trinodb / trino-gateway

https://trinodb.github.io/trino-gateway/
Apache License 2.0

Unable to configure OAuth on Trino gateway #383

Open Nexengineer opened 2 weeks ago

Nexengineer commented 2 weeks ago

Hi,

I am trying to enable OAuth on the gateway running in a Docker container. I have created an app registration in Azure for the OAuth. Below is my config file:

# Routing Rules are ways by which a query can be sent to a specific $schema
# Resource group
# reference - https://github.com/trinodb/trino-gateway/blob/main/docs/routing-rules.md
routingRules:
  rulesEngineEnabled: false
  # rulesConfigPath: "./gw_rules.yml" ---> Rules path

requestRouter:
  ssl: true
  port: 8080
  name: trinoRouter
  historySize: 1000
  requestBufferSize: 8192
  keystorePath: /opt/trino/standard_trusts.jks
  keystorePass: "password"

dataStore:
  jdbcUrl: jdbc:postgresql://host.docker.internal:5431/trino_gateway_db
  user: trino_gateway_db_admin
  password: P0stG&es
  driver: org.postgresql.Driver
  queryHistoryHoursRetention: 24

backendState:
  username: lb_query
  password: secret

clusterStatsConfiguration:
  monitorType: INFO_API
  # monitorType: JDBC

server:
  applicationConnectors:
    - type: https
      port: 8090
      useForwardedHeaders: true
      keyStorePath: /opt/trino/standard_trusts.jks
      keyStorePassword: "password"
  adminConnectors:
    - type: https
      port: 8091
      useForwardedHeaders: true
      keyStorePath: /opt/trino/standard_trusts.jks
      keyStorePassword: "password"

modules:
  - io.trino.gateway.ha.module.HaGatewayProviderModule
  - io.trino.gateway.ha.module.ClusterStateListenerModule
  - io.trino.gateway.ha.module.ClusterStatsMonitorModule

managedApps:
  - io.trino.gateway.ha.GatewayManagedApp
  - io.trino.gateway.ha.clustermonitor.ActiveClusterMonitor

# Logging settings.
logging:
  type: external

authentication:
  defaultType: "oauth"
  oauth:
    issuer: "https://login.microsoftonline.com/<tenant_id>/v2.0"
    clientId: <client_id>
    clientSecret: <client_secret>
    tokenEndpoint: "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize"
    authorizationEndpoint: "https://login.microsoftonline.com/<tenant_id>/oauth2/v2.0/authorize"
    jwkEndpoint: "https://login.microsoftonline.com/<tenant_id>/discovery/v2.0/keys" # want to know more about this
    redirectUrl: "https://localhost:8080/oidc/callback"
    redirectWebUrl: "https://localhost:8080/oidc/callback"
    userIdField: "" # want to know more about this
    scopes:
      - https://<scope>/.default
      - openid

The Docker container is starting and is unhealthy. Looking at the logs, I am getting:

2024-06-12T07:21:08.217Z    INFO    main    io.trino.gateway.baseapp.BaseApp    op=register_start configuration=Configuration{server=DefaultServerFactory{applicationConnectors=[io.dropwizard.jetty.HttpsConnectorFactory@4a3be6a5], adminConnectors=[io.dropwizard.jetty.HttpsConnectorFactory@6b760460], adminMaxThreads=64, adminMinThreads=1, applicationContextPath='/', adminContextPath='/'}, logging=io.dropwizard.logging.common.ExternalLoggingFactory@1b005a0b, metrics=MetricsFactory{frequency=1 minute, reporters=[], reportOnStop=false}, admin=AdminFactory[healthChecks=HealthCheckConfiguration[servletEnabled= true, minThreads=1, maxThreads=4, workQueueSize=1], tasks=TaskConfiguration[printStackTraceOnError=false]], health=null}
2024-06-12T07:21:08.219Z    INFO    main    io.trino.gateway.baseapp.BaseApp    op=register type=auth filter item=class io.dropwizard.auth.AuthFilter
2024-06-12T07:21:08.226Z    INFO    main    io.trino.gateway.baseapp.BaseApp    op=register type=provider item=class io.trino.gateway.ha.security.AuthorizedExceptionMapper
2024-06-12T07:21:08.277Z    ERROR   main    io.trino.gateway.baseapp.BaseApp    Error loading managed app
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) [Guice/ErrorInCustomProvider]: IllegalStateException
  at HaGatewayProviderModule.provideGateway(HaGatewayProviderModule.java:216)
  at GatewayManagedApp.<init>(GatewayManagedApp.java:29)
      \_ for 1st parameter gateway
  while locating GatewayManagedApp

Learn more:
  https://github.com/google/guice/wiki/ERROR_IN_CUSTOM_PROVIDER

1 error

Need help enabling OAuth on the gateway APIs.
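
Added example, not part of the original post and not trino-gateway code: a small check that compares an `authentication.oauth` block with the identity provider's OIDC discovery metadata, which is where values such as the JWKS URL come from. It is independent of the startup exception in the log. The mapping from gateway keys to discovery fields is an assumption based on the key names, and the all-zero tenant id and both dictionaries are constructed sample data.

```python
"""Cross-check a gateway `authentication.oauth` block against OIDC discovery metadata."""
from urllib.parse import urlsplit

# Assumed mapping: gateway config key -> field of the provider's
# /.well-known/openid-configuration document (standard OIDC discovery names).
FIELD_MAP = {
    "issuer": "issuer",
    "authorizationEndpoint": "authorization_endpoint",
    "tokenEndpoint": "token_endpoint",
    "jwkEndpoint": "jwks_uri",
}


def check_oauth_block(oauth, discovery):
    """Return a list of findings; an empty list means the block is consistent."""
    findings = []
    seen = {}  # URL -> first config key that used it
    for key, meta in FIELD_MAP.items():
        value = oauth.get(key, "")
        if not value:
            findings.append(f"{key}: missing or empty")
            continue
        if urlsplit(value).scheme != "https":
            findings.append(f"{key}: not an https URL")
        if value.rstrip("/") != discovery[meta].rstrip("/"):
            findings.append(f"{key}: differs from discovery {meta}")
        if value in seen:
            findings.append(f"{key}: same URL as {seen[value]}")
        seen.setdefault(value, key)
    return findings


# Constructed sample data: an all-zero tenant id stands in for <tenant_id>.
BASE = "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000"
DISCOVERY = {
    "issuer": f"{BASE}/v2.0",
    "authorization_endpoint": f"{BASE}/oauth2/v2.0/authorize",
    "token_endpoint": f"{BASE}/oauth2/v2.0/token",
    "jwks_uri": f"{BASE}/discovery/v2.0/keys",
}
# Same endpoint layout as the config posted above.
POSTED = {
    "issuer": f"{BASE}/v2.0",
    "authorizationEndpoint": f"{BASE}/oauth2/v2.0/authorize",
    "tokenEndpoint": f"{BASE}/oauth2/v2.0/authorize",
    "jwkEndpoint": f"{BASE}/discovery/v2.0/keys",
}

if __name__ == "__main__":
    for line in check_oauth_block(POSTED, DISCOVERY):
        print(line)
```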

Nexengineer commented 1 week ago

Any updates on this?

oneonestar commented 1 week ago

The error message was trimmed, making it difficult to determine the cause. I think this is the same as #242.

Nexengineer commented 1 week ago

I am adding the whole log @oneonestar

2024-06-17T06:16:26.967Z    ERROR   main    io.trino.gateway.baseapp.BaseApp    Error loading managed app
com.google.inject.ProvisionException: Unable to provision, see the following errors:

1) [Guice/ErrorInCustomProvider]: IllegalStateException
  at HaGatewayProviderModule.provideGateway(HaGatewayProviderModule.java:216)
  at GatewayManagedApp.<init>(GatewayManagedApp.java:29)
      \_ for 1st parameter gateway
  while locating GatewayManagedApp

Learn more:
  https://github.com/google/guice/wiki/ERROR_IN_CUSTOM_PROVIDER

1 error

======================
Full classname legend:
======================
GatewayManagedApp:       "io.trino.gateway.ha.GatewayManagedApp"
HaGatewayProviderModule: "io.trino.gateway.ha.module.HaGatewayProviderModule"
========================
End of classname legend:
========================

    at com.google.inject.internal.InternalProvisionException.toProvisionException(InternalProvisionException.java:251)
    at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1151)
    at com.google.inject.internal.InjectorImpl.getInstance(InjectorImpl.java:1186)
    at io.trino.gateway.baseapp.BaseApp.lambda$addManagedApps$1(BaseApp.java:187)
    at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    at io.trino.gateway.baseapp.BaseApp.addManagedApps(BaseApp.java:182)
    at io.trino.gateway.baseapp.BaseApp.registerWithInjector(BaseApp.java:142)
    at io.trino.gateway.baseapp.BaseApp.configureGuice(BaseApp.java:134)
    at io.trino.gateway.baseapp.BaseApp.run(BaseApp.java:125)
    at io.trino.gateway.baseapp.BaseApp.run(BaseApp.java:66)
    at io.dropwizard.core.cli.EnvironmentCommand.run(EnvironmentCommand.java:66)
    at io.dropwizard.core.cli.ConfiguredCommand.run(ConfiguredCommand.java:98)
    at io.dropwizard.core.cli.Cli.run(Cli.java:78)
    at io.dropwizard.core.Application.run(Application.java:94)
    at io.trino.gateway.ha.HaGatewayLauncher.main(HaGatewayLauncher.java:49)
Caused by: java.lang.IllegalStateException
    at java.base/java.util.OptionalInt.orElseThrow(OptionalInt.java:273)
    at io.trino.gateway.ha.module.HaGatewayProviderModule.getApplicationPort(HaGatewayProviderModule.java:190)
    at io.trino.gateway.ha.module.HaGatewayProviderModule.getProxyHandler(HaGatewayProviderModule.java:171)
    at io.trino.gateway.ha.module.HaGatewayProviderModule.provideGateway(HaGatewayProviderModule.java:235)
    at io.trino.gateway.ha.module.HaGatewayProviderModule$$FastClassByGuice$$86152.GUICE$TRAMPOLINE(<generated>)
    at io.trino.gateway.ha.module.HaGatewayProviderModule$$FastClassByGuice$$86152.apply(<generated>)
    at com.google.inject.internal.ProviderMethod$FastClassProviderMethod.doProvision(ProviderMethod.java:260)
    at com.google.inject.internal.ProviderMethod.doProvision(ProviderMethod.java:171)
    at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.provision(InternalProviderInstanceBindingImpl.java:185)
    at com.google.inject.internal.InternalProviderInstanceBindingImpl$CyclicFactory.get(InternalProviderInstanceBindingImpl.java:162)
    at com.google.inject.internal.ProviderToInternalFactoryAdapter.get(ProviderToInternalFactoryAdapter.java:40)
    at com.google.inject.internal.SingletonScope$1.get(SingletonScope.java:169)
    at com.google.inject.internal.InternalFactoryToProviderAdapter.get(InternalFactoryToProviderAdapter.java:45)
    at com.google.inject.internal.SingleParameterInjector.inject(SingleParameterInjector.java:40)
    at com.google.inject.internal.SingleParameterInjector.getAll(SingleParameterInjector.java:60)
    at com.google.inject.internal.ConstructorInjector.provision(ConstructorInjector.java:113)
    at com.google.inject.internal.ConstructorInjector.construct(ConstructorInjector.java:91)
    at com.google.inject.internal.ConstructorBindingImpl$Factory.get(ConstructorBindingImpl.java:300)
    at com.google.inject.internal.InjectorImpl$1.get(InjectorImpl.java:1148)
    ... 13 more

2024-06-17T06:16:27.055Z    INFO    main    stdout  # WARNING: Unable to get Instrumentation. Dynamic Attach failed. You may add this JAR as -javaagent manually, or supply -Djdk.attach.allowAttachSelf

oneonestar commented 1 week ago

There is some large-scale refactoring ongoing. Please try #382 or wait for things to settle down a bit.