trinodb / trino

Official repository of Trino, the distributed SQL query engine for big data, formerly known as PrestoSQL (https://trino.io)
Apache License 2.0

oauth2 and trino cannot impersonate user XXX of Keycloak #20289

Open deebify opened 6 months ago

deebify commented 6 months ago

When configuring Trino to use Keycloak for authentication, it used the ID of the Keycloak user instead of a username.

In my case, Keycloak User ID is "327a2b89-7124-4b71-85d1-c185f9ea1f32"

Screenshot from 2024-01-07 10-25-43

(base) ╭─deeb@DEEB ~ 
╰─$ ./Downloads/trino-cli-435-executable.jar --server https://trino.data.io:8443 --external-authentication --keystore-path=trino-server-435/etc/server.p12 --keystore-password=XXXX --user yassine@data.io
trino> show catalogs;
Query 20240107_082246_00046_p5f9x failed: Access Denied: User 327a2b89-7124-4b71-85d1-c185f9ea1f32 cannot impersonate user yassine@data.io

or

(base) ╭─deeb@DEEB ~ 
╰─$ ./Downloads/trino-cli-435-executable.jar --server https://trino.data.io:8443 --external-authentication --keystore-path=trino-server-435/etc/server.p12 --keystore-password=XXXX --user yassine       
trino> show catalogs;
Query 20240107_082721_00047_p5f9x failed: Access Denied: User 327a2b89-7124-4b71-85d1-c185f9ea1f32 cannot impersonate user yassine

Username or email does not work, only the ID of the user, and I must use the --user option even though it's external authentication.

When I used the ID of the Keycloak user it worked!

(base) ╭─deeb@DEEB ~ 
╰─$ ./Downloads/trino-cli-435-executable.jar --server https://trino.data.io:8443 --external-authentication --keystore-path=trino-server-435/etc/server.p12 --keystore-password=XXXX --user 327a2b89-7124-4b71-85d1-c185f9ea1f32
trino> 
trino> 
trino> show catalogs;
 Catalog 
---------
 jmx     
 system  
(2 rows)

Query 20240107_081849_00029_p5f9x, FINISHED, 1 node
Splits: 11 total, 11 done (100.00%)
0.92 [0 rows, 0B] [0 rows/s, 0B/s]

Trino config.properties:

coordinator=true
node-scheduler.include-coordinator=true
internal-communication.https.required=true
http-server.http.port=8585
discovery.uri=http://tirno.data.io:8585
internal-communication.shared-secret=XXXXXXXX
http-server.authentication.type=oauth2
http-server.https.port=8443
http-server.https.enabled=true
http-server.http.enabled = true
http-server.authentication.oauth2.refresh-tokens=true
http-server.authentication.oauth2.issuer=http://keycloak.data.io:9090/realms/dataio
http-server.authentication.oauth2.client-id=trino
http-server.authentication.oauth2.client-secret=XXXXXXXXXXXXX

lukasz-walkiewicz commented 6 months ago

When a different user is provided in the OAuth2 token claim (most probably sub in this case) and via the --user option, impersonation takes place. The engine checks whether user 327a2b89-7124-4b71-85d1-c185f9ea1f32 can impersonate yassine@data.io, and in this case access control says they can't. There are a couple of possible solutions:
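As an added illustration (not code from this thread or from Trino itself), the Python below models the check described in the comment above: the principal is taken from a token claim (sub by default; Trino's http-server.authentication.oauth2.principal-field setting selects another claim), and a --user that differs from that principal is only accepted if a first-match impersonation rule, in the shape of Trino's file-based access control rules, allows it. The claims, the rule list and the resolve_session_user helper are constructed for this example.

```python
import re

# Constructed Keycloak-style claims using the values from the issue.
# Not a real token; signature and expiry checks are out of scope here.
TOKEN_CLAIMS = {
    "sub": "327a2b89-7124-4b71-85d1-c185f9ea1f32",
    "preferred_username": "yassine",
    "email": "yassine@data.io",
}

# Constructed impersonation rules shaped like the "impersonation" section of
# Trino's file-based access control (regex fields, first match wins, no match
# means denied). The only grant here is for a service account.
IMPERSONATION_RULES = [
    {"original_user": "svc-bi", "new_user": "svc-bi-.*", "allow": True},
]


def principal_from_token(claims, principal_field="sub"):
    """Pick the Trino principal from the token; the default field is 'sub'."""
    value = claims.get(principal_field)
    if not value:
        raise ValueError(f"token has no '{principal_field}' claim")
    return value


def can_impersonate(original_user, new_user, rules):
    """First matching rule decides; an absent rule is an explicit denial."""
    for rule in rules:
        if re.fullmatch(rule["original_user"], original_user) and re.fullmatch(
            rule["new_user"], new_user
        ):
            return bool(rule.get("allow", True))
    return False


def resolve_session_user(claims, cli_user=None, principal_field="sub",
                         rules=IMPERSONATION_RULES):
    """Return (session_user, impersonated); raise PermissionError on denial.

    Models the engine behaviour from the comment: when --user equals the
    principal no impersonation is involved, otherwise access control is asked.
    """
    principal = principal_from_token(claims, principal_field)
    if cli_user is None or cli_user == principal:
        return principal, False
    if not can_impersonate(principal, cli_user, rules):
        raise PermissionError(
            f"Access Denied: User {principal} cannot impersonate user {cli_user}")
    return cli_user, True
```

With the default principal field, passing --user yassine@data.io reproduces the denial from the issue, while selecting preferred_username as the principal field makes --user yassine match the principal and no impersonation check is needed.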