Add authentication to the Preview Web UI

[koszti]

Description

Authentication methods for the preview UI. Partially addressing #22697

Technical details

Introducing three new API endpoints designed for enhanced Single Page App compatibility:

• GET: /ui/preview/auth/info: Provides a lightweight JSON response containing the essential details for authentication type, user information, and login form rendering (if needed). Unlike the current approach, it eliminates the need for server-side HTML rendering and string manipulation.. Example:

$ curl -k https://127.0.0.1:8443/ui/preview/auth/info
{"authType":"form","isPasswordAllowed":true,"isAuthenticated":false}

• POST: /ui/preview/auth/login: Functionally equivalent to POST: /ui/login, but it exchanges data via JSON instead of HTTP forms and HTML responses.
• GET: /ui/preview/auth/logout: Functionally equivalent to GET: /ui/logout but it exchanges data via JSON instead of HTTP redirects and HTML response

Supported Authentication Types

• INSECURE
• FORM (via HTTP)
• FORM (via HTTPS)
• FIXED
• OAUTH2 (tested with Okta)
• JWT: - (tested by ingesting jwt tokens into HTTP header as auth bearer token using mitmproxy)
• KERBEROS
• CERTIFICATE

Screenshots

1. INSECURE auth type for development. No password.

2. FORM auth type via HTTPS

3. FIXED

4. OAUTH2 Okta as IdP

NOTE: In oauth2, the IdP login form is displayed (such as okta login page), whereas for fixed and protocol-based authenticators (jwt, certifacte and kerberos), users are redirected to the main page upon successful authentication without being shown a login form.

5. Periodically fetching /ui/api/stats endpoint after a successful login

[wendigo]

@koszti I've pushed a commit to your PR that tries to simplify the bindings to reduce the scope of changes. Ideally we don't want to change existing classes at all to reduce the chance of introducing security-related bugs.

[koszti]

@koszti I've pushed a commit to your PR that tries to simplify the bindings to reduce the scope of changes. Ideally we don't want to change existing classes at all to reduce the chance of introducing security-related bugs.

thanks for doing that. I was struggling with that part so it was a great help. I made a few other modifications and everything is now working. I've also addressed nearly all your comments and rebased everything into a single commit.

[wendigo]

@koszti I've pushed a bunch of changes - can you test them? I'm ok with the change as it is right now so I'm willing to merge it.

[koszti]

@wendigo I'm fixing conflicts and testing your commits. I can see you've moved @ResourceSecurity annotations to class level but that causes this exception:

Caused by: IllegalArgumentException: Trino resource is not annotated with @ResourceSecurity: public AuthInfo LoginPreviewResource.getAuthInfo(ContainerRequestContext,SecurityContext)

I've checked other resources and seems like it's always annotated at the endpoint methods and not at the class level. One annotation for each.. Should I modify related classes accordingly so it'd look like this below? Doing that there is no exception:

@Path("")
@Consumes(APPLICATION_JSON)
@Produces(APPLICATION_JSON)
public class LoginPreviewResource
{
...
    @GET
    @Path(UI_PREVIEW_AUTH_INFO)
    @ResourceSecurity(WEB_UI)
    public AuthInfo getAuthInfo(...)
...

    @POST
    @Path(UI_PREVIEW_LOGIN_FORM)
    @ResourceSecurity(WEB_UI)
    public Response login(...)
...

[wendigo]

@koszti according to the code it should work on the class-level as well

[koszti]

@koszti according to the code it should work on the class-level as well

io.trino.server.ui.PreviewUiQueryRunner isn’t starting with class-level annotations. I’ll try to investigate the cause.
I need a bit more time to resolve all conflicts and align everything with the master branch but will do it in the next couple of days.

[wendigo]

@koszti there is an invalid check in the ResourceAccessType. There should be a single verifyNotTrinoResource call there by the end of the method. Can you test with that change?

diff --git a/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java b/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
index 9fe79418b35..b71a2d0b9e0 100644
--- a/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
+++ b/core/trino-main/src/main/java/io/trino/server/security/ResourceAccessType.java
@@ -49,7 +49,6 @@ public class ResourceAccessType
             // check if the resource class has an access type declared for all methods
             accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass());
             if (accessType.isPresent()) {
-                verifyNotTrinoResource(resourceInfo);
                 return accessType.get();
             }
             // in some cases there the resource is a nested class, so check the parent class
@@ -57,7 +56,6 @@ public class ResourceAccessType
             if (resourceInfo.getResourceClass().getDeclaringClass() != null) {
                 accessType = resourceAccessTypeLoader.getAccessType(resourceInfo.getResourceClass().getDeclaringClass());
                 if (accessType.isPresent()) {
-                    verifyNotTrinoResource(resourceInfo);
                     return accessType.get();
                 }
             }

[koszti]

@wendigo yes, it does work after your changes, thanks! I'm going to continue the rest and will come back soon

[koszti]

@wendigo this is now ready.

[wendigo]

@koszti there were unrelated changes in 3 files which I removed and extracted one change to a separate commit.

[wendigo]

@dain this prohibited @ResourceSecurity at the class level for io.trino Jax-RS resources. Was it on purpose?