[ 
https://issues.apache.org/jira/browse/HBASE-26667?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17481181#comment-17481181
 ] 

Andor Molnar commented on HBASE-26667:
--------------------------------------

In the current implementation the auth provider 
(OAuthBearerSaslClientCallbackHandler) expects the OAuth Bearer token to be 
present in the subject's private credentials. The question is how to put the 
token to the right place before the authentication kicks in. We already have a 
helper method (OAuthBearerTokenUtil in hbase-client) to do that, but that needs 
to be called by somebody.

One thing I can think of that happens at the right time is AuthUtil which 
already handles the login housekeeping for Kerberos before the client gets to a 
connection, although this class is currently deprecated for some reason.

I could add a new mechanism here and extend the User class with a method like 
"isOAuthTokenAvailable()" that would search for base64-encoded token in an 
environment variable and put it to the right place. This would have preference 
over Kerberos authentication if that's preferable.

In this case we don't need to modify any of the mentioned clients, they will 
just work out of the box.

> Integrate user-experience for hbase-client
> ------------------------------------------
>
>                 Key: HBASE-26667
>                 URL: https://issues.apache.org/jira/browse/HBASE-26667
>             Project: HBase
>          Issue Type: Sub-task
>            Reporter: Josh Elser
>            Priority: Major
>             Fix For: HBASE-26553
>
>
> Today, we have two mechanisms in order to get the tokens needed to 
> authenticate:
>  # Kerberos, we rely on a Kerberos ticket being present in a well-known 
> location (defined by JVM properties) or via programmatic invocation of 
> UserGroupInformation
>  # Delegation tokens, we rely on special API to be called (our mapreduce API) 
> which loads the token into the current UserGroupInformation "context" (the 
> JAAS PrivilegedAction).
> The JWT bearer token approach is very similar to the delegation token 
> mechanism, but HBase does not generate this JWT (as we do with delegation 
> tokens). How does a client provide this token to the hbase-client (i.e. 
> {{ConnectionFactory.getConnection()}} or a {{UserGroupInformation}} call)? We 
> should be mindful of all of the different "entrypoints" to HBase ({{hbase 
> ...}} commands, {{java -cp}} commands, Phoenix commands, Spark commands, 
> etc). Our solution should be effective for all of these approaches and not 
> require downstream changes.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
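
The mechanism proposed in the comment above, as an added sketch using only JDK classes (not HBase code and not part of the original message): a base64-encoded token is read from an environment variable and placed in the subject's private credentials, where a SASL callback handler can find it. The variable name `HBASE_OAUTH_TOKEN_B64` and the `BearerToken` and `EnvTokenLogin` classes are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Optional;
import javax.security.auth.Subject;

public class EnvTokenLogin {
  // Hypothetical variable name; the comment does not name one.
  static final String TOKEN_ENV = "HBASE_OAUTH_TOKEN_B64";

  /** Hypothetical credential holder; HBase's real token type is not shown on the page. */
  static final class BearerToken {
    private final String value;
    BearerToken(String value) { this.value = value; }
    String value() { return value; }
    @Override public String toString() { return "BearerToken[redacted]"; } // keep it out of logs
  }

  /** Decodes the variable's content and stores it in the subject's private credentials. */
  static boolean loadToken(Subject subject, String encoded) {
    if (encoded == null || encoded.isBlank()) {
      return false; // nothing supplied: caller falls back to Kerberos
    }
    String jwt;
    try {
      jwt = new String(Base64.getDecoder().decode(encoded.trim()), StandardCharsets.UTF_8);
    } catch (IllegalArgumentException e) {
      return false; // not valid base64
    }
    // Compact JWT form has three dot-separated segments; shape check only, no signature check.
    if (jwt.split("\\.", -1).length != 3) {
      return false;
    }
    subject.getPrivateCredentials().add(new BearerToken(jwt));
    return true;
  }

  /** The lookup a SASL client callback handler would perform when asked for the token. */
  static Optional<BearerToken> findToken(Subject subject) {
    return subject.getPrivateCredentials(BearerToken.class).stream().findFirst();
  }

  public static void main(String[] args) {
    Subject subject = new Subject();
    // Constructed sample used when the variable is unset: placeholder segments, not a real JWT.
    String sample = Base64.getEncoder().encodeToString("hdr.payload.sig".getBytes(StandardCharsets.UTF_8));
    String fromEnv = System.getenv(TOKEN_ENV);
    boolean loaded = loadToken(subject, fromEnv != null ? fromEnv : sample);
    System.out.println(loaded && findToken(subject).isPresent() ? "auth: OAUTHBEARER" : "auth: Kerberos fallback");
  }
}
```

A token passed through the environment is readable by anything that can inspect the process environment and is inherited by child processes, which is worth weighing when choosing this entry point.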
