I have deployed Ory Kratos, Ory Oathkeeper, Starburst and Apache Ranger. The goal is to let users create their accounts with Ory Kratos and then protect the Starburst UI with Ory Oathkeeper, so that once a user has authenticated with Ory Kratos and hits https://proxy.oathkeeper.mydomain.com/starburst/, we send the user into the Starburst UI with a JWT in hand that can be validated against the jwks.json file we created with Ory Oathkeeper. Finally, data access policies are applied with Apache Ranger using the identity of the currently logged-in user.
Kratos UI at https://kratos.mydomain.com
Kratos public at https://public.kratos.mydomain.com
Kratos admin at https://admin.kratos.mydomain.com
jwks.json at https://auth.mydomain.com/assets/well-known/jwks.json
Ory Oathkeeper proxy at https://proxy.oathkeeper.mydomain.com
Oathkeeper at https://api.oathkeeper.mydomain.com
Ory Kratos has the following configuration (Terraform code that is encoded to YAML for the Helm chart's values file):
config = {
  version = "v0.10.1"
  dsn     = "postgres://USERNAME:PASSWORD@${local.postgres_host}/kratos?sslmode=disable"
  courier = {
    smtp = {
      connection_uri = "SOME_URI"
    }
  }
  cookies = {
    domain    = "mydomain.com"
    path      = "/"
    same_site = "Lax"
  }
  session = {
    lifespan = "2h"
    cookie = {
      name       = "ory_kratos_session"
      persistent = true
      path       = "/"
      same_site  = "Lax"
      domain     = "mydomain.com"
    }
  }
  selfservice = {
    default_browser_return_url = "https://${local.kratos_ui_dns}/"
    methods = {
      password = {
        enabled = true
      }
    }
    flows = {
      login = {
        ui_url   = "https://${local.kratos_ui_dns}/login"
        lifespan = "10m"
      }
      error = {
        ui_url = "https://${local.kratos_ui_dns}/error"
      }
      settings = {
        ui_url                     = "https://${local.kratos_ui_dns}/setting"
        privileged_session_max_age = "15m"
      }
      recovery = {
        ui_url  = "https://${local.kratos_ui_dns}/recovery"
        enabled = true
      }
      verification = {
        ui_url  = "https://${local.kratos_ui_dns}/verification"
        enabled = true
        after = {
          default_browser_return_url = "https://${local.kratos_ui_dns}/"
        }
      }
      logout = {
        after = {
          default_browser_return_url = "https://${local.kratos_ui_dns}/login"
        }
      }
      registration = {
        lifespan = "10m"
        ui_url   = "https://${local.kratos_ui_dns}/registration"
        after = {
          password = {
            hooks = [{ "hook" : "session" }]
          }
        }
      }
    }
  }
  log = {
    level  = "debug"
    format = "text"
  }
  secrets = {
    cookie = ["SOME-COOKIE-INSECURE-VALUE"]
    cipher = ["32-LONG-SECRET-NOT-SECURE-AT-ALL"]
  }
  ciphers = {
    algorithm = "noop"
  }
  hashers = {
    algorithm = "bcrypt"
    bcrypt = {
      cost = 4
    }
  }
  serve = {
    public = {
      base_url = "http://${local.kratos_public_dns}"
      host     = ""
      port     = 80
      request_log = {
        disable_for_health = true
      }
    }
    admin = {
      base_url = "https://kratos-admin.dev.svc.cluster.local"
      host     = ""
      port     = 4434
      request_log = {
        disable_for_health = true
      }
    }
  }
}

After logging in with Kratos, this produces a proper cookie in the browser, an ory_kratos_session cookie, but no JWT token.
Ory Oathkeeper is configured as follows (Terraform code that is encoded to YAML for the Helm chart's values file):
config = {
  authenticators = {
    anonymous = {
      enabled = true
    }
    noop = {
      enabled = true
    }
    cookie_session = {
      enabled = true
      config = {
        check_session_url = "https://public.kratos.mydomain.com/sessions/whoami"
        preserve_path     = true
        extra_from        = "@this"
        subject_from      = "identity.id"
        only = [
          "ory_kratos_session"
        ]
      }
    }
    jwt = {
      enabled = true
      config = {
        jwks_urls = [
          "https://auth.mydomain.com/assets/well-known/jwks.json"
        ]
        scope_strategy = "none"
        target_audience = [
          "https://proxy.oathkeeper.mydomain.com/starburst/",
          "starburst-ui"
        ]
        trusted_issuers = [
          "https://proxy.oathkeeper.mydomain.com"
        ]
      }
    }
    oauth2_client_credentials = {
      enabled = false
      config = {
        token_url = "somesite/oath2/token"
      }
    }
  }
  authorizers = {
    allow = {
      enabled = true
    }
  }
  mutators = {
    noop = {
      enabled = true
    }
    id_token = {
      enabled = true
      config = {
        issuer_url = "https://proxy.oathkeeper.mydomain.com"
        jwks_url   = "https://auth.mydomain.com/assets/well-known/jwks.json"
        claims = jsonencode({
          aud = [
            "https://proxy.oathkeeper.mydomain.com/starburst",
            "starburst-ui"
          ],
          claims = {
            sub = "{{print .Subject}}"
          }
        })
      }
    }
  }
  serve = {
    proxy = {
      port = 4455
      cors = {
        enabled = false
      }
    }
    api = {
      port = 4456
      cors = {
        enabled = false
      }
    }
  }
}

The access rule is as follows (json):
[
  {
    "id": "starburst-rule.app",
    "upstream": {
      "url": "http://starburst.app:8080/",
      "preserve_host": true,
      "strip_path": "/starburst"
    },
    "match": {
      "url": "https://proxy.oathkeeper.mydomain.com/starburst/<.*>",
      "methods": [
        "GET",
        "POST",
        "PUT",
        "DELETE",
        "PATCH"
      ]
    },
    "authenticators": [
      {
        "handler": "jwt",
        "config": {
          "jwks_urls": [
            "https://auth.mydomain.com/assets/well-known/jwks.json"
          ],
          "scope_strategy": "none",
          "target_audience": [
            "https://proxy.oathkeeper.mydomain.com/starburst/",
            "starburst-ui"
          ]
        }
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "id_token"
      }
    ],
    "errors": {
      "fallback": [
        "json"
      ],
      "handlers": {
        "redirect": {
          "enabled": true,
          "config": {
            "to": "https://kratos.mydomain.com/login",
            "when": [
              {
                "error": [
                  "unauthorized",
                  "forbidden"
                ],
                "request": {
                  "header": {
                    "accept": [
                      "text/html"
                    ]
                  }
                }
              }
            ]
          }
        },
        "json": {
          "enabled": true,
          "config": {
            "verbose": true
          }
        }
      }
    }
  }
]

The Starburst/Trino configuration is as follows:
config.properties: |
  coordinator=true
  node-scheduler.include-coordinator=false
  http-server.http.port=8080
  http-server.authentication.type=JWT
  http-server.authentication.jwt.key-file=https://auth.mydomain.com/assets/well-known/jwks.json
  http-server.authentication.jwt.required-issuer=https://proxy.oathkeeper.mydomain.com
  http-server.authentication.jwt.required-audience=https://proxy.oathkeeper.mydomain.com/starburst/
  discovery.uri=http://localhost:8080
  usage-metrics.gathering.initial-delay=1m
  usage-metrics.gathering.interval=10m
  usage-metrics.cluster-usage-resource.enabled=true

The ory_kratos_session cookie looks like this (json):
{
  "id": "1df8ddb5-9628-4c05-97f5-f32b42119748",
  "active": true,
  "expires_at": "2022-11-23T15:42:25.323749Z",
  "authenticated_at": "2022-11-23T13:42:25.323749Z",
  "authenticator_assurance_level": "aal1",
  "authentication_methods": [
    {
      "method": "password",
      "aal": "aal1",
      "completed_at": "2022-11-23T13:42:25.323746742Z"
    }
  ],
  "issued_at": "2022-11-23T13:42:25.323749Z",
  "identity": {
    "id": "844bbe95-5e16-4e8d-abe4-0f19578e17a4",
    "schema_id": "default",
    "schema_url": "http://public.kratos.mydomain.com/schemas/ZGVmYXVsdA",
    "state": "active",
    "state_changed_at": "2022-11-23T11:33:55.700664Z",
    "traits": {
      "email": "someuser@global.com"
    },
    "metadata_public": null,
    "created_at": "2022-11-23T11:33:55.702463Z",
    "updated_at": "2022-11-23T11:33:55.702463Z"
  }
}

When I try to access https://proxy.oathkeeper.mydomain.com/foobar I do get a 404 response code, as expected.
The problem is that when I try to access https://proxy.oathkeeper.mydomain.com/starburst/ I get a 401.
Below is an excerpt of the error messages from Ory Oathkeeper:
time=2022-11-23T15:29:45Z level=warning msg=Access request denied audience=application error=map[debug: message:Access credentials are invalid reason: status:Unauthorized status_code:401] granted=false http_host=proxy.oathkeeper.mydomain.com http_method=GET http_url=https://proxy.oathkeeper.mydomain.com/starburst/ http_user_agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 service_name=ORY Oathkeeper service_version=v0.38.19-beta.1
time=2022-11-23T15:29:45Z level=error msg=An error occurred while handling a request code=401 debug= details=map[] error=The request could not be authorized reason= request-id= status=401 writer=JSON
time=2022-11-23T15:29:45Z level=info msg=completed handling request http_request=map[headers:map[accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 accept-encoding:gzip, deflate, br accept-language:en,sv;q=0.9 cache-control:no-cache cookie:Value is sensitive and has been redacted. To see the value set config key "log.leak_sensitive_values = true" or environment variable "LOG_LEAK_SENSITIVE_VALUES=true". user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 x-forwarded-for:10.7.223.164 x-forwarded-proto:https] host:proxy.oathkeeper.mydomain.com method:GET path:/starburst/ query:<nil> remote:172.29.44.94:8063 scheme:http] http_response=map[status:401 text_status:Unauthorized took:433.335µs]

There is no trace of Authorization: Bearer <JWT...> or any related log lines in Starburst.
I am not sure whether I have missed some configuration or whether the configuration is wrong, and I hope someone can review this and point me in the right direction.
Posted on 2022-11-24 17:41:17
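As an added check (example code written for this page, not part of the question or of Ory's or Trino's code), the following Go program reproduces what the posted Trino settings verify once a token does reach the coordinator. It mints a token the way the posted id_token mutator would (iss https://proxy.oathkeeper.mydomain.com, sub set to the identity.id from the whoami payload above, the aud list from the mutator's claims), publishes only the public members of the key as a jwks.json document, and verifies the token against that document with required-issuer and required-audience applied as Trino applies them. The mutator claims spell the audience https://proxy.oathkeeper.mydomain.com/starburst while config.properties requires https://proxy.oathkeeper.mydomain.com/starburst/; the program shows that the audience check is a verbatim string comparison, so those two spellings do not match. The key id "oathkeeper-2022-11" and the 15 minute lifetime are assumptions; RS256 is used because that is what the n/e members of a JWKS describe.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// claims is what the id_token mutator writes into the token body; sub is filled from {{ print .Subject }}.
type claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"`
	Aud []string `json:"aud"`
	Exp int64    `json:"exp"`
}

// jwks is the part of jwks.json a verifier needs; encoding/json matches the lower-case members case-insensitively.
type jwks struct{ Keys []struct{ Kty, Kid, N, E string } }

// publishJWKS renders only the public half of a key as the jwks.json document that Trino and the jwt authenticator fetch.
func publishJWKS(pub *rsa.PublicKey, kid string) []byte {
	out, _ := json.Marshal(map[string]interface{}{"keys": []map[string]string{{"kty": "RSA", "kid": kid, "alg": "RS256",
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(big.NewInt(int64(pub.E)).Bytes())}}})
	return out
}

// mint signs c with RS256 under a kid header, as the id_token mutator does once an authenticator has set .Subject.
func mint(key *rsa.PrivateKey, kid string, c claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	body, _ := json.Marshal(c)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verify applies the checks Trino's JWT authenticator applies with a jwks key-file: alg pinned to RS256 (the token
// never picks the algorithm), kid present in jwks.json, valid signature, exp in the future, iss equal to
// required-issuer, and required-audience present verbatim in aud (a plain string compare, so a trailing "/" matters).
func verify(token string, jwksDoc []byte, requiredIssuer, requiredAudience string, now time.Time) (claims, error) {
	var c claims
	var hdr struct{ Alg, Kid string }
	var set jwks
	var pub *rsa.PublicKey
	parts := strings.Split(token, ".")
	if raw, err := b64.DecodeString(parts[0]); len(parts) != 3 || err != nil || json.Unmarshal(raw, &hdr) != nil || hdr.Alg != "RS256" {
		return c, fmt.Errorf("malformed token, bad header or alg is not RS256")
	}
	json.Unmarshal(jwksDoc, &set)
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			n, _ := b64.DecodeString(k.N)
			e, _ := b64.DecodeString(k.E)
			pub = &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}
		}
	}
	if pub == nil {
		return c, fmt.Errorf("kid %q not in jwks.json", hdr.Kid)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if sig, _ := b64.DecodeString(parts[2]); rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return c, fmt.Errorf("signature does not verify against jwks.json")
	}
	if body, _ := b64.DecodeString(parts[1]); json.Unmarshal(body, &c) != nil || c.Iss != requiredIssuer {
		return c, fmt.Errorf("iss %q != required-issuer %q", c.Iss, requiredIssuer)
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return c, fmt.Errorf("token expired")
	}
	for _, a := range c.Aud {
		if a == requiredAudience {
			return c, nil
		}
	}
	return c, fmt.Errorf("required-audience %q not in aud %v", requiredAudience, c.Aud)
}

// scenario mints the token the posted id_token mutator would emit (aud ".../starburst" and "starburst-ui") and checks it
// against the posted Trino required-audience ".../starburst/" and against the mutator's own spelling; nil means accepted.
func scenario() (withSlash, withoutSlash error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return err, err
	}
	const kid, iss = "oathkeeper-2022-11", "https://proxy.oathkeeper.mydomain.com" // kid is hypothetical
	now := time.Now()
	tok, err := mint(key, kid, claims{Iss: iss, Sub: "844bbe95-5e16-4e8d-abe4-0f19578e17a4", // identity.id from the page
		Aud: []string{"https://proxy.oathkeeper.mydomain.com/starburst", "starburst-ui"}, Exp: now.Add(15 * time.Minute).Unix()})
	if err != nil {
		return err, err
	}
	doc := publishJWKS(&key.PublicKey, kid)
	_, withSlash = verify(tok, doc, iss, "https://proxy.oathkeeper.mydomain.com/starburst/", now)
	_, withoutSlash = verify(tok, doc, iss, "https://proxy.oathkeeper.mydomain.com/starburst", now)
	return withSlash, withoutSlash
}

func main() { fmt.Println(scenario()) }
```

Running it prints an audience error for the trailing-slash spelling and nil for the other, so whichever spelling is kept, the mutator's aud and Trino's required-audience have to be the same string. A second point the program makes visible: Oathkeeper signs with the private key it loads from the id_token mutator's jwks_url, so the document served publicly at https://auth.mydomain.com/assets/well-known/jwks.json for Trino and the jwt authenticator should carry only the public members, as publishJWKS does, with the private key set reachable by Oathkeeper alone.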
OK. I figured it out. Ory should be configured with cookie sessions; it does not provide a JWT token. The ory_kratos_session cookie can be converted into a JWT token, but that has to be configured.
Oathkeeper should have the cookie authenticator enabled, the noop authorizer (in my case) and the id_token authenticator, configured with a valid issuer url, jwks_url, ttl and audience. As for the rule, cookie_session should be used, the "allow" authorizer and the id_token mutator with the claims in its config; my mutator rule config only contains the audience, since the rest comes from the main configuration file.
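Written out as an added example (not the asker's final rule, which the answer describes but does not post), this is the rule shape the answer arrives at. The browser carries only the ory_kratos_session cookie, so the rule's authenticator is cookie_session, which forwards that cookie to Kratos' /sessions/whoami and takes the subject from identity.id; the authorizer is allow; the id_token mutator then mints the JWT and sets it as the Authorization: Bearer header on the upstream request, which is what Trino's JWT authenticator reads. issuer_url and jwks_url come from the mutator's main configuration posted in the question; the ttl override here is an assumption. The mutator sets sub from the authenticated subject itself, so the only claim the rule has to supply is aud, and that value has to equal Trino's http-server.authentication.jwt.required-audience verbatim, so the example uses the trailing-slash spelling from the posted config.properties. The upstream, match and errors sections are kept from the posted rule.

```json
[
  {
    "id": "starburst-rule.app",
    "upstream": {
      "url": "http://starburst.app:8080/",
      "preserve_host": true,
      "strip_path": "/starburst"
    },
    "match": {
      "url": "https://proxy.oathkeeper.mydomain.com/starburst/<.*>",
      "methods": ["GET", "POST", "PUT", "DELETE", "PATCH"]
    },
    "authenticators": [
      {
        "handler": "cookie_session",
        "config": {
          "check_session_url": "https://public.kratos.mydomain.com/sessions/whoami",
          "preserve_path": true,
          "only": ["ory_kratos_session"],
          "subject_from": "identity.id",
          "extra_from": "@this"
        }
      }
    ],
    "authorizer": {
      "handler": "allow"
    },
    "mutators": [
      {
        "handler": "id_token",
        "config": {
          "ttl": "15m",
          "claims": "{\"aud\": [\"https://proxy.oathkeeper.mydomain.com/starburst/\", \"starburst-ui\"]}"
        }
      }
    ],
    "errors": {
      "fallback": ["json"],
      "handlers": {
        "redirect": {
          "enabled": true,
          "config": {
            "to": "https://kratos.mydomain.com/login",
            "when": [
              {
                "error": ["unauthorized", "forbidden"],
                "request": {
                  "header": {
                    "accept": ["text/html"]
                  }
                }
              }
            ]
          }
        },
        "json": {
          "enabled": true,
          "config": {
            "verbose": true
          }
        }
      }
    }
  }
]
```

With this rule a browser without a valid Kratos session is redirected to https://kratos.mydomain.com/login by the errors handler, and a browser with one reaches Starburst carrying a Bearer token whose iss and aud satisfy the posted required-issuer and required-audience. The ttl is the only lifetime the token gets; the Kratos session lifespan of 2h does not shorten an already minted token, so keep the ttl short.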
https://stackoverflow.com/questions/74549389