[
https://issues.apache.org/jira/browse/HADOOP-19612?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18011006#comment-18011006
]
ASF GitHub Bot commented on HADOOP-19612:
-----------------------------------------
mccormickt12 opened a new pull request, #7844:
URL: https://github.com/apache/hadoop/pull/7844
Add a new auth header to the rpc header proto for access token support. This
should support different access tokens within the same connection.
Contributed-by: Tom McCormick <[email protected]>
<!--
Thanks for sending a pull request!
1. If this is your first time, please read our contributor guidelines:
https://cwiki.apache.org/confluence/display/HADOOP/How+To+Contribute
2. Make sure your PR title starts with JIRA issue id, e.g.,
'HADOOP-17799. Your PR title ...'.
-->
### Description of PR
### How was this patch tested?
### For code changes:
- [ ] Does the title or this PR starts with the corresponding JIRA issue id
(e.g. 'HADOOP-17799. Your PR title ...')?
- [ ] Object storage: have the integration tests been executed and the
endpoint declared according to the connector-specific documentation?
- [ ] If adding new dependencies to the code, are these dependencies
licensed in a way that is compatible for inclusion under [ASF
2.0](http://www.apache.org/legal/resolved.html#category-a)?
- [ ] If applicable, have you updated the `LICENSE`, `LICENSE-binary`,
`NOTICE-binary` files?
> Add Support for Propagating Access Token via RPC Header in HDFS
> ---------------------------------------------------------------
>
> Key: HADOOP-19612
> URL: https://issues.apache.org/jira/browse/HADOOP-19612
> Project: Hadoop Common
> Issue Type: New Feature
> Components: hadoop-common
> Reporter: Tom McCormick
> Assignee: Tom McCormick
> Priority: Major
> Labels: pull-request-available
> Fix For: 3.5.0
>
>
> *Description:*
> To support modern authentication models (e.g., bearer tokens, OAuth2), we
> propose adding support in HDFS to propagate an access token via the RPC
> request header. This enables downstream services (e.g., NameNode, Router) to
> validate access tokens in a secure and standardized way.
> The token will be passed in a dedicated field in the
> {{{}RpcRequestHeaderProto{}}}, mimicking the behavior of an HTTP
> {{Authorization: Bearer <token>}} header. The caller context or UGI may
> extract this token and use it for authorization decisions or auditing.
> *Benefits:*
> * Enables secure, token-based authentication in multi-tenant environments
> * Lays the foundation for fine-grained, per-request authorization
> *Scope:*
> * Add optional {{authorization_token}} field to RPC header
> * Ensure token is thread-local or caller-context scoped
> * Wire it through relevant client and server code paths
> * Provide configuration to enable/disable this feature
> *Notes:*
> This feature is intended to be backward-compatible with existing HDFS
> clients. If the token is not set, behavior will remain unchanged.
> At Linkedin, we plan to delegate auth to a custom enforcement point in RBF.
> The workflow is the client will get an access token and pass that in the RPC.
> The request and access token will be authorized in the custom authorizer.
>
>
> *PR*
> [https://github.com/apache/hadoop/pull/7803/files#diff-55740268215623b4037dd1bd35200c383576bee23d444096eb9cee751e3728f3]
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
