Open oneonestar opened 4 months ago
In trino-proxy, we handled this by creating a JWT bearer token using the certificate principal. trino-proxy is configured with a key to generate the JWT that is trusted by the Trino coordinator. In other words, we convert the TLS certificate into a bearer token.

Another potential option is to support the Client-Certificate header from RFC 9440. This would require support in Trino. It's similar to the standard Forwarded header in that it requires opt-in configuration to be trusted, as we do with the http-server.process-forwarded config.
@electrum for the RFC 9440 do we need to touch jetty at all? We have access to the headers in the public Identity authenticate(ContainerRequestContext request), so we can get the cert chain there.
> for the RFC 9440 do we need to touch jetty at all?

No. ContainerRequestContext is enough.
I think the flow would be:

1. Client-Certificate header to Trino, along with a JWT to prove it is from the gateway
2. Client-Certificate header and pass it to CertificateAuthenticator
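An added example (not code from trino-gateway, trino-proxy or Trino) of the flow sketched above combined with the trino-proxy approach: the gateway mints an HS256 JWT carrying the certificate principal and forwards the certificate in the header that RFC 9440 defines as Client-Cert (a structured-field byte sequence, base64 wrapped in colons), and the coordinator side accepts that header only when the JWT verifies. The shared key, the issuer string and all function names are assumptions.

```python
# Added example, not code from trino-gateway, trino-proxy or Trino. The gateway mints a
# short-lived HS256 JWT for the TLS-authenticated principal and forwards the DER cert as an
# RFC 9440 Client-Cert header; the coordinator accepts the header only if that JWT verifies.
import base64, hashlib, hmac, json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_jwt(principal: str, key: bytes, now: int, ttl: int = 60) -> str:
    """Gateway side: HS256 token whose subject is the certificate principal."""
    header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
    claims = _b64url(json.dumps({"sub": principal, "iss": "trino-gateway", "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{_b64url(sig)}"

def verify_jwt(token: str, key: bytes, now: int):
    """Coordinator side: pin alg, compare the MAC in constant time, check iss and exp."""
    try:
        h, c, s = token.split(".")
        if json.loads(_unb64url(h)).get("alg") != "HS256":
            return None  # the token's own alg field is never trusted
        expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(s)):
            return None
        claims = json.loads(_unb64url(c))
        if claims.get("iss") != "trino-gateway" or claims.get("exp", 0) <= now:
            return None
        return claims
    except (ValueError, AttributeError, TypeError):  # malformed token
        return None

def gateway_headers(principal: str, cert_der: bytes, key: bytes, now: int) -> dict:
    """Headers the gateway forwards: sf-binary Client-Cert plus the proof JWT."""
    return {"Client-Cert": ":" + base64.b64encode(cert_der).decode() + ":",
            "Authorization": "Bearer " + mint_jwt(principal, key, now)}

def forwarded_certificate(headers: dict, key: bytes, now: int):
    """DER certificate to hand to a certificate authenticator, or None if untrusted."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer ") or verify_jwt(auth[7:], key, now) is None:
        return None  # no proof that this request came through the gateway
    cert = headers.get("Client-Cert", "")
    if len(cert) < 2 or cert[0] != ":" or cert[-1] != ":":
        return None  # RFC 9440 sf-binary is base64 wrapped in colons
    try:
        return base64.b64decode(cert[1:-1], validate=True)
    except ValueError:
        return None
```

The proof JWT is what makes the opt-in trust explicit: without it, a Client-Cert header arriving at the coordinator from anywhere other than the gateway is ignored.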
(Feature request) Trino Gateway currently doesn't work if the backend Trino is using certificate authentication.
There are a few ways that I could think of to solve this issue. Discussion is needed before moving to implementation.
Looking at the dev sync's meeting notes, method 1 seems a reasonable choice.
Support Certificate Authentication in Trino Gateway (draft)