feat: create user if not exists on JWT authenticate

[junnplus]

I hereby agree to the terms of the CLA available at: https://databend.rs/dev/policies/cla/

Summary

Create user if not exists on JWT authenticate.

Specify the create_user struct in custom claims to create a user.

#[derive(Default, Deserialize, Serialize)]
pub struct CreateUser {
    pub tenant_id: Option<String>,
    pub roles: Vec<String>,
}

#[derive(Default, Deserialize, Serialize)]
pub struct CustomClaims {
    pub create_user: Option<CreateUser>,
}

Changelog

• New Feature

Related Issues

Fixes #4875

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

1 Ignored Deployment

Name	Status	Preview	Updated
databend	⬜️ Ignored (Inspect)		Apr 19, 2022 at 7:25AM (UTC)

[mergify]

Thanks for the contribution!
I have applied any labels matching special text in your PR Changelog.

Please review the labels and make any necessary changes.

[youngsofun]

1. add_user return error if user exists. does the cloud platform when it should carry the create_user field?

2. for an existed user, what if the existed user info diff with info in create_user?

[junnplus]

add_user return error if user exists. does the cloud platform when it should carry the create_user field?

User will be created only if user does not exist. is_not_exists is true for add_user .

for an existed user, what if the existed user info diff with info in create_user?

create_user just used to create users, not update.

[youngsofun]

User will be created only if user does not exist

do you mean cloud platform do this check to determine whether or not to addcreate_user in jwt? cc @flaneur2020

add_user may ErrorCode::UserAlreadyExists

[flaneur2020]

do you mean cloud platform do this check to determine whether or not to addcreate_user in jwt?

i guess the cloud platform could ensure user exists by an jwt with create_user enabled when the user successfully logged in, and then pass normal jwt for the normal operations to interact with databend-query.

a jwt is used to authenticate an user, if the jwt verified successfully and the user already existed, it can pass the authentication happily, it might a bit weird to get a userAlreadyExists in this case. 🤔

[flaneur2020]

btw, how about making the create_user claim into a bool?

the infomation about tenant and role may already existed some another claims 🤔

[junnplus]

btw, how about making the create_user claim into a bool?

like this?

{
    "create_user": true,
    "tenant_id": "",
    "roles": []
}

I'm not sure if the same fields would be in custom claims, it's better together.

[youngsofun]

@junnplus sorry, what I saw is UserApi::add_user.

[youngsofun]

i guess the cloud platform could ensure user exists by an jwt with create_user enabled when the user successfully logged in, and then pass normal jwt for the normal operations to interact with databend-query.

maybe we can call it ensure_user? I saw it a lot in puppet. or "create_user_if_not_exist".

btw, how about making the create_user claim into a bool?

seems currently this create_user provides only a basic template for a newly-seen user, so the value in it take effective only when user dose not exist. and it will not override behavior specified by an existing userInfo.

So, I prefer to separate it from other fields，which while be regard，naturally， being able to override the behavior of the session

@flaneur2020

[junnplus]

ensure_user SGTM. cc @flaneur2020

[flaneur2020]

cool, ensure_user is much better than create_user_if_not_exist.

I guess jwt in some manner favors shorter names, as it'd like to avoids getting too big in the transport, likewise "aud" over "audience", "sub" over "subject" etc.

[youngsofun]

if add_user does return ok, no need to get_user here?

[junnplus]

if add_user does return ok, no need to get_user here?

If the user already exists, we still need to get the user.

[youngsofun]

why not return the UserInfo just created?

[junnplus]

why not return the UserInfo just created?

User will not be created if user already exists, so we need to get_user.

[youngsofun]

so, put it together, Jwt only create a user if not exist.
the user may be altered later as normal.

lgtm