Add support for pluggable Custom Presto Authenticators

[imsayari404]

Description

A pluggable authenticator in Presto allows the authentication process to be customized based on specific use cases, such as integrating with different identity providers or token validation strategies.

Motivation and Context

Fixes #24052

Test Plan

Added Unit Tests

Contributor checklist

• Please make sure your submission complies with our development, formatting, commit message, and attribution guidelines.
• PR description addresses the issue accurately and concisely. If the change is non-trivial, a GitHub Issue is referenced.
• Documented new properties (with its default value), SQL syntax, functions, or other functionality.
• If release notes are required, they follow the release notes guidelines.
• Adequate tests were added if applicable.
• CI passed.

Release Notes

Please follow release notes guidelines and fill in the release notes below.

== RELEASE NOTES ==

Security Changes
* Add support for pluggable Custom Presto Authenticators :pr:`#24111`

[pramodsatya]

Thanks @imsayari404, could you please add a test? Will the JwtAuthenticator and PasswordAuthenticator be refactored, as suggested in #24053 (review), in this PR?

[pramodsatya]

Should this be an interface?

[imsayari404]

The PrestoAuthenticator class does not need to be an interface because it serves as a concrete adapter between the Airlift Authenticator interface and the pluggable design provided by PrestoAuthenticator and PrestoAuthenticatorFactory SPI. Its role is to delegate authentication to the PrestoAuthenticatorManager.

[imjalpreet]

@pramodsatya I understand why you might be confused. We have an interface called PrestoAuthenticator in the presto-spi package with the same name.

@tdcmeehan Currently, we've followed the same naming convention as was done for the PasswordAuthenticator SPI. This could lead to confusion since we have an SPI with the same name as the PasswordAuthenticator class in the presto-main package. Do you think we should refactor the class names in presto-main to eliminate the confusion?

[tdcmeehan]

Yes. How about CustomPrestoAuthenticator?

[steveburnett]

Thanks for the doc! A couple of rephrasing suggestions for conciseness.

Also - because this is a new page - you must add

develop/presto-authenticator

to https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/develop.rst

so the new page will show up on the Developer Guide index page https://prestodb.io/docs/current/develop.html .

[imjalpreet]

Will the JwtAuthenticator and PasswordAuthenticator be refactored, as suggested in #24053 (review), in this PR?

@pramodsatya There has been a slight change since my last comment on this issue. After discussions with @tdcmeehan, we introduced a new and more generic SPI that is independent of the current Authenticators. This SPI can be used to implement any type of custom authenticator, without being limited to just a custom implementation of JWT or Password Authenticators.

We decided to keep the current implementation of Password and JWT authenticators unchanged to avoid introducing a breaking change.

[imjalpreet]

@tdcmeehan can you please have a look whenever you get a chance? Thanks!

[steveburnett]

Thanks for the revisions! The page content looks good to me.

However, because this is a new page in the Presto documentation, you must add

develop/presto-authenticator

to https://github.com/prestodb/presto/blob/master/presto-docs/src/main/sphinx/develop.rst

so the new page will show up on the Developer Guide index page in the Presto documentation.

[tdcmeehan]

HttpServletRequest is a little broad because it also returns the input stream of the actual request. In theory, someone could call that in a plugin. I think that should be a loud failure if that happens. Can you implement a subclass of HttpServletRequest, which wraps an inner HttpServletRequest, but throws if you attempt to use any method which modifies the request, or reads something which doesn't support repeatable reads (such as getInputStream)?

[imsayari404]

I've implemented the changes as suggested. I created a subclass of HttpServletRequest that wraps an inner HttpServletRequest and throws an exception if any method is called that modifies the request or accesses non-repeatable data like getInputStream. Let me know if there's anything else you'd like me to adjust.

[tdcmeehan]

It's not necessary right? Just omit this and it will use the parent method.

[tdcmeehan]

Let's call it

Suggested change

	public class RestrictedHttpServletRequest
	public class ReadOnlyHttpServletRequest

[tdcmeehan]

No need for this comment, it is self evident

[imsayari404]

I agree. I'll remove the unnecessary comment and rename the file to CustomPrestoAuthenticator as suggested.

[tdcmeehan]

Yes. How about CustomPrestoAuthenticator?

[tdcmeehan]

Please squash commits.

[tdcmeehan]

Suggested change

	@Override
	public String getAuthType()
	{
	return super.getAuthType();
	}
	@Override
	public Cookie[] getCookies()
	{
	return super.getCookies();
	}
	@Override
	public long getDateHeader(String name)
	{
	return super.getDateHeader(name);
	}
	@Override
	public String getHeader(String name)
	{
	return super.getHeader(name);
	}
	@Override
	public Enumeration<String> getHeaders(String name)
	{
	return super.getHeaders(name);
	}
	@Override
	public Enumeration<String> getHeaderNames()
	{
	return super.getHeaderNames();
	}
	@Override
	public int getIntHeader(String name)
	{
	return super.getIntHeader(name);
	}
	@Override
	public String getMethod()
	{
	return super.getMethod();
	}
	@Override
	public String getPathInfo()
	{
	return super.getPathInfo();
	}
	@Override
	public String getContextPath()
	{
	return super.getContextPath();
	}
	@Override
	public String getQueryString()
	{
	return super.getQueryString();
	}
	@Override
	public String getRemoteUser()
	{
	return super.getRemoteUser();
	}
	@Override
	public boolean isUserInRole(String role)
	{
	return super.isUserInRole(role);
	}
	@Override
	public Principal getUserPrincipal()
	{
	return super.getUserPrincipal();
	}
	@Override
	public String getRequestedSessionId()
	{
	return super.getRequestedSessionId();
	}
	@Override
	public String getRequestURI()
	{
	return super.getRequestURI();
	}
	@Override
	public StringBuffer getRequestURL()
	{
	return super.getRequestURL();
	}
	@Override
	public String getServletPath()
	{
	return super.getServletPath();
	}
	@Override
	public HttpSession getSession(boolean create)
	{
	return super.getSession(create);
	}
	@Override
	public HttpSession getSession()
	{
	return super.getSession();
	}
	@Override
	public String changeSessionId()
	{
	return super.changeSessionId();
	}
	@Override
	public boolean isRequestedSessionIdValid()
	{
	return super.isRequestedSessionIdValid();
	}
	@Override
	public boolean isRequestedSessionIdFromCookie()
	{
	return super.isRequestedSessionIdFromCookie();
	}
	@Override
	public boolean isRequestedSessionIdFromURL()
	{
	return super.isRequestedSessionIdFromURL();
	}
	@Override
	public boolean isRequestedSessionIdFromUrl()
	{
	return super.isRequestedSessionIdFromUrl();
	}
	@Override
	public Map<String, String[]> getParameterMap()
	{
	return super.getParameterMap();
	}
	@Override
	public String[] getParameterValues(String name)
	{
	return super.getParameterValues(name);
	}

Just remove these, they will all use the parent's implementation if they are not specified.

[tdcmeehan]

Can you make this exception more specific?

[tdcmeehan]

Let's just let it throw.

[tdcmeehan]

Suggested change

	ReadOnlyHttpServletRequest restrictedRequest = new ReadOnlyHttpServletRequest(request);
	return authenticatorManager.getAuthenticator().createAuthenticatedPrincipal(restrictedRequest);
	authenticatorManager.getAuthenticator().createAuthenticatedPrincipal(new ReadOnlyHttpServletRequest(request));

[tdcmeehan]

Instead of this flag, let's just pass in the SecurityConfig as a parameter to this class and @Inject it. And just check in the constructor if CUSTOM is one of the authentication types. Then we can make it immutable, private final boolean.

Finally, let's name it something else, like customAuthenticatorRequested.

[tdcmeehan]

I believe this could be problematic. I don't think it's a great idea to add the servlet API to the SPI. Instead, wondering if we can do something similar, like just authenticating the headers. That way, instead of the API surface being a ServletRequest, it could just be a map representing the headers.

[imjalpreet]

We can undo this change since we are removing the dependency from HttpServletRequest in the new SPI.

[imjalpreet]

We can undo this change since we are removing the dependency from HttpServletRequest in the new SPI.

[imjalpreet]

@imsayari404 thanks for the changes, I have taken another pass and added a few comments.

[imjalpreet]

nit: this is not required, please remove this.

[imjalpreet]

nit: we can move this method after all the public methods

[imjalpreet]

Some headers can be sent by clients as several headers each with a different value. So, we should update this to Map<String, List<String>>

[imjalpreet]

We can use request.getHeaders(headerName) to get all the values.

[imjalpreet]

nit: let's wrap this in AuthenticationException

Suggested change

	throw e;
	throw new AuthenticationException(e.getMessage());

[imjalpreet]

After making the headers map in SPI to Map<String, List<String>>, we can refactor this.

Suggested change

	return (httpRequest) -> {
	// TEST_HEADER will have value of the form PART1:PART2
	String[] header = httpRequest.get(TEST_HEADER).split(":");
	if (header[0].equals(this.validHeaderValue)) {
	return new BasicPrincipal(header[1]);
	}
	throw new AccessDeniedException("Authentication Failed!");
	};
	return (headers) -> {
	// TEST_HEADER will have value of the form PART1:PART2
	String[] header = headers.get(TEST_HEADER).get(0).split(":");
	if (header[0].equals(this.validHeaderValue)) {
	return new BasicPrincipal(header[1]);
	}
	throw new AccessDeniedException("Authentication Failed!");
	};

[imjalpreet]

please remove this class since this is unused

[imjalpreet]

Change the headers map to Map<String, List<String>>

[imjalpreet]

We can remove this class as this is unused

[imjalpreet]

Please remove this as well

[imjalpreet]

@imsayari404 thanks, mostly LGTM now, just a few minor comments.

[imjalpreet]

nit: empty line can be removed

[imjalpreet]

We can refactor this method and use Java Stream API

Suggested change

	Map<String, List<String>> headers = new HashMap<>();
	Enumeration<String> headerNames = request.getHeaderNames();
	while (headerNames.hasMoreElements()) {
	String headerName = headerNames.nextElement();
	Enumeration<String> headerValues = request.getHeaders(headerName);
	List<String> valuesList = new ArrayList<>();
	while (headerValues.hasMoreElements()) {
	valuesList.add(headerValues.nextElement());
	}
	headers.put(headerName, valuesList);
	}
	return headers;
	return Collections.list(request.getHeaderNames())
	.stream()
	.collect(Collectors.toMap(
	headerName -> headerName,
	headerName -> Collections.list(request.getHeaders(headerName))
	));

[imjalpreet]

Similar to the previous comment, please refactor this as well.

[imjalpreet]

@imsayari404 thanks, changes LGTM, can we squash the commits into relevant commits?

[imjalpreet]

LGTM 👍🏼

[steveburnett]

LGTM! (docs)

Pulled updated branch, new local doc build, looks good. Thanks!

[imsayari404]

Hi @tdcmeehan ,
I’ve addressed all the requested changes in the PR, and it’s ready for another round of review. Could you please take a look when you get a chance? Let me know if there’s anything else that needs to be updated.

[tdcmeehan]

Just some nits, otherwise LGTM

[tdcmeehan]

Let's just let it throw.

[tdcmeehan]

Suggested change

	.collect(Collectors.toMap(
	.collect(toImmutableMap(

[tdcmeehan]

Suggested change

	return Collections.list(request.getHeaderNames())
	return list(request.getHeaderNames())

[tdcmeehan]

Suggested change

	headerName -> Collections.list(request.getHeaders(headerName))));
	headerName -> list(request.getHeaders(headerName))));

[imjalpreet]

One minor change, otherwise LGTM

[imjalpreet]

We will need to catch AccessDeniedException here and throw it as AuthenticationException, we cannot remove that.

[imjalpreet]

We can remove the catch clause for RuntimeException but we need to catch AccessDeniedException.

[imjalpreet]

@imsayari404 Thanks for the PR, LGTM!

[imjalpreet]

@tdcmeehan This should be good for another review. Thank you.