Comments (6)
Just some notes:
HBA explicitly picks up the first matching entry:
https://github.com/crate/crate/blob/master/server/src/main/java/io/crate/auth/HostBasedAuthentication.java#L175
We would need to try to auth against all matching entries.
Also, this is HTTP specific since the PG protocol cannot have jwt auth.
from crate.
Just for reference the errors we get when using the auth method which is configured 2nd:
- config
- -Cauth.host_based.config.98.method=jwt
- -Cauth.host_based.config.98.protocol=http
- -Cauth.host_based.config.99.method=password
- request with username/pwd
$ curl -u myuser:mypwd -X POST -d '{"stmt":"select current_user;"}' -H "Content-Type: application/json" https://localhost:4200/_sql -k -v
< HTTP/1.1 401 Unauthorized
< content-length: 144
* Authentication problem. Ignoring this.
< www-authenticate: Basic realm="CrateDB Authenticator"
<
jwt authentication failed for user myuser. Reason: Cannot invoke "com.auth0.jwt.interfaces.DecodedJWT.getIssuer()" because "decodedJWT" is null
... and with swapped order
- -Cauth.host_based.config.98.method=password
- -Cauth.host_based.config.99.method=jwt
- -Cauth.host_based.config.99.protocol=http
- request with jwt
$ curl -X POST -d '{"stmt":"select current_user;"}' -H "Content-Type: application/json" https://localhost:4200/_sql -k -H "Authorization: Bearer {jwt}" -v
< HTTP/1.1 401 Unauthorized
< content-length: 46
< www-authenticate: Basic realm="CrateDB Authenticator"
<
password authentication failed for user "my_jwt_user"
We would need to try to auth against all matching entries.
That's cumbersome and also can be not nice in the implementation because of the "jwt-is-only-http" aspect.
I think instead of going through all methods we can adjust the HBA method resolving to the following:
- if the resolved method is already a single one, use it.
- if we have multiple matching methods, pick up the one which corresponds to the header payload - we cannot mix different headers.
This way we still have jwt/password differentiation, which is less confusing than having jwt_or_password,
and also keep the possibility of granular config per user, i.e. "allow only jwt for Georg".
I wonder if we should treat this as a bug. Regardless of JWT, but speaking from the HBA point of view - we have a request that matches HBA and fails for either of jwt/password because of the order.
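The two resolution strategies discussed above (documented "first matching entry wins" versus "with several matches, take the entry whose method fits the Authorization header"), as an added, constructed Python model that is not CrateDB's code. It parses the `-Cauth.host_based.config.<order>.<key>=<value>` flags quoted in the thread; the host/address check is left out and only protocol and user constraints are modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of the HBA resolution discussed in the thread; not CrateDB code.
# Entries mirror the -Cauth.host_based.config.<order>.<key>=<value> flags quoted above.
@dataclass
class HbaEntry:
    order: str
    method: str                      # "jwt", "password", ...
    protocol: Optional[str] = None   # e.g. "http"; None matches any protocol
    user: Optional[str] = None       # None matches any user

def parse_hba_settings(flags):
    """Group -Cauth.host_based.config.<order>.<key>=<value> flags into entries, sorted by order."""
    by_order = {}
    for flag in flags:
        key, _, value = flag.lstrip("-").partition("=")
        parts = key.split(".")
        if parts[:3] != ["Cauth", "host_based", "config"] or len(parts) != 5:
            continue
        by_order.setdefault(parts[3], {})[parts[4]] = value
    return [HbaEntry(order=o, **attrs)
            for o, attrs in sorted(by_order.items(), key=lambda kv: int(kv[0]))]

def credential_type(auth_header):
    """Map the Authorization scheme to the HBA method it can satisfy (None if neither)."""
    if not auth_header:
        return None
    return {"basic": "password", "bearer": "jwt"}.get(auth_header.split(" ", 1)[0].lower())

def matching_entries(entries, protocol, user):
    """Entries whose protocol/user constraints allow this request (host check omitted)."""
    return [e for e in entries if e.protocol in (None, protocol) and e.user in (None, user)]

def resolve_first_match(entries, protocol, user):
    """Documented behaviour: the first matching entry decides, whatever credentials were sent."""
    matched = matching_entries(entries, protocol, user)
    return matched[0].method if matched else None

def resolve_by_credential(entries, protocol, user, auth_header):
    """Proposed behaviour: with several matches, prefer the entry whose method fits the header."""
    matched = matching_entries(entries, protocol, user)
    if not matched:
        return None
    wanted = credential_type(auth_header)
    return next((e.method for e in matched if e.method == wanted), matched[0].method)
```

With the thread's first configuration (98 = jwt/http, 99 = password) a Basic request resolves to `jwt` under the documented rule, which is the 401 shown above, and to `password` under the proposed rule; a pg-protocol request never sees the http-only jwt entry under either rule.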
can be not nice in implementation because of "jwt-is-only-http" aspect.
That is however related to the actual implementation. If JWT had been implemented to reuse the password field (as suggested in the original ticket), one could also have easily used it via the PostgreSQL wire protocol. If "password" were instead treated as a more generic "use the HTTP authorization header" approach, this would also be a non-issue.
This issue arises from treating JWT as a separate authentication mode solely for HTTP connections. Whether this is a bug or not is irrelevant; the feature was intended for hosted use cases. Just as we expect to use the PostgreSQL wire protocol and the HTTP endpoint with the same user, we also anticipated using password and JWT authentication with the same user. As it stands, we can't make much use of it. As we did agree to treat new features as experimental to some degree and only consider them stable after iterations, we can't make much use of it right now. While this technically might not be a bug (since it wasn't specified in the original request, nor was the contrary), I would still love to see this resolved quickly within this (5.7) or the next minor release (5.8).
If the HBA matched not only the host but also the authentication method provided by the user's authentication attempt, this issue would be resolved.
i.e.
if we have multiple matching methods, pickup one which corresponds to the header payload - we cannot mix different headers.
would be favourable
I wonder if we should treat this as a bug. Irrelevant of JWT but speaking from HBA point of view - we have a request that matches HBA and fails for either of jwt/password because of the order.
Added a bug label for now, will discuss with the team later
UPD: Removed bug as "picking up first" is documented behavior.
From https://cratedb.com/docs/crate/reference/en/latest/admin/auth/hba.html
The authentication method of the first entry that matches the client user and address will be used. If the authentication attempt fails, subsequent entries will not be considered. The entry look-up order is determined by the order identifier of each entry.
Hi @proddata, thx for reporting. Fix will be available in the next 5.7.2 hotfix release