Server Authorization
Server Authorization can be enabled in Unity Catalog Server using the server.authorization property in the etc/conf/server.properties configuration file.
To enable server authorization, the server.authorization property should be set to enable (case-insensitive).
With server authorization enabled, Unity Catalog Server registers AuthDecorator to intercept all requests to /api/2.1/unity-catalog/-prefixed URLs.
Bearer Authentication
From OpenAPI Guide (extra spacing mine):
Bearer Authentication (token authentication) is an HTTP authentication scheme that involves security tokens called bearer tokens.
The name "Bearer authentication" can be understood as "give access to the bearer of this token."
The bearer token is a cryptic string, usually generated by the server in response to a login request.
The client must send this token in the Authorization header when making requests to protected resources:
The Bearer authentication scheme was originally created as part of OAuth 2.0 in RFC 6750.
Bearer authentication should only be used over HTTPS (SSL).
Demo
Enable Server Authorization
Add the following to etc/conf/server.properties:
Tip
Enable ALL logging level for io.unitycatalog.server.service.AuthDecorator logger.
Start Unity Catalog server.
Unauthorized Access
❯ ./bin/uc catalog list
Exception in thread "main" java.lang.RuntimeException: io.unitycatalog.client.ApiException: listCatalogs call failed with: 401 - {"error_code":"UNAUTHENTICATED","details":[{"reason":"UNAUTHENTICATED","metadata":{},"@type":"google.rpc.ErrorInfo"}],"stack_trace":null,"message":"No authorization found."}
at io.unitycatalog.cli.UnityCatalogCli.main(UnityCatalogCli.java:127)
Caused by: io.unitycatalog.client.ApiException: listCatalogs call failed with: 401 - {"error_code":"UNAUTHENTICATED","details":[{"reason":"UNAUTHENTICATED","metadata":{},"@type":"google.rpc.ErrorInfo"}],"stack_trace":null,"message":"No authorization found."}
at io.unitycatalog.client.api.CatalogsApi.getApiException(CatalogsApi.java:77)
at io.unitycatalog.client.api.CatalogsApi.listCatalogsWithHttpInfo(CatalogsApi.java:356)
at io.unitycatalog.client.api.CatalogsApi.listCatalogs(CatalogsApi.java:333)
at io.unitycatalog.cli.CatalogCli.listCatalogs(CatalogCli.java:74)
at io.unitycatalog.cli.CatalogCli.handle(CatalogCli.java:39)
at io.unitycatalog.cli.UnityCatalogCli.main(UnityCatalogCli.java:92)
Authorized Access
Use subject_token as specified in etc/conf/token.txt.
┌─────┬────────────┬──────────┬─────────────┬──────────┬────────────────────────────────────┐
│NAME │ COMMENT │PROPERTIES│ CREATED_AT │UPDATED_AT│ ID │
├─────┼────────────┼──────────┼─────────────┼──────────┼────────────────────────────────────┤
│unity│Main catalog│{} │1721234405334│null │f029b870-9468-4f10-badc-630b41e5690d│
└─────┴────────────┴──────────┴─────────────┴──────────┴────────────────────────────────────┘
You should see the following DEBUG messages in the server logs:
DEBUG io.unitycatalog.server.service.AuthDecorator:44 - AuthDecorator checking /api/2.1/unity-catalog/catalogs?max_results=100
DEBUG io.unitycatalog.server.service.AuthDecorator:44 - AuthDecorator checking /api/2.1/unity-catalog/catalogs?max_results=100
DEBUG io.unitycatalog.server.service.AuthDecorator:69 - Validating access-token for issuer: internal
DEBUG io.unitycatalog.server.service.AuthDecorator:78 - Access allowed for subject: "admin"
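The following is an added example, not code from this page or from the Unity Catalog project: a client-side preflight helper that predicts the "No authorization found." 401 and reads the token's issuer and subject so they can be compared with the DEBUG lines above. It assumes the token is a compact JWT; the function names and the sample token are constructed for illustration, and decoding here does not verify the signature.

```python
import base64
import json

PREFIX = "/api/2.1/unity-catalog/"  # protected prefix named on this page

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>', or None."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), "")
    scheme, _, token = value.strip().partition(" ")
    # Scheme names are case-insensitive in HTTP (RFC 7235); a server may be stricter.
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def unverified_claims(token):
    """Decode a compact JWT payload WITHOUT checking the signature (triage only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(padded))
    if not isinstance(claims, dict):
        raise ValueError("JWT payload is not a JSON object")
    return claims

def preflight(path, headers):
    """Describe what a client should expect before it sends the request."""
    if not path.startswith(PREFIX):
        return "outside protected prefix"
    token = bearer_token(headers)
    if token is None:
        return "401 expected: no bearer credential"
    try:
        claims = unverified_claims(token)
    except ValueError:  # also covers bad base64 and bad JSON
        return "bearer present but not a JWT"
    return "bearer present: iss=%s sub=%s" % (claims.get("iss"), claims.get("sub"))

def _seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample token with a placeholder signature, not a real credential.
SAMPLE = ".".join([_seg({"alg": "RS512", "typ": "JWT"}),
                   _seg({"iss": "internal", "sub": "admin"}), "c2ln"])

if __name__ == "__main__":
    url = PREFIX + "catalogs?max_results=100"
    for hdrs in ({}, {"Authorization": "Bearer " + SAMPLE}):
        print(preflight(url, hdrs))
```

The claims printed by this helper are only a hint for matching log lines; whether access is allowed is decided by the server's own token validation.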