/main/java/org/apache/hadoop/hbase/security/oauthbearer/OAuthBearerUtils.java
##########
@@ -25,6 +25,7 @@
@InterfaceAudience.Private
public final class OAuthBearerUtils {
public static final String OAUTHBEARER_MECHANISM = "OAUTHBEARER";
+ public static final String TOKEN_KIND = "OAUTHBEARER_AUTH_TOKEN";
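Review bot: `TOKEN_KIND` is consumed on the client side as `new Text(OAuthBearerUtils.TOKEN_KIND).equals(t.getKind())` inside a stream filter, which allocates a fresh `Text` for every token examined; a companion `public static final Text TOKEN_KIND_TEXT = new Text(TOKEN_KIND);` next to this constant (or comparing `t.getKind().toString()` against the string) avoids that and keeps the kind defined in one place.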
Review comment:
Makes sense.
##########
File path:
hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionFactory.java
##########
@@ -70,7 +70,11 @@
@InterfaceAudience.Public
public class ConnectionFactory {
- public static final String HBASE_CLIENT_ASYNC_CONNECTION_IMPL =
"hbase.client.async.connection.impl";
+ public static final String HBASE_CLIENT_ASYNC_CONNECTION_IMPL =
+ "hbase.client.async.connection.impl";
+
+ /** Environment variable for OAuth Bearer token */
+ public static final String ENV_OAUTHBEARER_TOKEN = "HADOOP_JWT";
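Review bot: `ENV_OAUTHBEARER_TOKEN` lands on an `@InterfaceAudience.Public` class, so its one-line Javadoc becomes the user-facing contract; it should state the value format the client parses (the token, optionally followed by a comma and an ISO-8601 expiry such as `2022-02-15T13:00:00Z`) and that the variable is ignored when an OAUTHBEARER token is already present in the user's credentials.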
Review comment:
Yeah, let's go with that.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]