Example Authentication providers #3410
Conversation
formed status objects
...cket-jakarta/src/main/java/io/grpc/servlet/web/websocket/MultiplexedWebsocketStreamImpl.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I think these are mostly great. I know we've talked a little bit about the packaging changes you expect to make.
I glossed over oidc and postrges impls and JS.
I have successfully run the JS examples, as well as extended the java client to more thoroughly test psk, mtls, and anonymous.
| return Optional.of(new AuthContext() { | ||
| @Override | ||
| public LogOutput append(LogOutput logOutput) { | ||
| return logOutput.append(x509Certificates.get(0).getSubjectDN().getName()); | ||
| } | ||
| }); |
There was a problem hiding this comment.
I think we want to move towards more structured AuthContexts that capture the full state:
class MtlsAuthContext implements AuthContext {
private final List<X509Certificate> ...
...
}I know we don't have great Authorization tie-ins at the moment, but mTLS in particular is a cool case b/c multiple privileges can be attached to a single certificate.
There was a problem hiding this comment.
Definitely agreed, but I'd like to tackle that later, and offer some base implementations along the way, with things like roles optionally populated. As it stands today, every implementation of AuthContext is functionally the same - there is no difference between Anonymous and SuperUser except what they log.
There was a problem hiding this comment.
Users have to implement their own versions of AuthWiring classes. I think Devin is asking for the ability to class-cast and invoke an accessor method. I can't see a good reason to not include that at this time. If a user does indeed subclass, this is a simple java-ism that they will want to be able to do.
There was a problem hiding this comment.
Only that I want to separate the goals here, focusing on the authentication side, making sure it works with several use cases, and follow up with authorization, as Auth(oriziation)Wiring is explicitly the second. I think we need more than "provide some subclasses and cast" to get that to make sense.
|
|
||
| @Override | ||
| public void initialize(String targetUrl) { | ||
|
|
There was a problem hiding this comment.
Yep see description, I'm hoping for some feedback on expected conventions - how noisy, do we log at all, just the URL, do we really need every handler to log roughly the same URL, etc
There was a problem hiding this comment.
targetUrl is a bit weird to pass into this function. I understand we're giving psk a chance to log out a "pretty" URL, but maybe there is a better way to structure this.
My vote might be to rip out the init logging (except for Anonymous), and then have the server print targetUrl once.
| ); | ||
|
|
||
| INSERT INTO deephaven_username_password_auth.users (username, password_hash, rounds) | ||
| VALUES ('admin', '$2a$10$kjbt1Fq4k4W6EB67GDhAauuIWeI8ppx2gsi6.zLL2R5UYokek8nqO', 10); |
There was a problem hiding this comment.
It looks like rounds is encoded in the password_hash; rounds may be extraneous?
There was a problem hiding this comment.
Yes, unfortunately I would have to implement my own parsing, the existing bcrypt java library doesn't offer a way to read that value, so I just stored it as a separate column.
There was a problem hiding this comment.
Looks like https://github.com/patrickfav/bcrypt might be a more recently maintained alternative? Quick look at the API shows that it supports parsing w/o explicitly passing in rounds and improvements https://github.com/patrickfav/bcrypt#enhancements-over-jbcrypt
There was a problem hiding this comment.
Okay to have as an optional, very-backlogged followup?
If we're doing this "actually 100% right" there is a lot more that needs to be done too, like pooling jdbc connections, explicitly supporting other drivers, etc.
web/client-api/src/main/java/io/deephaven/web/public/authentication/basic.html
Outdated
Show resolved
Hide resolved
| return Optional.of(new AuthContext() { | ||
| @Override | ||
| public LogOutput append(LogOutput logOutput) { | ||
| return logOutput.append(x509Certificates.get(0).getSubjectDN().getName()); | ||
| } | ||
| }); |
There was a problem hiding this comment.
Users have to implement their own versions of AuthWiring classes. I think Devin is asking for the ability to class-cast and invoke an accessor method. I can't see a good reason to not include that at this time. If a user does indeed subclass, this is a simple java-ism that they will want to be able to do.
| } | ||
|
|
||
| @Override | ||
| public void initialize(String targetUrl) { |
There was a problem hiding this comment.
I suspect we may want to force this call to be as close to the gRPC server start() call. I'd noticed back when we were originally logging the "Anonymous access is enabled" warning that it was rather early in the start up process. Other OSS products that I've seen start web servers provide such a log message near the tail of their start-up logging. We should do the same if you haven't already addressed that.
There was a problem hiding this comment.
can you and @devinrsmith discuss a bit directly here? I definitely think these two(ish) things are true:
- Some authentication handlers must be logged - anon must get called out noisily, and PSK stops looking like an acceptable replacement for anon if the user has to find the url, click it, go back to the log, find the PSK, copy it, paste it into the box in the browser... Both of these are best if this is the ~last thing that is logged before we hand off control to the user.
- Most other auth handlers really have no need for the target url or to log at all.
There was a problem hiding this comment.
I would be in favor of having io.deephaven.server.runner.DeephavenApiServer#run be in control of the necessary logging and removing targetUrl from initialize. This gives us a chance to delay logging until after the server has started, and be smarter about when and what we actually log. This suggests we may need to use reflection (or some "hacky" means for PSK), or elevate PSK to the authentication project.
|
Possible layout for docker compose sample. I think this is too much, even without making it clearer. The only part I want to keep (in a different commit...) is to create the /apps/libs directory when we make the images, rather than make users create it themselves - but the steps to create this are a bit too complex, unless we intend to publish the image. I think it would be better to have an explicit Dockerfile example somewhere, rather than a runnable dev docker example. |
I see value in publishing PSK, but it's hard to see immediate value from publishing the other ones.
classname sounds good
I'd say "no" to further parameterization at this point. May be reasonable to rename to "oidc-keycloak" or similar. |
|
Out of the box, mtls, psk, and keycloak are configurable for "just limit users to those who fit this simple criteria", which solves the major feature gap we were missing here. With oidc/keycloak, an existing instance can be used by just adding a new realm or new client an an existing realm to grant/deny access, and with mtls controlling the CA used for browser or programmatic clients is at least enough to offer some guarantee over who can connect or not. The Basic sql one is a little weaker here (though you can give it an existing postgresql database and specify the table/columns to use). It might be a stretch here, but it seems odd to skip this one, as it certainly can work out of the box (and doubles as its own tool to create passwords for the DB to store) in a simpler way than to say "either roll your own or also stand up Keycloak). |
|
Labels indicate documentation is required. Issues for documentation have been opened: How-to: https://github.com/deephaven/deephaven.io/issues/2243 |
Remaining to mark it as ready:
Discussion points for reviews:
AuthHandlersvalueFixes #2564
Fixes #2934