Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support passing groups in OAuth access token claim #10262

Merged
merged 11 commits into from Jan 24, 2022
Merged

Support passing groups in OAuth access token claim #10262

merged 11 commits into from Jan 24, 2022

Conversation

lukasz-walkiewicz
Copy link
Member

@lukasz-walkiewicz lukasz-walkiewicz commented Dec 10, 2021
edited

Resolves: #10220

@cla-bot cla-bot bot added the cla-signed label Dec 10, 2021
kokosing
kokosing reviewed Dec 10, 2021
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a product tests that would call current_groups() To make sure it works end to end.

Looks nice!

core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java Outdated
.withPrincipal(new BasicPrincipal(principal))
.build());
Identity.Builder identity = Identity.forUser(userMapping.mapUser(principal));
identity.withPrincipal(new BasicPrincipal(principal));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

identity = identity.withPrincipal(new BasicPrincipal(principal));?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

withPrincipal just modifies the builder and returns this, thus reassignment is unnecessary.

core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java
.toInstance(tokenServer.getOAuth2Client());
})
.build()) {
server.getInstance(Key.get(AccessControlManager.class)).addSystemAccessControl(TestSystemAccessControl.NO_IMPERSONATION);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why no impersonation?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's not important actually whether it allows impersonation or not but I think it's better to deny by default.
The important part is:

@Override
public void checkCanReadSystemInformation(SystemSecurityContext context)
{
    if (!context.getIdentity().getUser().equals(MANAGEMENT_USER)) {
        denyReadSystemInformationAccess();
    }
}

as it's being tested by assertAuthenticationAutomatic

mat3e
mat3e approved these changes Dec 13, 2021
View reviewed changes
core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java
this.service = requireNonNull(service, "service is null");
this.principalField = config.getPrincipalField();
groupsField = requireNonNull(config.getGroupsField(), "groupsField is null");
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: we can skip this rnn here and in other places as groups field is an empty Optional by default in the config.

core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java Outdated
identity.withPrincipal(new BasicPrincipal(principalName));
groupsField.flatMap(field -> Optional.ofNullable((List<String>) claims.get().get(field)))
.ifPresent(groups -> identity.withGroups(ImmutableSet.copyOf(groups)));
setAuthenticatedIdentity(request, identity.build());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe not for this PR, but would it be possible to make this filter using OAuth2Authenticator? Seems they share more logic now than previously.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I initially thought about it and I think it's generally a good idea but it would require a bit broader refactor. The important difference between OAuth2Authenticator and this filter is that protocol authenticator throws an Authentication exception (401 Unauthorized) whereas this filter redirects the browser to authentication url (303 See Other). It's doable ofc but as I said, it requires a bit of refactoring.

11xor6
11xor6 approved these changes Dec 14, 2021
View reviewed changes
Copy link
Member

@11xor6 11xor6 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, a few minor changes.

core/trino-main/src/main/java/io/trino/server/security/jwt/JwtAuthenticator.java
Comment on lines +66 to +71
if (principal.isEmpty()) {
return Optional.empty();
}
return Optional.of(Identity.forUser(userMapping.mapUser(principal.get()))
.withPrincipal(new BasicPrincipal(principal.get()))
.build());
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can continue the chain and avoid the if statement here by using map.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm afraid it would not work. User mapping throws UserMappingException which is checked exception.

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java
String principal = (String) claims.get().get(principalField);
Identity.Builder identity = Identity.forUser(userMapping.mapUser(principal));
identity.withPrincipal(new BasicPrincipal(principal));
groupsField.flatMap(field -> Optional.ofNullable((List<String>) claims.get().get(field)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No need for flatMap as map handles null correctly.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Optional.map(o -> Optional.of(o)) returns Optional<Optional<>>
whereas
Optional.flatMap(o -> Optional.of(o)) returns Optional<>

core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Authenticator.java Outdated
.withPrincipal(new BasicPrincipal(principal))
.build());
Identity.Builder identity = Identity.forUser(userMapping.mapUser(principal));
identity.withPrincipal(new BasicPrincipal(principal));
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

withPrincipal just modifies the builder and returns this, thus reassignment is unnecessary.

core/trino-main/src/main/java/io/trino/server/ui/OAuth2WebUiAuthenticationFilter.java
.build());
Identity.Builder identity = Identity.forUser(userMapping.mapUser(principalName));
identity.withPrincipal(new BasicPrincipal(principalName));
groupsField.flatMap(field -> Optional.ofNullable((List<String>) claims.get().get(field)))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Again map here is cleaner and clearer.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

userMapping.mapUser(principalName) throws checked UserMappingException

kokosing
kokosing approved these changes Jan 6, 2022
View reviewed changes
testing/trino-product-tests/pom.xml Show resolved Hide resolved
testing/trino-product-tests/pom.xml Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/oauth2/OAuth2Config.java
return groupsField;
}

@Config("http-server.authentication.oauth2.groups-field")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add changes to docs too

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's already done:

   * - ``http-server.authentication.oauth2.groups-field``
     - The field of the access token used for Trino groups. The corresponding claim value must be an array.

Would like to add something?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No. Thanks.

@kokosing kokosing mentioned this pull request Jan 10, 2022
Closed
@kokosing
Copy link
Member 

2022-01-18T00:22:24.5270305Z 2022-01-18T00:22:24.526Z	INFO	testcontainers-lifecycle-4	🐳 [postgres:14.0]	Container postgres:14.0 started in PT2.019499S
2022-01-18T00:22:24.5271614Z 2022-01-18T00:22:24.526Z	INFO	environment-listener-1	io.trino.tests.product.launcher.env.EnvironmentListener	Container started: hydra-db
2022-01-18T00:22:24.5279573Z 2022-01-18T00:22:24.527Z	INFO	environment-listener-1	io.trino.tests.product.launcher.env.StatisticsFetcher	Started listening for container hydra-db statistics stream...
2022-01-18T00:22:24.5322747Z 2022-01-18T00:22:24.529Z	INFO	testcontainers-lifecycle-5	🐳 [oryd/hydra:v1.10.6]	Creating container for image: oryd/hydra:v1.10.6
2022-01-18T00:22:24.5546992Z 2022-01-18T00:22:24.554Z	INFO	testcontainers-lifecycle-5	🐳 [oryd/hydra:v1.10.6]	Starting container with ID: 6107e37d2ef6e8eed6e56332933fe3995eee4961c4d45e340b4f025ec591afb5
2022-01-18T00:22:24.8529639Z 2022-01-18T00:22:24.851Z	INFO	testcontainers-lifecycle-5	🐳 [oryd/hydra:v1.10.6]	Container oryd/hydra:v1.10.6 is starting: 6107e37d2ef6e8eed6e56332933fe3995eee4961c4d45e340b4f025ec591afb5
2022-01-18T00:22:24.8585668Z 2022-01-18T00:22:24.858Z	INFO	environment-listener-1	io.trino.tests.product.launcher.env.EnvironmentListener	Container starting: hydra-db-migration
2022-01-18T00:22:24.8806071Z hydra-db-migration  | time=2022-01-18T00:22:24Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=ORY Hydra service_version=v1.10.6
2022-01-18T00:22:24.8938883Z hydra-db            | 2022-01-18 00:22:24.893 UTC [124] ERROR:  relation "hydra_client_migration" does not exist at character 15
2022-01-18T00:22:24.8939408Z hydra-db            | 2022-01-18 00:22:24.893 UTC [124] STATEMENT:  SELECT * FROM hydra_client_migration
2022-01-18T00:22:24.8939807Z hydra-db-migration  | The following migration is planned:
2022-01-18T00:22:24.8944550Z hydra-db-migration  | 
2022-01-18T00:22:24.8950870Z hydra-db            | 2022-01-18 00:22:24.894 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.8952264Z hydra-db            | 2022-01-18 00:22:24.894 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.8955173Z hydra-db            | 2022-01-18 00:22:24.895 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.8955760Z hydra-db            | 2022-01-18 00:22:24.895 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.8961134Z hydra-db            | 2022-01-18 00:22:24.895 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.8961720Z hydra-db            | 2022-01-18 00:22:24.895 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.8968153Z hydra-db            | 2022-01-18 00:22:24.896 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.8968749Z hydra-db            | 2022-01-18 00:22:24.896 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.8974168Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.8974758Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9090873Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9091467Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9096787Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9097375Z hydra-db            | 2022-01-18 00:22:24.897 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9097897Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9098457Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9098977Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9099538Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9100037Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9100593Z hydra-db            | 2022-01-18 00:22:24.898 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9101118Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9101670Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9102187Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9102724Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9103245Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9103803Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9104321Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9104858Z hydra-db            | 2022-01-18 00:22:24.899 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9105366Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9105924Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9106435Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9106984Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9107586Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9108138Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9108651Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9109258Z hydra-db            | 2022-01-18 00:22:24.900 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9109774Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9110302Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9110818Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9111376Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9111890Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9112419Z hydra-db            | 2022-01-18 00:22:24.901 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9112929Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9113481Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9113991Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9114541Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9115178Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9115745Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9116263Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9116816Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9117328Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9117861Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9118375Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9118921Z hydra-db            | 2022-01-18 00:22:24.902 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9119434Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9120048Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9120556Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9121108Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9121685Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9122239Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9122735Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9123288Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9123799Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9124439Z hydra-db            | 2022-01-18 00:22:24.903 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9124942Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9125489Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9126006Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9126566Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9127077Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9127609Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9128129Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9128676Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9129190Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9129719Z hydra-db            | 2022-01-18 00:22:24.904 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9130228Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9130779Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9131294Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9131841Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9132410Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9132959Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9133482Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9134089Z hydra-db            | 2022-01-18 00:22:24.905 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9134605Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9135140Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9135654Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9136205Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9136717Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9137248Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9137754Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9138308Z hydra-db            | 2022-01-18 00:22:24.906 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9138822Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9139372Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9139870Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9140422Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9140934Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9141496Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9142015Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9142548Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9143069Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] ERROR:  relation "schema_migration" does not exist at character 47
2022-01-18T00:22:24.9143625Z hydra-db            | 2022-01-18 00:22:24.907 UTC [124] STATEMENT:  SELECT EXISTS (SELECT schema_migration.* FROM schema_migration AS schema_migration WHERE version = $1)
2022-01-18T00:22:24.9298981Z hydra-db-migration  | Version                Name                                              Status    
2022-01-18T00:22:24.9299586Z hydra-db-migration  | 20190100000001000000   client                                            Pending   
2022-01-18T00:22:24.9300176Z hydra-db-migration  | 20190100000002000000   client                                            Pending   
2022-01-18T00:22:24.9300581Z hydra-db-migration  | 20190100000003000000   client                                            Pending   
2022-01-18T00:22:24.9300988Z hydra-db-migration  | 20190100000004000000   client                                            Pending   
2022-01-18T00:22:24.9301564Z hydra-db-migration  | 20190100000005000000   client                                            Pending   
2022-01-18T00:22:24.9447510Z hydra-db-migration  | 20190100000006000000   client                                            Pending   
2022-01-18T00:22:24.9449138Z hydra-db-migration  | 20190100000007000000   client                                            Pending   
2022-01-18T00:22:24.9450484Z hydra-db-migration  | 20190100000008000000   client                                            Pending   
2022-01-18T00:22:24.9451816Z hydra-db-migration  | 20190100000009000000   client                                            Pending   
2022-01-18T00:22:24.9453132Z hydra-db-migration  | 20190100000010000000   client                                            Pending   
2022-01-18T00:22:24.9454751Z hydra-db-migration  | 20190100000011000000   client                                            Pending   
2022-01-18T00:22:24.9456227Z hydra-db-migration  | 20190100000012000000   client                                            Pending   
2022-01-18T00:22:24.9456829Z hydra-db-migration  | 20190100000013000000   client                                            Pending   
2022-01-18T00:22:24.9457517Z hydra-db-migration  | 20190100000014000000   client                                            Pending   
2022-01-18T00:22:24.9460209Z hydra-db-migration  | 20190200000001000000   jwk                                               Pending   
2022-01-18T00:22:24.9461019Z hydra-db-migration  | 20190200000002000000   jwk                                               Pending   
2022-01-18T00:22:24.9461591Z hydra-db-migration  | 20190200000003000000   jwk                                               Pending   
2022-01-18T00:22:24.9462040Z hydra-db-migration  | 20190200000004000000   jwk                                               Pending   
2022-01-18T00:22:24.9462780Z hydra-db-migration  | 20190300000001000000   consent                                           Pending   
2022-01-18T00:22:24.9463689Z hydra-db-migration  | 20190300000002000000   consent                                           Pending   
2022-01-18T00:22:24.9464245Z hydra-db-migration  | 20190300000003000000   consent                                           Pending   
2022-01-18T00:22:24.9464664Z hydra-db-migration  | 20190300000004000000   consent                                           Pending   
2022-01-18T00:22:24.9465050Z hydra-db-migration  | 20190300000005000000   consent                                           Pending   
2022-01-18T00:22:24.9465445Z hydra-db-migration  | 20190300000006000000   consent                                           Pending   
2022-01-18T00:22:24.9465842Z hydra-db-migration  | 20190300000007000000   consent                                           Pending   
2022-01-18T00:22:24.9466234Z hydra-db-migration  | 20190300000008000000   consent                                           Pending   
2022-01-18T00:22:24.9466628Z hydra-db-migration  | 20190300000009000000   consent                                           Pending   
2022-01-18T00:22:24.9467009Z hydra-db-migration  | 20190300000010000000   consent                                           Pending   
2022-01-18T00:22:24.9467398Z hydra-db-migration  | 20190300000011000000   consent                                           Pending   
2022-01-18T00:22:24.9467795Z hydra-db-migration  | 20190300000012000000   consent                                           Pending   
2022-01-18T00:22:24.9468184Z hydra-db-migration  | 20190300000013000000   consent                                           Pending   
2022-01-18T00:22:24.9468787Z hydra-db-migration  | 20190300000014000000   consent                                           Pending   
2022-01-18T00:22:24.9469181Z hydra-db-migration  | 20190400000001000000   oauth2                                            Pending   
2022-01-18T00:22:24.9469571Z hydra-db-migration  | 20190400000002000000   oauth2                                            Pending   
2022-01-18T00:22:24.9469965Z hydra-db-migration  | 20190400000003000000   oauth2                                            Pending   
2022-01-18T00:22:24.9470344Z hydra-db-migration  | 20190400000004000000   oauth2                                            Pending   
2022-01-18T00:22:24.9470807Z hydra-db-migration  | 20190400000005000000   oauth2                                            Pending   
2022-01-18T00:22:24.9471314Z hydra-db-migration  | 20190400000006000000   oauth2                                            Pending   
2022-01-18T00:22:24.9471714Z hydra-db-migration  | 20190400000007000000   oauth2                                            Pending   
2022-01-18T00:22:24.9472096Z hydra-db-migration  | 20190400000008000000   oauth2                                            Pending   
2022-01-18T00:22:24.9472505Z hydra-db-migration  | 20190400000009000000   oauth2                                            Pending   
2022-01-18T00:22:24.9472973Z hydra-db-migration  | 20190400000010000000   oauth2                                            Pending   
2022-01-18T00:22:24.9473366Z hydra-db-migration  | 20190400000011000000   oauth2                                            Pending   
2022-01-18T00:22:24.9473753Z hydra-db-migration  | 20200521071434000000   consent                                           Pending   
2022-01-18T00:22:24.9474154Z hydra-db-migration  | 20200527215731000000   client                                            Pending   
2022-01-18T00:22:24.9474547Z hydra-db-migration  | 20200527215732000000   client                                            Pending   
2022-01-18T00:22:24.9474969Z hydra-db-migration  | 20200819163013000000   add_client_id_subject_idx_to_access_and_refresh   Pending   
2022-01-18T00:22:24.9475381Z hydra-db-migration  | 20200913192340000000   initial_sqlite                                    Pending   
2022-01-18T00:22:24.9475785Z hydra-db-migration  | 20201110104000000000   drop_uq_oauth2                                    Pending   
2022-01-18T00:22:24.9476188Z hydra-db-migration  | 20201116133000000000   set_null_time                                     Pending   
2022-01-18T00:22:24.9476656Z hydra-db            | 2022-01-18 00:22:24.908 UTC [124] ERROR:  relation "hydra_client_migration" does not exist at character 15
2022-01-18T00:22:24.9477102Z hydra-db            | 2022-01-18 00:22:24.908 UTC [124] STATEMENT:  SELECT * FROM hydra_client_migration
2022-01-18T00:22:24.9477560Z hydra-db            | 2022-01-18 00:22:24.909 UTC [124] ERROR:  relation "schema_migration" does not exist at character 21
2022-01-18T00:22:24.9478012Z hydra-db            | 2022-01-18 00:22:24.909 UTC [124] STATEMENT:  select version from schema_migration
2022-01-18T00:22:25.1269220Z hydra-db-migration  | Successfully applied migrations!
2022-01-18T00:22:25.1491922Z hydra-db-migration  | (exited)
2022-01-18T00:22:54.8612233Z 2022-01-18T00:22:54.859Z	ERROR	testcontainers-lifecycle-5	🐳 [oryd/hydra:v1.10.6]	Could not start container
2022-01-18T00:22:54.8612893Z org.rnorth.ducttape.TimeoutException: Timeout waiting for result with exception
2022-01-18T00:22:54.8613612Z 	at org.rnorth.ducttape.unreliables.Unreliables.retryUntilSuccess(Unreliables.java:54)
2022-01-18T00:22:54.8668801Z 	at org.rnorth.ducttape.unreliables.Unreliables.retryUntilTrue(Unreliables.java:100)
2022-01-18T00:22:54.8669489Z 	at org.testcontainers.containers.startupcheck.StartupCheckStrategy.waitUntilStartupSuccessful(StartupCheckStrategy.java:35)
2022-01-18T00:22:54.8670121Z 	at org.testcontainers.containers.GenericContainer.tryStart(GenericContainer.java:460)
2022-01-18T00:22:54.8670625Z 	at org.testcontainers.containers.GenericContainer.lambda$doStart$0(GenericContainer.java:331)
2022-01-18T00:22:54.8671410Z 	at org.rnorth.ducttape.unreliables.Unreliables.retryUntilSuccess(Unreliables.java:81)
2022-01-18T00:22:54.8671895Z 	at org.testcontainers.containers.GenericContainer.doStart(GenericContainer.java:329)
2022-01-18T00:22:54.8672369Z 	at org.testcontainers.containers.GenericContainer.start(GenericContainer.java:317)
2022-01-18T00:22:54.8672825Z 	at java.base/java.util.concurrent.CompletableFuture$UniRun.tryFire(CompletableFuture.java:783)
2022-01-18T00:22:54.8673247Z 	at java.base/java.util.concurrent.CompletableFuture$Completion.run(CompletableFuture.java:478)
2022-01-18T00:22:54.8673824Z 	at java.base/java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1128)
2022-01-18T00:22:54.8674283Z 	at java.base/java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:628)
2022-01-18T00:22:54.8674637Z 	at java.base/java.lang.Thread.run(Thread.java:829)
2022-01-18T00:22:54.8675091Z Caused by: com.github.dockerjava.api.exception.NotFoundException: Status 404: {"message":"No such container: 6107e37d2ef6e8eed6e56332933fe3995eee4961c4d45e340b4f025ec591afb5"}
2022-01-18T00:22:54.8675433Z 
2022-01-18T00:22:54.8675885Z 	at org.testcontainers.shaded.com.github.dockerjava.core.DefaultInvocationBuilder.execute(DefaultInvocationBuilder.java:241)
2022-01-18T00:22:54.8676601Z 	at org.testcontainers.shaded.com.github.dockerjava.core.DefaultInvocationBuilder.get(DefaultInvocationBuilder.java:202)
2022-01-18T00:22:54.8677287Z 	at org.testcontainers.shaded.com.github.dockerjava.core.DefaultInvocationBuilder.get(DefaultInvocationBuilder.java:74)
2022-01-18T00:22:54.8678016Z 	at org.testcontainers.shaded.com.github.dockerjava.core.exec.InspectContainerCmdExec.execute(InspectContainerCmdExec.java:31)
2022-01-18T00:22:54.8678763Z 	at org.testcontainers.shaded.com.github.dockerjava.core.exec.InspectContainerCmdExec.execute(InspectContainerCmdExec.java:13)
2022-01-18T00:22:54.8679495Z 	at org.testcontainers.shaded.com.github.dockerjava.core.exec.AbstrSyncDockerCmdExec.exec(AbstrSyncDockerCmdExec.java:21)
2022-01-18T00:22:54.8680161Z 	at org.testcontainers.shaded.com.github.dockerjava.core.command.AbstrDockerCmd.exec(AbstrDockerCmd.java:35)
2022-01-18T00:22:54.8680859Z 	at org.testcontainers.shaded.com.github.dockerjava.core.command.InspectContainerCmdImpl.exec(InspectContainerCmdImpl.java:52)
2022-01-18T00:22:54.8681578Z 	at org.testcontainers.containers.startupcheck.StartupCheckStrategy.getCurrentState(StartupCheckStrategy.java:54)
2022-01-18T00:22:54.8682325Z 	at org.testcontainers.containers.startupcheck.IsRunningStartupCheckStrategy.checkStartupState(IsRunningStartupCheckStrategy.java:15)
2022-01-18T00:22:54.8683032Z 	at org.testcontainers.containers.startupcheck.StartupCheckStrategy.lambda$null$0(StartupCheckStrategy.java:38)
2022-01-18T00:22:54.8683545Z 	at org.rnorth.ducttape.ratelimits.RateLimiter.getWhenReady(RateLimiter.java:51)
2022-01-18T00:22:54.8684263Z 	at org.testcontainers.containers.startupcheck.StartupCheckStrategy.lambda$waitUntilStartupSuccessful$1(StartupCheckStrategy.java:37)
2022-01-18T00:22:54.8684852Z 	at org.rnorth.ducttape.unreliables.Unreliables.lambda$retryUntilTrue$1(Unreliables.java:101)
2022-01-18T00:22:54.8685315Z 	at org.rnorth.ducttape.unreliables.Unreliables.lambda$retryUntilSuccess$0(Unreliables.java:43)
2022-01-18T00:22:54.8685718Z 	at java.base/java.util.concurrent.FutureTask.run(FutureTask.java:264)
2022-01-18T00:22:54.8685984Z 	... 3 more
2022-01-18T00:22:54.8686090Z 
2022-01-18T00:22:54.8686184Z

Is this related?

@lukasz-walkiewicz
Copy link
Member Author

I don't why this happend tbh. The container simply didn't start. Let's give it another try.

@kokosing
Copy link
Member

I don't why this happend tbh. The container simply didn't start. Let's give it another try.

This is not an option. It seems that the environment is flaky. Please stress it out instead to see how frequent it is. Also IIRC we do retry setup of each environment which may suggest that this env failed couple times in row. I am not sure if retry happened here.

@lukasz-walkiewicz
Copy link
Member Author

Fair point. I'll stress test it.

@kokosing
Copy link
Member

Fair point. I'll stress test it.

Also you can stress test the master to see if it is something or pre-existing issue.

@lukasz-walkiewicz
Copy link
Member Author

I was able to reproduce it locally and it looks like the problem is that hydra-migration, container which migrates the database and immidately exits (which is ok and expected), is doing that too fast and startup gets lost and checks for the status of the container which no longer exists. I'll take a closer look at why this happens.

@kokosing
Copy link
Member

I was able to reproduce it locally

👍 Thank you!

@lukasz-walkiewicz lukasz-walkiewicz force-pushed the oauth-groups-claim branch 3 times, most recently from 26c8c76 to a79ca06 Compare January 23, 2022 12:07
@lukasz-walkiewicz
Copy link
Member Author

I've fixed problems with the startup check. Stress tested in: https://github.com/trinodb/trino/actions/runs/1735765630

@lukasz-walkiewicz
Move TestResource
27117b2
@lukasz-walkiewicz
Extract token server from OAuth2 test
1287cba
@lukasz-walkiewicz
Return groups in indentity response
6632601
@lukasz-walkiewicz
Do not return groups=[username] from group provider
b0c9db1
@lukasz-walkiewicz
Add WebUI identity endpoint to TestResource
c1b94b5
@lukasz-walkiewicz
Use one shot startup strategy for hydra migrations
791afaa
@lukasz-walkiewicz
Do not remove temporal containers automatically
b1474b1 
Temporal containers can finish faster than the startup probe can check.
The check interval comes from the docker client with rate limiting which
queries the docker service at most once per second. This can create a
race condition if the container can complete it's job in less or around
1 second.
@lukasz-walkiewicz
Use login & consent server accepting all requests
0e004f5 
Instead of using selenium driver to log in and accept the consent request
use a simple python implementation which accepts all requests thus
eliminating the need of web driver entirely.
Fixes trinodb#6991
@lukasz-walkiewicz
Support passing groups in OAuth access token claim
d842185
@kokosing kokosing merged commit 8b8b0be into trinodb:master Jan 24, 2022
@lukasz-walkiewicz lukasz-walkiewicz deleted the oauth-groups-claim branch January 24, 2022 20:19
@mosabua mosabua mentioned this pull request Jan 24, 2022
Merged
@github-actions github-actions bot added this to the 369 milestone Jan 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kokosing kokosing kokosing approved these changes

@11xor6 11xor6 11xor6 approved these changes

@mat3e mat3e mat3e approved these changes

@dain dain Awaiting requested review from dain

Assignees
No one assigned
Labels
cla-signed docs
Milestone
369
Development

Successfully merging this pull request may close these issues.

Support for groups in OAuth2 authenticator
4 participants
@lukasz-walkiewicz @kokosing @11xor6 @mat3e