Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support multiple password authentication plugins #7151

Merged
merged 6 commits into from Apr 6, 2021
Merged

Support multiple password authentication plugins #7151

merged 6 commits into from Apr 6, 2021

Conversation

skrzypo987
Copy link
Member

@skrzypo987 skrzypo987 commented Mar 4, 2021
edited by sopel39

Fixes: #1791

@cla-bot cla-bot bot added the cla-signed label Mar 4, 2021
@skrzypo987
Copy link
Member Author

docs still missing

kokosing
kokosing reviewed Mar 4, 2021
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Skimmed

core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorManager.java Outdated
import static java.util.Objects.requireNonNull;

public class PasswordAuthenticatorManager
{
private static final Logger log = Logger.get(PasswordAuthenticatorManager.class);

private static final File CONFIG_FILE = new File("etc/password-authenticator.properties");
private static final File DEFAULT_CONFIG_FILE = new File("etc/password-authenticator.properties");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you move to as default value of password-authenticator.config-files?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is how we do it for similar plugins. If we move it, we need to check here that the list is not empty. (maybe can use bean validation for that)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It appears to be screwing up testing pretty badly as the validation of the existence of the file is done always.

@sopel39
Copy link
Member

sopel39 commented Mar 9, 2021

I agree with @kokosing that we should try to flatten password authenticatiors instead of nesting them.
It seems the biggest magic would be in ServerSecurityModule to allow binding for same type of authenticator (io.trino.server.security.ServerSecurityModule#authenticatorBinder). This could be done similar as in https://stackoverflow.com/questions/49107121/guice-mapbinder-with-list-values

@skrzypo987 skrzypo987 added the WIP label Mar 9, 2021
@skrzypo987
Copy link
Member Author

@kokosing @sopel39
I tried to "flatten password authenticatiors" instead of nesting them. However there is one problem:
The authenticator list is created in the Guice context. However the PasswordAuthenticatorManager is populated with data (authenticator factories) on the later stage in PluginManager, so the information about the types of password authenticators is unknown when the list is made. Do you have any idea how to get around that?

@findepi findepi requested a review from dain March 17, 2021 16:50
@kokosing
Copy link
Member

I was thinking that each file should generate one PasswordAuthenticator binding. Notice that it is already a set multibinder. However I see it is not an easy thing to do... but still I think it is the way to go (or at least to explore).

sopel39
sopel39 reviewed Mar 18, 2021
View reviewed changes
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/AuthenticationFilter.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/ServerSecurityModule.java Outdated
@@ -62,6 +62,7 @@ protected void setup(Binder binder)
.internalOnlyResource(StoreResource.class);

binder.bind(PasswordAuthenticatorManager.class).in(Scopes.SINGLETON);
configBinder(binder).bindConfig(PasswordAuthenticatorConfig.class);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should not be possible to specify password config properties when password authentication is not used.

Maybe PasswordAuthenticatorManager (along with config) can be binded conditionally? Add PasswordAuthenticatorSupportModule as for Jwt and Oauth2.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not that easy.
PasswordAuthenticatorManager is used by PluginManager and needs to be present even if it is not used. And the config is needed by Guice to create it

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You can use https://google.github.io/guice/api-docs/4.1/javadoc/com/google/inject/multibindings/OptionalBinder.html

core/trino-main/src/main/java/io/trino/server/ui/FormUiAuthenticatorModule.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Show resolved Hide resolved
electrum
electrum reviewed Mar 18, 2021
View reviewed changes
core/trino-main/src/main/java/io/trino/server/security/AuthenticationFilter.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorManager.java Outdated
import static java.util.Objects.requireNonNull;

public class PasswordAuthenticatorManager
{
private static final Logger log = Logger.get(PasswordAuthenticatorManager.class);

private static final File CONFIG_FILE = new File("etc/password-authenticator.properties");
private static final File DEFAULT_CONFIG_FILE = new File("etc/password-authenticator.properties");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is how we do it for similar plugins. If we move it, we need to check here that the list is not empty. (maybe can use bean validation for that)

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 3787dab to 53f041e Compare March 19, 2021 09:31
skrzypo987
skrzypo987 commented Mar 19, 2021
View reviewed changes
Copy link
Member Author

@skrzypo987 skrzypo987 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comments addressed

core/trino-main/src/main/java/io/trino/server/security/ServerSecurityModule.java Outdated
@@ -62,6 +62,7 @@ protected void setup(Binder binder)
.internalOnlyResource(StoreResource.class);

binder.bind(PasswordAuthenticatorManager.class).in(Scopes.SINGLETON);
configBinder(binder).bindConfig(PasswordAuthenticatorConfig.class);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is not that easy.
PasswordAuthenticatorManager is used by PluginManager and needs to be present even if it is not used. And the config is needed by Guice to create it

core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Show resolved Hide resolved
@skrzypo987 skrzypo987 removed the WIP label Mar 19, 2021
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 41bde08 to 2ab1da2 Compare March 22, 2021 09:03
@skrzypo987
Copy link
Member Author

Commits reordered, tests fixed.
I will update docs in a separate PR

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 2ab1da2 to cae545b Compare March 22, 2021 15:09
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch 3 times, most recently from 1395f19 to 60fa2d5 Compare March 24, 2021 08:59
sopel39
sopel39 approved these changes Mar 24, 2021
View reviewed changes
Copy link
Member

@sopel39 sopel39 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm % small comments

core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/ServerSecurityModule.java Show resolved Hide resolved
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 60fa2d5 to c8d715c Compare March 24, 2021 12:50
@skrzypo987
Copy link
Member Author

Squashed the two "optional binding" commits.
Made validation for password-authenticator.config-files to be non-empty

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from c8d715c to 1e609a2 Compare March 24, 2021 13:53
@skrzypo987
Copy link
Member Author

@sopel39 Config description added

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 1e609a2 to 2b4aa7e Compare March 24, 2021 15:45
electrum
electrum approved these changes Mar 29, 2021
View reviewed changes
client/trino-jdbc/src/test/java/io/trino/jdbc/TestTrinoDriverImpersonateUser.java Outdated
{
Path passwordConfigDummy = Files.createTempFile("passwordConfigDummy", "");
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why not use (null, null) like TestPasswordAuthenticatorConfig? Seems like they should be consistent

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The prefix is defensive. If you happen to find 5k of files in /tmp you know where to look for a bug. Suffix changed to null

core/trino-main/src/main/java/io/trino/server/Server.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestPasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/test/java/io/trino/server/security/TestResourceSecurity.java Outdated Show resolved Hide resolved
kokosing
kokosing reviewed Mar 30, 2021
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just skimmed FMI.

I think you want to add a product tests here where you could use actual two password authenticators.

client/trino-jdbc/src/test/java/io/trino/jdbc/TestTrinoDriverImpersonateUser.java Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorManager.java Outdated Show resolved Hide resolved
core/trino-main/src/main/java/io/trino/server/security/ServerSecurityModule.java Outdated Show resolved Hide resolved
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch 2 times, most recently from e8490dd to f97fdba Compare March 30, 2021 12:57
@skrzypo987
Copy link
Member Author

@kokosing added a simple product test. PTAL

kokosing
kokosing reviewed Apr 1, 2021
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed product tests only.

testing/trino-product-tests/src/main/java/io/trino/tests/cli/TestTrinoLdapCli.java Show resolved Hide resolved
testing/trino-product-tests/src/main/java/io/trino/tests/cli/TestTrinoLdapCli.java
launchTrinoCliWithServerArgument();
trino.waitForPrompt();
trino.getProcessInput().println("select * from hive.default.nation;");
assertThat(trimLines(trino.readLinesUntilPrompt())).containsAll(nationTableInteractiveLines);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use JDBC for testing. Please make sure you test two authenticators. Please also add some negative tests where user was not able to authenticate.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please next time make 3 remarks instead of one.
2.This test is for the file authenticator, shouldRunQueryWithLdap is for LDAP. I don't see reason to repeat any of them.
3.Every failing test in this class doe this, e.g. shouldFailQueryForWrongLdapPassword

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Using TrinoLdapCLI for your use case is not a best fit. These tests are targeted for something else. I think need a dedicated set of tests.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I use both CLI and JDBC now.

...er/src/main/java/io/trino/tests/product/launcher/env/environment/AbstractSinglenodeLdap.java Outdated Show resolved Hide resolved
...er/src/main/java/io/trino/tests/product/launcher/env/environment/AbstractSinglenodeLdap.java Show resolved Hide resolved
.../resources/docker/presto-product-tests/conf/environment/singlenode-ldap-and-file/password.db
@@ -0,0 +1 @@
DefaultGroupUser:$2y$10$xA36wzOAnGWJmukr/zItyOrOyXPD6prgszOCN93MyFUpMAbGKcklm
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please do not use same user here as in ldap. That way we don't know which authenticator was actually used.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Part of the whole idea is to use two authenticators for one user.
I will another one and test it separately

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So how does it work then? You will one authenticator any way. It is not much interesting case.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple password authenticators works exactly the same as standard authenticators.

@kokosing
Copy link
Member

kokosing commented Apr 1, 2021

Thanks for product tests! 🍰

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from aa63487 to e518249 Compare April 2, 2021 09:38
skrzypo987
skrzypo987 commented Apr 2, 2021
View reviewed changes
Copy link
Member Author

@skrzypo987 skrzypo987 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@kokosing PTAL

@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from e518249 to b0184aa Compare April 6, 2021 10:44
@skrzypo987
Copy link
Member Author

@kokosing added offline-requested upper-case SQL keywords.

kokosing
kokosing reviewed Apr 6, 2021
View reviewed changes
Copy link
Member

@kokosing kokosing left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

product tests LGTM

...her/src/main/java/io/trino/tests/product/launcher/env/environment/SinglenodeLdapAndFile.java Outdated Show resolved Hide resolved
testing/trino-product-tests/src/main/java/io/trino/tests/jdbc/TestLdapTrinoJdbc.java Outdated Show resolved Hide resolved
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from b0184aa to 00ed323 Compare April 6, 2021 13:17
@skrzypo987 skrzypo987 force-pushed the skrzypo/022-multiple-password-authenticators branch from 00ed323 to d83246c Compare April 6, 2021 14:45
@sopel39 sopel39 merged commit 10bae4c into trinodb:master Apr 6, 2021
@sopel39
Copy link
Member

sopel39 commented Apr 6, 2021

please add documentation

@sopel39 sopel39 mentioned this pull request Apr 6, 2021
Closed
7 tasks
@martint martint added this to the 355 milestone Apr 6, 2021
@electrum electrum mentioned this pull request Sep 13, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kokosing kokosing kokosing left review comments

@electrum electrum electrum approved these changes

@sopel39 sopel39 sopel39 approved these changes

@dain dain Awaiting requested review from dain

Assignees
No one assigned
Labels
cla-signed
Milestone
355
Development

Successfully merging this pull request may close these issues.

Support multiple password authentication plugins
5 participants
@skrzypo987 @sopel39 @kokosing @electrum @martint