AuthDecorator

AuthDecorator is a DecoratingHttpServiceFunction (Armeria) for JWT access-token authorization in the Unity Catalog Server.

Serve Incoming HttpRequest

DecoratingHttpServiceFunction
HttpResponse serve(
  HttpService delegate,
  ServiceRequestContext ctx,
  HttpRequest req)

serve is part of the DecoratingHttpServiceFunction (Armeria) abstraction.

serve prints out the following DEBUG message to the logs (with the path of the given HttpRequest):

AuthDecorator checking [path]

serve looks up the Authorization header of the given HttpRequest.

AuthorizationException

serve reports an AuthorizationException unless there is an Authorization header in the HttpRequest:

No authorization found.

serve makes sure that the Authorization header uses the Bearer scheme with a JSON Web Token.

AuthorizationException

serve reports an AuthorizationException unless there is a Bearer token in the HttpRequest:

No Bearer found.

serve gets the issuer (the iss claim) and the keyId (the kid header claim) from the token.

serve prints out the following DEBUG message to the logs:

Validating access-token for issuer: [issuer]

AuthorizationException

serve reports an AuthorizationException unless the access token was issued by the internal issuer:

Invalid access token.

serve verifies the access token with the verifier for the issuer and the keyId.

serve prints out the following DEBUG message to the logs (with the sub claim of the access token):

Access allowed for subject: [sub]

In the end, serve sets DECODED_JWT_ATTR attribute in the ServiceRequestContext.

FIXME Why is DECODED_JWT_ATTR attribute required and where is it used?
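The sequence of checks above (Authorization header, Bearer scheme, iss/kid extraction, internal-issuer check, signature verification, sub claim) replayed as a stand-alone model. This is an added example, not code from Unity Catalog or Armeria: the issuer name, the HS256 signing used for the constructed test token, and the message for a failed signature check are assumptions; the other messages are the ones serve reports.

```python
import base64, hashlib, hmac, json

INTERNAL_ISSUER = "internal"  # assumption: stand-in for the server's internal issuer name

class AuthorizationException(Exception):
    """Raised on each failed check, carrying the message serve reports."""

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims: dict, kid: str, key: bytes) -> str:
    """Constructed test token; HS256 stands in for the server's real key material."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorize(headers: dict, verifiers: dict) -> str:
    """Replays serve's checks in order; returns the sub claim when all pass."""
    auth = headers.get("Authorization")
    if auth is None:
        raise AuthorizationException("No authorization found.")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or token.count(".") != 2:
        raise AuthorizationException("No Bearer found.")
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    payload = json.loads(_b64url_decode(payload_b64))
    issuer, key_id = payload.get("iss"), header.get("kid")
    print(f"Validating access-token for issuer: {issuer}")
    if issuer != INTERNAL_ISSUER:
        raise AuthorizationException("Invalid access token.")
    # The verifier is chosen by (issuer, kid); an unknown kid must fail, not skip verification.
    key = verifiers.get((issuer, key_id), b"")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not key or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise AuthorizationException("Token verification failed.")  # message not on the page
    print(f"Access allowed for subject: {payload.get('sub')}")
    return payload.get("sub")

def outcome(headers: dict, verifiers: dict) -> str:
    """Subject on success, otherwise the AuthorizationException message (handy for tests)."""
    try:
        return authorize(headers, verifiers)
    except AuthorizationException as e:
        return str(e)
```

Note that a token from an unknown kid is rejected rather than accepted unverified, which is the failure mode to watch for when a verifier lookup is keyed by untrusted header claims.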

Logging

Enable ALL logging level for io.unitycatalog.server.service.AuthDecorator logger to see what happens inside.

Add the following line to etc/conf/server.log4j2.properties:

logger.AuthDecorator.name = io.unitycatalog.server.service.AuthDecorator
logger.AuthDecorator.level = all

Refer to Logging.