nozjkoitop opened a new pull request, #18778:
URL: https://github.com/apache/druid/pull/18778

   
   ### Description
   
   This PR aims to enable flexible mapping of OIDC/JWT roles to Druid roles.
   By default, the pac4j OIDC authentication only maps the `sub` claim to a 
single Druid role, which is extremely inconvenient. 
   This PR adds support for extracting roles from any nested claim path in the 
JWT.
   
   ### Configuration
   
   New property introduced in runtime.properties:
   ```properties
   # Dot-separated path to the claim containing user roles
   druid.auth.pac4j.oidc.roleClaimPath=resource_access.client.roles
   ```
   When set, all values found at `roleClaimPath` are mapped 1:1 to Druid roles.
   * Path format: `a.b.c` for nested JSON fields
   * Claim may contain a single value or be multivalued
   * If not set, behavior remains unchanged (maps `sub` to a single Druid role)
   
   #### Example JWT payload
   
   ```json
   {
     "iss": "https://idp.example.com/",
     "sub": "user123",
     "...": "...",
     "resource_access": {
       "client": {
         "roles": ["role1", "role2"]
       }
     },
     "...": "..."
   }
   ```
   With the configuration:
   ```properties
   druid.auth.pac4j.oidc.roleClaimPath=resource_access.client.roles
   ```
   The authenticated user will be assigned Druid roles role1 and role2, if 
those roles exist in the Druid security configuration.
   
   #### Release note
   Added support for extracting OIDC/JWT roles from a configurable nested claim 
path and mapping them directly to Druid roles.
   
   <hr>
   
   ##### Key changed/added classes in this PR
    * `RoleBasedAuthGen`
    * `Pac4jFilter`
    * `RoleProviderUtil`
    * `LDAPRoleProvider`
    * `MetadataStoreRoleProvider`
   
   
   <hr>
   
   
   This PR has:
   
   - [x] been self-reviewed.
   - [x] added documentation for new or modified features or behaviors.
   - [x] a release note entry in the PR description.
   - [ ] added or updated version, license, or notice information in 
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
   - [ ] added comments explaining the "why" and the intent of the code 
wherever would not be obvious for an unfamiliar reader.
   - [x] added unit tests or modified existing tests to cover new code paths, 
ensuring the threshold for [code 
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
 is met.
   - [ ] added integration tests.
   - [x] been tested in a test Druid cluster.
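The claim-path lookup the description sketches (a dot-separated path such as `resource_access.client.roles`, a claim that is either scalar or multivalued, and only roles that exist in Druid's security configuration taking effect), as an added Python illustration; this is not the PR's Java implementation, and `SAMPLE_CLAIMS` and `KNOWN_DRUID_ROLES` are constructed sample data.

```python
import json

# Constructed sample of a decoded JWT payload, modelled on the PR description.
SAMPLE_CLAIMS = json.loads("""
{
  "iss": "https://idp.example.com/",
  "sub": "user123",
  "resource_access": {
    "client": {"roles": ["role1", "role2", "not-a-druid-role"]},
    "other": {"roles": "single_role"}
  }
}
""")

# Constructed stand-in for the roles defined in Druid's security configuration.
KNOWN_DRUID_ROLES = {"role1", "role2", "single_role", "admin"}


def resolve_claim_path(claims, path):
    """Walk a dot-separated path (a.b.c) through nested JSON claims.

    Returns None if any segment is missing or a non-object is reached early,
    so a misconfigured path yields no roles instead of an exception."""
    node = claims
    for segment in path.split("."):
        if not isinstance(node, dict) or segment not in node:
            return None
        node = node[segment]
    return node


def roles_from_claims(claims, role_claim_path=None):
    """Without a path, keep the default behaviour: `sub` becomes one role.
    With a path, every value found there maps 1:1 to a Druid role name;
    a scalar claim value is treated as a one-element list."""
    if role_claim_path is None:
        return [claims["sub"]]
    value = resolve_claim_path(claims, role_claim_path)
    if value is None:
        return []
    if isinstance(value, list):
        return [str(v) for v in value]
    return [str(value)]


def effective_druid_roles(claims, role_claim_path, known_roles):
    """Only role names that actually exist in Druid's configuration apply;
    unknown names from the IdP are silently dropped."""
    return sorted(r for r in roles_from_claims(claims, role_claim_path) if r in known_roles)
```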


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.