Jason Fehr has posted comments on this change. ( http://gerrit.cloudera.org:8080/21728 )
Change subject: WIP IMPALA-13288: OAuth AuthN Support for Impala ...................................................................... Patch Set 28: (7 comments) http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/rpc/authentication.cc File be/src/rpc/authentication.cc: http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/rpc/authentication.cc@229 PS28, Line 229: a OAuth Nit: an OAuth what? Token, key, etc? http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/rpc/authentication.cc@234 PS28, Line 234: consists Nit: contains http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/rpc/authentication.cc@260 PS28, Line 260: Custom claim 'username' This flag description needs more description. http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/rpc/authentication.cc@1676 PS28, Line 1676: bool use_oauth = FLAGS_oauth_token_auth; The checks that are done in lines 1663 through 1674 should also be done here. http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/service/impala-server.cc File be/src/service/impala-server.cc: http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/service/impala-server.cc@3130 PS28, Line 3130: if (TestInfo::is_test()) sleep(1); Is there a macro that could be used here so this line only gets included in debug builds? http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/service/impala-server.cc@3136 PS28, Line 3136: return Status("JWKS file is not specified"); Need to differentiate between the JWT JWKS and the OAuth JWKS in these errors. http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/transport/THttpServer.cpp File be/src/transport/THttpServer.cpp: http://gerrit.cloudera.org:8080/#/c/21728/28/be/src/transport/THttpServer.cpp@337 PS28, Line 337: if (metrics_enabled_) http_metrics_->total_oauth_token_auth_failure_->Increment(1); The issue I see here is with OAuth and JWT using the exact same HTTP header, each successful authentication of one method will result in a failure of the other method and the failure metric being falsely incremented. I don't know how we can avoid that though other than a successful auth decrementing the other method's failure metric. -- To view, visit http://gerrit.cloudera.org:8080/21728 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I65dc8db917476b0f0d29b659b9fa51ebaf45b7a6 Gerrit-Change-Number: 21728 Gerrit-PatchSet: 28 Gerrit-Owner: gaurav singh <[email protected]> Gerrit-Reviewer: Impala Public Jenkins <[email protected]> Gerrit-Reviewer: Jason Fehr <[email protected]> Gerrit-Comment-Date: Wed, 08 Jan 2025 16:56:08 +0000 Gerrit-HasComments: Yes
