
Server Authorization

Server Authorization can be enabled in Unity Catalog Server using the server.authorization property in the etc/conf/server.properties configuration file.

To enable server authorization, set the server.authorization property to enable (case-insensitive).

With server authorization enabled, Unity Catalog Server registers AuthDecorator to intercept all requests to /api/2.1/unity-catalog/-prefixed URLs.

Bearer Authentication

From OpenAPI Guide (extra spacing mine):

Bearer Authentication (token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens.

The name "Bearer authentication" can be understood as "give access to the bearer of this token."

The bearer token is a cryptic string, usually generated by the server in response to a login request.

The client must send this token in the Authorization header when making requests to protected resources:

Authorization: Bearer <token>

The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750.

Bearer authentication should only be used over HTTPS (SSL).

Demo

Enable Server Authorization

Add the following to etc/conf/server.properties:

server.authorization=enable

Tip

Enable the ALL logging level for the io.unitycatalog.server.service.AuthDecorator logger.

Start the Unity Catalog server.

Unauthorized Access

❯ ./bin/uc catalog list
Exception in thread "main" java.lang.RuntimeException: io.unitycatalog.client.ApiException: listCatalogs call failed with: 401 - {"error_code":"UNAUTHENTICATED","details":[{"reason":"UNAUTHENTICATED","metadata":{},"@type":"google.rpc.ErrorInfo"}],"stack_trace":null,"message":"No authorization found."}
    at io.unitycatalog.cli.UnityCatalogCli.main(UnityCatalogCli.java:127)
Caused by: io.unitycatalog.client.ApiException: listCatalogs call failed with: 401 - {"error_code":"UNAUTHENTICATED","details":[{"reason":"UNAUTHENTICATED","metadata":{},"@type":"google.rpc.ErrorInfo"}],"stack_trace":null,"message":"No authorization found."}
    at io.unitycatalog.client.api.CatalogsApi.getApiException(CatalogsApi.java:77)
    at io.unitycatalog.client.api.CatalogsApi.listCatalogsWithHttpInfo(CatalogsApi.java:356)
    at io.unitycatalog.client.api.CatalogsApi.listCatalogs(CatalogsApi.java:333)
    at io.unitycatalog.cli.CatalogCli.listCatalogs(CatalogCli.java:74)
    at io.unitycatalog.cli.CatalogCli.handle(CatalogCli.java:39)
    at io.unitycatalog.cli.UnityCatalogCli.main(UnityCatalogCli.java:92)

Authorized Access

Use subject_token as specified in etc/conf/token.txt.

./bin/uc --auth_token $(cat etc/conf/token.txt) catalog list
┌─────┬────────────┬──────────┬─────────────┬──────────┬────────────────────────────────────┐
│NAME │  COMMENT   │PROPERTIES│ CREATED_AT  │UPDATED_AT│                 ID                 │
├─────┼────────────┼──────────┼─────────────┼──────────┼────────────────────────────────────┤
│unity│Main catalog│{}        │1721234405334│null      │f029b870-9468-4f10-badc-630b41e5690d│
└─────┴────────────┴──────────┴─────────────┴──────────┴────────────────────────────────────┘

You should see the following DEBUG messages in the server logs:

DEBUG io.unitycatalog.server.service.AuthDecorator:44 - AuthDecorator checking /api/2.1/unity-catalog/catalogs?max_results=100
DEBUG io.unitycatalog.server.service.AuthDecorator:44 - AuthDecorator checking /api/2.1/unity-catalog/catalogs?max_results=100
DEBUG io.unitycatalog.server.service.AuthDecorator:69 - Validating access-token for issuer: internal
DEBUG io.unitycatalog.server.service.AuthDecorator:78 - Access allowed for subject: "admin"
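
A pre-start check for the two files used in this demo, as an added example (not Unity Catalog's own code): it reports when server.authorization is missing or not set to enable, and when the token file is accessible to users other than its owner. The function names, the simplified properties parsing (no line continuations) and the sample configuration are assumptions made for illustration.

```python
import os
import stat

PROP = "server.authorization"  # property name from this page


def read_properties(text):
    """Parse simple key=value or key:value lines (no line continuations).

    Assumes Java-style properties syntax; a later duplicate key wins.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        cut = min((i for i in (line.find("="), line.find(":")) if i >= 0),
                  default=len(line))
        props[line[:cut].strip()] = line[cut + 1:].strip()
    return props


def audit(conf_text, token_path=None):
    """Return a list of findings; an empty list means nothing to report."""
    findings = []
    value = read_properties(conf_text).get(PROP)
    if value is None:
        findings.append(f"{PROP} is not set")
    elif value.lower() != "enable":  # the page: 'enable', case-insensitive
        findings.append(f"{PROP}={value!r} is not 'enable'")
    if token_path is not None:
        mode = stat.S_IMODE(os.stat(token_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):  # any group/other access
            findings.append(f"{token_path} has mode {mode:o}; restrict to owner")
    return findings


# Constructed sample: the commented-out line enables nothing, and the
# later 'true' is not the value this page documents.
SAMPLE = """\
# server.authorization=enable
some.other.property = 1
server.authorization=true
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

To check a real installation, pass the contents of etc/conf/server.properties as conf_text and etc/conf/token.txt as token_path.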