okumin commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2377540787


##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java:
##########
@@ -1873,8 +1873,55 @@ public enum ConfVars {
             " positive value will be used as-is."
     ),
     CATALOG_SERVLET_AUTH("metastore.catalog.servlet.auth",
-        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt"),
-        "HMS Catalog servlet authentication method (none, simple, or jwt)."
+        "hive.metastore.catalog.servlet.auth", "jwt", new 
StringSetValidator("none", "simple", "jwt", "oauth2"),
+        "HMS Catalog servlet authentication method (none, simple, jwt, or 
oauth2)."
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_ISSUER("metastore.catalog.servlet.auth.oauth2.issuer",
+        "hive.metastore.catalog.servlet.auth.oauth2.issuer", "",
+        "The issuer(iss)'s URI. This is required when you use 
metastore.catalog.servlet.auth=oauth2"
+    ),
+    
CATALOG_SERVLET_AUTH_OAUTH2_VALIDATION_METHOD("metastore.catalog.servlet.auth.oauth2.validation.method",
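Review bot: CATALOG_SERVLET_AUTH_OAUTH2_ISSUER defaults to "" and its description says the value is required when metastore.catalog.servlet.auth=oauth2, but nothing in the visible lines enforces that. Consider failing at servlet startup when oauth2 is selected and the issuer is empty, so a blank value can never cause the iss check to be skipped or compared against an empty string. As a style point, the description could read "The issuer (iss) URI." and end with a period like the CATALOG_SERVLET_AUTH description above it.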

Review Comment:
   Precisely, the format of a token is not tightly coupled with the validation 
method. I know two use cases.
   (1) Some authorization servers can allow end users to revoke existing 
integrations. JWT can't express such a revocation. Resource servers can use the 
introspection endpoint to know the latest status.
   (2) [Some authorization servers may not want to include all information in 
JWT](https://www.keycloak.org/docs/latest/server_admin/#_using_lightweight_access_token),
 not to expose PII or to reduce the token size. A token introspection response 
can contain more details than a JWT.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
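The two use cases in the review comment above, as an added Python illustration (not code from the PR or from Hive): local JWT validation keeps accepting a revoked token, while introspection reports the current state and returns claims left out of a lightweight token. The `AuthorizationServer` class, the HS256 shared key, the `email` field and all other names are constructed assumptions; a real deployment would typically use asymmetric signatures and an HTTP introspection endpoint.

```python
import base64, hashlib, hmac, json, time

KEY = b"constructed-demo-key"  # assumption: HS256 shared key, for a stdlib-only demo

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _sign(signing_input):
    return hmac.new(KEY, signing_input.encode(), hashlib.sha256).digest()

def validate_locally(token, issuer):
    """Resource-server JWT check: signature, alg, iss and exp. No network call."""
    head, body, sig = token.split(".")  # ValueError if not exactly three parts
    if not hmac.compare_digest(_sign(f"{head}.{body}"), _unb64(sig)):
        raise ValueError("bad signature")
    if json.loads(_unb64(head)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    claims = json.loads(_unb64(body))
    if claims.get("iss") != issuer or claims.get("exp", 0) <= time.time():
        raise ValueError("wrong issuer or expired")
    return claims

class AuthorizationServer:
    """Toy issuer (hypothetical): mints lightweight JWTs, answers introspection."""
    def __init__(self, issuer):
        self.issuer, self.grants, self.revoked = issuer, {}, set()

    def issue(self, sub, scope, email, ttl=300):
        jti = f"tok-{len(self.grants) + 1}"
        claims = {"iss": self.issuer, "sub": sub, "jti": jti,
                  "exp": int(time.time()) + ttl}
        # Lightweight token: scope and email stay server-side, out of the JWT.
        self.grants[jti] = {**claims, "scope": scope, "email": email}
        head = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
        signing_input = head + "." + _b64(json.dumps(claims).encode())
        return signing_input + "." + _b64(_sign(signing_input))

    def revoke(self, token):
        self.revoked.add(validate_locally(token, self.issuer)["jti"])

    def introspect(self, token):
        """RFC 7662-style response: current state plus claims kept off the token."""
        try:
            jti = validate_locally(token, self.issuer)["jti"]
        except ValueError:
            return {"active": False}
        if jti in self.revoked:
            return {"active": False}
        return {"active": True, **self.grants[jti]}
```
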