okumin commented on code in PR #6086:
URL: https://github.com/apache/hive/pull/6086#discussion_r2380865448
##########
standalone-metastore/metastore-common/src/main/java/org/apache/hadoop/hive/metastore/conf/MetastoreConf.java:
##########
@@ -1873,8 +1873,55 @@ public enum ConfVars {
" positive value will be used as-is."
),
CATALOG_SERVLET_AUTH("metastore.catalog.servlet.auth",
- "hive.metastore.catalog.servlet.auth", "jwt", new
StringSetValidator("none", "simple", "jwt"),
- "HMS Catalog servlet authentication method (none, simple, or jwt)."
+ "hive.metastore.catalog.servlet.auth", "jwt", new
StringSetValidator("none", "simple", "jwt", "oauth2"),
+ "HMS Catalog servlet authentication method (none, simple, jwt, or
oauth2)."
+ ),
+
CATALOG_SERVLET_AUTH_OAUTH2_ISSUER("metastore.catalog.servlet.auth.oauth2.issuer",
+ "hive.metastore.catalog.servlet.auth.oauth2.issuer", "",
+ "The issuer(iss)'s URI. This is required when you use
metastore.catalog.servlet.auth=oauth2"
+ ),
+
CATALOG_SERVLET_AUTH_OAUTH2_VALIDATION_METHOD("metastore.catalog.servlet.auth.oauth2.validation.method",
+ "hive.metastore.catalog.servlet.auth.oauth2.validation.method", "jwt",
+ new StringSetValidator("jwt", "introspection"),
+ "How to evaluate an access token. When your authorization server
issues opaque tokens or you need " +
+ "to consider additional security requirements such as token
revocations, use introspection."
+ ),
+
CATALOG_SERVLET_AUTH_OAUTH2_AUDIENCE("metastore.catalog.servlet.auth.oauth2.audience",
+ "hive.metastore.catalog.servlet.auth.oauth2.audience", "",
+ "The acceptable name in the audience(aud) claim. This is required
when you use " +
+ "metastore.catalog.servlet.auth=oauth2"
+ ),
+
CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_ID("metastore.catalog.servlet.auth.oauth2.client.id",
+ "hive.metastore.catalog.servlet.auth.oauth2.client.id", "",
+ "The client ID of HMS as a resource server. This is required to use " +
+
"metastore.catalog.servlet.auth.oauth2.validation.method=introspection."
+ ),
+
CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_SECRET("metastore.catalog.servlet.auth.oauth2.client.secret",
+ "hive.metastore.catalog.servlet.auth.oauth2.client.secret", "",
+ "The client secret of HMS as a resource server. This is required to
use " +
+
"metastore.catalog.servlet.auth.oauth2.validation.method=introspection."
+ ),
+ CATALOG_SERVLET_AUTH_OAUTH2_INTROSPECTION_CACHE_EXPIRY(
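Review bot: the descriptions for `CATALOG_SERVLET_AUTH_OAUTH2_ISSUER` and `CATALOG_SERVLET_AUTH_OAUTH2_AUDIENCE` say the value is required for `metastore.catalog.servlet.auth=oauth2`, and `CLIENT_ID`/`CLIENT_SECRET` are required for `validation.method=introspection`, yet all four default to `""` and nothing in this hunk enforces the requirement. An empty issuer or audience cannot be compared meaningfully against a token's `iss`/`aud` claims, so I would fail fast when the servlet starts in the relevant mode with a blank value, rather than surfacing the misconfiguration on the first request; it would also help to say in each description what happens when the value is missing. Minor wording: `"The issuer(iss)'s URI."` and `"audience(aud) claim"` read better as `"The issuer (iss) URI."` and `"audience (aud) claim"`.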
Review Comment:
The entire authorization flow is decomposed into two steps: one to obtain an
Access Token and another to access protected resources using the Access Token.
I will skip explaining the first step because HMS is not involved at all.
Anyway, a client exchanges some credentials for an Access Token with a limited
scope and expiration. `authorization_endpoint` and `token_endpoint` are used
there; that's why we don't need to configure them.
In the second step, HMS accepts and validates the Access Token. Token
Introspection is a method to verify the latest state of Access Tokens through
the network. `CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_ID` and
`CATALOG_SERVLET_AUTH_OAUTH2_CLIENT_SECRET` are used here so that only HMS can
validate the access token and get the details.
[image attached: https://github.com/user-attachments/assets/92bc20f0-87b3-4ecf-8aa9-b64e3eb80b1a]
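The second step described in the comment above, the resource server handing an opaque access token to the authorization server's introspection endpoint and applying the configured issuer and audience to the answer, is shown below as an added example. It is not Hive code and not part of the PR: the config values, the token records and the simulated authorization server are constructed for the illustration, and the validator class (`IntrospectionValidator`) is a hypothetical stand-in for whatever the servlet will implement. It follows the RFC 7662 exchange (HTTP Basic client credentials on the introspection call, `{"active": false}` for unknown, revoked or expired tokens) and also shows the trade-off behind a `CACHE_EXPIRY` setting: a cached verdict outlives a server-side revocation until the cache entry expires.

```python
"""Added example: token introspection (RFC 7662) as seen from a resource
server such as the HMS catalog servlet. Not Hive code; all values constructed."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Constructed settings mirroring the MetastoreConf keys added in the PR.
ISSUER = "https://auth.example.test"          # ...oauth2.issuer (constructed)
AUDIENCE = "hms-catalog"                      # ...oauth2.audience (constructed)
CLIENT_ID = "hms-resource-server"             # ...oauth2.client.id (constructed)
CLIENT_SECRET = "constructed-client-secret"   # ...oauth2.client.secret (constructed)
CACHE_EXPIRY_SECONDS = 60                     # ...introspection.cache.expiry (constructed)
NOW = 1_700_000_000                           # fixed clock keeps the example deterministic

# --- Simulated authorization server: the party that issued the tokens in step one ---
REGISTERED_CLIENTS = {CLIENT_ID: CLIENT_SECRET}
TOKEN_DB = {  # opaque access token -> introspection record (constructed)
    "tok-alice": {"active": True, "iss": ISSUER, "aud": [AUDIENCE, "other-api"],
                  "exp": NOW + 3600, "sub": "alice", "scope": "catalog.read"},
    "tok-revoked": {"active": False},
    "tok-other-api": {"active": True, "iss": ISSUER, "aud": "billing-api",
                      "exp": NOW + 3600, "sub": "bob"},
    "tok-expired": {"active": True, "iss": ISSUER, "aud": AUDIENCE,
                    "exp": NOW - 1, "sub": "carol"},
}


def introspection_endpoint(headers: dict, form: dict, now: int = NOW) -> Tuple[int, dict]:
    """Simulated POST /introspect. Only registered clients (HMS) may ask; everyone
    else gets 401, so the token database is never exposed to token holders."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    if REGISTERED_CLIENTS.get(client) != secret:
        return 401, {"error": "invalid_client"}
    record = TOKEN_DB.get(form.get("token", ""))
    # RFC 7662: unknown, revoked and expired tokens all look the same to the caller.
    if not record or not record.get("active") or record.get("exp", 0) <= now:
        return 200, {"active": False}
    return 200, dict(record)


# --- Resource server side (hypothetical HMS-side validator) ---
@dataclass
class IntrospectionValidator:
    issuer: str
    audience: str
    client_id: str
    client_secret: str
    cache_expiry_seconds: int
    transport: Callable[[dict, dict], Tuple[int, dict]]   # stands in for the HTTP client
    _cache: dict = field(default_factory=dict)             # token -> (claims, cached_until)

    def validate(self, token: str, now: int = NOW) -> Optional[dict]:
        """Return the token's claims when it is acceptable for this server, else None."""
        hit = self._cache.get(token)
        if hit and now < hit[1]:
            return hit[0]
        creds = base64.b64encode(f"{self.client_id}:{self.client_secret}".encode()).decode()
        status, body = self.transport({"Authorization": "Basic " + creds},
                                      {"token": token, "token_type_hint": "access_token"})
        if status != 200 or not body.get("active"):
            return None
        if body.get("iss") != self.issuer:                     # wrong authorization server
            return None
        aud = body.get("aud")                                  # aud may be a string or a list
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            return None                                        # token was minted for another API
        exp = body.get("exp")
        if not isinstance(exp, int) or exp <= now:
            return None
        # Cache positive verdicts only, and never past the token's own expiry.
        self._cache[token] = (body, min(now + self.cache_expiry_seconds, exp))
        return body


def build_validator(secret: str = CLIENT_SECRET) -> IntrospectionValidator:
    return IntrospectionValidator(ISSUER, AUDIENCE, CLIENT_ID, secret,
                                  CACHE_EXPIRY_SECONDS, introspection_endpoint)


def revocation_lag_demo() -> Tuple[bool, bool]:
    """Revoke a token after it was cached: (accepted within cache window, accepted after)."""
    v = build_validator()
    assert v.validate("tok-alice") is not None
    TOKEN_DB["tok-alice"]["active"] = False                  # revoked at the authorization server
    within = v.validate("tok-alice", now=NOW + 30) is not None
    after = v.validate("tok-alice", now=NOW + CACHE_EXPIRY_SECONDS + 1) is not None
    TOKEN_DB["tok-alice"]["active"] = True                   # restore the constructed record
    return within, after


if __name__ == "__main__":
    v = build_validator()
    for t in ("tok-alice", "tok-revoked", "tok-other-api", "tok-expired", "tok-unknown"):
        print(t, "->", v.validate(t))
    print("revocation lag (within, after):", revocation_lag_demo())
```

The cache bound `min(now + cache_expiry, exp)` is the part worth copying: it keeps the introspection call rate down without ever accepting a token past its own `exp`, while the `revocation_lag_demo` result (accepted within the window, rejected after) is exactly the delay an operator buys when raising the cache expiry.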
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]