Tom McCormick created HADOOP-19612:
--------------------------------------

Summary: Add Support for Propagating Access Token via RPC Header in HDFS
Key: HADOOP-19612
URL: https://issues.apache.org/jira/browse/HADOOP-19612
Project: Hadoop Common
Issue Type: New Feature
Components: hadoop-common
Reporter: Tom McCormick
Fix For: 3.3.9, 3.5.0

*Description:*

To support modern authentication models (e.g., bearer tokens, OAuth2), we propose adding support in HDFS to propagate an access token via the RPC request header. This enables downstream services (e.g., NameNode, Router) to validate access tokens in a secure and standardized way.

The token will be passed in a dedicated field in the {{RpcRequestHeaderProto}}, mimicking the behavior of an HTTP {{Authorization: Bearer <token>}} header. The caller context or UGI may extract this token and use it for authorization decisions or auditing.

*Benefits:*
* Enables secure, token-based authentication in multi-tenant environments
* Lays the foundation for fine-grained, per-request authorization

*Scope:*
* Add optional {{authorization_token}} field to RPC header
* Ensure token is thread-local or caller-context scoped
* Wire it through relevant client and server code paths
* Provide configuration to enable/disable this feature

*Notes:*

This feature is intended to be backward-compatible with existing HDFS clients. If the token is not set, behavior will remain unchanged.

At LinkedIn, we plan to delegate auth to a custom enforcement point in RBF. The workflow is the client will get an access token and pass that in the RPC. The request and access token will be authorized in the custom authorizer.
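
The Scope and Notes items above (a thread-local token, a feature switch, unchanged behaviour when no token is set) can be sketched as follows. This is an added example, not code from the issue or from Hadoop: every class and method name in it is hypothetical, the header class is a plain stand-in for the protobuf message, and the token string is a constructed sample.

```java
import java.util.Optional;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;

// Added sketch: every class and method name below is hypothetical, not a Hadoop API.
public class RpcTokenScopeDemo {
    interface Scope extends AutoCloseable { @Override void close(); }

    // Thread-local holder for the caller's access token.
    static final class AccessTokenContext {
        private static final ThreadLocal<String> TOKEN = new ThreadLocal<>();

        // Bind a token for the current call; close() restores the previous state,
        // so a pooled thread never carries one caller's token into the next call.
        static Scope bind(String token) {
            String previous = TOKEN.get();
            TOKEN.set(token);
            return () -> { if (previous == null) TOKEN.remove(); else TOKEN.set(previous); };
        }
        static Optional<String> current() { return Optional.ofNullable(TOKEN.get()); }
    }

    // Stand-in for the RPC request header; the optional field is absent for legacy callers.
    static final class Header {
        final Optional<String> authorizationToken;
        Header(Optional<String> token) { this.authorizationToken = token; }
    }

    // Client side: attach the token only when the feature is enabled and a token is bound.
    static Header buildHeader(boolean featureEnabled) {
        return new Header(featureEnabled ? AccessTokenContext.current() : Optional.<String>empty());
    }

    // One client call made with a token bound for exactly the duration of the call.
    static Header callWithToken(String token, boolean featureEnabled) {
        try (Scope scope = AccessTokenContext.bind(token)) {
            return buildHeader(featureEnabled);
        }
    }

    // Server side: a header without a token keeps the existing behaviour.
    static String route(Header h) {
        return h.authorizationToken.isPresent() ? "custom-authorizer" : "existing-auth-path";
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(); // one reused worker thread
        Header first = pool.submit(() -> callWithToken("constructed-sample-token", true)).get();
        Header second = pool.submit(() -> buildHeader(true)).get(); // same thread, nothing bound
        Header disabled = callWithToken("constructed-sample-token", false);
        System.out.println("first:    " + route(first));
        System.out.println("second:   " + route(second));
        System.out.println("disabled: " + route(disabled));
        pool.shutdown();
    }
}
```

The second task runs on the same worker thread as the first, so it is the case that would carry a stale token if the binding were not cleared when the first call ended.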