trinodb · kenandominic · Feb 12, 2024 · mosabua · Aug 26, 2024
diff --git a/core/trino-main/src/main/java/io/trino/server/security/HeaderAuthenticatorManager.java b/core/trino-main/src/main/java/io/trino/server/security/HeaderAuthenticatorManager.java
@@ -13,6 +13,7 @@
  */
 package io.trino.server.security;
 
+import com.google.common.annotations.VisibleForTesting;
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
 import com.google.inject.Inject;
@@ -115,4 +116,12 @@ public boolean isLoaded()
     {
         return authenticators.get() != null;
     }
+
+    @VisibleForTesting
+    public void setAuthenticators(HeaderAuthenticator... authenticators)
+    {
+        if (!this.authenticators.compareAndSet(null, ImmutableList.copyOf(authenticators))) {
+            throw new IllegalStateException("authenticators already loaded");
+        }
+    }
 }
diff --git a/core/trino-main/src/main/java/io/trino/server/ui/WebUiAuthenticationModule.java b/core/trino-main/src/main/java/io/trino/server/ui/WebUiAuthenticationModule.java
@@ -21,6 +21,9 @@
 import io.trino.server.security.Authenticator;
 import io.trino.server.security.CertificateAuthenticator;
 import io.trino.server.security.CertificateConfig;
+import io.trino.server.security.HeaderAuthenticator;
+import io.trino.server.security.HeaderAuthenticatorConfig;
+import io.trino.server.security.HeaderAuthenticatorManager;
 import io.trino.server.security.KerberosAuthenticator;
 import io.trino.server.security.KerberosConfig;
 import io.trino.server.security.SecurityConfig;
@@ -58,6 +61,11 @@ protected void setup(Binder binder)
         }));
         installWebUiAuthenticator("kerberos", KerberosAuthenticator.class, KerberosConfig.class);
         install(webUiAuthenticator("jwt", JwtAuthenticator.class, new JwtAuthenticatorSupportModule()));
+        install(webUiAuthenticator("header", HeaderAuthenticator.class, headerBinder -> {
+            newOptionalBinder(headerBinder, HeaderAuthenticatorManager.class);
+            configBinder(headerBinder).bindConfig(HeaderAuthenticatorConfig.class);
+            headerBinder.bind(HeaderAuthenticatorManager.class).in(SINGLETON);
+        }));
     }
 
     private void installWebUiAuthenticator(String type, Module module)

diff --git a/core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java b/core/trino-main/src/test/java/io/trino/server/ui/TestWebUi.java
@@ -34,6 +34,7 @@
 import io.trino.server.HttpRequestSessionContextFactory;
 import io.trino.server.ProtocolConfig;
 import io.trino.server.protocol.PreparedStatementEncoder;
+import io.trino.server.security.HeaderAuthenticatorManager;
 import io.trino.server.security.PasswordAuthenticatorManager;
 import io.trino.server.security.ResourceSecurity;
 import io.trino.server.security.oauth2.ChallengeFailedException;
@@ -43,6 +44,7 @@
 import io.trino.server.testing.TestingTrinoServer;
 import io.trino.spi.security.AccessDeniedException;
 import io.trino.spi.security.BasicPrincipal;
+import io.trino.spi.security.HeaderAuthenticator;
 import io.trino.spi.security.Identity;
 import jakarta.servlet.http.HttpServlet;
 import jakarta.servlet.http.HttpServletRequest;
@@ -163,6 +165,8 @@ public class TestWebUi
     private static final PrivateKey JWK_PRIVATE_KEY;
     private static final String REFRESH_TOKEN = "REFRESH_TOKEN";
     private static final Duration REFRESH_TOKEN_TIMEOUT = Duration.ofMinutes(1);
+    private static final String AUTHN_HEADER = "header-authn";
+    private static final String ALTERNATE_AUTHN_HEADER = "header-authn-alternate";
 
     static {
         try {
@@ -871,6 +875,54 @@ public void testOAuth2AuthenticatorWithoutEndSessionEndpoint()
         }
     }
 
+    @Test
+    public void testHeaderAuthenticator()
+            throws Exception
+    {
+        final Path headerConfigDummy = Files.createTempFile("passwordConfigDummy", "");
+        headerConfigDummy.toFile().deleteOnExit();
+        try (TestingTrinoServer server = TestingTrinoServer.builder()
+                .setProperties(ImmutableMap.<String, String>builder()
+                        .putAll(SECURE_PROPERTIES)
+                        .put("web-ui.authentication.type", "header")
+                        .put("header-authenticator.config-files", headerConfigDummy.toString())
+                        .buildOrThrow())
+                .build()) {
+            server.getInstance(Key.get(HeaderAuthenticatorManager.class))
+                    .setAuthenticators(
+                            headerAuthenticator(AUTHN_HEADER),
+                            headerAuthenticator(ALTERNATE_AUTHN_HEADER));
+            HttpServerInfo httpServerInfo = server.getInstance(Key.get(HttpServerInfo.class));
+            String nodeId = server.getInstance(Key.get(NodeInfo.class)).getNodeId();
+
+            testLogIn(httpServerInfo.getHttpUri(), FORM_LOGIN_USER, TEST_PASSWORD, false);
+            testNeverAuthorized(httpServerInfo.getHttpsUri(), client);
+
+            OkHttpClient clientWithAuthNHeader = client.newBuilder()
+                    .addInterceptor(chain -> chain.proceed(chain.request()
+                            .newBuilder()
+                            .addHeader(AUTHN_HEADER, TEST_USER)
+                            .build()))
+                    .build();
+            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), clientWithAuthNHeader, nodeId);
+
+            OkHttpClient clientWithAltAuthNHeader = client.newBuilder()
+                    .addInterceptor(chain -> chain.proceed(chain.request()
+                            .newBuilder()
+                            .addHeader(ALTERNATE_AUTHN_HEADER, TEST_USER)
+                            .build()))
+                    .build();
+            testAlwaysAuthorized(httpServerInfo.getHttpsUri(), clientWithAltAuthNHeader, nodeId);
+        }
+    }
+
+    private static HeaderAuthenticator headerAuthenticator(String authnHeader)
+    {
+        return (headers) -> Optional.ofNullable(headers.getHeader(authnHeader))
+                .map(values -> new BasicPrincipal(values.get(0)))
+                .orElseThrow(() -> new AccessDeniedException("You shall not pass!"));
+    }
+
     private void assertAuth2Authentication(TestingTrinoServer server, String accessToken, Optional<String> idToken, boolean refreshTokensEnabled, boolean supportsEndSessionEndpoint)
             throws Exception
     {

diff --git a/docs/src/main/sphinx/admin/properties-web-interface.md b/docs/src/main/sphinx/admin/properties-web-interface.md
@@ -5,7 +5,7 @@ The following properties can be used to configure the {doc}`web-interface`.
 ## `web-ui.authentication.type`
 
 - **Type:** {ref}`prop-type-string`
-- **Allowed values:** `FORM`, `FIXED`, `CERTIFICATE`, `KERBEROS`, `JWT`, `OAUTH2`
+- **Allowed values:** `FORM`, `FIXED`, `CERTIFICATE`, `KERBEROS`, `JWT`, `OAUTH2`, `HEADER`
 - **Default value:** `FORM`
 
 The authentication mechanism to allow user access to the Web UI. See

diff --git a/docs/src/main/sphinx/admin/web-interface.md b/docs/src/main/sphinx/admin/web-interface.md
@@ -46,6 +46,7 @@ The following Web UI authentication types are also supported:
 - `KERBEROS`, see details in {doc}`/security/kerberos`
 - `JWT`, see details in {doc}`/security/jwt`
 - `OAUTH2`, see details in {doc}`/security/oauth2`
+- `HEADER`, see details in {doc}`/develop/header-authenticator`
 
 For these authentication types, the username is defined by {doc}`/security/user-mapping`.