Support multiple password authentication plugins #7151
docs still missing
Skimmed
import static java.util.Objects.requireNonNull; | ||
|
||
public class PasswordAuthenticatorManager | ||
{ | ||
private static final Logger log = Logger.get(PasswordAuthenticatorManager.class); | ||
|
||
private static final File CONFIG_FILE = new File("etc/password-authenticator.properties"); | ||
private static final File DEFAULT_CONFIG_FILE = new File("etc/password-authenticator.properties"); |
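Review bot: DEFAULT_CONFIG_FILE points at the relative path "etc/password-authenticator.properties", so the file that selects the password authenticator is resolved against whatever directory the server process was started from. Since the constant is now only a default, consider logging the absolute path that was actually loaded and failing with a clear message when the resolved file is missing, so that a server started from an unexpected working directory cannot come up with a different authenticator configuration than the operator intended.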
Can you move it to be the default value of password-authenticator.config-files?
This is how we do it for similar plugins. If we move it, we need to check here that the list is not empty. (maybe can use bean validation for that)
It appears to be screwing up testing pretty badly as the validation of the existence of the file is done always.
I agree with @kokosing that we should try to flatten password authenticators instead of nesting them.
@kokosing @sopel39
I was thinking that each file should generate one
@@ -62,6 +62,7 @@ protected void setup(Binder binder) | |||
.internalOnlyResource(StoreResource.class); | |||
|
|||
binder.bind(PasswordAuthenticatorManager.class).in(Scopes.SINGLETON); | |||
configBinder(binder).bindConfig(PasswordAuthenticatorConfig.class); |
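Review bot: the bindConfig(PasswordAuthenticatorConfig.class) call added in setup() is unconditional, so the password authenticator config is bound, and any validation it carries is run, on every server regardless of which authentication types are configured. Either bind it only when password authentication is enabled, or keep PasswordAuthenticatorConfig free of checks that depend on the environment and perform them where the authenticators are loaded.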
It should not be possible to specify password config properties when password authentication is not used.
Maybe PasswordAuthenticatorManager (along with config) can be bound conditionally? Add PasswordAuthenticatorSupportModule as for Jwt and Oauth2.
It is not that easy. PasswordAuthenticatorManager is used by PluginManager and needs to be present even if it is not used. And the config is needed by Guice to create it.
3787dab to 53f041e
Comments addressed
41bde08 to 2ab1da2
Commits reordered, tests fixed.
2ab1da2 to cae545b
1395f19 to 60fa2d5
lgtm % small comments
60fa2d5 to c8d715c
Squashed the two "optional binding" commits.
c8d715c to 1e609a2
@sopel39 Config description added
1e609a2 to 2b4aa7e
{ | ||
Path passwordConfigDummy = Files.createTempFile("passwordConfigDummy", ""); |
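Review bot: the temporary file created by Files.createTempFile("passwordConfigDummy", "") is never deleted in the lines shown, so each test run leaves one more file in the temp directory. Delete it when the test finishes, for example in a finally block or an after-method cleanup, so the fixture does not accumulate on build machines.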
Why not use (null, null) like TestPasswordAuthenticatorConfig? Seems like they should be consistent
The prefix is defensive. If you happen to find 5k of files in /tmp you know where to look for a bug. Suffix changed to null
Just skimmed FMI.
I think you want to add product tests here where you could use two actual password authenticators.
e8490dd to f97fdba
@kokosing added a simple product test. PTAL
Reviewed product tests only.
testing/trino-product-tests/src/main/java/io/trino/tests/cli/TestTrinoLdapCli.java
launchTrinoCliWithServerArgument(); | ||
trino.waitForPrompt(); | ||
trino.getProcessInput().println("select * from hive.default.nation;"); | ||
assertThat(trimLines(trino.readLinesUntilPrompt())).containsAll(nationTableInteractiveLines); |
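Review bot: the assertion on nationTableInteractiveLines only shows that the query ran after login; it cannot show which password authenticator accepted the credentials, and the lines shown have no counterpart where login is rejected. Add a case with a user known to only one authenticator and a case with a wrong password that must fail, so a regression that skips one of the configured authenticators is caught.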
Please use JDBC for testing. Please make sure you test two authenticators. Please also add some negative tests where user was not able to authenticate.
Please next time make 3 remarks instead of one.
2. This test is for the file authenticator, shouldRunQueryWithLdap is for LDAP. I don't see a reason to repeat any of them.
3. Every failing test in this class does this, e.g. shouldFailQueryForWrongLdapPassword
Using TrinoLdapCLI for your use case is not a best fit. These tests are targeted for something else. I think need a dedicated set of tests.
I use both CLI and JDBC now.
@@ -0,0 +1 @@ | |||
DefaultGroupUser:$2y$10$xA36wzOAnGWJmukr/zItyOrOyXPD6prgszOCN93MyFUpMAbGKcklm |
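Review bot: the single entry added at line 1 is a bare bcrypt hash for DefaultGroupUser, and nothing in the file or the hunk records that it is a test-only credential or which fixture password it corresponds to. Document the plaintext next to the test that uses it, or the command used to generate the hash, so the fixture can be regenerated and is not mistaken for a real credential.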
Please do not use same user here as in ldap. That way we don't know which authenticator was actually used.
Part of the whole idea is to use two authenticators for one user.
I will add another one and test it separately
So how does it work then? You will use one authenticator anyway. It is not a very interesting case.
Multiple password authenticators work exactly the same as standard authenticators.
Thanks for product tests! 🍰
aa63487 to e518249
@kokosing PTAL
e518249 to b0184aa
@kokosing added offline-requested upper-case SQL keywords.
product tests LGTM
b0184aa to 00ed323
This way password config is not read when password authentication type is not set
LDAP + file based authentication is used.
00ed323 to d83246c
please add documentation
Fixes: #1791