AuthDecorator
AuthDecorator is a DecoratingHttpServiceFunction (Armeria) for JWT access-token authorization in the Unity Catalog Server.
Decoded JSON Web Token
DECODED_JWT_ATTR is an AttributeKey (Netty) with a JSON Web Token (decoded from its string representation).
AuthDecorator sets the decoded JSON Web Token while serving incoming requests.
DECODED_JWT_ATTR is used when:
- Scim2UserService is requested for the current user
- IdentityUtils is requested for the email address of the principal
Serve Incoming HttpRequest
DecoratingHttpServiceFunction
serve is part of the DecoratingHttpServiceFunction (Armeria) abstraction.
serve prints out the following DEBUG message to the logs (with the path of the given HttpRequest):
serve looks up the Authorization header in the given HttpRequest.
AuthorizationException
serve reports an AuthorizationException unless there is an Authorization header in the HttpRequest:
serve makes sure that the Authorization header uses the Bearer scheme and carries a JSON Web Token.
AuthorizationException
serve reports an AuthorizationException unless there is a Bearer token in the HttpRequest:
serve gets the issuer (the iss claim) and the keyId (the kid header claim) from the token.
serve prints out the following DEBUG message to the logs:
AuthorizationException
serve reports an AuthorizationException unless the access token is for the internal issuer:
serve verifies the access token with the verifier for the issuer and the keyId.
serve prints out the following DEBUG message to the logs (with the sub claim of the access token):
In the end, serve sets the DECODED_JWT_ATTR attribute in the ServiceRequestContext.
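The serve procedure above, as an added Python example that is not the Unity Catalog server's own code: it applies the same checks to a request's headers (Authorization header present, Bearer scheme, iss and kid read from the token, internal-issuer check, verifier selected by keyId, signature verified) and returns the decoded claims the decorator would store under DECODED_JWT_ATTR. The INTERNAL_ISSUER value, the HS256 secret table used as the verifier and the mint helper are assumptions made for this example; the real server takes its issuer name and key material from its configuration.

```python
import base64
import hashlib
import hmac
import json

# Assumed for this example: the issuer name and the kid -> HMAC-SHA256 secret table are constructed
# stand-ins; the real server takes its issuer and signing keys from its own configuration.
INTERNAL_ISSUER = "internal"
KEYS = {"k1": b"constructed-demo-secret"}

class AuthorizationException(Exception):
    pass

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def serve(headers: dict) -> dict:
    """Apply the AuthDecorator.serve checks to request headers; return the decoded claims."""
    auth = headers.get("Authorization")
    if auth is None:
        raise AuthorizationException("no Authorization header")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        raise AuthorizationException("no Bearer token")
    try:  # split and decode the three JWT segments; nothing is trusted until the signature checks
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(_b64url_decode(h64)), json.loads(_b64url_decode(p64))
        issuer, key_id, alg, signature = payload["iss"], header["kid"], header["alg"], _b64url_decode(s64)
    except (ValueError, KeyError, TypeError):  # bad base64/JSON, wrong segment count, missing claims
        raise AuthorizationException("malformed JWT") from None
    if issuer != INTERNAL_ISSUER:
        raise AuthorizationException("access token is not from the internal issuer")
    secret = KEYS.get(key_id)  # the verifier for this issuer is selected by keyId
    if secret is None or alg != "HS256":
        raise AuthorizationException("no verifier for this keyId")
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise AuthorizationException("signature verification failed")
    return payload  # what the decorator stores under DECODED_JWT_ATTR

def mint(claims: dict, key_id: str) -> str:
    """Constructed helper: sign a test token with one of the KEYS entries."""
    h64 = _b64url_encode(json.dumps({"alg": "HS256", "kid": key_id}).encode())
    p64 = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(KEYS[key_id], f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    return f"{h64}.{p64}.{_b64url_encode(sig)}"
```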
Logging
Enable the ALL logging level for the io.unitycatalog.server.service.AuthDecorator logger to see what happens inside.
Add the following line to etc/conf/server.log4j2.properties:
logger.AuthDecorator.name = io.unitycatalog.server.service.AuthDecorator
logger.AuthDecorator.level = all
Refer to Logging.