Giters

trinodb / trino-gateway

Home Page:https://trinodb.github.io/trino-gateway/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Support certificate authentication on Trino

oneonestar opened this issue · comments

commented

(Feature request)
Trino Gateway currently doesn't work if the backend Trino is using certificate authentication.

There are a few ways that I could think of to solve this issue. Discussion is needed before moving to implementation.

  1. TLS Termination at Trino Proxy.
    Perform authentication on Trino Proxy. Forward the request to coordinator base on the routing policies.
    Perform authentication between Trino Proxy and Coordinator.
    Allow Trino Proxy to "impersonate" the user.
  2. Return HTTP 307 Redirect
    First decrypt the request, select coordinator base on routing policies.
    Return HTTP 307 Redirect to the selected coordinator.
    Client directly connect to the Trino coordinator.
  3. TLS Passthrough
    (I don't think this will work since hostname wont't match)

Discussion about automatic retry of queries in the future, will need storage of submitted queries and state, and more, will work on that at a later stage

Looking at the dev sync's meeting notes, method 1 seems a reasonable choice.

Support Certificate Authentication in Trino Gateway (draft)

commented

In trino-proxy, we handled this by creating a JWT bearer token using the certificate principal . trino-proxy is configured with a key to generate the JWT that is trusted by the Trino coordinator. In other words, we convert the TLS certificate into a bearer token.

Another potential option is to support the Client-Certificate header from RFC 9440. This would require support in Trino. It's similar to the standard Forwarded in that it requires opt-in configuration to be trusted, as we do with the http-server.process-forwarded config.

commented

@electrum for the RFC 9440 do we need to touch jetty at all? We have an access to the headers in the public Identity authenticate(ContainerRequestContext request) so we can get the cert chain there

commented

for the RFC 9440 do we need to touch jetty at all?

No. ContainerRequestContext is enough.

I think the flow would be:

  1. During TLS handshake, Gateway ask for client certificate
  2. Client present and proof they have the client certificate.
  3. Gateway verify the certificate is valid
  4. Gateway extract the cert chain from ContainerRequestContext.
  5. Gateway send request with Client-Certificate header to Trino, along with a JWT to proof itself is from gateway
  6. Trino verify the JWT token, extract cert chain from Client-Certificate header and pass it to CertificateAuthenticator