Posted to common-issues@hadoop.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2022/10/27 08:31:00 UTC

[jira] [Commented] (HADOOP-18510) Azure RefreshTokenBasedTokenProvider is only supporting public client

    [ https://issues.apache.org/jira/browse/HADOOP-18510?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17624951#comment-17624951 ] 

ASF GitHub Bot commented on HADOOP-18510:
-----------------------------------------

qcastel opened a new pull request, #5082:
URL: https://github.com/apache/hadoop/pull/5082

   ### Description of PR
   
   Enforcing public client is a bad idea. We should not weaken our software just so the hadoop connector is able to refresh the token.
   Therefore the idea would be to support both public and confidential OAuth2 clients.
   
   The fix is pretty straightforward: it consists of transiting the client secret to the Azure refresh token grant flow and injecting it into the request if present.
   
   ### How was this patch tested?
   
   Not yet, will see how I can test it quickly on our side with a patch.
   
   ### For code changes:
   
   - [x] Does the title of this PR start with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
   - [ ] Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
   
   
   




> Azure RefreshTokenBasedTokenProvider is only supporting public client
> ---------------------------------------------------------------------
>
>                 Key: HADOOP-18510
>                 URL: https://issues.apache.org/jira/browse/HADOOP-18510
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: fs/azure
>    Affects Versions: 3.3.4
>            Reporter: Quentin Castel
>            Priority: Major
>              Labels: security
>
> The Azure RefreshTokenBasedTokenProvider is assuming the client is public, meaning it's not exchanging the refresh token for an access token with the client secret.
>  
> This limitation is not really justified and the RefreshTokenBasedTokenProvider should use the client secret if present.
>  
> From my understanding, there is no particular reason to think that Hadoop is not able to store secrets securely, especially as I see the client credential flow, which requires a confidential client, is supported by the library.
>  
> The fix is to simply inject the client secret in the request, using client basic auth method or client Post auth method, when the client secret is present.
>  
> https://github.com/apache/hadoop/blob/trunk/hadoop-tools/hadoop-azure/src/main/java/org/apache/hadoop/fs/azurebfs/oauth2/RefreshTokenBasedTokenProvider.java#L61
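Worked example of the request shape the issue and the PR describe, added here as an illustration (it is not code from the Hadoop PR, and it is Python rather than the connector's Java): the refresh_token grant is sent without client authentication for a public client, and with the client secret either in an HTTP Basic header (client_secret_basic) or as a form field (client_secret_post) for a confidential client. The endpoint, client id, secret and refresh token are constructed placeholders.

```python
"""Build an OAuth2 refresh_token grant request for a public or confidential
client. Added example; not Hadoop code."""
import base64
from urllib.parse import quote, urlencode

# Constructed placeholder endpoint; not a real tenant or token URL.
TOKEN_ENDPOINT = "https://login.example.test/tenant-placeholder/oauth2/token"


def basic_auth_header(client_id, client_secret):
    """client_secret_basic (RFC 6749 section 2.3.1): each value is
    form-urlencoded first, then "id:secret" is base64-encoded."""
    cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
    return "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")


def build_refresh_request(refresh_token, client_id, client_secret=None,
                          auth_method="basic", endpoint=TOKEN_ENDPOINT):
    """Return {"url", "headers", "form", "body"} for the token request.
    With no secret the client is public and only identifies itself with
    client_id; with a secret it authenticates via the Basic header
    (client_secret_basic) or via form fields (client_secret_post)."""
    form = {"grant_type": "refresh_token", "refresh_token": refresh_token}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if client_secret is None:
        form["client_id"] = client_id
    elif auth_method == "basic":
        headers["Authorization"] = basic_auth_header(client_id, client_secret)
    elif auth_method == "post":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    else:
        raise ValueError("auth_method must be 'basic' or 'post'")
    return {"url": endpoint, "headers": headers, "form": form,
            "body": urlencode(form)}


def redact(request):
    """Copy of the request that is safe to log: secret and token masked."""
    masked = {"url": request["url"], "headers": dict(request["headers"]),
              "form": dict(request["form"])}
    if "Authorization" in masked["headers"]:
        masked["headers"]["Authorization"] = "Basic ***"
    for key in ("client_secret", "refresh_token"):
        if key in masked["form"]:
            masked["form"][key] = "***"
    masked["body"] = urlencode(masked["form"])
    return masked


if __name__ == "__main__":
    print(redact(build_refresh_request("rt-placeholder", "abc", "xyz")))
```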



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
