[GitHub] [pinot] apucher opened a new pull request, #8670: Support pluggable auth provider

Tue, 10 May 2022 01:34:18 -0700 


apucher opened a new pull request, #8670:
URL: https://github.com/apache/pinot/pull/8670

   This PR adds support for a pluggable client auth providers which enables 
pinot components (controller, server, minion) to use dynamically changing 
tokens such as kubernetes service account JWTs. The implementation is generic 
and enables the development of third-party auth providers to support virtually 
any cloud-native environment.
   
   Previously, pinot components were stuck with statically pre-configured auth 
tokens. While authentication for the server-side (e.g. restlets responses) was 
pluggable already, the client-side auth (e.g. segment fetcher http requests) 
was static. This would necessitate a full restart of pinot components to 
address token rotation. This PR removes this limitation while preserving legacy 
behavior for static `auth.token` values if configured.
   
   *Potentially backwards-incompatible changes:*
   
   `TableDataManager.init()` adds an AuthProvider param
   `AddTableCommand.setAuthToken()` removed (same for other commands)
   
   *Release Notes:*
   
   Add pluggable auth providers to pinot to enable dynamic client token 
rotation:
   - `StaticTokenAuthProvider` legacy behavior, job specs
   - `UrlTokenAuthProvider` dynamic file- or url-based token retrieval
   - `AuthProvider` interface for generic third-party implementations
   
   New configuration options:
   `...auth.provider.class` provider class name for dynamic loading
   `...auth.token` StaticTokenAuthProvider token, legacy behavior
   `...auth.url` UrlTokenAuthProvider source URL
   `...auth.prefix` StaticTokenAuthProvider and UrlTokenAuthProvider token 
prefix (typically `Basic` or `Bearer`)
   `...auth.header` StaticTokenAuthProvider and UrlTokenAuthProvider http 
header name (typically `Authorization`)
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to