AuthDecorator¶
AuthDecorator is a DecoratingHttpServiceFunction (Armeria) for JWT access-token authorization in the Unity Catalog Server.
Serve Incoming HttpRequest¶
DecoratingHttpServiceFunction
serve is part of the DecoratingHttpServiceFunction (Armeria) abstraction.
serve prints out the following DEBUG message to the logs (with the path of the given HttpRequest):
serve finds the Authorization header in the given HttpRequest.
AuthorizationException
serve reports an AuthorizationException unless there is an Authorization header in the HttpRequest:
serve makes sure that the Authorization header is Bearer with a JSON Web Token.
AuthorizationException
serve reports an AuthorizationException unless there is a Bearer token in the HttpRequest:
serve gets the issuer (the iss claim) and the keyId (the kid header claim) in the token.
serve prints out the following DEBUG message to the logs:
AuthorizationException
serve reports an AuthorizationException unless the access token is for the internal issuer:
serve verifies the access token with the verifier for the issuer and the keyId.
serve prints out the following DEBUG message to the logs (with the sub claim of the access token):
In the end, serve sets the DECODED_JWT_ATTR attribute in the ServiceRequestContext.
FIXME Why is the DECODED_JWT_ATTR attribute required and where is it used?
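The order of checks that serve performs, as an added example that is not the Unity Catalog source code. It assumes the Auth0 java-jwt library on the classpath; the class name BearerGate, the use of SecurityException in place of AuthorizationException, the RSA512 algorithm, the key id k1 and the verifier map are all assumptions of this sketch. It shows that the iss claim and kid header are read before verification only to pick a pre-registered verifier, and that nothing from the token is trusted until verify succeeds.

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTVerifier;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Map;

// Hypothetical class; SecurityException stands in for AuthorizationException.
public class BearerGate {
  private static final String BEARER = "Bearer ";
  private final Map<String, JWTVerifier> verifiers; // keyed by "issuer/keyId"

  BearerGate(Map<String, JWTVerifier> verifiers) { this.verifiers = verifiers; }

  // Returns the verified token; malformed or badly signed tokens surface as
  // java-jwt's JWTVerificationException.
  DecodedJWT authorize(String authorizationHeader) {
    if (authorizationHeader == null) throw new SecurityException("no Authorization header");
    if (!authorizationHeader.startsWith(BEARER)) throw new SecurityException("no Bearer token");
    // decode() only parses: iss and kid are still unauthenticated input here.
    DecodedJWT unverified = JWT.decode(authorizationHeader.substring(BEARER.length()));
    String issuer = unverified.getIssuer();
    String keyId = unverified.getKeyId();
    if (!"internal".equals(issuer)) throw new SecurityException("unexpected issuer");
    // iss and kid only select a pre-registered verifier; they never supply a key.
    JWTVerifier verifier = verifiers.get(issuer + "/" + keyId);
    if (verifier == null) throw new SecurityException("unknown key id");
    return verifier.verify(unverified); // checks algorithm, signature, issuer, exp if present
  }

  public static void main(String[] args) throws Exception {
    KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // constructed test key
    Algorithm alg = Algorithm.RSA512((RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());
    BearerGate gate =
        new BearerGate(Map.of("internal/k1", JWT.require(alg).withIssuer("internal").build()));
    // Constructed sample tokens: one valid, one from an issuer other than "internal".
    String ok = JWT.create().withIssuer("internal").withKeyId("k1").withSubject("admin").sign(alg);
    String foreign = JWT.create().withIssuer("other").withKeyId("k1").sign(alg);
    System.out.println(gate.authorize("Bearer " + ok).getSubject());
    for (String header : new String[] {null, "Basic abc", "Bearer " + foreign}) {
      try { gate.authorize(header); }
      catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
  }
}
```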
Logging¶
Enable ALL logging level for the io.unitycatalog.server.service.AuthDecorator logger to see what happens inside.
Add the following lines to etc/conf/server.log4j2.properties:
logger.AuthDecorator.name = io.unitycatalog.server.service.AuthDecorator
logger.AuthDecorator.level = all
Refer to Logging.