SecurityContext¶
SecurityContext is used by UnityCatalogServer to create the following:
SecurityContext is created with the following:
| Property | Value |
|---|---|
| Configuration directory | etc/conf |
| SecurityConfiguration | A new SecurityConfiguration with etc/conf configuration directory |
| Service Name | server |
| Local Issuer | internal |
Creating Instance¶
SecurityContext takes the following to be created:
- Configuration directory
- SecurityConfiguration
- Service Name
- Local Issuer
SecurityContext is created alongside UnityCatalogServer.
Configuration Directory¶
SecurityContext is given the path of a configuration directory when created.
The configuration directory is supposed to contain the following files (SecurityContext creates both of them on startup):
- certs.json (the internal certs file)
- token.txt (the service token)
UnityCatalogServer
UnityCatalogServer uses etc/conf as the configuration directory.
SecurityConfiguration¶
SecurityContext is given a SecurityConfiguration when created.
SecurityContext uses the SecurityConfiguration to initialize the following properties (each one is read from the SecurityConfiguration method of the same name):
| SecurityContext property | SecurityConfiguration method |
|---|---|
| rsaPublicKey | rsaPublicKey |
| rsaPrivateKey | rsaPrivateKey |
| algorithm | algorithmRSA |
| keyId | getKeyId |
Initialization¶
SecurityContext creates a service token with the following claims (listed in the order they are written):
| Token Claim | Value |
|---|---|
| Subject (sub) | Service Name (overwritten by the second sub claim below) |
| Issuer (iss) | Local Issuer |
| Issued At (iat) | Current time (iat is a NumericDate, i.e. seconds since the epoch, not millis) |
| Key Id (kid) | getKeyId of this SecurityConfiguration |
| JWT Id (jti) | Random UUID |
| Type (type) | SERVICE |
| Subject (sub) | admin (replaces the Service Name written first; the signed token carries sub=admin) |
SecurityContext signs the service token with the algorithm (of this SecurityConfiguration).
SecurityContext creates the internal certs file (certs.json) and the service token file (token.txt) in the configuration directory.
In the end, SecurityContext prints out an INFO message to the logs with the content of certs.json. certs.json is the JWKS that JwksOperations loads for the internal issuer, i.e. public key material, which is why logging it is harmless; the private key used for signing (rsaPrivateKey) is never written to it.
certs.json¶
SecurityContext uses certs.json in the configuration directory to be an internal certs file.
certs.json is used when:
- JwksOperations is requested to loadJwkProvider (for the internal issuer)
token.txt¶
SecurityContext creates token.txt (in the configuration directory) as the service token, with the following claims (listed in the order they are written):
| Token Claim | Value |
|---|---|
| Subject (sub) | Service Name (overwritten by the second sub claim below) |
| Issuer (iss) | Local Issuer |
| Issued At (iat) | Current time (iat is a NumericDate, i.e. seconds since the epoch, not millis) |
| Key Id (kid) | getKeyId of this SecurityConfiguration |
| JWT Id (jti) | Random UUID |
| Type (type) | SERVICE |
| Subject (sub) | admin (replaces the Service Name written first; the signed token carries sub=admin) |
Note
The difference between this service token (token.txt) and the access tokens createAccessToken creates is as follows:
| Token Claim | Service Token | Access Tokens |
|---|---|---|
| Type (type) | SERVICE | ACCESS |
| Subject (sub) | admin | The subject (based on a DecodedJWT) |
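The check a practitioner usually wants for these two files is that token.txt actually verifies against the key published in certs.json, the same pairing JwksOperations relies on for the internal issuer. The following is an added example, not code from Unity Catalog: it assumes certs.json is a JWKS (a `keys` array whose entries carry `kid`, `n` and `e`), that the JWK provider is jwks-rsa (`com.auth0:jwks-rsa`) and the JWT library is java-jwt (`com.auth0:java-jwt`), and that the claim values are the ones this page documents (issuer `internal`, type `SERVICE`, subject `admin`). The class name `ServiceTokenCheck` is this example's own.

```java
import com.auth0.jwk.Jwk;
import com.auth0.jwk.JwkProvider;
import com.auth0.jwk.UrlJwkProvider;
import com.auth0.jwt.JWT;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.interfaces.RSAPublicKey;

/**
 * Verifies that token.txt validates against the JWKS in certs.json.
 * Example code (not part of Unity Catalog). Usage:
 *   java ServiceTokenCheck [configDir]   (configDir defaults to etc/conf)
 */
public class ServiceTokenCheck {

  // Values this page documents for UnityCatalogServer's SecurityContext.
  static final String LOCAL_ISSUER = "internal";
  static final String SERVICE_TOKEN_SUBJECT = "admin";
  static final String TOKEN_TYPE_CLAIM = "type";
  static final String SERVICE_TOKEN_TYPE = "SERVICE";

  public static void main(String[] args) throws Exception {
    Path confDir = Paths.get(args.length > 0 ? args[0] : "etc/conf");
    String token = Files.readString(confDir.resolve("token.txt")).trim();
    Path certsFile = confDir.resolve("certs.json");

    // Step 1: read the kid from the header to select a key. JWT.decode only
    // parses; nothing about the token is trusted until verify() below.
    String kid = JWT.decode(token).getKeyId();
    if (kid == null) {
      throw new IllegalStateException(
          "token.txt has no kid header; cannot select a key from certs.json");
    }

    // Step 2: load certs.json as a JWKS (a file: URL stands in for the HTTPS
    // endpoint a remote issuer would publish) and pick the key by kid.
    // get() throws SigningKeyNotFoundException when the kid is absent.
    JwkProvider provider = new UrlJwkProvider(certsFile.toUri().toURL());
    Jwk jwk = provider.get(kid);
    RSAPublicKey publicKey = (RSAPublicKey) jwk.getPublicKey();

    // Step 3: verify the signature and the claims the page says the service
    // token carries. The private key is null on purpose: verification needs
    // only the public half, which is all certs.json should contain.
    Algorithm rs256 = Algorithm.RSA256(publicKey, null);
    DecodedJWT verified = JWT.require(rs256)
        .withIssuer(LOCAL_ISSUER)
        .withSubject(SERVICE_TOKEN_SUBJECT)            // sub is admin, not the service name
        .withClaim(TOKEN_TYPE_CLAIM, SERVICE_TOKEN_TYPE)
        .build()
        .verify(token);                                // throws JWTVerificationException on any mismatch

    System.out.printf("OK: token.txt is a %s token for sub=%s, kid=%s, iat=%s%n",
        verified.getClaim(TOKEN_TYPE_CLAIM).asString(),
        verified.getSubject(),
        verified.getKeyId(),
        verified.getIssuedAt());
  }
}
```

A failure in step 2 (kid not found) means certs.json and token.txt were generated from different keys, for example after one of the files was regenerated and the other kept; a failure in step 3 means the token was signed with a different private key or its claims differ from what this page documents.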
Create Access Token¶
createAccessToken determines the subject based on the following claims in the given DecodedJWT (in order of preference):
- email (preferred)
- sub
createAccessToken creates an access token with the following claims (listed in the order they are written):
| Token Claim | Value |
|---|---|
| Subject (sub) | Service Name (overwritten by the second sub claim below) |
| Issuer (iss) | Local Issuer |
| Issued At (iat) | Current time (iat is a NumericDate, i.e. seconds since the epoch, not millis) |
| Key Id (kid) | getKeyId of this SecurityConfiguration |
| JWT Id (jti) | Random UUID |
| Type (type) | ACCESS |
| Subject (sub) | The subject (based on the given DecodedJWT; replaces the Service Name written first) |
SecurityContext signs the access token with the algorithm (of this SecurityConfiguration).
createAccessToken is used when:
- AuthService is requested to grant a token
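The two claim tables above (the service token under Initialization and the access token here) differ only in the type claim and in how the final sub claim is chosen, and both rely on the second sub write replacing the first. The following is an added example that re-implements that claim layout with java-jwt to make the override and the email-over-sub selection visible; it is not Unity Catalog's SecurityContext. The class `TokenShapes`, the key id `example-kid`, the identity tokens it constructs and the helper methods are this example's own, and it assumes the DecodedJWT handed to createAccessToken has already been verified by the caller (the subject it carries is trusted as given).

```java
import com.auth0.jwt.JWT;
import com.auth0.jwt.JWTCreator;
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.interfaces.DecodedJWT;

import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.UUID;

/** Illustrative re-implementation of the page's claim tables (example code, not Unity Catalog's). */
public class TokenShapes {
  static final String TOKEN_TYPE_CLAIM = "type";

  private final String serviceName;
  private final String localIssuer;
  private final String keyId;
  private final Algorithm algorithm;

  TokenShapes(String serviceName, String localIssuer, String keyId, Algorithm algorithm) {
    this.serviceName = serviceName;
    this.localIssuer = localIssuer;
    this.keyId = keyId;
    this.algorithm = algorithm;
  }

  // Claims both tokens share, in the order the page lists them.
  private JWTCreator.Builder baseClaims() {
    return JWT.create()
        .withSubject(serviceName)            // first sub write ...
        .withIssuer(localIssuer)
        .withIssuedAt(new Date())            // serialized as seconds (NumericDate)
        .withKeyId(keyId)
        .withJWTId(UUID.randomUUID().toString());
  }

  // Service token: type=SERVICE and a second sub write; last write wins, so sub=admin.
  String createServiceToken() {
    return baseClaims()
        .withClaim(TOKEN_TYPE_CLAIM, "SERVICE")
        .withClaim("sub", "admin")            // ... replaced here
        .sign(algorithm);
  }

  // Access token: type=ACCESS, subject taken from the caller's verified identity token.
  String createAccessToken(DecodedJWT identity) {
    String email = identity.getClaim("email").asString();   // null when the claim is absent
    String subject = email != null ? email : identity.getSubject();
    if (subject == null) {
      throw new IllegalArgumentException("identity token carries neither email nor sub");
    }
    return baseClaims()
        .withClaim(TOKEN_TYPE_CLAIM, "ACCESS")
        .withClaim("sub", subject)
        .sign(algorithm);
  }

  public static void main(String[] args) throws Exception {
    KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
    gen.initialize(2048);
    KeyPair kp = gen.generateKeyPair();
    Algorithm rs256 = Algorithm.RSA256((RSAPublicKey) kp.getPublic(), (RSAPrivateKey) kp.getPrivate());
    // Same constructor inputs the page documents for UnityCatalogServer: service "server", issuer "internal".
    TokenShapes ctx = new TokenShapes("server", "internal", "example-kid", rs256);

    DecodedJWT service = JWT.decode(ctx.createServiceToken());
    System.out.println("service token: type=" + service.getClaim(TOKEN_TYPE_CLAIM).asString()
        + " sub=" + service.getSubject());      // type=SERVICE sub=admin (not "server")

    // Constructed identity token carrying both email and sub: email is preferred.
    DecodedJWT withEmail = JWT.decode(
        JWT.create().withSubject("uid-123").withClaim("email", "alice@example.com").sign(rs256));
    DecodedJWT access = JWT.decode(ctx.createAccessToken(withEmail));
    System.out.println("access token:  type=" + access.getClaim(TOKEN_TYPE_CLAIM).asString()
        + " sub=" + access.getSubject());       // type=ACCESS sub=alice@example.com

    // Constructed identity token without email: sub is used instead.
    DecodedJWT subOnly = JWT.decode(JWT.create().withSubject("uid-123").sign(rs256));
    System.out.println("access token:  sub=" + JWT.decode(ctx.createAccessToken(subOnly)).getSubject()); // uid-123
  }
}
```

Because the subject of the access token comes straight from the identity token, the caller (AuthService when it grants a token) must verify that token's signature and issuer before calling createAccessToken; JWT.decode alone, as used in main above, checks nothing.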
Logging¶
Enable ALL logging level for io.unitycatalog.server.security.SecurityContext logger to see what happens inside.
Add the following lines to etc/conf/server.log4j2.properties:
```properties
logger.SecurityContext.name = io.unitycatalog.server.security.SecurityContext
logger.SecurityContext.level = all
```
Refer to Logging.