Fix rest user info to match API auth with Webapp Auth #310
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
securityContext.isUserInRole() is actually calling this: Before: After: |
ebyhr
reviewed
Apr 9, 2024
gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java
Outdated
Show resolved
Hide resolved
oneonestar
approved these changes
Apr 9, 2024
Chaho12
reviewed
Apr 9, 2024
good call! |
ebyhr
approved these changes
Apr 9, 2024
There was a problem hiding this comment.
Please squash commits into one and follow the commit message guideline: https://github.com/trinodb/trino/blob/master/.github/DEVELOPMENT.md#format-git-commit-messages
ebyhr
reviewed
Apr 10, 2024
gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java
Outdated
Show resolved
Hide resolved
The restUserInfo method in the LoginResource class and the findQueryHistory method in the GatewayWapResource were using string manipulation of the getMemberOf method from the LbPrincipal to do role authorization. This change fixes the role authorization to be consistent throughout the app by utilizing the isUserInRole method that keeps the context of the LbAuthorization when checking user access to the ADMIN, USER, and API roles.
This was referenced Apr 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fixes the restUserInfo function to return Trino Gateway Roles (ADMIN, USER, API) to the Webapp, which is what the webapp expects.
Additional context and related issues
I opened this PR to map LDAP groups to Trino gateway roles and then came up with this simpler solution.
The following configs will break in the current (prior to this commit) version of Trino gateway because the admin user will not have admin privileges within the webapp like it should. This is because the webapp checks role membership by comparing the roles passed to those in an enum.
breaking auth example:
This broken example works as expected after this fix.
This is how the webapp checks role membership:
https://github.com/trinodb/trino-gateway/blob/739ec5e67799dd5df0ab8aaec7934e21a63507fa/webapp/src/store/access.ts#L73C9-L76C9
And where those role membership checks are made:
trino-gateway/webapp/src/components/selector.tsx
Line 80 in ac407dc
trino-gateway/webapp/src/components/cluster.tsx
Line 89 in ac407dc
trino-gateway/webapp/src/components/history.tsx
Line 93 in ac407dc
trino-gateway/webapp/src/components/resource-group.tsx
Line 88 in ac407dc
Release notes
( ) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
(X) Release notes are required, with the following suggested text:
* fixed userInfo resource to pass role information used by the api, so that webapp auth matches api auth