Currently, we authenticate a user and get the userId from the OAuth provider.
The mapping between userId and role is done by setting the presetUsers.
If userId exists in presetUsers, we'll use the privileges set for the user and match it in authorization.
It's inconvenient to set every account in presetUsers in order to perform a userId to role mapping.
We can improve this by getting the info from OAuth claims.
A similar feature already exists in LDAP (lbLdapClient.getMemberOf(username)).
This feature also exists in Trino (trinodb/trino#15669), although it's discouraged due to the conflict with impersonation. We don't have impersonation in gateway, so this won't be a concern.
Ref:
trino-gateway/gateway-ha/src/main/java/io/trino/gateway/ha/security/AuthorizationManager.java
Lines 40 to 53 in 6fb8346
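A sketch of the lookup this issue proposes, added here as an example and not code from trino-gateway: privileges come from presetUsers when the userId is listed there, otherwise from a claim of the already-verified OAuth token, and a missing or malformed claim yields no privileges. The class name `ClaimPrivilegeResolver`, the `groups` claim name, the string shape of a privilege value, the `_` separator and the preset-first precedence are all assumptions.

```java
import java.util.Collection;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.stream.Collectors;

// Hypothetical sketch: none of these names come from the trino-gateway code base.
public class ClaimPrivilegeResolver {
    private final Map<String, String> presetUsers; // userId -> privileges (assumed shape)
    private final String privilegesClaim;          // operator-configured claim name (assumed)

    public ClaimPrivilegeResolver(Map<String, String> presetUsers, String privilegesClaim) {
        this.presetUsers = Map.copyOf(presetUsers);
        this.privilegesClaim = privilegesClaim;
    }

    // verifiedClaims must come from a token whose signature, issuer, audience
    // and expiry were checked before this method is called.
    public Optional<String> resolve(String userId, Map<String, Object> verifiedClaims) {
        // Assumed precedence: an explicit presetUsers entry overrides the claim.
        String preset = presetUsers.get(userId);
        if (preset != null) {
            return Optional.of(preset);
        }
        Object claim = verifiedClaims.get(privilegesClaim);
        if (claim instanceof String s && !s.isBlank()) {
            return Optional.of(s);
        }
        if (claim instanceof Collection<?> values) {
            // Providers often send group claims as arrays; non-string members are dropped.
            String joined = values.stream()
                    .filter(String.class::isInstance)
                    .map(String.class::cast)
                    .collect(Collectors.joining("_"));
            return joined.isEmpty() ? Optional.empty() : Optional.of(joined);
        }
        return Optional.empty(); // missing claim or unexpected type: grant nothing
    }

    public static void main(String[] args) {
        ClaimPrivilegeResolver resolver = new ClaimPrivilegeResolver(Map.of("alice", "ADMIN_USER"), "groups");
        // Constructed sample claims, not real token contents.
        System.out.println(resolver.resolve("alice", Map.of("groups", List.of("USER"))));
        System.out.println(resolver.resolve("bob", Map.of("groups", List.of("USER", "API"))));
        System.out.println(resolver.resolve("carol", Map.of("groups", 42)));
    }
}
```

Because the identity provider then decides who holds which role, the claim name should be fixed in configuration and the empty result treated as "no access" rather than mapped to a default role.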