bharos opened a new pull request, #10592:
URL: https://github.com/apache/gravitino/pull/10592

   ### What changes were proposed in this pull request?
   
   When JWKS JWT validation fails (e.g., expired token), the error log now 
includes the principal identity extracted from the unverified JWT claims, 
making it much easier to identify which user's session is causing repeated 
failures.
   
   Added extractPrincipalForLogging(SignedJWT) (package-private) that safely 
reads the configured principalFields from unverified JWT claims and falls back 
to "unknown".
   
   ### Why are the changes needed?
   
   Previously the log only said JWKS JWT validation error: Expired JWT with no 
indication of who sent the token. With many active sessions this made it 
impossible to identify the source without a full token decode.
   ```
   2026-03-31 00:29:53 ERROR [iceberg-rest-87] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   2026-03-31 00:29:54 ERROR [iceberg-rest-44] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   2026-03-31 00:29:56 ERROR [iceberg-rest-87] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   2026-03-31 00:29:57 ERROR [iceberg-rest-44] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   2026-03-31 00:29:58 ERROR [iceberg-rest-87] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   2026-03-31 00:29:59 ERROR [iceberg-rest-44] JwksTokenValidator:146 - JWKS JWT validation error: Expired JWT
   ```
   
   Fix: N/A (MINOR improvement)
   
   ### Does this PR introduce _any_ user-facing change?
   
   No. Log output changes only (internal diagnostic improvement).
   
   ### How was this patch tested?
   
   Three unit tests added in TestJwksTokenValidator
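
An added sketch of the technique the PR describes, not code from the pull request or from Gravitino: it reads a principal from unverified claims for use as a log hint only. It assumes the Nimbus JOSE+JWT library is on the classpath and that `principalFields` is an ordered list of claim names; the control-character replacement, the length cap, the log wording and the sample token are assumptions introduced here.

```java
import com.nimbusds.jwt.SignedJWT;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.List;

public class PrincipalForLogging {
  private static final int MAX_LEN = 64; // assumed cap so a huge claim cannot flood the log

  // Reads the first non-empty string claim named in principalFields from the
  // UNVERIFIED payload. The value is sender-controlled: use it only as a log hint.
  static String extractPrincipalForLogging(SignedJWT jwt, List<String> principalFields) {
    try {
      for (String field : principalFields) {
        Object value = jwt.getJWTClaimsSet().getClaim(field);
        if (value instanceof String && !((String) value).isEmpty()) {
          return sanitize((String) value);
        }
      }
    } catch (Exception e) {
      // Malformed claims must never mask the original validation failure.
    }
    return "unknown";
  }

  // Replace control characters (CR/LF included) so a claim cannot forge log lines.
  static String sanitize(String s) {
    String cleaned = s.replaceAll("\\p{Cntrl}", "_");
    return cleaned.length() > MAX_LEN ? cleaned.substring(0, MAX_LEN) + "..." : cleaned;
  }

  private static String b64(String json) {
    return Base64.getUrlEncoder().withoutPadding()
        .encodeToString(json.getBytes(StandardCharsets.UTF_8));
  }

  public static void main(String[] args) throws Exception {
    // Constructed token: never signed by a real key, signature bytes are filler.
    String token = b64("{\"alg\":\"RS256\"}") + "."
        + b64("{\"sub\":\"alice\\r\\nERROR forged entry\",\"exp\":1}") + "." + b64("sig");
    SignedJWT jwt = SignedJWT.parse(token);
    System.out.println("JWKS JWT validation error for unverified principal '"
        + extractPrincipalForLogging(jwt, List.of("preferred_username", "sub"))
        + "': Expired JWT");
  }
}
```

Because the signature check has failed by the time this runs, the logged name identifies what the token claims, not who sent it, so it should not feed authorization decisions or alert attribution without corroboration.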

