Giters

trinodb / trino-gateway

Home Page:https://trinodb.github.io/trino-gateway/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Support set roles using OAuth claims

oneonestar opened this issue · comments

commented

Currently, we authenticate an user and get the userId from OAuth provider.
The mapping between userId and role is done by setting the presetUsers.
If userId exists in presetUsers, we'll use the privileges set for the user and match it in authorization.

It's inconvenient to set every account in presetUsers in order to perform a userId to role mapping.
We can improve this by getting the info from OAuth claims.

A similar feature already exist in LDAP (lbLdapClient.getMemberOf(username)).
This feature also exists in Trino (trinodb/trino#15669), although it's discouraged due to the conflict with impersonation. We don't have impersonation in gateway, so this won't be a concert.

Ref:

authentication:
  defaultType: "oauth"
  oauth:
    issuer: ....

authorization:
  admin: (.*)ADMIN(.*)
  user: (.*)USER(.*)
  api: (.*)API(.*)

presetUsers:
  alice:
    privileges: ADMIN_USER_API

trino-gateway/gateway-ha/src/main/java/io/trino/gateway/ha/security/AuthorizationManager.java

Lines 40 to 53 in 6fb8346

public Optional<String> getPrivileges(String username)
{
//check the preset users
String privs = "";
UserConfiguration user = presetUsers.get(username);
if (user != null) {
privs = user.privileges();
}
else if (lbLdapClient != null) {
privs = lbLdapClient.getMemberOf(username);
}
return Optional.ofNullable(privs);
}