Trino Gateway has its own security with its own authentication and authorization. These features are used only to authenticate and authorize its user interface and the APIs. All Trino-related requests are passed through to the Trino cluster without any authentication or authorization check in Trino Gateway.
Authentication is only performed over HTTPS. Add the `authentication:` section to the config file. The default authentication type is set with `defaultType: "form"`. The following authentication types are supported: OAuth (OpenID Connect), form login with preset users, and form login backed by LDAP.

OAuth can be configured as below:
```yaml
authentication:
  defaultType: "oauth"
  oauth:
    issuer:
    clientId:
    clientSecret:
    tokenEndpoint:
    authorizationEndpoint:
    jwkEndpoint:
    redirectUrl:
    redirectWebUrl:
    userIdField:
    scopes:
      - s1
      - s2
      - s3
```
- For OAuth, Trino Gateway uses the `oidc/callback` path, whereas Trino uses the `oauth2` path. Trino Gateway should have its own client id.
- All the Trino backend clusters should share a single client id.
- Trino Gateway needs to pass through the Trino OAuth2 requests to only one of the clusters.
- One way to handle this is to set a special routing rule like the one below:

  ```yaml
  ---
  name: "Oauth requests"
  description: "Oauth requests need to go to a single backend"
  condition: "request.getRequestURI.startsWith(\"/oauth2\")"
  actions:
    - "result.put(\"routingGroup\", \"oauth2-handler\")"
  ```

- That also means you need to have a cluster with that routing group.
- It is fine to replicate an existing cluster backend record under a different name for that purpose.
With form authentication, users are authenticated against the pre-defined users from the configuration file. To define the preset users, use the following section. Note that `privileges` can only be a combination of `ADMIN`, `USER`, and `API`, with `_` used as the separator.
```yaml
presetUsers:
  user1:
    password: <password>
    privileges: ADMIN_USER
  user2:
    password: <password>
    privileges: API
```
Also provide a randomly generated RSA key pair:
```yaml
authentication:
  defaultType: "form"
  form:
    selfSignKeyPair:
      privateKeyRsa: <private_key_path>
      publicKeyRsa: <public_key_path>
```
LDAP authentication requires both the random RSA key pair and the path to the LDAP config file:
```yaml
authentication:
  defaultType: "form"
  form:
    ldapConfigPath: <ldap_config_path>
    selfSignKeyPair:
      privateKeyRsa: <private_key_path>
      publicKeyRsa: <public_key_path>
```
Trino Gateway supports the following roles, each defined as a regex string:

- `admin`: Allows access to the Editor tab, which can be used to configure the backends
- `user`: Allows access to the rest of the website
- `api`: Allows access to the REST APIs used to configure the backends
Users whose attributes match the regex next to a role are given that role's privileges. You can use the preset users defined in the yaml file. LDAP authorization is also supported by adding user attribute configs to the LDAP config file.

- Check out the LDAPTestConfig.yml file for config details
```yaml
# Roles should be in regex format
authorization:
  admin: (.*)ADMIN(.*)
  user: (.*)USER(.*)
  api: (.*)API(.*)
  ldapConfigPath: '<ldap_config_path>'
```
The LDAP config file should have the following contents:
```yaml
ldapHost: '<ldap server>'
ldapPort: <port>
useTls: <true/false>
useSsl: <true/false>
ldapAdminBindDn: <>
ldapUserBaseDn: <>
ldapUserSearch: <>
ldapGroupMemberAttribute: <>
ldapAdminPassword: <>
ldapTrustStorePath: <for a secure ldap connectivity>
ldapTrustStorePassword: '<for a secure ldap connectivity>'
poolMaxIdle: 8
poolMaxTotal: 8
poolMinIdle: 0
poolTestOnBorrow: true
```
By default, all pages are accessible to all roles. To limit page access, set page permissions per role by listing the allowed pages, using `_` as the separator. The following pages are available:

- dashboard
- cluster
- resource-group
- selector
- history
```yaml
# admin/api can access all pages, while user can only access dashboard/history
pagePermissions:
  admin:
  user: dashboard_history
  api:
```
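The following is an added example, not code from the Trino Gateway project, that works through how the role regexes and the `_`-separated page permissions above combine for a preset user. The `authorization` and `pagePermissions` sections are embedded as constructed Python dicts, and it assumes each role regex is applied as a full match against the whole `privileges` string (which is why the page's patterns are written as `(.*)X(.*)`).

```python
import re

# Constructed copy of the page's authorization and pagePermissions sections,
# embedded as dicts so the example runs without a YAML parser.
AUTHORIZATION = {
    "admin": r"(.*)ADMIN(.*)",
    "user": r"(.*)USER(.*)",
    "api": r"(.*)API(.*)",
}
PAGE_PERMISSIONS = {
    "admin": None,                 # no value: the role may see every page
    "user": "dashboard_history",   # '_' separates the allowed pages
    "api": None,
}
ALL_PAGES = ["dashboard", "cluster", "resource-group", "selector", "history"]


def roles_for(privileges, authorization=AUTHORIZATION):
    """Roles whose regex matches the user's privilege string, e.g. "ADMIN_USER".

    Assumption: full match against the whole string. Because every pattern is
    (.*)X(.*), a role is granted whenever its marker appears anywhere in the
    string, so the check is effectively a substring test.
    """
    return {role for role, pattern in authorization.items()
            if re.fullmatch(pattern, privileges)}


def pages_for(roles, page_permissions=PAGE_PERMISSIONS, all_pages=ALL_PAGES):
    """Union of the pages allowed by any of the user's roles."""
    allowed = set()
    for role in roles:
        value = page_permissions.get(role)
        if not value:                      # empty entry: all pages, as on the page
            allowed.update(all_pages)
        else:
            allowed.update(value.split("_"))
    return allowed


def effective_access(privileges):
    """Roles and pages a preset user ends up with for a given privileges value."""
    roles = roles_for(privileges)
    return roles, pages_for(roles)


def validate_page_permissions(page_permissions=PAGE_PERMISSIONS, all_pages=ALL_PAGES):
    """Report page names in pagePermissions that do not exist (a typo silently
    grants nothing, so catch it at config-review time). Returns {role: [bad...]}."""
    unknown = {}
    for role, value in page_permissions.items():
        bad = [p for p in value.split("_") if p not in all_pages] if value else []
        if bad:
            unknown[role] = bad
    return unknown
```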