Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Trino authentication with kerberos does not always follow user mapping pattern #24476

Open
Chiney973 opened this issue Dec 14, 2024 · 0 comments
Open

Trino authentication with kerberos does not always follow user mapping pattern #24476

Chiney973 opened this issue Dec 14, 2024 · 0 comments

Comments

@Chiney973
Copy link

I have set up authentication with kerberos on my trino server

I have set up http-server.authentication.krb5.user-mapping.pattern=(.*)(@.*) so that all users coming from kerberos with this format {username}@bar.com will have @bar.com stripped

But it does not always work as expected

I have a client setting up a powerbi to trino with a connector for whom I am unable to strip the remaining domain with the user mapping pattern

In these logs we can see that trino is not even attempting to set the username correctly:

2024-12-13T10:38:28.741Z	INFO	http-worker-160	stderr	krb5: Entered Krb5Context.acceptSecContext with state=STATE_NEW
2024-12-13T10:38:28.742Z	INFO	http-worker-160	stderr	krb5: Looking for keys for: HTTP/ppr-trino.domaini.com@MY-WORK-DOMAIN.COM
2024-12-13T10:38:28.742Z	INFO	http-worker-160	stderr	krb5: Added key: 18, version: 3
2024-12-13T10:38:28.742Z	INFO	http-worker-160	stderr	krb5: >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2024-12-13T10:38:28.743Z	INFO	http-worker-160	stderr	krb5: default_enctypes:aes256-cts aes128-cts
2024-12-13T10:38:28.743Z	INFO	http-worker-160	stderr	krb5: default etypes for permitted_enctypes: 18 17.
2024-12-13T10:38:28.743Z	INFO	http-worker-160	stderr	krb5: >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2024-12-13T10:38:28.744Z	INFO	http-worker-160	stderr	krb5: MemoryCache: add 1734086308/007473/708BC6B89F33F76CEC8125327EA1E441400B54AD2C1C3DC9C89667315BB97159/my-user@MY-WORK-DOMAIN.COM to my-user@MY-WORK-DOMAIN.COM|HTTP/ppr-trino.domaini.com@MY-WORK-DOMAIN.COM
2024-12-13T10:38:28.744Z	INFO	http-worker-160	stderr	krb5: >>> KrbApReq: authenticate succeed.
2024-12-13T10:38:28.744Z	INFO	http-worker-160	stderr	krb5: Krb5Context setting peerSeqNumber to: 2057187908
2024-12-13T10:38:28.744Z	INFO	http-worker-160	stderr	krb5: >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2024-12-13T10:38:28.745Z	INFO	http-worker-160	stderr	krb5: Krb5Context setting mySeqNumber to: 914462711
2024-12-13T10:38:28.745Z	INFO	http-worker-160	stderr	krb5: >>> Constrained deleg from GSSCaller{UNKNOWN}
2024-12-13T10:38:28.744Z	INFO	http-worker-160	stderr	krb5: >>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
2024-12-13T10:38:28.745Z	INFO	http-worker-160	stderr	krb5: Krb5Context setting mySeqNumber to: 914462711
2024-12-13T10:38:28.745Z	INFO	http-worker-160	stderr	krb5: >>> Constrained deleg from GSSCaller{UNKNOWN}
2024-12-13T10:38:28.758Z	DEBUG	dispatcher-query-26	io.trino.security.AccessControl	Invocation of checkCanSetUser(principal=Optional[my-user@MY-WORK-DOMAIN.COM], userName='my-user@MY-WORK-DOMAIN.COM') succeeded in 52.13us
2024-12-13T10:38:28.758Z	DEBUG	dispatcher-query-26	io.trino.security.AccessControl	Invocation of checkCanImpersonateUser(identity=Identity{user='my-user', principal=my-user@MY-WORK-DOMAIN.COM}, userName='my-user@MY-WORK-DOMAIN.COM') succeeded in 101.20us
2024-12-13T10:38:28.759Z	DEBUG	dispatcher-query-26	io.trino.security.AccessControl	Invocation of checkCanExecuteQuery(identity=Identity{user='my-user@MY-WORK-DOMAIN.COM', principal=my-user@MY-WORK-DOMAIN.COM}, queryId=20241213_103828_00118_4ej6g) succeeded in 25.59us

I have myself tried with a python script in my windows host and in this log we can see that trino is in fact setting up the right user with user mapping effective

2024-12-13T15:42:18.727Z  DEBUG  dispatcher-query-34  io.trino.security.AccessControl  Invocation of checkCanSetUser(principal=Optional[bar@MY-WORK_DOMAIN.FR], userName='bar') succeeded in 52.49us
2024-12-13T15:42:18.728Z  DEBUG  dispatcher-query-34  io.trino.security.AccessControl  Invocation of checkCanExecuteQuery(identity=Identity{user='bar', groups=[rw_testguy, rw_testtest4324143132, rw_testtest5432543254325, ro_testtest, ro_testtest4324143132, ro_testtest543254325243, ro_testtest5432543254325, rw_testtest432432, ro_testtest3, ro_testtest54253523532, ro_testtest2, ro_testtest1, ro_testtest432432, rw_testtest3, rw_testtest2, rw_testtest1, rw_testtest54253523532, rw_testtest543254325243, admin, ro_testguy, rw_testtest], principal=bar@MY-WORK_DOMAIN.FR}, queryId=20241213_154159_00230_kiw5t) succeeded in 51.64us
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Chiney973