Jason Fehr has posted comments on this change. ( http://gerrit.cloudera.org:8080/22424 )
Change subject: IMPALA-13675: OAuth AuthN Support for Impala Shell ...................................................................... Patch Set 16: (10 comments) We need a custom cluster test where both JWT and OAuth are enabled on the coordinator (with two separate JWKS files and thus two separate JWTs). Given this test will be somewhat complex, I think implementing it in a follow-up patch would be best. http://gerrit.cloudera.org:8080/#/c/22424/16//COMMIT_MSG Commit Message: http://gerrit.cloudera.org:8080/#/c/22424/16//COMMIT_MSG@9 PS16, Line 9: This patch adds the support to fetch access tokens Please include which OAuth flow is being implemented. http://gerrit.cloudera.org:8080/#/c/22424/16/shell/impala_shell.py File shell/impala_shell.py: http://gerrit.cloudera.org:8080/#/c/22424/16/shell/impala_shell.py@1010 PS16, Line 1010: Nit: add : at the end to match line 998 http://gerrit.cloudera.org:8080/#/c/22424/16/shell/impala_shell.py@1028 PS16, Line 1028: print("HTTP Exception:", e) Lines 1027 and 1028 don't provide much extra value. I think it would be better if HTTPException was not caught. http://gerrit.cloudera.org:8080/#/c/22424/16/shell/impala_shell.py@1030 PS16, Line 1030: print("Error getting OAuth access tokens", e) This line will print the error and continue execution. It should re-throw the error with the new message added. Another option would be to not catch any exceptions at all, but I like having the added context message. http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py File tests/custom_cluster/test_shell_jwt_auth.py: http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@26 PS16, Line 26: class TestImpalaShellJWTAuth(CustomClusterTestSuite): flake8 requires having 2 blank lines between imports and the class definition. http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@197 PS16, Line 197: IMPALAD_ARGS These args set the coordinator jwt/jwks flags, not the OAuth flags. Shouldn't this test set the OAuth flags instead? http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@199 PS16, Line 199: tmp_dir_placeholders=["jwt_auth_success"], These need to be their own log dirs so they do not conflict with the jwt tests (in case the tests are ran in parallel) http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@207 PS16, Line 207: '--user', 'user' Why specify the '--user' flag? Shouldn't the user be read out of the oauth token instead? http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@219 PS16, Line 219: JWT Should this be OAuth? http://gerrit.cloudera.org:8080/#/c/22424/16/tests/custom_cluster/test_shell_jwt_auth.py@242 PS16, Line 242: Also executes a query to ensure the authentication was successful.""" This test does not test OAuth success, it tests failure and does not run a query. -- To view, visit http://gerrit.cloudera.org:8080/22424 To unsubscribe, visit http://gerrit.cloudera.org:8080/settings Gerrit-Project: Impala-ASF Gerrit-Branch: master Gerrit-MessageType: comment Gerrit-Change-Id: I84e26d54f6a53696660728efb239ffd43de4c55d Gerrit-Change-Number: 22424 Gerrit-PatchSet: 16 Gerrit-Owner: gaurav singh <gsi...@cloudera.com> Gerrit-Reviewer: Abhishek Rawat <ara...@cloudera.com> Gerrit-Reviewer: Impala Public Jenkins <impala-public-jenk...@cloudera.com> Gerrit-Reviewer: Jason Fehr <jf...@cloudera.com> Gerrit-Reviewer: gaurav singh <gsi...@cloudera.com> Gerrit-Comment-Date: Fri, 04 Apr 2025 20:49:38 +0000 Gerrit-HasComments: Yes
