Add method to provide Identity from Authenticator's in SPI #27387
Conversation
tbaeg
force-pushed
the
connector-authenticator
branch
from
f9a4c25 to
a3aba1e
Compare
|
@dain do you want to chime in? |
core/trino-main/src/main/java/io/trino/server/security/CertificateAuthenticator.java
Outdated
Show resolved
Hide resolved
This describes the code change, but not the context. The Why remains unclear. |
tbaeg
force-pushed
the
connector-authenticator
branch
from
a3aba1e to
fb131c2
Compare
I've updated the description to better outline the problem it's trying to solve along with additional context from another MR/comment. |
| @Deprecated | ||
| Principal createAuthenticatedPrincipal(List<X509Certificate> certificates); |
There was a problem hiding this comment.
I'm mostly interested in the backwards compatibility story (as I'm sure I'll be adjusting a bunch of authenticators to that new API).
- Making this method deprecated indicates that it should not be used or implemented, but it looks like a normal fallback. Is the intent to remove it entirely in the future?
- Renaming this method forces the implementers to make adjustments anyway, can this be avoided?
- Naming the new method the same as the old one is confusing - the correct course of action when someone wants to keep the current behavior is to rename the method in the interface implementation, but the error message will say that the return type is wrong, which suggests something else
There was a problem hiding this comment.
- Making this method deprecated indicates that it should not be used or implemented, but it looks like a normal fallback.
That's how deprecation is done. If the method was no longer called, we would remove it.
There was a problem hiding this comment.
True, except that it's also renamed, making it technically a new method. So implementers of this interface need to adjust anyway. A typical deprecation process would deprecate the method, but implementations would work unchanged.
There was a problem hiding this comment.
Making this method deprecated indicates that it should not be used or implemented, but it looks like a normal fallback. Is the intent to remove it entirely in the future?
My preference would be to remove it entirely. I see limited/deprecated usage of the Principal (i.e. - SystemAccessControl.checkCanSetUser) that further supports removal.
Renaming this method forces the implementers to make adjustments anyway, can this be avoided?
I generally wouldn't rename the deprecated method, but the main reason was for:
- Consistency between authenticators in it's current state.
- The supplanting method name be
authenticate. At it's core, it's really just a naming preference. (authenticatevscreateAuthenticatedIdentity).
Naming the new method the same as the old one is confusing - the correct course of action when someone wants to keep the current behavior is to rename the method in the interface implementation, but the error message will say that the return type is wrong, which suggests something else
I don't disagree it is a tad confusing and I'm not against naming the new method createAuthenticatedIdentity. That said, I don't think most people have a much trouble with this and I prefer to have some pain on some method names if we can get to the desired state faster.
There was a problem hiding this comment.
Sure. Like I said, I will be updating a bunch of authenticators so this affects my work. It's not a big deal for me, though it may be for others. I just wanted to make sure that this is deliberate and well-thought-out. Thanks!
There was a problem hiding this comment.
Sure. Like I said, I will be updating a bunch of authenticators so this affects my work. It's not a big deal for me, though it may be for others. I just wanted to make sure that this is deliberate and well-thought-out. Thanks!
I think your concern is valid and warranted. I will happily change the name to createAuthenticatedIdentity.
tbaeg
force-pushed
the
connector-authenticator
branch
from
fb131c2 to
7153299
Compare
kokosing
left a comment
kokosing
left a comment
There was a problem hiding this comment.
Some authentication methods can also have authorization information (i.e. - Identity.groups population using JWT claims
Populating groups as part of the authentication is wrong path. We had that for oauth2 and we realized it caused a lot of issues problems with views. For groups you should be using group providers.
I don't understand the specific problem that was encountered, but populating group information is just an example of what is possible; not a requirement. This just gives extension writers more flexibility in shaping the This is outside of the scope of this PR, but I'd love to see movement away from |
Can you please elaborate?
I like to post this on github as it is then easier to find in future. |
5 participants
Description
Introduce additional methods to the SPI authenticators to directly provide an
Identity.Problem
Some authentication methods can also have authorization information (i.e. -
Identity.groupspopulation usingJWT claims.. also see comments) but there is no way to provide that information to theIdentitygiven the current implementation (only accepts aPrincipal).Solution
Allow implementing classes to provide an
Identitydirectly. This allows significantly more flexibility in shaping what properties anIdentityhas and better decoupling from main.Release notes
(x) This is not user-visible or is docs only, and no release notes are required.
( ) Release notes are required. Please propose a release note for me.
( ) Release notes are required, with the following suggested text: