Interface CallHeaderAuthenticator
- All Known Implementing Classes:
BasicCallHeaderAuthenticator, BearerTokenAuthenticator, GeneratedBearerTokenAuthenticator
A CallHeaderAuthenticator is used by ServerCallHeaderAuthMiddleware to validate headers sent by a Flight client for authentication purposes. The headers validated do not necessarily have to be Authorization headers.
The workflow is that the FlightServer will intercept headers on a request, validate the headers, and either send back an UNAUTHENTICATED error, or succeed and potentially send back additional headers to the client.
Implementations of CallHeaderAuthenticator should take care not to leak confidential details (such as indicating whether usernames are valid or not) when reporting errors back to clients, for security reasons.
Example CallHeaderAuthenticators provided include: The BasicCallHeaderAuthenticator will authenticate basic HTTP credentials. The BearerTokenAuthenticator will authenticate basic HTTP credentials initially, then also send back a bearer token that the client can use for subsequent requests. The GeneratedBearerTokenAuthenticator will provide internally generated bearer tokens and maintain a cache of them.
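The following is an added example, not code from the Arrow project: a custom implementation that validates a non-Authorization header and reports missing and invalid credentials identically, so the error reveals nothing about which keys or identities exist. The class name, the `x-api-key` header name and the in-memory digest map are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import org.apache.arrow.flight.CallHeaders;
import org.apache.arrow.flight.CallStatus;
import org.apache.arrow.flight.auth2.CallHeaderAuthenticator;

/** Hypothetical authenticator that checks a custom API-key header. */
public final class ApiKeyHeaderAuthenticator implements CallHeaderAuthenticator {
  // Assumed header name; gRPC metadata keys are lower-case.
  private static final String API_KEY_HEADER = "x-api-key";
  // Peer identity -> SHA-256 digest of that peer's API key (assumed key store).
  private final Map<String, byte[]> keyDigestByPeer;

  public ApiKeyHeaderAuthenticator(Map<String, byte[]> keyDigestByPeer) {
    this.keyDigestByPeer = Map.copyOf(keyDigestByPeer);
  }

  @Override
  public AuthResult authenticate(CallHeaders incomingHeaders) {
    String presented = incomingHeaders.get(API_KEY_HEADER);
    // Hash even when the header is absent so both paths do the same work.
    byte[] digest = sha256(presented == null ? "" : presented);
    String matched = null;
    for (Map.Entry<String, byte[]> entry : keyDigestByPeer.entrySet()) {
      // Constant-time comparison; scan every entry instead of returning early.
      if (MessageDigest.isEqual(entry.getValue(), digest)) {
        matched = entry.getKey();
      }
    }
    if (presented == null || matched == null) {
      // One status and one message for "missing" and "invalid" credentials.
      throw CallStatus.UNAUTHENTICATED
          .withDescription("Authentication failed")
          .toRuntimeException();
    }
    final String peerIdentity = matched;
    return () -> peerIdentity; // AuthResult with no extra outgoing headers
  }

  static byte[] sha256(String value) {
    try {
      return MessageDigest.getInstance("SHA-256").digest(value.getBytes(StandardCharsets.UTF_8));
    } catch (NoSuchAlgorithmException e) {
      throw new IllegalStateException("SHA-256 unavailable", e);
    }
  }
}
```

Log the specific failure reason server-side if it is needed for detection; only the generic description should reach the client.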

Nested Class Summary
Modifier and Type: static interface
Description: Encapsulates the result of the CallHeaderAuthenticator analysis of headers.

Field Summary
Modifier and Type: static final CallHeaderAuthenticator
Field: NO_OP
Description: An auth handler that does nothing.

Method Summary
Method: authenticate(CallHeaders incomingHeaders)
Description: Validate the auth headers sent by the client.

Field Details
NO_OP
An auth handler that does nothing.

Method Details
authenticate
Validate the auth headers sent by the client.
- Parameters:
incomingHeaders - The incoming headers to authenticate.
- Returns:
an auth result containing a peer identity and optionally a bearer token.
- Throws:
FlightRuntimeException - with CallStatus.UNAUTHENTICATED if credentials were not supplied or if credentials were supplied but were not valid.