Support for external identity providers

polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java

@@ -30,7 +30,7 @@ public class AuthenticatedPolarisPrincipal implements java.security.Principal {
   public AuthenticatedPolarisPrincipal(
       @Nonnull PolarisEntity principalEntity, @Nonnull Set<String> activatedPrincipalRoles) {
     this.principalEntity = principalEntity;
-    this.activatedPrincipalRoleNames = activatedPrincipalRoles;
+    this.activatedPrincipalRoleNames = Set.copyOf(activatedPrincipalRoles);
   }
 
   @Override
@@ -42,6 +42,13 @@ public PolarisEntity getPrincipalEntity() {
     return principalEntity;
   }
 
+  /**
+   * Returns the set of activated principal role names. Activated role names are the roles that were
+   * explicitly requested by the client when authenticating, through JWT claims or other means.
+   *
+   * <p>By convention, this method returns an empty set when the principal is requesting all
+   * available principal roles.
+   */
   public Set<String> getActivatedPrincipalRoleNames() {
     return activatedPrincipalRoleNames;
   }

polaris-core/src/main/java/org/apache/polaris/core/config/ProductionReadinessCheck.java

@@ -32,6 +32,10 @@ static ProductionReadinessCheck of(Error... errors) {
     return ImmutableProductionReadinessCheck.builder().addErrors(errors).build();
   }
 
+  static ProductionReadinessCheck of(Iterable<? extends Error> errors) {
+    return ImmutableProductionReadinessCheck.builder().addAllErrors(errors).build();
+  }
+
   default boolean ready() {
     return getErrors().isEmpty();
   }

quarkus/defaults/build.gradle.kts

@@ -35,6 +35,7 @@ dependencies {
   compileOnly("io.quarkus:quarkus-smallrye-health")
   compileOnly("io.quarkus:quarkus-micrometer")
   compileOnly("io.quarkus:quarkus-micrometer-registry-prometheus")
+  compileOnly("io.quarkus:quarkus-oidc")
   compileOnly("io.quarkus:quarkus-opentelemetry")
   compileOnly("io.quarkus:quarkus-smallrye-context-propagation")
 }

quarkus/defaults/src/main/resources/application.properties

@@ -30,6 +30,7 @@ quarkus.http.compress-media-types=application/json,text/html,text/plain
 quarkus.management.enabled=true
 quarkus.micrometer.enabled=true
 quarkus.micrometer.export.prometheus.enabled=true
+quarkus.oidc.enabled=true
 quarkus.otel.enabled=true
 
 # ---- Runtime Configuration ----
@@ -74,6 +75,18 @@ quarkus.log.category."io.smallrye.config".level=INFO
 quarkus.management.port=8182
 quarkus.management.test-port=0
 
+# OIDC settings. These settings are required only when using external authentication providers.
+# See https://quarkus.io/guides/security-oidc-configuration-properties-reference
+# Default tenant (disabled by default, set this to true if you use external authentication)
+quarkus.oidc.tenant-enabled=false
+# quarkus.oidc.auth-server-url=https://auth.example.com/realms/polaris
+# quarkus.oidc.client-id=polaris
+# Roles mapping; see https://quarkus.io/guides/security-oidc-bearer-token-authentication#token-claims-and-security-identity-roles
+# quarkus.oidc.roles.role-claim-path=realm/groups
+# Named tenants:
+# quarkus.oidc.idp1.auth-server-url=https://auth.example.com/realms/polaris2
+# quarkus.oidc.idp1.client-id=polaris2
+
 # quarkus.otel.sdk.disabled is set to `true` by default to avoid spuriour errors about
 # trace collector connections being impossible to establish. This setting can be enabled
 # at runtime after configuring other OTel properties for proper trace data collection.
@@ -130,7 +143,14 @@ polaris.rate-limiter.token-bucket.window=PT10S
 
 polaris.active-roles-provider.type=default
 
+# Polaris authentication settings
+polaris.authentication.type=internal
 polaris.authentication.authenticator.type=default
+# Per-realm overrides:
+# polaris.authentication.realm1.type=external
+# polaris.authentication.realm1.authenticator.type=custom
+
+# Options effective when using internal auth (can be overridden in per realm):
 polaris.authentication.token-service.type=default
 polaris.authentication.token-broker.type=rsa-key-pair
 polaris.authentication.token-broker.max-token-generation=PT1H
@@ -139,6 +159,27 @@ polaris.authentication.token-broker.max-token-generation=PT1H
 # polaris.authentication.token-broker.symmetric-key.secret=secret
 # polaris.authentication.token-broker.symmetric-key.file=/tmp/symmetric.key
 
+# OIDC Principals mapping
+polaris.oidc.principal-mapper.type=default
+# polaris.oidc.principal-mapper.id-claim-path=sub
+# polaris.oidc.principal-mapper.name-claim-path=preferred_username
+# Per-tenant overrides:
+# polaris.oidc.idp1.principal-mapper.id-claim-path=polaris/principal_id
+# polaris.oidc.idp1.principal-mapper.name-claim-path=polaris/principal_name
+
+# OIDC Principal roles mapping
+polaris.oidc.principal-roles-mapper.type=default
+# Principal role mapping is done through quarkus.oidc.roles.role-claim-path
+# The properties below define how the roles mapped by Quarkus are converted to Polaris roles
+# polaris.oidc.principal-roles-mapper.filter=PRINCIPAL_ROLE:.*
+# polaris.oidc.principal-roles-mapper.mappings[0].regex=PRINCIPAL_ROLE:(.*)
+# polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:$1
+# Per-tenant overrides:
+# polaris.oidc.idp1.principal-roles-mapper.type=custom
+# polaris.oidc.idp1.principal-roles-mapper.filter=POLARIS_ROLE:.*
+# polaris.oidc.idp1.principal-roles-mapper.mappings[0].regex=POLARIS_ROLE:(.*)
+# polaris.oidc.idp1.principal-roles-mapper.mappings[0].replacement=POLARIS_ROLE:$1
+
 # If the following properties are unset, the default credential provider chain will be used
 # polaris.storage.aws.access-key=accessKey
 # polaris.storage.aws.secret-key=secretKey

quarkus/service/build.gradle.kts

@@ -47,6 +47,7 @@ dependencies {
   implementation("io.quarkus:quarkus-smallrye-health")
   implementation("io.quarkus:quarkus-micrometer")
   implementation("io.quarkus:quarkus-micrometer-registry-prometheus")
+  implementation("io.quarkus:quarkus-oidc")
   implementation("io.quarkus:quarkus-opentelemetry")
   implementation("io.quarkus:quarkus-security")
   implementation("io.quarkus:quarkus-smallrye-context-propagation")

quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/ActiveRolesAugmentor.java

@@ -32,33 +32,47 @@
 
 /**
  * A custom {@link SecurityIdentityAugmentor} that adds active roles to the {@link
- * SecurityIdentity}. This is used to augment the identity with active roles after authentication.
+ * SecurityIdentity}. This is used to augment the identity with valid active roles after
+ * authentication.
  */
 @ApplicationScoped
 public class ActiveRolesAugmentor implements SecurityIdentityAugmentor {
 
-  @Inject ActiveRolesProvider activeRolesProvider;
+  // must run after AuthenticatingAugmentor
+  public static final int PRIORITY = AuthenticatingAugmentor.PRIORITY - 1;
+
+  private final ActiveRolesProvider activeRolesProvider;
+
+  @Inject
+  public ActiveRolesAugmentor(ActiveRolesProvider activeRolesProvider) {
+    this.activeRolesProvider = activeRolesProvider;
+  }
+
+  @Override
+  public int priority() {
+    return PRIORITY;
+  }
 
   @Override
   public Uni<SecurityIdentity> augment(
       SecurityIdentity identity, AuthenticationRequestContext context) {
     if (identity.isAnonymous()) {
       return Uni.createFrom().item(identity);
     }
-    return context.runBlocking(() -> augmentWithActiveRoles(identity));
+    return context.runBlocking(() -> validateActiveRoles(identity));
   }
 
-  private SecurityIdentity augmentWithActiveRoles(SecurityIdentity identity) {
-    AuthenticatedPolarisPrincipal polarisPrincipal =
-        identity.getPrincipal(AuthenticatedPolarisPrincipal.class);
-    if (polarisPrincipal == null) {
+  private SecurityIdentity validateActiveRoles(SecurityIdentity identity) {
+    if (!(identity.getPrincipal() instanceof AuthenticatedPolarisPrincipal)) {
       throw new AuthenticationFailedException("No Polaris principal found");
     }
+    AuthenticatedPolarisPrincipal polarisPrincipal =
+        identity.getPrincipal(AuthenticatedPolarisPrincipal.class);
     Set<String> validRoleNames = activeRolesProvider.getActiveRoles(polarisPrincipal);
     return QuarkusSecurityIdentity.builder()
         .setAnonymous(false)
         .setPrincipal(polarisPrincipal)
-        .addRoles(validRoleNames)
+        .addRoles(validRoleNames) // replace the current roles with valid ones
         .addCredentials(identity.getCredentials())
         .addAttributes(identity.getAttributes())
         .addPermissionChecker(identity::checkPermission)

quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/AuthenticatingAugmentor.java

@@ -0,0 +1,87 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.service.quarkus.auth;
+
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.SecurityIdentityAugmentor;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
+import io.smallrye.mutiny.Uni;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import org.apache.iceberg.exceptions.NotAuthorizedException;
+import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
+import org.apache.polaris.service.auth.Authenticator;
+import org.apache.polaris.service.auth.PrincipalAuthInfo;
+
+/**
+ * A custom {@link SecurityIdentityAugmentor} that, after Quarkus OIDC or Internal Auth extracted
+ * and validated the principal credentials, augments the {@link SecurityIdentity} by authenticating
+ * the principal and setting an {@link AuthenticatedPolarisPrincipal} as the identity's principal.
+ */
+@ApplicationScoped
+public class AuthenticatingAugmentor implements SecurityIdentityAugmentor {
+
+  public static final int PRIORITY = 1000;
+
+  private final Authenticator<PrincipalAuthInfo, AuthenticatedPolarisPrincipal> authenticator;
+
+  @Inject
+  public AuthenticatingAugmentor(
+      Authenticator<PrincipalAuthInfo, AuthenticatedPolarisPrincipal> authenticator) {
+    this.authenticator = authenticator;
+  }
+
+  @Override
+  public int priority() {
+    return PRIORITY;
+  }
+
+  @Override
+  public Uni<SecurityIdentity> augment(
+      SecurityIdentity identity, AuthenticationRequestContext context) {
+    if (identity.isAnonymous()) {
+      return Uni.createFrom().item(identity);
+    }
+    PrincipalAuthInfo authInfo = extractPrincipalAuthInfo(identity);
+    return context.runBlocking(() -> authenticatePolarisPrincipal(identity, authInfo));
+  }
+
+  private PrincipalAuthInfo extractPrincipalAuthInfo(SecurityIdentity identity) {
+    QuarkusPrincipalAuthInfo credential = identity.getCredential(QuarkusPrincipalAuthInfo.class);
+    if (credential == null) {
+      throw new AuthenticationFailedException("No token credential available");
+    }
+    return credential;
+  }
+
+  private SecurityIdentity authenticatePolarisPrincipal(
+      SecurityIdentity identity, PrincipalAuthInfo authInfo) {
+    try {
+      AuthenticatedPolarisPrincipal polarisPrincipal =
+          authenticator
+              .authenticate(authInfo)
+              .orElseThrow(() -> new NotAuthorizedException("Authentication failed"));
+      return QuarkusSecurityIdentity.builder(identity).setPrincipal(polarisPrincipal).build();
+    } catch (RuntimeException e) {
+      throw new AuthenticationFailedException(e);
+    }
+  }
+}

quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/QuarkusAuthenticationConfiguration.java

@@ -19,44 +19,19 @@
 package org.apache.polaris.service.quarkus.auth;
 
 import io.smallrye.config.ConfigMapping;
+import io.smallrye.config.WithDefaults;
+import io.smallrye.config.WithParentName;
+import io.smallrye.config.WithUnnamedKey;
+import java.util.Map;
 import org.apache.polaris.service.auth.AuthenticationConfiguration;
 
 @ConfigMapping(prefix = "polaris.authentication")
-public interface QuarkusAuthenticationConfiguration extends AuthenticationConfiguration {
+public interface QuarkusAuthenticationConfiguration
+    extends AuthenticationConfiguration<QuarkusAuthenticationRealmConfiguration> {
 
+  @WithParentName
+  @WithUnnamedKey(DEFAULT_REALM_KEY)
+  @WithDefaults
   @Override
-  QuarkusAuthenticatorConfiguration authenticator();
-
-  @Override
-  QuarkusTokenServiceConfiguration tokenService();
-
-  @Override
-  QuarkusTokenBrokerConfiguration tokenBroker();
-
-  interface QuarkusAuthenticatorConfiguration extends AuthenticatorConfiguration {
-
-    /**
-     * The type of the authenticator. Must be a registered {@link
-     * org.apache.polaris.service.auth.Authenticator} identifier.
-     */
-    String type();
-  }
-
-  interface QuarkusTokenServiceConfiguration extends TokenServiceConfiguration {
-
-    /**
-     * The type of the OAuth2 service. Must be a registered {@link
-     * org.apache.polaris.service.catalog.api.IcebergRestOAuth2ApiService} identifier.
-     */
-    String type();
-  }
-
-  interface QuarkusTokenBrokerConfiguration extends TokenBrokerConfiguration {
-
-    /**
-     * The type of the token broker factory. Must be a registered {@link
-     * org.apache.polaris.service.auth.TokenBrokerFactory} identifier.
-     */
-    String type();
-  }
+  Map<String, QuarkusAuthenticationRealmConfiguration> realms();
 }