
Support for per-share bearer token configs

Open atgabe opened this issue 3 years ago • 3 comments

At the moment authorization is everything or nothing, with a single bearer token providing access to the entire server. This PR expands authorization to support per-share bearer token configs.

  • changes the authorization.bearerToken property to authorization.universalBearerToken, and adds an authorization.shares array to configure additional tokens unique to a share
  • adds an AuthManager trait and two implementations (BearerTokenAuth and NoAuth) to handle authorization
  • expands unit tests to cover per-share authorization cases

There are certainly other approaches to this feature, so let me know if an alternative approach is deemed preferable.

atgabe, Jun 15 '22 23:06
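A sketch of the per-share check the description above outlines, as an added example rather than code from this PR. Only the names AuthManager, BearerTokenAuth, NoAuth and universalBearerToken come from the thread; the method signature, the share-to-token map and the token values are assumptions.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest

// Hypothetical shapes: the PR names the trait and its two implementations,
// but the signature and the layout of a `shares` entry are assumed here.
trait AuthManager {
  // share = None for requests not scoped to a single share (e.g. listing shares).
  def isAuthorized(presentedToken: Option[String], share: Option[String]): Boolean
}

object NoAuth extends AuthManager {
  def isAuthorized(presentedToken: Option[String], share: Option[String]): Boolean = true
}

final class BearerTokenAuth(
    universalBearerToken: Option[String],
    shareTokens: Map[String, Set[String]] // share name -> tokens valid for that share only
) extends AuthManager {

  // Constant-time comparison so response timing does not reveal token prefixes.
  private def same(a: String, b: String): Boolean =
    MessageDigest.isEqual(a.getBytes(UTF_8), b.getBytes(UTF_8))

  def isAuthorized(presentedToken: Option[String], share: Option[String]): Boolean =
    presentedToken.filter(_.nonEmpty).exists { token =>
      val universal = universalBearerToken.exists(same(_, token))
      // A per-share token is honoured only for the share it was configured on.
      val scoped = share.flatMap(shareTokens.get).exists(tokens => tokens.exists(same(_, token)))
      universal || scoped
    }
}

object Demo extends App {
  // Constructed sample configuration; all token values are placeholders.
  val auth = new BearerTokenAuth(
    universalBearerToken = Some("UNIVERSAL-TOKEN"),
    shareTokens = Map("sales" -> Set("SALES-TOKEN"), "hr" -> Set("HR-TOKEN"))
  )
  assert(auth.isAuthorized(Some("UNIVERSAL-TOKEN"), Some("hr"))) // universal: any share
  assert(auth.isAuthorized(Some("SALES-TOKEN"), Some("sales")))  // scoped: own share
  assert(!auth.isAuthorized(Some("SALES-TOKEN"), Some("hr")))    // scoped: other share denied
  assert(!auth.isAuthorized(Some("SALES-TOKEN"), None))          // scoped: server-wide denied
  assert(!auth.isAuthorized(None, Some("sales")))                // missing token denied
  println("all checks passed")
}
```

The fourth assertion is the case to decide explicitly in any design like this: whether a share-scoped token may call endpoints that are not tied to one share.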

An alternative approach on this is to introduce Recipient as a first-class concept, each with its own token and support fine-grained Share <-> Recipient access control. @atgabe Do you think that approach satisfies your needs?

zhuansunxt, Aug 30 '22 17:08

@zhuansunxt yup, that approach would work for our use case and sounds like it more closely mirrors the Databricks strategy. Is that approach in development elsewhere or a change you'd like to see on this PR?

atgabe, Sep 06 '22 14:09

@atgabe It would be great to submit an issue and use it to describe the general approach (like an RFC) so we can agree on design decisions.

zhuansunxt, Sep 07 '22 20:09