Add authentication to the Preview Web UI #23230

Merged
merged 1 commit into from
Jan 10, 2025


koszti
Member

@koszti koszti commented Sep 2, 2024

Description

Authentication methods for the preview UI. Partially addressing #22697

Technical details

Introducing three new API endpoints designed for enhanced Single Page App compatibility:

  • GET: /ui/preview/auth/info: Provides a lightweight JSON response containing the essential details for authentication type, user information, and login form rendering (if needed). Unlike the current approach, it eliminates the need for server-side HTML rendering and string manipulation. Example:
$ curl -k https://127.0.0.1:8443/ui/preview/auth/info
{"authType":"form","isPasswordAllowed":true,"isAuthenticated":false}
  • POST: /ui/preview/auth/login: Functionally equivalent to POST: /ui/login, but it exchanges data via JSON instead of HTTP forms and HTML responses.
  • GET: /ui/preview/auth/logout: Functionally equivalent to GET: /ui/logout, but it exchanges data via JSON instead of HTTP redirects and HTML responses.

Supported Authentication Types

  • INSECURE
  • FORM (via HTTP)
  • FORM (via HTTPS)
  • FIXED
  • OAUTH2 (tested with Okta)
  • JWT (tested by ingesting JWT tokens into the HTTP header as auth bearer token using mitmproxy)
  • KERBEROS
  • CERTIFICATE

Screenshots

1. INSECURE auth type for development. No password.

2. FORM auth type via HTTPS

3. FIXED

4. OAUTH2 Okta as IdP

NOTE: In OAuth2, the IdP login form is displayed (such as the Okta login page), whereas for fixed and protocol-based authenticators (JWT, certificate and Kerberos), users are redirected to the main page upon successful authentication without being shown a login form.

5. Periodically fetching /ui/api/stats endpoint after a successful login

@cla-bot cla-bot bot added the cla-signed label Sep 2, 2024
@koszti koszti changed the title Webapp Preview: Authentication [WiP] Webapp Preview: Authentication Sep 2, 2024
@github-actions github-actions bot added the ui Web UI label Sep 2, 2024
@koszti koszti force-pushed the webapp-preview-auth branch from 67f054b to 03ae4a8 Compare September 2, 2024 21:25
@koszti koszti force-pushed the webapp-preview-auth branch 5 times, most recently from 3895cf2 to 92310b1 Compare September 14, 2024 21:41
@wendigo wendigo self-requested a review September 15, 2024 05:04
@koszti koszti force-pushed the webapp-preview-auth branch 6 times, most recently from ef2ee0e to f5f4331 Compare September 17, 2024 08:32
@koszti koszti changed the title [WiP] Webapp Preview: Authentication Webapp Preview: Authentication Sep 17, 2024
@koszti koszti force-pushed the webapp-preview-auth branch 2 times, most recently from 6c48bf4 to 8e3d739 Compare September 17, 2024 20:36
@koszti koszti force-pushed the webapp-preview-auth branch from 8e3d739 to ce604df Compare September 30, 2024 09:05
@koszti koszti force-pushed the webapp-preview-auth branch from 75666ed to e2eb9cd Compare October 10, 2024 07:45
@github-actions github-actions bot added release-notes docs jdbc Relates to Trino JDBC driver hudi Hudi connector iceberg Iceberg connector delta-lake Delta Lake connector hive Hive connector labels Oct 10, 2024
@wendigo
Contributor

wendigo commented Dec 12, 2024

@koszti I've pushed a bunch of changes - can you test them? I'm ok with the change as it is right now so I'm willing to merge it.

@koszti
Member Author

koszti commented Dec 13, 2024

@wendigo I'm fixing conflicts and testing your commits. I can see you've moved @ResourceSecurity annotations to class level but that causes this exception:

Caused by: IllegalArgumentException: Trino resource is not annotated with @ResourceSecurity: public AuthInfo LoginPreviewResource.getAuthInfo(ContainerRequestContext,SecurityContext)

I've checked other resources and it seems like it's always annotated at the endpoint methods and not at the class level. One annotation for each. Should I modify related classes accordingly so it'd look like this below? Doing that, there is no exception:

@Path("")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public class LoginPreviewResource
{
...
    @GET
    @Path(UI_PREVIEW_AUTH_INFO)
    @ResourceSecurity(WEB_UI)
    public AuthInfo getAuthInfo(...)
...

    @POST
    @Path(UI_PREVIEW_LOGIN_FORM)
    @ResourceSecurity(WEB_UI)
    public Response login(...)
...

@wendigo
Contributor

wendigo commented Dec 13, 2024

@koszti according to the code it should work on the class-level as well

@koszti
Member Author

koszti commented Dec 13, 2024

> @koszti according to the code it should work on the class-level as well

io.trino.server.ui.PreviewUiQueryRunner isn’t starting with class-level annotations. I’ll try to investigate the cause.
I need a bit more time to resolve all conflicts and align everything with the master branch but will do it in the next couple of days.

@wendigo
Contributor

wendigo commented Dec 13, 2024

@koszti there is an invalid check in the ResourceAccessType. There should be a single verifyNotTrinoResource call there by the end of the method. Can you test with that change?

diff --git a/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java b/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
index 9fe79418b35..b71a2d0b9e0 100644
--- a/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
+++ b/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
@@ -49,7 +49,6 @@ public class ResourceAccessType
             // check if the resource class has an access type declared for all methods
             accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass());
             if (accessType.isPresent()) {
-                verifyNotTrinoResource(resourceInfo);
                 return accessType.get();
             }
             // in some cases there the resource is a nested class, so check the parent class
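Review bot: In the class-level branch (`if (accessType.isPresent())` right after `getAccessType(resourceInfo.getResourceClass())`), nothing in this patch pins the new behaviour with a test. The removed `verifyNotTrinoResource(resourceInfo)` call ran only when an access type had already been found on the class, which is consistent with the "not annotated with @ResourceSecurity" exception reported earlier in the thread for a class-level annotation. A test that resolves a resource annotated only at class level and asserts that the declared access type is returned would keep the check from creeping back into this branch. Since the remaining call at the end of the method is outside the lines shown here, a short comment at this branch saying that verification is deferred to that single call would also help the next reader.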
@@ -57,7 +56,6 @@ public class ResourceAccessType
             if (resourceInfo.getResourceClass().getDeclaringClass() != null) {
                 accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass().getDeclaringClass());
                 if (accessType.isPresent()) {
-                    verifyNotTrinoResource(resourceInfo);
                     return accessType.get();
                 }
             }
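Review bot: The nested-class branch (`resourceInfo.getResourceClass().getDeclaringClass() != null`) now returns the enclosing class's access type with no further check, so a nested resource silently inherits whatever the outer class declares. If that is intended, say so in the comment above the branch and cover it with a test that uses a nested resource under an annotated outer class. The context comment `in some cases there the resource is a nested class` also has a stray "there" that could be fixed while this block is being touched.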

@koszti
Member Author

koszti commented Dec 13, 2024

@wendigo yes, it does work after your changes, thanks! I'm going to continue the rest and will come back soon
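The lookup order discussed in this thread (class-level annotation, then enclosing class, with one reject at the end of the method), as an added example that is not Trino's code. `@Access`, `AccessType`, `resolve` and the sample classes are hypothetical stand-ins for `@ResourceSecurity` and `ResourceAccessType`, and checking the method annotation first is an assumption.

```java
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;
import java.lang.reflect.Method;
import java.util.Optional;

public class AccessLookupDemo
{
    enum AccessType { PUBLIC, WEB_UI }

    // Hypothetical stand-in for @ResourceSecurity (not Trino's annotation)
    @Retention(RetentionPolicy.RUNTIME)
    @Target({ElementType.TYPE, ElementType.METHOD})
    @interface Access { AccessType value(); }

    // Constructed sample resources, one per lookup path
    static class MethodLevel { @Access(AccessType.WEB_UI) public String info() { return "ok"; } }
    @Access(AccessType.WEB_UI) static class ClassLevel { public String info() { return "ok"; } }
    @Access(AccessType.PUBLIC) static class Outer { static class Nested { public String info() { return "ok"; } } }
    static class Unannotated { public String info() { return "ok"; } }

    static AccessType resolve(Method method)
    {
        Class<?> type = method.getDeclaringClass();
        Optional<Access> found = Optional.ofNullable(method.getAnnotation(Access.class)) // 1. method (assumed first)
                .or(() -> Optional.ofNullable(type.getAnnotation(Access.class)))          // 2. class
                .or(() -> Optional.ofNullable(type.getDeclaringClass())                   // 3. enclosing class
                        .map(outer -> outer.getAnnotation(Access.class)));
        // Single fail-closed check at the end: reject only when nothing was declared anywhere
        return found.map(Access::value)
                .orElseThrow(() -> new IllegalArgumentException("resource is not annotated: " + method));
    }

    public static void main(String[] args) throws Exception
    {
        Class<?>[] samples = {MethodLevel.class, ClassLevel.class, Outer.Nested.class, Unannotated.class};
        for (Class<?> sample : samples) {
            try {
                System.out.println(sample.getSimpleName() + " -> " + resolve(sample.getMethod("info")));
            }
            catch (IllegalArgumentException e) {
                System.out.println(sample.getSimpleName() + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Putting the reject inside the "annotation found" branches, as the pre-patch code did, would make `ClassLevel` and `Outer.Nested` fail even though they declare an access type; keeping it only at the end still rejects `Unannotated`.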

@koszti koszti force-pushed the webapp-preview-auth branch 4 times, most recently from a3f0d91 to 2ccf6ec Compare December 16, 2024 01:00
@koszti koszti changed the title Webapp Preview: Authentication Add authentication to the Preview Web UI Dec 16, 2024
@koszti koszti force-pushed the webapp-preview-auth branch from dd3d28b to 2ccf6ec Compare December 16, 2024 01:14
@koszti
Member Author

koszti commented Dec 16, 2024

@wendigo this is now ready.

@wendigo wendigo force-pushed the webapp-preview-auth branch from 2ccf6ec to 4d750ff Compare December 16, 2024 10:58
@wendigo
Copy link
Contributor

wendigo commented Dec 16, 2024

@koszti there were unrelated changes in 3 files which I removed and extracted one change to a separate commit.


github-actions bot commented Jan 6, 2025

This pull request has gone a while without any activity. Tagging for triage help: @mosabua

@github-actions github-actions bot added the stale label Jan 6, 2025
@wendigo wendigo force-pushed the webapp-preview-auth branch from 4d750ff to f921d83 Compare January 7, 2025 10:28
@github-actions github-actions bot removed the stale label Jan 7, 2025
@koszti
Member Author

koszti commented Jan 9, 2025

@wendigo is this ready to merge, or is there anything I can do to assist with it?

@wendigo
Contributor

wendigo commented Jan 9, 2025

@koszti I'll do a final pass and merge it :)

@wendigo wendigo merged commit 93f4963 into trinodb:master Jan 10, 2025
93 of 94 checks passed
@github-actions github-actions bot added this to the 469 milestone Jan 10, 2025
@mosabua
Member

mosabua commented Jan 10, 2025

So awesome @koszti and @wendigo !!!!

Labels
bigquery BigQuery connector cla-signed delta-lake Delta Lake connector docs hive Hive connector hudi Hudi connector iceberg Iceberg connector jdbc Relates to Trino JDBC driver mongodb MongoDB connector ui Web UI
4 participants