[#9564] fix(authn): Fix Flink connector oauth2 mode #9618
Conversation
...link/src/main/java/org/apache/gravitino/flink/connector/catalog/GravitinoCatalogManager.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
This PR fixes OAuth2 authentication mode configuration in the Flink connector. The changes address issues where OAuth2 configuration keys were not properly handled when building the Gravitino client.
Key changes:
- Adds a constant for the "oauth2" string to improve maintainability
- Fixes OAuth2 client configuration by removing OAuth-specific keys before passing config to GravitinoAdminClient
- Updates documentation example to show correct credential format
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| GravitinoCatalogStoreFactoryOptions.java | Adds OAUTH2 constant to centralize the "oauth2" string value |
| GravitinoCatalogManager.java | Refactors OAuth2 client building logic to remove OAuth config keys from client config map and use the new OAUTH2 constant |
| flink-authentication-with-gravitino.md | Updates documentation to show correct OAuth2 credential format |
| String.format( | ||
| "OAuth2 authentication requires: %s, %s, %s, and %s", | ||
|
|
||
| // Remove OAuth config from client config map, Because |
There was a problem hiding this comment.
The word 'Because' should not be capitalized mid-sentence. Change 'Because' to 'because'.
| // Remove OAuth config from client config map, Because | |
| // Remove OAuth config from client config map, because |
| // Remove OAuth config from client config map, Because | ||
| // GravitinoAdminClient.builder().withClientConfig() does not recognize these keys. |
There was a problem hiding this comment.
The comment should explain why removing these keys is necessary. Consider clarifying that these OAuth2-specific keys would cause validation errors or unexpected behavior if passed to the GravitinoAdminClient builder.
| // Remove OAuth config from client config map, Because | |
| // GravitinoAdminClient.builder().withClientConfig() does not recognize these keys. | |
| // Remove OAuth-specific config entries from the client config map. These keys are only | |
| // used to construct the OAuth2 token provider and are not valid GravitinoAdminClient | |
| // client configuration options; passing them to withClientConfig() could cause validation | |
| // errors or other unexpected behavior. |
|
|
||
| // Remove OAuth config from client config map, Because | ||
| // GravitinoAdminClient.builder().withClientConfig() does not recognize these keys. | ||
| Set<String> oauthConfigKeys = | ||
| Sets.newHashSet( | ||
| GravitinoCatalogStoreFactoryOptions.AUTH_TYPE, | ||
| GravitinoCatalogStoreFactoryOptions.OAUTH2_SERVER_URI, | ||
| GravitinoCatalogStoreFactoryOptions.OAUTH2_CREDENTIAL, | ||
| GravitinoCatalogStoreFactoryOptions.OAUTH2_TOKEN_PATH, | ||
| GravitinoCatalogStoreFactoryOptions.OAUTH2_SCOPE)); | ||
| GravitinoCatalogStoreFactoryOptions.OAUTH2_SCOPE); | ||
| for (String key : oauthConfigKeys) { | ||
| config.remove(key); | ||
| } |
There was a problem hiding this comment.
The new logic for removing OAuth config keys from the client config map lacks test coverage. Add a unit test to verify that these specific keys are properly removed from the config before it's passed to the GravitinoAdminClient builder.
There was a problem hiding this comment.
It's hard to add tests. I test it by hand.
|
@FANNG1 Could u take a look at this pull request? |
|
@jerqi |
No need. The branch 1.1 doesn't have the similar issue. I don't back port the pull request which bring this issue to branch-1.1. |
| // Only OAuth is explicitly configured; otherwise follow Flink security (Kerberos if enabled, | ||
| // simple auth otherwise). | ||
| if (AuthenticatorType.OAUTH.name().equalsIgnoreCase(authType)) { | ||
| if (GravitinoCatalogStoreFactoryOptions.OAUTH2.equalsIgnoreCase(authType)) { |
There was a problem hiding this comment.
Any reason for using a new constant?
There was a problem hiding this comment.
OAUTH name is oauth. We need OAUTH2 here.
Spark use the constants in the catalog-common.
So I defined a new constant here.
I will refactor related code in the future. I can create an issue for this.
| authType, GravitinoCatalogStoreFactoryOptions.AUTH_TYPE)); | ||
| } | ||
|
|
||
| LOG.info("Flink security enabled: {}", UserGroupInformation.isSecurityEnabled()); |
There was a problem hiding this comment.
How about simple by using one log?
There was a problem hiding this comment.
OK, I just feel it will be a little long.
|
LGTM, some minor comments |
|
Shall we backport branch-1.1? |
4 participants
What changes were proposed in this pull request?
Fix Flink connector oauth2 mode.
Why are the changes needed?
This is a follow up PR.
Does this PR introduce any user-facing change?
No.
How was this patch tested?
By hand.