Fix rest user info to match API auth with Webapp Auth #310
Conversation
securityContext.isUserInRole() is actually calling this: trino-gateway/gateway-ha/src/main/java/io/trino/gateway/ha/security/LbAuthorizer.java, line 34 in ac407dc
gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java
LGTM.
nit: We should have a test for this.
Just tested and it seems to work well!
Please add same logic to GatewayWebAppResource
good call!
Please squash commits into one and follow the commit message guideline: https://github.com/trinodb/trino/blob/master/.github/DEVELOPMENT.md#format-git-commit-messages
gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java
The restUserInfo method in the LoginResource class and the findQueryHistory method in the GatewayWebAppResource class were using string manipulation of the getMemberOf method from the LbPrincipal to do role authorization. This change fixes the role authorization to be consistent throughout the app by utilizing the isUserInRole method, which keeps the context of the LbAuthorization when checking user access to the ADMIN, USER, and API roles.
Fixes the restUserInfo function to return Trino Gateway Roles (ADMIN, USER, API) to the Webapp, which is what the webapp expects.
Additional context and related issues
I opened this PR to map LDAP groups to Trino gateway roles and then came up with this simpler solution.
The following configs will break in the current (prior to this commit) version of Trino gateway because the admin user will not have admin privileges within the webapp like it should. This is because the webapp checks role membership by comparing the roles passed to those in an enum.
breaking auth example:
This broken example works as expected after this fix.
This is how the webapp checks role membership:
https://github.com/trinodb/trino-gateway/blob/739ec5e67799dd5df0ab8aaec7934e21a63507fa/webapp/src/store/access.ts#L73C9-L76C9
And where those role membership checks are made:
* trino-gateway/webapp/src/components/selector.tsx, line 80 in ac407dc
* trino-gateway/webapp/src/components/cluster.tsx, line 89 in ac407dc
* trino-gateway/webapp/src/components/history.tsx, line 93 in ac407dc
* trino-gateway/webapp/src/components/resource-group.tsx, line 88 in ac407dc
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(X) Release notes are required, with the following suggested text:
* fixed userInfo resource to pass role information used by the api, so that webapp auth matches api auth
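The failure mode the PR description explains, as an added example that is not trino-gateway code: the webapp compares the role strings it receives against an enum, so a userInfo payload that passes through raw memberOf groups never satisfies the ADMIN check, while a payload resolved through an isUserInRole-style check does. The group patterns, the memberOf values, and the function names (webappHasRole, isUserInRole, userInfoBeforeFix, userInfoAfterFix) are constructed for illustration and are not the project's own configuration or API.

```typescript
// Added example (not trino-gateway code). Models both halves of the bug the
// PR describes: the webapp's enum-based role check, and the server-side
// userInfo payload before and after the fix.

enum GatewayRole {
  ADMIN = "ADMIN",
  USER = "USER",
  API = "API",
}

const ALL_ROLES: GatewayRole[] = [GatewayRole.ADMIN, GatewayRole.USER, GatewayRole.API];

interface UserInfo {
  userName: string;
  roles: string[];
}

// Hypothetical stand-in for the webapp check: a role counts only when a
// received string is exactly one of the enum values.
function webappHasRole(info: UserInfo, required: GatewayRole): boolean {
  return info.roles.some((r) => r === required);
}

// Constructed authorization mapping (an assumption, not the project's real
// config): one pattern per gateway role, matched against each memberOf entry.
const ROLE_PATTERNS: Record<GatewayRole, RegExp> = {
  [GatewayRole.ADMIN]: /^cn=trino-admins,/,
  [GatewayRole.USER]: /^cn=trino-users,/,
  [GatewayRole.API]: /^cn=trino-api,/,
};

// Server-side stand-in for an isUserInRole-style check: the user holds a
// gateway role if any group they belong to matches that role's pattern.
function isUserInRole(memberOf: string[], role: GatewayRole): boolean {
  const pattern = ROLE_PATTERNS[role];
  return memberOf.some((group) => pattern.test(group));
}

// Pre-fix behaviour as the PR describes it: the raw memberOf groups are
// handed to the webapp as if they were roles.
function userInfoBeforeFix(userName: string, memberOf: string[]): UserInfo {
  return { userName, roles: memberOf.slice() };
}

// Post-fix behaviour: groups are resolved to gateway roles first, so the
// payload only ever carries values the webapp's enum knows about.
function userInfoAfterFix(userName: string, memberOf: string[]): UserInfo {
  const roles = ALL_ROLES.filter((role) => isUserInRole(memberOf, role));
  return { userName, roles };
}

// Constructed LDAP-style memberOf list for an administrator (sample input).
const ADMIN_MEMBER_OF: string[] = [
  "cn=trino-admins,ou=groups,dc=example,dc=com",
  "cn=engineering,ou=groups,dc=example,dc=com",
];

// Runs the webapp ADMIN check against both payload shapes for one user.
function adminCheckBeforeAndAfter(userName: string, memberOf: string[]): { before: boolean; after: boolean } {
  return {
    before: webappHasRole(userInfoBeforeFix(userName, memberOf), GatewayRole.ADMIN),
    after: webappHasRole(userInfoAfterFix(userName, memberOf), GatewayRole.ADMIN),
  };
}
```

With the constructed admin groups, adminCheckBeforeAndAfter returns before: false and after: true, which is the mismatch between API auth and webapp auth that the fix removes. A user whose groups match none of the patterns gets an empty roles list after the fix rather than a list of group strings the webapp cannot interpret.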