I created the below ticket to add a new field the the rpc header to support passing access token.
Description: To support modern authentication models (e.g., bearer tokens, OAuth2), we propose adding support in HDFS to propagate an access token via the RPC request header. This enables downstream services (e.g., NameNode, Router) to validate access tokens in a secure and standardized way. The token will be passed in a dedicated field in the RpcRequestHeaderProto , mimicking the behavior of an HTTP Authorization: Bearer <token> header. The caller context or UGI may extract this token and use it for authorization decisions or auditing. Benefits: * Enables secure, token-based authentication in multi-tenant environments * Lays the foundation for fine-grained, per-request authorization Scope: * Add optional authorization_token field to RPC header * Ensure token is thread-local or caller-context scoped * Wire it through relevant client and server code paths * Provide configuration to enable/disable this feature Notes: This feature is intended to be backward-compatible with existing HDFS clients. If the token is not set, behavior will remain unchanged. At Linkedin, we plan to delegate auth to a custom enforcement point in RBF. The workflow is the client will get an access token and pass that in the RPC. The request and access token will be authorized in the custom authorizer. I am planning to contribute this to OSS first since this is an API change. Please let me know if there are any questions or concerns with this approach. 1. HADOOP-19612<https://issues.apache.org/jira/browse/HADOOP-19612> Thanks, Tom
