Re: [PR] HIVE-29020: Support OAuth 2 in Iceberg REST Catalog [hive]

Wed, 24 Sep 2025 08:03:35 -0700 


deniskuzZ commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2376105210


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java:
##########
@@ -1873,8 +1873,55 @@ public enum ConfVars {
             " positive value will be used as-is."
     ),
     CATALOG_SERVLET_AUTH("metastore.catalog.servlet.auth",
-        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt"),
-        "HMS Catalog servlet authentication method (none, simple, or jwt)."
+        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt", "oauth2"),
+        "HMS Catalog servlet authentication method (none, simple, jwt, or 
oauth2)."
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_ISSUER("metastore.catalog.servlet.auth.oauth2.issuer",
+        "hive.metastore.catalog.servlet.auth.oauth2.issuer", "",
+        "The issuer(iss)'s URI. This is required when you use 
metastore.catalog.servlet.auth=oauth2"
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_VALIDATION_METHOD("metastore.catalog.servlet.auth.oauth2.validation.method",

Review Comment:
   should we define token type instead:
   
   There are two types of access tokens, depending on how they are encoded:
   
   **Identifier-based**: The token represents a random, hard-to-guess 
identifier associated with the authorization in the authorization server’s 
database.
   
   **Self-contained**: The authorization is encoded within the token itself and 
is protected through cryptography to prevent tampering. JSON Web Token (JWT) is 
the common standard for this method.
   
   For self-contained tokens, the authorization-related metadata can be 
directly parsed from the access token. **However, for identifier-based tokens, 
the authorization server’s token introspection functionality must be used to 
validate/retrieve the metadata**.
   



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to