Support set roles using OAuth claims
oneonestar opened this issue · comments
Currently, we authenticate a user and get the userId from the OAuth provider.
The mapping between userId and role is done by setting the presetUsers.
If userId exists in presetUsers, we'll use the privileges set for the user and match it in authorization.
It's inconvenient to set every account in presetUsers in order to perform a userId to role mapping.
We can improve this by getting the info from OAuth claims.
A similar feature already exists in LDAP (lbLdapClient.getMemberOf(username)).
This feature also exists in Trino (trinodb/trino#15669), although it's discouraged due to the conflict with impersonation. We don't have impersonation in gateway, so this won't be a concern.
Ref:
```yaml
authentication:
  defaultType: "oauth"
  oauth:
    issuer: ....
authorization:
  admin: (.*)ADMIN(.*)
  user: (.*)USER(.*)
  api: (.*)API(.*)
presetUsers:
  alice:
    privileges: ADMIN_USER_API
```
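As an added illustration (not code from this issue or from the Trino Gateway project), a Python sketch of the requested fallback: a presetUsers entry still wins, otherwise a `groups` claim (an assumed claim name) is joined into a presetUsers-style privileges string and matched against the same authorization regexes, using full-match semantics so `(.*)ADMIN(.*)` applies to the whole string. The sample token and claims are constructed; signature verification is assumed to have already happened during OAuth login.

```python
import base64
import json
import re

# Role regexes mirroring the "authorization" block of the config above.
ROLE_PATTERNS = {
    "admin": r"(.*)ADMIN(.*)",
    "user": r"(.*)USER(.*)",
    "api": r"(.*)API(.*)",
}

# Mirrors the "presetUsers" block: explicit per-user privileges take precedence.
PRESET_USERS = {"alice": {"privileges": "ADMIN_USER_API"}}


def make_token(claims: dict) -> str:
    """Constructed sample JWT (header.payload.signature) for offline use only.
    The signature is a placeholder; verification is out of scope here."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'RS256', 'typ': 'JWT'})}.{b64(claims)}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Decode the payload segment of an already-verified compact JWT."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def privileges_from_claims(claims: dict, claim_name: str = "groups") -> str:
    """Build a presetUsers-style privileges string ("USER_API") from a claim
    that is either a list or a comma/space separated string."""
    value = claims.get(claim_name, [])
    if isinstance(value, str):
        value = re.split(r"[,\s]+", value.strip())
    return "_".join(v for v in value if v)


def roles_for(privileges: str) -> set:
    """Return every role whose regex matches the entire privileges string."""
    return {role for role, pat in ROLE_PATTERNS.items() if re.fullmatch(pat, privileges)}


def authorize(token: str, preset_users: dict = PRESET_USERS, claim_name: str = "groups") -> set:
    """presetUsers entry first; otherwise derive privileges from the OAuth claim."""
    claims = decode_claims(token)
    user_id = claims.get("sub", "")
    if user_id in preset_users:
        return roles_for(preset_users[user_id]["privileges"])
    return roles_for(privileges_from_claims(claims, claim_name))
```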