hvanhovell commented on code in PR #49880:
URL: https://github.com/apache/spark/pull/49880#discussion_r1951030425
##########
sql/connect/server/src/main/scala/org/apache/spark/sql/connect/service/SparkConnectService.scala:
##########
@@ -69,6 +70,8 @@ class SparkConnectService(debug: Boolean) extends
AsyncService with BindableServ
override def executePlan(
request: proto.ExecutePlanRequest,
responseObserver: StreamObserver[proto.ExecutePlanResponse]): Unit = {
+ ConnectCommon.CONNECT_LOCAL_AUTH_TOKEN.foreach(k =>
+ assert(k == request.getUserContext.getLocalAuthToken))
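Review bot: The comparison in the added `assert(k == request.getUserContext.getLocalAuthToken)` uses `==`, which is ordinary string equality and may return at the first differing character. For a secret token, compare the UTF-8 bytes with a routine that does not short-circuit, such as `java.security.MessageDigest.isEqual`. Separately, if `CONNECT_LOCAL_AUTH_TOKEN` is an `Option`, the `foreach` means no check at all runs when it is empty. If that fail-open behaviour is intended for non-local deployments, a comment saying so would help; otherwise handle the empty case explicitly.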
Review Comment:
A couple of things. Please use a ServerSide Interceptor. This creates a
narrow waist for authentication. This approach forces us to add
authentication for each RPC, this is a problem when we add new RPCs.
Also do not use asserts. Asserts can be elided. Throw a GRPC Exception with
status code `UNAUTHENTICATED`.
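The interceptor approach requested in the review comment above, as an added example that is not code from the PR or from Spark. The class name `LocalTokenAuthInterceptor` and the `authorization: Bearer <token>` header convention are assumptions; the PR as shown carries the token in the request's user context instead.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest

import io.grpc.{Metadata, ServerCall, ServerCallHandler, ServerInterceptor, Status}

// Hypothetical interceptor (name and header convention are assumptions for this
// example). Registered once on the server, it runs before every RPC handler,
// so RPCs added later are covered without touching their implementations.
class LocalTokenAuthInterceptor(expectedToken: String) extends ServerInterceptor {

  private val AuthHeader: Metadata.Key[String] =
    Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER)

  private val expected: Array[Byte] = s"Bearer $expectedToken".getBytes(UTF_8)

  override def interceptCall[ReqT, RespT](
      call: ServerCall[ReqT, RespT],
      headers: Metadata,
      next: ServerCallHandler[ReqT, RespT]): ServerCall.Listener[ReqT] = {
    // headers.get returns null when the header is absent; treat that as an
    // empty value, which can never match the expected "Bearer ..." bytes.
    val presented = Option(headers.get(AuthHeader)).getOrElse("").getBytes(UTF_8)

    // MessageDigest.isEqual does not stop at the first differing byte,
    // unlike String equality.
    if (MessageDigest.isEqual(expected, presented)) {
      next.startCall(call, headers)
    } else {
      // An explicit status is always evaluated, whereas an assert can be
      // elided at compile time. The client sees UNAUTHENTICATED.
      call.close(
        Status.UNAUTHENTICATED.withDescription("Invalid or missing authentication token"),
        new Metadata())
      // No-op listener: the call is already closed, so the handler never runs.
      new ServerCall.Listener[ReqT]() {}
    }
  }
}
```

An interceptor like this is attached when the server is built, for example with `ServerBuilder.intercept(...)` or `ServerInterceptors.intercept(service, ...)`.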