Implement support for JWT-based authentication in the Trino Gateway.

Author: ashekh1

gateway-ha/pom.xml

@@ -131,6 +131,11 @@
             <artifactId>concurrent</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.airlift</groupId>
+            <artifactId>configuration</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>io.airlift</groupId>
             <artifactId>http-client</artifactId>

gateway-ha/src/main/java/io/trino/gateway/ha/config/AuthenticationConfiguration.java

@@ -18,12 +18,14 @@ public class AuthenticationConfiguration
     private String defaultType;
     private OAuthConfiguration oauth;
     private FormAuthConfiguration form;
+    private JwtConfiguration jwt;
 
-    public AuthenticationConfiguration(String defaultType, OAuthConfiguration oauth, FormAuthConfiguration form)
+    public AuthenticationConfiguration(String defaultType, OAuthConfiguration oauth, FormAuthConfiguration form, JwtConfiguration jwt)
     {
         this.defaultType = defaultType;
         this.oauth = oauth;
         this.form = form;
+        this.jwt = jwt;
     }
 
     public AuthenticationConfiguration() {}
@@ -57,4 +59,14 @@ public void setForm(FormAuthConfiguration form)
     {
         this.form = form;
     }
+
+    public JwtConfiguration getJwt()
+    {
+        return this.jwt;
+    }
+
+    public void setJwt(JwtConfiguration jwt)
+    {
+        this.jwt = jwt;
+    }
 }

gateway-ha/src/main/java/io/trino/gateway/ha/config/JwtConfiguration.java

@@ -0,0 +1,91 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.gateway.ha.config;
+
+import io.airlift.configuration.validation.FileExists;
+
+import java.io.File;
+import java.util.Optional;
+
+public class JwtConfiguration
+{
+    private String keyFile;
+    private String requiredIssuer;
+    private String requiredAudience;
+    private String principalField = "sub";
+    private Optional<String> userMappingPattern = Optional.empty();
+    private Optional<File> userMappingFile = Optional.empty();
+
+    public JwtConfiguration() {}
+
+    public String getKeyFile()
+    {
+        return this.keyFile;
+    }
+
+    public void setKeyFile(String keyFile)
+    {
+        this.keyFile = keyFile;
+    }
+
+    public String getRequiredIssuer()
+    {
+        return this.requiredIssuer;
+    }
+
+    public void setRequiredIssuer(String requiredIssuer)
+    {
+        this.requiredIssuer = requiredIssuer;
+    }
+
+    public String getRequiredAudience()
+    {
+        return this.requiredAudience;
+    }
+
+    public void setRequiredAudience(String requiredAudience)
+    {
+        this.requiredAudience = requiredAudience;
+    }
+
+    public String getPrincipalField()
+    {
+        return this.principalField;
+    }
+
+    public void setPrincipalField(String principalField)
+    {
+        this.principalField = principalField;
+    }
+
+    public Optional<String> getUserMappingPattern()
+    {
+        return this.userMappingPattern;
+    }
+
+    public void setUserMappingPattern(String userMappingPattern)
+    {
+        this.userMappingPattern = Optional.ofNullable(userMappingPattern);
+    }
+
+    public Optional<@FileExists File> getUserMappingFile()
+    {
+        return this.userMappingFile;
+    }
+
+    public void setUserMappingFile(File userMappingFile)
+    {
+        this.userMappingFile = Optional.ofNullable(userMappingFile);
+    }
+}

gateway-ha/src/main/java/io/trino/gateway/ha/module/HaGatewayProviderModule.java

@@ -60,6 +60,8 @@
 import io.trino.gateway.ha.security.LbAuthorizer;
 import io.trino.gateway.ha.security.LbFilter;
 import io.trino.gateway.ha.security.LbFormAuthManager;
+import io.trino.gateway.ha.security.LbJwtAuthenticator;
+import io.trino.gateway.ha.security.LbJwtManager;
 import io.trino.gateway.ha.security.LbOAuthManager;
 import io.trino.gateway.ha.security.LbUnauthorizedHandler;
 import io.trino.gateway.ha.security.NoopAuthorizer;
@@ -83,6 +85,7 @@ public class HaGatewayProviderModule
 {
     private final LbOAuthManager oauthManager;
     private final LbFormAuthManager formAuthManager;
+    private final LbJwtManager jwtManager;
     private final AuthorizationManager authorizationManager;
     private final ResourceSecurityDynamicFeature resourceSecurityDynamicFeature;
     private final HaGatewayConfiguration configuration;
@@ -110,6 +113,7 @@ public HaGatewayProviderModule(HaGatewayConfiguration configuration)
 
         oauthManager = getOAuthManager(configuration);
         formAuthManager = getFormAuthManager(configuration);
+        jwtManager = getJwtManager(configuration);
 
         authorizationManager = new AuthorizationManager(configuration.getAuthorization(), presetUsers);
         resourceSecurityDynamicFeature = getAuthFilter(configuration);
@@ -146,6 +150,15 @@ private LbFormAuthManager getFormAuthManager(HaGatewayConfiguration configuratio
         return null;
     }
 
+    private LbJwtManager getJwtManager(HaGatewayConfiguration configuration)
+    {
+        AuthenticationConfiguration authenticationConfiguration = configuration.getAuthentication();
+        if (authenticationConfiguration != null && authenticationConfiguration.getJwt() != null) {
+            return new LbJwtManager(authenticationConfiguration.getJwt(), configuration.getPagePermissions());
+        }
+        return null;
+    }
+
     private ChainedAuthFilter getAuthenticationFilters(AuthenticationConfiguration config, Authorizer authorizer)
     {
         ImmutableList.Builder<ContainerRequestFilter> authFilters = ImmutableList.builder();
@@ -171,6 +184,14 @@ private ChainedAuthFilter getAuthenticationFilters(AuthenticationConfiguration c
                     new LbUnauthorizedHandler(defaultType)));
         }
 
+        if (jwtManager != null) {
+            authFilters.add(new LbFilter(
+                    new LbJwtAuthenticator(jwtManager, authorizationManager),
+                    authorizer,
+                    "Bearer",
+                    new LbUnauthorizedHandler(defaultType)));
+        }
+
         return new ChainedAuthFilter(authFilters.build());
     }
 
@@ -203,6 +224,13 @@ public LbFormAuthManager getFormAuthentication()
         return this.formAuthManager;
     }
 
+    @Provides
+    @Singleton
+    public LbJwtManager getJwtAuthentication()
+    {
+        return this.jwtManager;
+    }
+
     @Provides
     @Singleton
     public AuthorizationManager getAuthorizationManager()

gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java

@@ -19,6 +19,7 @@
 import io.trino.gateway.ha.domain.Result;
 import io.trino.gateway.ha.domain.request.RestLoginRequest;
 import io.trino.gateway.ha.security.LbFormAuthManager;
+import io.trino.gateway.ha.security.LbJwtManager;
 import io.trino.gateway.ha.security.LbOAuthManager;
 import io.trino.gateway.ha.security.LbPrincipal;
 import io.trino.gateway.ha.security.OidcCookie;
@@ -34,6 +35,7 @@
 import jakarta.ws.rs.WebApplicationException;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.Cookie;
+import jakarta.ws.rs.core.HttpHeaders;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.SecurityContext;
@@ -56,12 +58,14 @@ public class LoginResource
 
     private final LbOAuthManager oauthManager;
     private final LbFormAuthManager formAuthManager;
+    private final LbJwtManager jwtManager;
 
     @Inject
-    public LoginResource(@Nullable LbOAuthManager oauthManager, @Nullable LbFormAuthManager formAuthManager)
+    public LoginResource(@Nullable LbOAuthManager oauthManager, @Nullable LbFormAuthManager formAuthManager, @Nullable LbJwtManager jwtManager)
     {
         this.oauthManager = oauthManager;
         this.formAuthManager = formAuthManager;
+        this.jwtManager = jwtManager;
     }
 
     @GET
@@ -174,7 +178,11 @@ else if (oauthManager != null) {
     public Response loginType()
     {
         String loginType;
-        if (formAuthManager != null) {
+        // Check for JWT authentication first (highest priority)
+        if (jwtManager != null) {
+            loginType = "jwt";
+        }
+        else if (formAuthManager != null) {
             loginType = "form";
         }
         else if (oauthManager != null) {
@@ -185,4 +193,18 @@ else if (oauthManager != null) {
         }
         return Response.ok(Result.ok("Ok", loginType)).build();
     }
+
+    @POST
+    @Path("token")
+    @Consumes(MediaType.APPLICATION_JSON)
+    @Produces(MediaType.APPLICATION_JSON)
+    public Response token(@Context HttpHeaders headers)
+    {
+        String authHeaderVal = headers.getHeaderString(HttpHeaders.AUTHORIZATION);
+        String bearerToken = null;
+        if (authHeaderVal != null && authHeaderVal.startsWith("Bearer ")) {
+            bearerToken = authHeaderVal.substring("Bearer ".length());
+        }
+        return Response.ok(Result.ok("Ok", bearerToken)).build();
+    }
 }

gateway-ha/src/main/java/io/trino/gateway/ha/security/LbJwtAuthenticator.java

@@ -0,0 +1,80 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.gateway.ha.security;
+
+import com.auth0.jwt.interfaces.Claim;
+import io.airlift.log.Logger;
+import io.trino.gateway.ha.security.util.AuthenticationException;
+import io.trino.gateway.ha.security.util.IdTokenAuthenticator;
+
+import java.util.Map;
+import java.util.Optional;
+
+import static io.trino.gateway.ha.security.UserMapping.createUserMapping;
+
+public class LbJwtAuthenticator
+        implements IdTokenAuthenticator
+{
+    private static final Logger log = Logger.get(LbJwtAuthenticator.class);
+
+    private final LbJwtManager jwtManager;
+    private final AuthorizationManager authorizationManager;
+    private final UserMapping userMapping;
+
+    public LbJwtAuthenticator(LbJwtManager jwtManager,
+            AuthorizationManager authorizationManager)
+    {
+        this.jwtManager = jwtManager;
+        this.authorizationManager = authorizationManager;
+        this.userMapping = createUserMapping(jwtManager.getUserMappingPattern(), jwtManager.getUserMappingFile());
+    }
+
+    /**
+     * If the JWT token is valid and has the right claims, it returns the principal,
+     * otherwise is returns an empty optional.
+     *
+     * @param token JWT token
+     * @return an optional principal
+     */
+    @Override
+    public Optional<LbPrincipal> authenticate(String token)
+            throws AuthenticationException
+    {
+        Optional<Map<String, Claim>> claimsOptional = jwtManager.getClaimsFromToken(token);
+        if (claimsOptional.isEmpty()) {
+            log.error("JWT token verification failed");
+            throw new AuthenticationException("JWT token verification failed");
+        }
+
+        Map<String, Claim> claims = claimsOptional.orElseThrow();
+
+        String principalField = jwtManager.getPrincipalField();
+        if (!claims.containsKey(principalField)) {
+            log.error("Required principal field %s not found in JWT token", principalField);
+            throw new AuthenticationException("Principal field does not exist in JWT token");
+        }
+
+        String originalUserId = claims.get(principalField).asString();
+        // Apply user mapping to transform the username if configured
+        String mappedUserId = userMapping.mapUser(originalUserId);
+        if (log.isDebugEnabled()) {
+            log.debug("JWT principal mapping: %s -> %s", originalUserId, mappedUserId);
+        }
+
+        // Get privileges from the authorization manager
+        Optional<String> privileges = authorizationManager.getPrivileges(mappedUserId);
+
+        return Optional.of(new LbPrincipal(mappedUserId, privileges));
+    }
+}