Demonstrate authentication using bearer token #704
Conversation
# Conflicts: # build.gradle.kts # dropwizard/service/src/main/resources/META-INF/services/io.dropwizard.logging.common.layout.DiscoverableLayoutFactory # polaris-server.yml # service/common/src/main/java/org/apache/polaris/service/context/PolarisContextResolver.java # tools/version/src/main/version/polaris-version.properties
…polaris-server.yml
# Conflicts: # polaris-server.yml
cgpoh
requested review from
adutra,
ashvina,
dimas-b,
eric-maynard,
jackye1995,
jbonofre,
vvcephei,
collado-mike,
snazy,
RussellSpitzer,
takidau,
flyrain and
ebyhr
as code owners
There was a problem hiding this comment.
Hi @cgpoh I'm not sure I understand the purpose of this PR, but you seem to be proposing a new realm context resolver that resolves the realm from a claim in the JWT token, rather than from an adhoc header.
While I'm not opposed to the idea, I think you PR contains some unrelated changes (the Postgres Eclipselink configuration). It would be better to clean that up. Thanks!
| .build(); | ||
| try { | ||
| DecodedJWT decodedJWT = verifier.verify(token); | ||
| String realm = decodedJWT.getClaim(ISS_PROPERTY_KEY).asString(); |
There was a problem hiding this comment.
I don't think you can assume that the iss claim will always contain the realm identifier. For example, Polaris itself sets the iss claim to polaris:
In fact, Polaris does not include the realm in the JWT tokens it generates.
So, I think this needs to be configurable.
There was a problem hiding this comment.
Thanks, I think I just need the verify method to check for valid token. Will remove the getClaim method
| String principalId = decodedJWT.getClaim(PRINCIPAL_PROPERTY_KEY).asString(); | ||
|
|
||
| parsedProperties.put(REALM_PROPERTY_KEY, realm); | ||
| parsedProperties.put(PRINCIPAL_PROPERTY_KEY, principalId); |
There was a problem hiding this comment.
Will remove these unused properties
| import org.slf4j.LoggerFactory; | ||
|
|
||
| @JsonTypeName("polaris") | ||
| public class PolarisContextResolver implements RealmContextResolver { |
There was a problem hiding this comment.
I would rather call this BearerTokenRealmContextResolver.
| @@ -44,4 +44,27 @@ | |||
| <property name="eclipselink.persistence-context.flush-mode" value="auto"/> | |||
| </properties> | |||
| </persistence-unit> | |||
| <persistence-unit name="polaris-postgresql" transaction-type="RESOURCE_LOCAL"> | |||
There was a problem hiding this comment.
This change seems unrelated.
There was a problem hiding this comment.
Thanks, will remove that.
polaris-server.yml
Outdated
There was a problem hiding this comment.
This also looks unrelated
There was a problem hiding this comment.
Thanks, will revert the changes
| .build(); | ||
| try { | ||
| DecodedJWT decodedJWT = verifier.verify(token); | ||
| String realm = decodedJWT.getClaim(ISS_PROPERTY_KEY).asString(); |
There was a problem hiding this comment.
Obtaining real from access tokens looks interesting, but would you mind showing an end-to-end use case, @cgpoh ?
One rough edge seems to be that in order to obtain a token from Polaris, the user must provide a realm, so the access token cannot be an exclusive source of realm information.
If you mean tokens provided by external IdP, that feature is yet not available in Polaris (unless I missed it) 🤔
There was a problem hiding this comment.
Thanks @dimas-b. For my use case, I followed the Security section in the configuring-polaris-for-production guide. I deployed Polaris in our Kubernetes POC environment and bootstrapped it using PostgreSQL, setting the environment variables
POLARIS_BOOTSTRAP_POLARIS_ROOT_CLIENT_ID and POLARIS_BOOTSTRAP_POLARIS_ROOT_CLIENT_SECRET.
In the subsection, I noticed Polaris lacks a service to resolve a realm from bearer tokens. To address this, I created the PolarisContextResolver class. With this implementation, we can now create Polaris RBAC and catalogs using the bearer token retrieved from api/catalog/v1/oauth/tokens.
There was a problem hiding this comment.
Thanks for the clarification, @cgpoh !
From my POV, I'd question the current text in the callContextResolver & realmIdResolver doc section, actually.
Like I said, getting realm ID from a token is interesting, but it works well only for Polaris own tokens. If a token is from an external IdP (a feature being discussed on the dev mailing list), validating the token may not be as trivial. I can imagine that validation may require some knowledge about the IdP, which would naturally be part of the "realm" definition.
I'd propose to alter the approach a bit and perhaps try to refactor authenticators to also be able to produce realm information. This way, IMHO, the runtime flow will be more coherent: 1) the authenticator receives a "raw" request; 2) the authenticator uses headers (including Bearer token) to make sure that the request is valid (authentic) possibly taking both the realm header and JWT into account; 3) the authenticator declares that the request is for a) some realm, b) some specific principal.
WDYT?
There was a problem hiding this comment.
For my POC demonstration, I aimed to use a real token instead of a sequence of key/value pairs, like those in TestInlineBearerTokenPolarisAuthenticator, which led to the creation of the BearerTokenRealmContextResolver class. With the new Quarkus update, it seems TestInlineBearerTokenPolarisAuthenticator is no longer in use, so I believe I can close this PR for now.
I’m intrigued by your approach and will take some time to study the implementation further. Hopefully, I can raise a new PR to address this in the future! 😊
| parsedProperties.put(REALM_PROPERTY_KEY, realm); | ||
| parsedProperties.put(PRINCIPAL_PROPERTY_KEY, principalId); | ||
| } catch (Throwable t) { | ||
| throw new JWTVerificationException(t.getMessage(), t); |
There was a problem hiding this comment.
I'm not sure we can assume that all bearer tokens are JWTs. When external IdP support is added, it will be quite possible that access tokens are opaque.
There was a problem hiding this comment.
I’m thinking JWT for a start and maybe add more support when Quarkus migration is done, what do you think?
Thanks @adutra . Apologies for not being clear about the purpose of this PR. I’ve provided an explanation here |
…ContextResolver to BearerTokenRealmContextResolver
| import org.slf4j.LoggerFactory; | ||
|
|
||
| @JsonTypeName("polaris") | ||
| public class BearerTokenRealmContextResolver implements RealmContextResolver { |
There was a problem hiding this comment.
FYI: RealmContextResolver has been renamed. Please rebase.
| JWTVerifier verifier = | ||
| JWT.require(Algorithm.HMAC256("polaris")) | ||
| .withIssuer(ISS_PROPERTY_DEFAULT_VALUE) | ||
| .build(); |
There was a problem hiding this comment.
This will never be usable in production if you hardcode the secret here. The default token broker signs the JWT with a secret that is defined in the configuration - could be anything. Is it expected that this resolver is only used for test cases? Or is it intended to work in conjunction with the JWTBroker-generated tokens in prod?
There was a problem hiding this comment.
Agree. For now, is more of a POC. I intend to define a secret in a configuration without hardcoding when working with the JWTBroker in prod.
Add
PolarisContextResolverto demonstrate authentication using bearer token instead of the default custom bearer-token formatprincipal:data-engineer;password:test;realm:acct123