Open JustinR5 opened 5 months ago
Trino only currently supports the authorization code flow, so you'll need to switch to JDBC health checks and set up a separate authn mechanism for the gateway service user.
For example, you can set http-server-authorization.types = OAUTH2, PASSWORD and set up the password database with a service user for the Gateway. The gateway only needs access to the system.runtime schema for health checks so you can restrict its access to everything else.
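Added example (not from the thread or from the Trino Gateway project): a Trino file-based access control rules file that limits a gateway health-check user to read-only access on `system.runtime`, the restriction the comment above describes. It assumes file-based access control is enabled on the cluster (`access-control.name=file` with `security.config-file` pointing at this file); the user name `gateway-healthcheck` is a constructed placeholder, and the trailing catch-all rules that leave every other user unrestricted are an assumption to replace with your own policy.

```json
{
  "catalogs": [
    { "user": "gateway-healthcheck", "catalog": "system", "allow": "read-only" },
    { "user": "gateway-healthcheck", "allow": "none" },
    { "allow": "all" }
  ],
  "tables": [
    {
      "user": "gateway-healthcheck",
      "catalog": "system",
      "schema": "runtime",
      "privileges": ["SELECT"]
    },
    { "user": "gateway-healthcheck", "privileges": [] },
    { "privileges": ["SELECT", "INSERT", "DELETE", "UPDATE", "OWNERSHIP"] }
  ]
}
```

Rules are evaluated top to bottom and the first match wins, so the gateway-specific entries must stay above the catch-all in each section.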
if the auth is oauth2 then useApi has to be set to false, since oauth2 flow doesn't support /ui/api/stats

    clusterStatsConfiguration:
      useApi: false
The issue with JDBC is that internal Trino clusters might not have TLS enabled (for various reasons), while it is a strict requirement for the JDBC client.
TLS is not required for JDBC connections
I think this is resolved by #264
Yeah .. good call @oneonestar .. please test and confirm once the new 7 release is out @JustinR5
Whenever Trino gateway runs a health check with the trino backend clusters, it returns an 'Unauthorized to fetch cluster stats' error and sets the status of the cluster to 'false'. When changing trino authentication to 'form' from 'oauth2' the health check works.