Enable dual authentication methods

Author: AndyJiang99

docs/security.md

@@ -36,16 +36,16 @@ for more details.
 
 The authentication would happen on https protocol only. Add the
 `authentication:` section in the config file. The default authentication type is
-set using `defaultType: "form"` Following types of the authentications are
-supported.
+set using `defaultTypes: ["form"]`. The first authentication type in `defaultTypes` is prioritized and then falls back to following ones.
+Following types of the authentications are supported.
 
 ### OAuth/OpenIDConnect
 
 It can be configured as below
 
 ```yaml
 authentication:
-  defaultType: "oauth"
+  defaultTypes: ["oauth"]
   oauth:
     issuer:
     clientId:
@@ -81,6 +81,11 @@ Set the `privilegesField` to retrieve privileges from an OAuth claim.
 ```
 - That also means you need to have a cluster with that routing group.
 - It's ok to replicate an existing Trino cluster record with a different name for that purpose.
+- If you want to have all users who are authenticated via SSO and are not in the `presetUsers` list be able to view the dashboard and query history, you can set `defaultPrivilege` in the config file:
+```yaml
+authorization:
+  defaultPrivilege: "USER"
+```
 
 ### Form/Basic authentication
 
@@ -102,7 +107,7 @@ Also provide a random key pair in RSA format.
 
 ```yaml
 authentication:
-  defaultType: "form"
+  defaultTypes: ["form"]
   form:
     selfSignKeyPair:
       privateKeyRsa: <private_key_path>
@@ -115,7 +120,7 @@ LDAP requires both random key pair and config path for LDAP
 
 ```yaml
 authentication:
-  defaultType: "form"
+  defaultTypes: ["form"]
   form:
     ldapConfigPath: <ldap_config_path>
     selfSignKeyPair:

gateway-ha/pom.xml

@@ -323,6 +323,13 @@
             <scope>runtime</scope>
         </dependency>
 
+        <dependency>
+            <groupId>com.github.docker-java</groupId>
+            <artifactId>docker-java-api</artifactId>
+            <version>3.4.2</version>
+            <scope>test</scope>
+        </dependency>
+
         <!-- Test deps -->
         <dependency>
             <groupId>com.h2database</groupId>

gateway-ha/src/main/java/io/trino/gateway/ha/config/AuthenticationConfiguration.java

@@ -13,29 +13,31 @@
  */
 package io.trino.gateway.ha.config;
 
+import java.util.List;
+
 public class AuthenticationConfiguration
 {
-    private String defaultType;
+    private List<String> defaultTypes;
     private OAuthConfiguration oauth;
     private FormAuthConfiguration form;
 
-    public AuthenticationConfiguration(String defaultType, OAuthConfiguration oauth, FormAuthConfiguration form)
+    public AuthenticationConfiguration(List<String> defaultTypes, OAuthConfiguration oauth, FormAuthConfiguration form)
     {
-        this.defaultType = defaultType;
+        this.defaultTypes = defaultTypes;
         this.oauth = oauth;
         this.form = form;
     }
 
     public AuthenticationConfiguration() {}
 
-    public String getDefaultType()
+    public List<String> getDefaultTypes()
     {
-        return this.defaultType;
+        return this.defaultTypes;
     }
 
-    public void setDefaultType(String defaultType)
+    public void setDefaultTypes(List<String> defaultTypes)
     {
-        this.defaultType = defaultType;
+        this.defaultTypes = defaultTypes;
     }
 
     public OAuthConfiguration getOauth()

gateway-ha/src/main/java/io/trino/gateway/ha/config/AuthorizationConfiguration.java

@@ -19,13 +19,15 @@ public class AuthorizationConfiguration
     private String user;
     private String api;
     private String ldapConfigPath;
+    private String defaultPrivilege;
 
-    public AuthorizationConfiguration(String admin, String user, String api, String ldapConfigPath)
+    public AuthorizationConfiguration(String admin, String user, String api, String ldapConfigPath, String defaultPrivilege)
     {
         this.admin = admin;
         this.user = user;
         this.api = api;
         this.ldapConfigPath = ldapConfigPath;
+        this.defaultPrivilege = defaultPrivilege;
     }
 
     public AuthorizationConfiguration() {}
@@ -69,4 +71,14 @@ public void setLdapConfigPath(String ldapConfigPath)
     {
         this.ldapConfigPath = ldapConfigPath;
     }
+
+    public String getDefaultPrivilege()
+    {
+        return this.defaultPrivilege;
+    }
+
+    public void setDefaultPrivilege(String defaultPrivilege)
+    {
+        this.defaultPrivilege = defaultPrivilege;
+    }
 }

gateway-ha/src/main/java/io/trino/gateway/ha/module/HaGatewayProviderModule.java

@@ -145,28 +145,39 @@ private LbFormAuthManager getFormAuthManager(HaGatewayConfiguration configuratio
     private ChainedAuthFilter getAuthenticationFilters(AuthenticationConfiguration config, Authorizer authorizer)
     {
         ImmutableList.Builder<ContainerRequestFilter> authFilters = ImmutableList.builder();
-        String defaultType = config.getDefaultType();
-        if (oauthManager != null) {
-            authFilters.add(new LbFilter(
-                    new LbAuthenticator(oauthManager, authorizationManager),
-                    authorizer,
-                    "Bearer",
-                    new LbUnauthorizedHandler(defaultType)));
+        List<String> authMethods = config.getDefaultTypes();
+        if (authMethods == null || authMethods.isEmpty()) {
+            return new ChainedAuthFilter(authFilters.build());
         }
 
-        if (formAuthManager != null) {
-            authFilters.add(new LbFilter(
-                    new FormAuthenticator(formAuthManager, authorizationManager),
-                    authorizer,
-                    "Bearer",
-                    new LbUnauthorizedHandler(defaultType)));
+        for (String authMethod : authMethods) {
+            switch (authMethod) {
+                case "oauth" -> {
+                    if (oauthManager != null) {
+                        authFilters.add(new LbFilter(
+                                new LbAuthenticator(oauthManager, authorizationManager),
+                                authorizer,
+                                "Bearer",
+                                new LbUnauthorizedHandler("oauth")));
+                    }
+                }
+                case "form" -> {
+                    if (formAuthManager != null) {
+                        authFilters.add(new LbFilter(
+                                new FormAuthenticator(formAuthManager, authorizationManager),
+                                authorizer,
+                                "Bearer",
+                                new LbUnauthorizedHandler("form")));
 
-            authFilters.add(new BasicAuthFilter(
-                    new ApiAuthenticator(formAuthManager, authorizationManager),
-                    authorizer,
-                    new LbUnauthorizedHandler(defaultType)));
+                        authFilters.add(new BasicAuthFilter(
+                                new ApiAuthenticator(formAuthManager, authorizationManager),
+                                authorizer,
+                                new LbUnauthorizedHandler("form")));
+                    }
+                }
+                default -> {}
+            }
         }
-
         return new ChainedAuthFilter(authFilters.build());
     }
 

gateway-ha/src/main/java/io/trino/gateway/ha/resource/LoginResource.java

@@ -16,6 +16,7 @@
 import com.google.common.collect.ImmutableList;
 import com.google.inject.Inject;
 import io.airlift.log.Logger;
+import io.trino.gateway.ha.config.HaGatewayConfiguration;
 import io.trino.gateway.ha.domain.Result;
 import io.trino.gateway.ha.domain.request.RestLoginRequest;
 import io.trino.gateway.ha.security.LbFormAuthManager;
@@ -56,10 +57,12 @@ public class LoginResource
 
     private final LbOAuthManager oauthManager;
     private final LbFormAuthManager formAuthManager;
+    private final HaGatewayConfiguration haGatewayConfiguration;
 
     @Inject
-    public LoginResource(@Nullable LbOAuthManager oauthManager, @Nullable LbFormAuthManager formAuthManager)
+    public LoginResource(HaGatewayConfiguration haGatewayConfiguration, @Nullable LbOAuthManager oauthManager, @Nullable LbFormAuthManager formAuthManager)
     {
+        this.haGatewayConfiguration = haGatewayConfiguration;
         this.oauthManager = oauthManager;
         this.formAuthManager = formAuthManager;
     }
@@ -173,16 +176,13 @@ else if (oauthManager != null) {
     @Produces(MediaType.APPLICATION_JSON)
     public Response loginType()
     {
-        String loginType;
-        if (formAuthManager != null) {
-            loginType = "form";
-        }
-        else if (oauthManager != null) {
-            loginType = "oauth";
+        List<String> loginTypes;
+        if (haGatewayConfiguration.getAuthentication() != null) {
+            loginTypes = haGatewayConfiguration.getAuthentication().getDefaultTypes();
         }
         else {
-            loginType = "none";
+            loginTypes = List.of("none");
         }
-        return Response.ok(Result.ok("Ok", loginType)).build();
+        return Response.ok(Result.ok("Ok", loginTypes)).build();
     }
 }

gateway-ha/src/main/java/io/trino/gateway/ha/security/AuthorizationManager.java

@@ -24,11 +24,13 @@ public class AuthorizationManager
 {
     private final Map<String, UserConfiguration> presetUsers;
     private final LbLdapClient lbLdapClient;
+    private final AuthorizationConfiguration authorizationConfiguration;
 
     public AuthorizationManager(AuthorizationConfiguration configuration,
             Map<String, UserConfiguration> presetUsers)
     {
         this.presetUsers = presetUsers;
+        this.authorizationConfiguration = configuration;
         if (configuration != null && configuration.getLdapConfigPath() != null) {
             lbLdapClient = new LbLdapClient(LdapConfiguration.load(configuration.getLdapConfigPath()));
         }
@@ -49,6 +51,13 @@ public Optional<String> getPrivileges(String username)
         else if (lbLdapClient != null) {
             privs = lbLdapClient.getMemberOf(username);
         }
-        return Optional.ofNullable(privs);
+
+        if (privs == null || privs.trim().isEmpty()) {
+            if (authorizationConfiguration != null && authorizationConfiguration.getDefaultPrivilege() != null) {
+                return Optional.of(authorizationConfiguration.getDefaultPrivilege());
+            }
+            return Optional.empty(); // No default privilege if not configured
+        }
+        return Optional.of(privs);
     }
 }