REST: disallow overriding "credential" in table sessions #10345
base: main
Conversation
@@ -915,7 +923,13 @@ private FileIO tableFileIO(SessionContext context, Map<String, String> config) { | |||
} | |||
|
|||
private AuthSession tableSession(Map<String, String> tableConf, AuthSession parent) { | |||
Pair<String, Supplier<AuthSession>> newSession = newSession(tableConf, tableConf, parent); | |||
Map<String, String> credentials = Maps.newHashMapWithExpectedSize(tableConf.size()); |
Note: this change still allows overriding `credential` from the `SessionContext`, which I believe is the desired behavior. But I'm happy to also apply the restriction to `SessionContext` as well.

@nastra could you have a look at this one as well please?
if (TABLE_SESSION_ALLOW_LIST.contains(prop)) { | ||
credentials.put(prop, tableConf.get(prop)); | ||
} | ||
} |
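Review bot: the allow-list filtering into `credentials` runs after `newSession(tableConf, tableConf, parent)` has already been handed the unfiltered `tableConf` as both of its map arguments; if `newSession` reads `credential` (or any other non-allow-listed auth property) from either of those maps, a table config can still override it and the new allow-list is bypassed for that path. Consider building the filtered `credentials` map first and passing it instead of the raw `tableConf` as the second argument, or confirm in the remainder of the method that the `newSession` result never consumes an unfiltered `credential`. Minor: `Maps.newHashMapWithExpectedSize(tableConf.size())` sizes the map for the whole table config although at most the allow-listed keys will land in it; sizing for `TABLE_SESSION_ALLOW_LIST.size()` reflects the intent better.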
nit: newline after the closing }
See apache#10256 for context. This change disallows overriding the "credential" property in table sessions, by introducing an allow-list of auth-related properties that can be overridden in such situations. Only the "token" property and properties used to exchange one token for another ("urn:ietf:params:oauth:token-type:*") are now allowed.
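The allow-list semantics described above, as an added standalone example that is not Iceberg's own code and not part of this PR: a table config may contribute `token` and `urn:ietf:params:oauth:token-type:*` entries to a table session, while `credential` always stays the parent session's. The constant names, the `filterTableAuthProps` and `effectiveAuthProps` helpers and the sample config values are assumptions made for illustration; the real `TABLE_SESSION_ALLOW_LIST` and `tableSession` method in the PR are not shown here.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/** Hypothetical illustration of the per-table auth allow-list; not Iceberg's code. */
public final class TableSessionAllowListExample {
  // Assumed property names, mirroring the PR description.
  static final String CREDENTIAL = "credential";
  static final String TOKEN = "token";
  // Token-exchange properties are allowed by prefix ("urn:ietf:params:oauth:token-type:*").
  static final String TOKEN_TYPE_PREFIX = "urn:ietf:params:oauth:token-type:";
  // Exact-match names a table config may override.
  static final Set<String> EXACT_ALLOW_LIST = Set.of(TOKEN);

  private TableSessionAllowListExample() {}

  /** True for "token" and for any "urn:ietf:params:oauth:token-type:..." key. */
  static boolean isAllowedTableAuthProp(String prop) {
    return EXACT_ALLOW_LIST.contains(prop) || prop.startsWith(TOKEN_TYPE_PREFIX);
  }

  /** Copies only the allow-listed auth properties out of a table config. */
  static Map<String, String> filterTableAuthProps(Map<String, String> tableConf) {
    Map<String, String> allowed = new HashMap<>();
    for (Map.Entry<String, String> e : tableConf.entrySet()) {
      if (isAllowedTableAuthProp(e.getKey())) {
        allowed.put(e.getKey(), e.getValue());
      }
    }
    return allowed;
  }

  /**
   * Effective auth properties for a table session: the parent's properties, with only the
   * allow-listed table-level entries layered on top. A table-supplied "credential" is dropped.
   */
  static Map<String, String> effectiveAuthProps(
      Map<String, String> parentAuthProps, Map<String, String> tableConf) {
    Map<String, String> effective = new HashMap<>(parentAuthProps);
    effective.putAll(filterTableAuthProps(tableConf));
    return effective;
  }

  public static void main(String[] args) {
    // Constructed sample: the parent (catalog) session's auth properties.
    Map<String, String> parent = new HashMap<>();
    parent.put(CREDENTIAL, "catalog-client-id:catalog-client-secret");
    parent.put(TOKEN, "catalog-scoped-token");

    // Constructed sample: a table config that tries to swap in a different credential
    // while also carrying legitimate table-scoped token and token-exchange entries.
    Map<String, String> tableConf = new HashMap<>();
    tableConf.put(CREDENTIAL, "other-client-id:other-secret");
    tableConf.put(TOKEN, "table-scoped-token");
    tableConf.put(TOKEN_TYPE_PREFIX + "access_token", "table-scoped-token");
    tableConf.put("uri", "https://rest-catalog.example/v1"); // non-auth, ignored here

    Map<String, String> effective = effectiveAuthProps(parent, tableConf);

    // The credential is still the parent's; token-related entries came from the table config.
    if (!"catalog-client-id:catalog-client-secret".equals(effective.get(CREDENTIAL))) {
      throw new AssertionError("table config must not be able to override credential");
    }
    if (!"table-scoped-token".equals(effective.get(TOKEN))) {
      throw new AssertionError("token override from the table config should be kept");
    }
    if (!effective.containsKey(TOKEN_TYPE_PREFIX + "access_token")) {
      throw new AssertionError("token-exchange properties should be kept");
    }
    if (effective.containsKey("uri")) {
      throw new AssertionError("non-auth properties are not part of the auth map");
    }
    System.out.println("effective auth properties: " + effective);
  }
}
```

Because the allow-list is applied only to the table-level config, a `credential` carried in the `SessionContext` is deliberately not filtered by this helper, matching the behaviour the PR author describes above.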