joshelser commented on a change in pull request #4064:
URL: https://github.com/apache/hbase/pull/4064#discussion_r830680098

##########
File path: hbase-client/src/main/java/org/apache/hadoop/hbase/security/token/OAuthBearerTokenUtil.java
##########
@@ -68,8 +74,44 @@ public static void addTokenForUser(User user, String 
encodedToken, long lifetime
           }
         };
         subject.getPrivateCredentials().add(jwt);
+        if (LOG.isDebugEnabled()) {
+          LOG.debug("JWT token has been added to user credentials with expiry 
{}",
+            lifetimeMs == 0 ? "0" : 
Instant.ofEpochMilli(lifetimeMs).toString());
+        }
         return null;
       }
     });
   }
+
+  /**
+   * Check whether an OAuth Beaerer token is provided in environment variable 
HADOOP_JWT.
+   * Parse and add it to user private credentials, but only if another token 
is not already present.
+   */
+  public static void addTokenFromEnvironmentVar(User user, String token) {
+    Optional<Token<?>> oauthBearerToken = user.getTokens().stream()
+      .filter((t) -> new Text(OAuthBearerUtils.TOKEN_KIND).equals(t.getKind()))
+      .findFirst();
+
+    if (oauthBearerToken.isPresent()) {
+      return;
+    }
+
+    String[] tokens = token.split(",");
+    if (StringUtils.isEmpty(tokens[0])) {
+      return;
+    }
+    long lifetimeMs = 0;
+    if (tokens.length > 1) {
+      try {
+        ZonedDateTime lifetime = ZonedDateTime.parse(tokens[1]);
+        lifetimeMs = lifetime.toInstant().toEpochMilli();
+      } catch (DateTimeParseException e) {
+        LOG.warn("Unable to parse JWT expiry: {}", tokens[1]);
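Review bot: the parsing in `addTokenFromEnvironmentVar` can throw before the empty check is reached. `String[] tokens = token.split(",");` raises a NullPointerException when `token` is null (the Javadoc ties this value to the HADOOP_JWT environment variable, which may be unset), and in Java `",".split(",")` returns an empty array because trailing empty strings are discarded, so `tokens[0]` on the next line throws ArrayIndexOutOfBoundsException for an input consisting only of commas. A guard of `if (StringUtils.isEmpty(token)) { return; }` before the split, plus `tokens.length == 0 ||` in front of the existing `StringUtils.isEmpty(tokens[0])` test, covers both. The Javadoc also misspells "Bearer" as "Beaerer". In the debug statement further up, logging the literal "0" when `lifetimeMs == 0` reads like an epoch of zero rather than "no expiry supplied"; a word such as "none" would make the log unambiguous when the selection logic is later debugged.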

Review comment:
   > Theoretically it's also possible to parse the expiry field from the JWT itself, but the question here is do you want to do that without signature validation? If not, the client will also have to be capable of JWT validation like the server.

   Yeah, I would not suggest that we push the validation logic into the client (at least without a very good reason).

   > but lifetimeMs is a must for this to work.

   If `lifetimeMs` is going to be important for the token selection to work, I think we should just throw an Exception if we can't parse the timestamp. Otherwise, we'll get questions later about why renewal/expiration/selection logic didn't work correctly.

   If we're going to focus on Knox as the authorization server, let's build the implementation as to how Knox works. As we want to support other authz servers, it will be easier to codify "supported features" of different authorization servers.
