Remove ActiveRolesProvider (apache#2390)

Summary of changes:

- As proposed on the ML, `ActiveRolesProvider` is removed, and `DefaultActiveRolesProvider` is merged into `DefaultAuthenticator`. `ActiveRolesAugmentor` is also merged into `AuthenticatingAugmentor`.

- The implicit convention that no roles in credentials == all roles requested is removed as it is ambiguous. Credentials must explicitly include the `PRINCIPAL_ROLE:ALL` pseudo-role to request all roles available.

- PersistedPolarisPrincipal is removed. It existed merely as a means of passing the `PrincipalEntity` from the authenticator to the roles provider. This is not necessary anymore.

Author: adutra

CHANGELOG.md

@@ -101,8 +101,7 @@ refresh-credentials flag for the desired storage provider.
 
 ### Deprecations
 
-- The property `polaris.active-roles-provider.type` is deprecated for removal.
-- The `ActiveRolesProvider` interface is deprecated for removal.
+* The property `polaris.active-roles-provider.type` is deprecated and has no effect anymore.
 
 ### Fixes
 

helm/polaris/README.md

@@ -189,8 +189,7 @@ ct install --namespace polaris --charts ./helm/polaris
 |-----|------|---------|-------------|
 | advancedConfig | object | `{}` | Advanced configuration. You can pass here any valid Polaris or Quarkus configuration property. Any property that is defined here takes precedence over all the other configuration values generated by this chart. Properties can be passed "flattened" or as nested YAML objects (see examples below). Note: values should be strings; avoid using numbers, booleans, or other types. |
 | affinity | object | `{}` | Affinity and anti-affinity for polaris pods. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity. |
-| authentication | object | `{"activeRolesProvider":{"type":"default"},"authenticator":{"type":"default"},"realmOverrides":{},"tokenBroker":{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.key"}},"type":"rsa-key-pair"},"tokenService":{"type":"default"},"type":"internal"}` | Polaris authentication configuration. |
-| authentication.activeRolesProvider | object | `{"type":"default"}` | The `ActiveRolesProvider` implementation to use. Only one built-in type is supported: default. |
+| authentication | object | `{"authenticator":{"type":"default"},"realmOverrides":{},"tokenBroker":{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.key"}},"type":"rsa-key-pair"},"tokenService":{"type":"default"},"type":"internal"}` | Polaris authentication configuration. |
 | authentication.authenticator | object | `{"type":"default"}` | The `Authenticator` implementation to use. Only one built-in type is supported: default. |
 | authentication.realmOverrides | object | `{}` | Authentication configuration overrides per realm. |
 | authentication.tokenBroker | object | `{"maxTokenGeneration":"PT1H","secret":{"name":null,"privateKey":"private.pem","publicKey":"public.pem","rsaKeyPair":{"privateKey":"private.pem","publicKey":"public.pem"},"secretKey":"symmetric.pem","symmetricKey":{"secretKey":"symmetric.key"}},"type":"rsa-key-pair"}` | The `TokenBroker` implementation to use. Two built-in types are supported: rsa-key-pair and symmetric-key. Only relevant when using internal (or mixed) authentication. When using external authentication, the token broker is not used. |
@@ -299,7 +298,7 @@ ct install --namespace polaris --charts ./helm/polaris
 | oidc.principalMapper.type | string | `"default"` | The `PrincipalMapper` implementation to use. Only one built-in type is supported: default. |
 | oidc.principalRolesMapper | object | `{"filter":null,"mappings":[],"rolesClaimPath":null,"type":"default"}` | Principal roles mapping configuration. |
 | oidc.principalRolesMapper.filter | string | `nil` | A regular expression that matches the role names in the identity. Only roles that match this regex will be included in the Polaris-specific roles. |
-| oidc.principalRolesMapper.mappings | list | `[]` | A list of regex mappings that will be applied to each role name in the identity. This can be used to transform the role names in the identity into role names as expected by Polaris. The default ActiveRolesProvider expects the security identity to expose role names in the format `POLARIS_ROLE:<role name>`. |
+| oidc.principalRolesMapper.mappings | list | `[]` | A list of regex mappings that will be applied to each role name in the identity. This can be used to transform the role names in the identity into role names as expected by Polaris. The default Authenticator expects the security identity to expose role names in the format `POLARIS_ROLE:<role name>`. |
 | oidc.principalRolesMapper.rolesClaimPath | string | `nil` | The path to the claim that contains the principal roles. Nested paths can be expressed using "/" as a separator, e.g. "polaris/principal_roles" would look for the "principal_roles" field inside the "polaris" object in the token claims. If not set, Quarkus looks for roles in standard locations. See https://quarkus.io/guides/security-oidc-bearer-token-authentication#token-claims-and-security-identity-roles. |
 | oidc.principalRolesMapper.type | string | `"default"` | The `PrincipalRolesMapper` implementation to use. Only one built-in type is supported: default. |
 | persistence | object | `{"relationalJdbc":{"secret":{"jdbcUrl":"jdbcUrl","name":null,"password":"password","username":"username"}},"type":"in-memory"}` | Polaris persistence configuration. |

helm/polaris/ci/authentication-values.yaml

@@ -31,8 +31,6 @@ authentication:
   type: internal
   authenticator:
     type: default
-  activeRolesProvider:
-    type: default
   tokenService:
     type: default
   tokenBroker:

helm/polaris/templates/_helpers.tpl

@@ -316,7 +316,6 @@ Sets the configmap authentication options for a given realm.
 {{- end -}}
 {{- $_ := set $map (printf "%s.type" $prefix) $authType -}}
 {{- $_ = set $map (printf "%s.authenticator.type" $prefix) (dig "authenticator" "type" "default" $auth) -}}
-{{- $_ = set $map (printf "%s.active-roles-provider.type" $prefix) (dig "activeRolesProvider" "type" "default" $auth) -}}
 {{- if (or (eq $authType "mixed") (eq $authType "internal")) -}}
 {{- $tokenBrokerType := dig "tokenBroker" "type" "rsa-key-pair" $auth -}}
 {{- $_ = set $map (printf "%s.token-service.type" $prefix) (dig "tokenService" "type" "default" $auth) -}}

helm/polaris/tests/configmap_test.yaml

@@ -168,16 +168,6 @@ tests:
     asserts:
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.authenticator.type=custom" }
 
-  - it: should configure default active roles provider
-    set: { authentication: { activeRolesProvider: { type: default } } }
-    asserts:
-      - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.active-roles-provider.type=default" }
-
-  - it: should configure custom active roles provider
-    set: { authentication: { activeRolesProvider: { type: custom } } }
-    asserts:
-      - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.active-roles-provider.type=custom" }
-
   - it: should configure default token service
     set: { authentication: { tokenService: { type: default } } }
     asserts:
@@ -209,18 +199,16 @@ tests:
     set:
       authentication:
         realmOverrides:
-          realm1: { type: mixed, authenticator: { type: custom1 }, activeRolesProvider: { type: custom1 }, tokenBroker: { type: custom1 }, tokenService: { type: custom1 } }
-          realm2: { type: external, authenticator: { type: custom2 }, activeRolesProvider: { type: custom2 } }
+          realm1: { type: mixed, authenticator: { type: custom1 }, tokenBroker: { type: custom1 }, tokenService: { type: custom1 } }
+          realm2: { type: external, authenticator: { type: custom2 } }
           "REALM 3": { type: internal, tokenBroker: { type: rsa-key-pair, secret: { name: polaris-auth } } }
     asserts:
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm1\".type=mixed" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm1\".authenticator.type=custom1" }
-      - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm1\".active-roles-provider.type=custom1" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm1\".token-broker.type=custom1" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm1\".token-service.type=custom1" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm2\".type=external" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm2\".authenticator.type=custom2" }
-      - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"realm2\".active-roles-provider.type=custom2" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"REALM\\\\ 3\".type=internal" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"REALM\\\\ 3\".token-broker.type=rsa-key-pair" }
       - matchRegex: { path: 'data["application.properties"]', pattern: "polaris.authentication.\"REALM\\\\ 3\".token-broker.rsa-key-pair.public-key-file=/deployments/config/REALM\\+3/public.pem" }

helm/polaris/values.yaml

@@ -580,9 +580,6 @@ authentication:
   # -- The `Authenticator` implementation to use. Only one built-in type is supported: default.
   authenticator:
     type: default
-  # -- The `ActiveRolesProvider` implementation to use. Only one built-in type is supported: default.
-  activeRolesProvider:
-    type: default
   # -- The token service (`IcebergRestOAuth2ApiService`) implementation to use. Two built-in types are supported: default and disabled.
   # Only relevant when using internal (or mixed) authentication. When using external authentication, the token service is always disabled.
   tokenService:
@@ -671,7 +668,7 @@ oidc:
     filter: ~  # ^(?!profile$|email$).*
     # -- A list of regex mappings that will be applied to each role name in the identity. This can
     # be used to transform the role names in the identity into role names as expected by Polaris.
-    # The default ActiveRolesProvider expects the security identity to expose role names in the
+    # The default Authenticator expects the security identity to expose role names in the
     # format `POLARIS_ROLE:<role name>`.
     mappings: []
       # - regex: role_(.*)

runtime/defaults/src/main/resources/application.properties

@@ -150,17 +150,12 @@ polaris.rate-limiter.token-bucket.type=default
 polaris.rate-limiter.token-bucket.requests-per-second=9999
 polaris.rate-limiter.token-bucket.window=PT10S
 
-# This property is DEPRECATED for removal; use polaris.authentication.active-roles-provider.type instead
-polaris.active-roles-provider.type=default
-
 # Polaris authentication settings
 polaris.authentication.type=internal
 polaris.authentication.authenticator.type=default
-polaris.authentication.active-roles-provider.type=${polaris.active-roles-provider.type}
 # Per-realm overrides:
 # polaris.authentication.realm1.type=external
 # polaris.authentication.realm1.authenticator.type=custom
-# polaris.authentication.realm1.active-roles-provider.type=custom
 
 # Options effective when using internal auth (can be overridden in per realm):
 polaris.authentication.token-service.type=default

runtime/service/src/main/java/org/apache/polaris/service/auth/ActiveRolesAugmentor.java

@@ -72,7 +72,17 @@ private SecurityIdentity authenticatePolarisPrincipal(
       SecurityIdentity identity, PolarisCredential polarisCredential) {
     try {
       PolarisPrincipal polarisPrincipal = authenticator.authenticate(polarisCredential);
-      return QuarkusSecurityIdentity.builder(identity).setPrincipal(polarisPrincipal).build();
+      QuarkusSecurityIdentity.Builder builder =
+          QuarkusSecurityIdentity.builder()
+              .setAnonymous(false)
+              .setPrincipal(polarisPrincipal)
+              .addRoles(polarisPrincipal.getRoles())
+              .addCredentials(identity.getCredentials())
+              .addAttributes(identity.getAttributes())
+              .addPermissionChecker(identity::checkPermission);
+      // Also include the Polaris principal properties as attributes of the identity
+      polarisPrincipal.getProperties().forEach(builder::addAttribute);
+      return builder.build();
     } catch (RuntimeException e) {
       throw new AuthenticationFailedException(e);
     }