Implement support for JWT-based authentication in the Trino Gateway.

docs/security.md

@@ -123,6 +123,59 @@ authentication:
       publicKeyRsa: <public_key_path>
 ```
 
+### JWT authentication
+
+JWT (JSON Web Token) authentication enables access to Trino Gateway
+without interactive login. This is useful for integration with external identity providers.
+
+JWT authentication supports three key sources:
+
+- **RSA public key file**: A PEM-encoded RSA public key file
+- **HMAC secret file**: A file containing the HMAC secret
+- **JWKS URL**: A URL to a JSON Web Key Set (for dynamic key retrieval)
+
+```yaml
+authentication:
+  defaultType: "jwt" # Using JWT authentication
+  jwt:
+    # Key file can be:
+    # - Path to RSA public key PEM file
+    # - Path to HMAC secret file
+    # - JWKS URL (e.g., https://idp.example.com/.well-known/jwks.json)
+    keyFile: "/etc/trino-gateway/jwt-public-key.pem"
+
+    # Required issuer - tokens must have this issuer claim
+    requiredIssuer: "https://idp.example.com"
+
+    # Required audience - tokens must have this audience claim
+    requiredAudience: "trino-gateway"
+
+    # JWT claim field containing the principal/username (default: "sub")
+    principalField: "sub"
+
+    # User mapping (optional) - transform the principal to a different username
+    # Use either userMappingPattern OR userMappingFile, not both
+    userMappingPattern: "(.*)@example\\.com"  # Extracts username before @
+    # userMappingFile: "/etc/trino-gateway/user-mapping.json"
+```
+
+**Example with JWKS URL:**
+
+```yaml
+authentication:
+  jwt:
+    keyFile: "https://login.microsoftonline.com/tenant-id/discovery/v2.0/keys"
+    requiredIssuer: "https://login.microsoftonline.com/tenant-id/v2.0"
+    requiredAudience: "api://trino-gateway"
+    principalField: "preferred_username"
+    userMappingPattern: "(.*)@company\\.com"
+```
+
+When using JWT authentication, clients include the token in the Authorization header:
+
+```
+Authorization: Bearer <jwt-token>
+```
 
 ## Authorization
 
@@ -172,6 +225,160 @@ The LDAP config file should have the following contents:
   poolTestOnBorrow: true
 ```
 
+## User mapping
+
+User mapping transforms the authenticated user identity before it is used for
+authorization decisions. This is useful for:
+
+- Extracting usernames from email addresses (e.g., `[email protected]` → `john.doe`)
+- Normalizing usernames to a specific case
+- Denying access to specific users or patterns
+- Mapping external identity provider names to internal usernames
+
+### How user mapping works
+
+1. **Input**: The principal extracted from the authentication source
+   - For JWT: The value of the claim specified by `principalField` (default: `sub`)
+   - For OAuth: The value of `userIdField` claim
+   - For Form/LDAP: The authenticated username
+
+2. **Transformation**: The principal is matched against user mapping rules
+   - Rules are evaluated in order until a match is found
+   - Each rule contains a regex pattern and optional transformation
+   - If no rule matches, authentication fails
+
+3. **Output**: The mapped username used for authorization
+   - The mapped user is checked against the authorization manager
+   - Privileges (admin, user, api) are determined based on the mapped identity
+
+### Configuration options
+
+User mapping can be configured in two ways:
+
+**Simple pattern (inline regex):**
+
+```yaml
+authentication:
+  jwt:
+    keyFile: "/etc/trino-gateway/jwt-public-key.pem"
+    principalField: "email"
+    userMappingPattern: "(.*)@company\\.com"
+```
+
+This pattern extracts the first capture group as the username. For example,
+`[email protected]` becomes `alice`.
+
+**Rules file (advanced):**
+
+```yaml
+authentication:
+  jwt:
+    keyFile: "/etc/trino-gateway/jwt-public-key.pem"
+    principalField: "sub"
+    userMappingFile: "/etc/trino-gateway/user-mapping.json"
+```
+
+### User mapping rules file format
+
+The rules file is a JSON file with an array of rules:
+
+```json
+{
+  "rules": [
+    {
+      "pattern": "(.*)@banned-domain\\.com",
+      "allow": false
+    },
+    {
+      "pattern": "admin@company\\.com",
+      "user": "super-admin"
+    },
+    {
+      "pattern": "(.*)@company\\.com",
+      "user": "$1",
+      "case": "LOWER"
+    },
+    {
+      "pattern": "(.*)",
+      "user": "$1"
+    }
+  ]
+}
+```
+
+**Rule properties:**
+
+| Property  | Required | Default | Description |
+|-----------|----------|---------|-------------|
+| `pattern` | Yes      | -       | Regex pattern to match against the principal |
+| `user`    | No       | `$1`    | Replacement string (supports regex capture groups) |
+| `allow`   | No       | `true`  | Set to `false` to deny matching principals |
+| `case`    | No       | `KEEP`  | Case transformation: `KEEP`, `LOWER`, or `UPPER` |
+
+**How rules are evaluated:**
+
+1. Rules are evaluated in order from first to last
+2. The first matching rule determines the result
+3. If `allow` is `false`, authentication fails with "Principal is not allowed"
+4. If `allow` is `true` (default), the `user` replacement is applied
+5. Capture groups from the pattern can be referenced in `user` (e.g., `$1`, `$2`)
+6. If no rule matches, authentication fails
+
+### User mapping examples
+
+**Example 1: Strip email domain**
+
+Pattern: `(.*)@.*`
+
+| Input | Output |
+|-------|--------|
+| `[email protected]` | `alice` |
+| `[email protected]` | `bob` |
+
+**Example 2: Allow only specific domain and lowercase**
+
+Rules file:
+```json
+{
+  "rules": [
+    {
+      "pattern": "(.*)@company\\.com",
+      "user": "$1",
+      "case": "LOWER"
+    }
+  ]
+}
+```
+
+| Input | Output |
+|-------|--------|
+| `[email protected]` | `alice` |
+| `[email protected]` | No match (domain is case-sensitive) |
+| `[email protected]` | No match (authentication fails) |
+
+**Example 3: Deny specific users**
+
+Rules file:
+```json
+{
+  "rules": [
+    {
+      "pattern": "service-account-blocked",
+      "allow": false
+    },
+    {
+      "pattern": "(.*)",
+      "user": "$1"
+    }
+  ]
+}
+```
+
+| Input | Output |
+|-------|--------|
+| `service-account-blocked` | Denied |
+| `alice` | `alice` |
+
 ## Web page permissions
 
 By default, all pages are accessible to all roles.

gateway-ha/pom.xml

@@ -131,6 +131,11 @@
             <artifactId>concurrent</artifactId>
         </dependency>
 
+        <dependency>
+            <groupId>io.airlift</groupId>
+            <artifactId>configuration</artifactId>
+        </dependency>
+
         <dependency>
             <groupId>io.airlift</groupId>
             <artifactId>http-client</artifactId>

gateway-ha/src/main/java/io/trino/gateway/ha/config/AuthenticationConfiguration.java

@@ -18,12 +18,14 @@ public class AuthenticationConfiguration
     private String defaultType;
     private OAuthConfiguration oauth;
     private FormAuthConfiguration form;
+    private JwtConfiguration jwt;
 
-    public AuthenticationConfiguration(String defaultType, OAuthConfiguration oauth, FormAuthConfiguration form)
+    public AuthenticationConfiguration(String defaultType, OAuthConfiguration oauth, FormAuthConfiguration form, JwtConfiguration jwt)
     {
         this.defaultType = defaultType;
         this.oauth = oauth;
         this.form = form;
+        this.jwt = jwt;
     }
 
     public AuthenticationConfiguration() {}
@@ -57,4 +59,14 @@ public void setForm(FormAuthConfiguration form)
     {
         this.form = form;
     }
+
+    public JwtConfiguration getJwt()
+    {
+        return this.jwt;
+    }
+
+    public void setJwt(JwtConfiguration jwt)
+    {
+        this.jwt = jwt;
+    }
 }

gateway-ha/src/main/java/io/trino/gateway/ha/config/JwtConfiguration.java

@@ -0,0 +1,91 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.gateway.ha.config;
+
+import io.airlift.configuration.validation.FileExists;
+
+import java.io.File;
+import java.util.Optional;
+
+public class JwtConfiguration
+{
+    private String keyFile;
+    private String requiredIssuer;
+    private String requiredAudience;
+    private String principalField = "sub";
+    private Optional<String> userMappingPattern = Optional.empty();
+    private Optional<File> userMappingFile = Optional.empty();
+
+    public JwtConfiguration() {}
+
+    public String getKeyFile()
+    {
+        return this.keyFile;
+    }
+
+    public void setKeyFile(String keyFile)
+    {
+        this.keyFile = keyFile;
+    }
+
+    public String getRequiredIssuer()
+    {
+        return this.requiredIssuer;
+    }
+
+    public void setRequiredIssuer(String requiredIssuer)
+    {
+        this.requiredIssuer = requiredIssuer;
+    }
+
+    public String getRequiredAudience()
+    {
+        return this.requiredAudience;
+    }
+
+    public void setRequiredAudience(String requiredAudience)
+    {
+        this.requiredAudience = requiredAudience;
+    }
+
+    public String getPrincipalField()
+    {
+        return this.principalField;
+    }
+
+    public void setPrincipalField(String principalField)
+    {
+        this.principalField = principalField;
+    }
+
+    public Optional<String> getUserMappingPattern()
+    {
+        return this.userMappingPattern;
+    }
+
+    public void setUserMappingPattern(String userMappingPattern)
+    {
+        this.userMappingPattern = Optional.ofNullable(userMappingPattern);
+    }
+
+    public Optional<@FileExists File> getUserMappingFile()
+    {
+        return this.userMappingFile;
+    }
+
+    public void setUserMappingFile(File userMappingFile)
+    {
+        this.userMappingFile = Optional.ofNullable(userMappingFile);
+    }
+}