Open deebify opened 6 months ago
When providing a different user in OAuth2 token claim (most probably `sub` in this case) and via `--user` option there is an impersonation taking place. The engine checks whether a user `327a2b89-7124-4b71-85d1-c185f9ea1f32` can impersonate `yassine@data.io` and in this case access control says they can't. There are a couple of possible solutions:

- `allow-all` system access control which allows impersonation,
- `http-server.authentication.oauth2.principal-field`
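
The check described in the comment above, as an added troubleshooting sketch (not part of the thread and not Trino's own code): it decodes a token payload, shows which claim becomes the principal, and reports whether the `--user` value would require impersonation. The `preferred_username` claim, the function names and the simplified rule shape (`original_user` / `new_user` patterns, first match decides) are assumptions made for illustration.

```python
import base64
import json
import re

def _b64url(obj) -> str:
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed sample token (unsigned, inspection only). sub and email are the
# values quoted in the thread; preferred_username is an assumed claim.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none"}),
    _b64url({"sub": "327a2b89-7124-4b71-85d1-c185f9ea1f32",
             "email": "yassine@data.io",
             "preferred_username": "yassine"}),
    "",
])

def jwt_claims(token: str) -> dict:
    """Decode a JWT payload for troubleshooting; does NOT verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))

def impersonation_allowed(rules, principal: str, target: str) -> bool:
    """Simplified rule model (assumption): first matching rule decides, no match denies."""
    for rule in rules:
        if (re.fullmatch(rule["original_user"], principal)
                and re.fullmatch(rule.get("new_user", ".*"), target)):
            return rule.get("allow", True)
    return False

def check_session(token, principal_field, session_user, rules=()):
    """Return (principal, decision) for a principal field and a --user value."""
    principal = jwt_claims(token)[principal_field]
    if principal == session_user:
        return principal, "allowed: no impersonation needed"
    if impersonation_allowed(rules, principal, session_user):
        return principal, "allowed: impersonation rule matched"
    return principal, "denied: cannot impersonate"

def matching_claims(token, session_user):
    """Claims whose value equals the --user value (candidate principal fields)."""
    return [k for k, v in jwt_claims(token).items() if v == session_user]
```

`matching_claims` shows which claim of a real token carries the name users pass to `--user`, which is the claim a principal-field setting would need to point at.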
Configuring Trino to use Keycloak for authentication, it used the ID of the Keycloak user instead of a username.
In my case, Keycloak User ID is "327a2b89-7124-4b71-85d1-c185f9ea1f32"
or
user or email does not work, only ID of user and I must use the --user option even if it's external authentication.
When I used the ID of the Keycloak user it worked!
Trino config.properties: