Support SET SESSION AUTHORIZATION and RESET SESSION AUTHORIZATION

[baohe-zhang]

Description

This PR adds support for impersonating as another user by running SET SESSION AUTHIORIZATION user SQL command. And it's related to the issue #2512. After this PR gets merged, user u1 can run SET SESSION AUTHORIZATION u2 to impersonate u2. And the user can run RESET SESSION AUTHORIZATION to switch back to the original user u1. This SQL command can allow a superuser to temporarily become an unprivileged user and later switch back to being a superuser.

New request headers:

• X-Trino-Original-User: store the original logged-in user, the X-Trino-User can be updated with SET SESSION AUTHORIZATION user command.

New response headers:

• X-Trino-Set-Authorization-User: instruct the client to set X-Trino-User to another user.
• X-Trino-Reset-Authorization-User: instruct the client to reset X-Trino-User to the original user.

The workflow of the set session authorization:

1. User u1 starts a trino session, initially the request header will have <X-Trino-User: u1> and <X-Trino-Original-User: u1>.
2. User u1 runs SET SESSION AUTHORIZATION u2.
3. Trino server parses this SQL command and checks if the original user u1 can impersonate u2. If the check passes the server will add <X-Trino-Set-Authorization-User:u2> in the response header.
4. Trino client processes the response and it finds X-Trino-Set-Authorization-User exist in the header, thus updating the ClientSession.authorizationUser field to u2.
5. Trino client submits a sql query and adds <X-Trino-User: u2> and <X-Trino-Original-User: u1> in the request header.
6. Trino server detects X-Trino-User and X-Trino-Original-User are different in the request header, thus it will check if original user u1 can impersonate u2. If the check passes the query will be executed as u2 (use u2 to create session identity).

Since the Session's identity will be overridden by authorizationIdentity in step 5, we would need a new session field originalIdentity to preserve the information of the original user. This originalIdentity will be used for the impersonation checks during query session creation and It will also be used as the source of audit information.

Additional context and related issues

workflow:

trino> select current_user;
  _col0   
----------
 baozhang 
(1 row)

trino> set session authorization prestodv;
SET SESSION AUTHORIZATION
trino> 
trino> select current_user;
  _col0   
----------
 prestodv 
(1 row)

trino> reset session authorization;
RESET SESSION AUTHORIZATION
trino> 
trino> select current_user;
  _col0   
----------
 baozhang 
(1 row)

trino-python-client support is added in trinodb/trino-python-client#349

Release notes

( ) This is not user-visible or docs only and no release notes are required.
() Release notes are required, please propose a release note for me.
(x) Release notes are required, with the following suggested text:

# General
* Add support for `SET SESSION AUTHORIZATION` and `RESET SESSION AUTHORIZATION` syntax. ({issue}`16067`)

[phd3]

Please look at test failures - seem related

[phd3]

can we add tests in TestResourceSecurity and TestUserImpersonationAccessControl to validate the impersonation ?

[baohe-zhang]

We can add unit tests in TestUserImpersonationAccessControl after we have added client side support. And I think the unit test there should be enough to validate the impersonation.

[baohe-zhang]

The unit tests are added in testing/trino-tests/src/test/java/io/trino/execution/TestSetSessionAuthorization.java

[phd3]

Adding to TestResourceSecurity still seems valuable as UI access (e.g. QueryResource access goes through extractAuthorizedIdentity without going through the query flow - and would be good to also test it out in this codepath - in case someone sends a X-Trino-Authorization-User header that way)

[baohe-zhang]

Sounds good. Will take a look and try to add some unit tests for UI access impersonation.

[baohe-zhang]

Added a unit test in TestResourceSecurity to verify the code path of UI impersonation.

[kokosing]

In HttpRequestSessionContextFactory we are also using authenticatedIdentity. I think the flow is already complex, it would be nice to document them and differences between them somewhere. One thing is to document it https://trino.io/docs/current/develop/client-protocol.html, but I think also it would be nice to document authentication flow. Maybe https://github.com/trinodb/trino/wiki/HTTP-Protocol

[baohe-zhang]

Added docs for new client headers.

[kokosing]

Did you mean principalIdentity or authenticationIdentity. The identity that is used for authentication, while the other one should be called sessionIdentity or authorizationIdentity. Am I right?

[phd3]

You're right - but since the "executing" identity is referred to as "identity" in the code currently - we can refer the "authorization" identity as "identity" with this change ... and rename the original (or authentication) identity, wdyt ?

[phd3]

some initial comments

[phd3]

nit: redundant this

[baohe-zhang]

Fixed.

[phd3]

nit: should have isNullOrEmpty check based on the error message

[baohe-zhang]

Fixed.

[phd3]

nit: use Java 17 syntax where you don't need to cast again

e.g.

if (userExpression instanceof Identifier identifier) {
    user = identifier.getValue();
}

[baohe-zhang]

Fixed

[phd3]

same comment about nullOrEmpty

[baohe-zhang]

Fixed

[phd3]

nit: we need to add more details in terms of what the "original" user means here (i.e. sessionUser vs principal etc)

[baohe-zhang]

Added more details.

[phd3]

resetAuthorizationUser should be fine - generally we avoid abbreviations in codebase

[baohe-zhang]

Fixed

[phd3]

Adding to TestResourceSecurity still seems valuable as UI access (e.g. QueryResource access goes through extractAuthorizedIdentity without going through the query flow - and would be good to also test it out in this codepath - in case someone sends a X-Trino-Authorization-User header that way)

[phd3]

You're right - but since the "executing" identity is referred to as "identity" in the code currently - we can refer the "authorization" identity as "identity" with this change ... and rename the original (or authentication) identity, wdyt ?

[phd3]

Adding some discussion here that we had over slack with @kokosing :

• With regards to extra credentials, we do not transfer them today in case of SECURITY DEFINER in views (which is also some kind of impersonation). So if we want to transfer them in SET SESSION AUTHORIZATION we should consider transferring it in all other forms of impersonation (like row filters, column masks). We can start with not transferring them then - we can tackle the extracreds in a common way across these sql commands if a usecase demands it.

• For groups -> since they can be used for access control, we'll need to derive new groups for authorizationUser using GroupProvider#getGroups() - so that AccessControl can use proper groups corresponding to the authorizationUser for making the checks. I think this is consistent with the fact that we're using authorizationUser instead of the originalUser for making the AccessControl checks.

[baohe-zhang]

@phd3
for groups, we already have

        Identity identity = optionalAuthorizationUser.map(authorizationUser -> Identity.from(originalIdentity)
                        .withUser(authorizationUser)
                        .withGroups(groupProvider.getGroups(authorizationUser))
                        .build())
                .orElse(originalIdentity);

to get the authorizationUser's groups. I wonder do we need to change withGroups to withAdditionalGroups to preserve the original user's groups in the authorization user's identity?

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Baohe Zhang.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email [email protected]
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Baohe Zhang.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email [email protected]
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[cla-bot]

Thank you for your pull request and welcome to our community. We could not parse the GitHub identity of the following contributors: Baohe Zhang.
This is most likely caused by a git client misconfiguration; please make sure to:

1. check if your git client is configured with an email to sign commits git config --list | grep email
2. If not, set it up using git config --global user.email [email protected]
3. Make sure that the git commit email is configured in your GitHub account settings, see https://github.com/settings/emails

[phd3]

LGTM! Minor comments.

[phd3]

I'd extract this out in a method so that the logic of preferring originalUser and fallback on user remains in one place. Also let's add a comment on why we do this

[baohe-zhang]

Fixed.

[phd3]

LGTM. @baohe-zhang Could you please squash commits? Or open access for me to be able to push to your branch, which I'm currently not.

[phd3]

Merged, thanks @baohe-zhang @martint !

[findepi]

The new statements should fail when client does not support the new headers. Please update ClientCapabilities.

[findepi]

The new statements should fail when client does not support the new headers. Please update ClientCapabilities.

@baohe-zhang @phd3 can you please follow-up on this?