Trino OAuth2 and JWT via Okta


Last updated 2 months ago

The steps below describe how to configure Trino for end-user authentication via OAuth2 and for machine-to-machine (M2M) authentication via JWT (used for data source onboarding in Immuta), both through the same Okta app.

Configuring Okta

As an Okta admin, create a new app integration. Select OIDC and Web Application.

Configure the app integration similar to the settings in the screenshot below. The Client Credentials checkbox is essential for M2M JWT authentication but is not necessary for OAuth2.

Configure the app Assignments according to organizational practices and click Save.

Note the Client ID and Client Secret on the next page. These are used in the Trino config file.

Under Security -> API -> Authorization Servers -> default -> Scopes, add a trino:access scope.

Validate the response from the following curl call, using your Okta DNS Name:

curl -X POST "https://immuta.oktapreview.com/oauth2/default/v1/token" \
     -d "grant_type=client_credentials" \
     -d "client_id=0oal4jjks6kqzHwRe1d7" \
     -d "client_secret=<secret>" \
     -d "scope=trino:access"
{"token_type":"Bearer","expires_in":3600,"access_token":"eyJraWQiOiJucm9nQ2hOdFJDYUZ4bEZUVFBOQXVJUnhrbXkxckw2TU15YkRCdVJEcWZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnJOU1NxazNpYlZLZlhnb0dFWXg4SVo3SUxmbEQ3elMtU3JxRXpQOUlqSWMiLCJpc3MiOiJodHRwczovL2ltbXV0YS5va3RhcHJldmlldy5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNzQyNTg0OTQzLCJleHAiOjE3NDI1ODg1NDMsImNpZCI6IjBvYWw0amprczZrcXpId1JlMWQ3Iiwic2NwIjpbInRyaW5vOmFjY2VzcyJdLCJzdWIiOiIwb2FsNGpqa3M2a3F6SHdSZTFkNyJ9.AkjKFCPKgaDwDYRQMbGS8p-GyzhztXbtzDsZDYjjPMo2glnh9MDk2q2dI5rGIdeoQ60K7Q55780NTZFpsucAS4tMYscot8z9_cy5NRbjjViOfUZ_nWG8zTJKvBwWdfhDKXJpIFiu4iYKzUt46FKVcCwnOdEyH6G0raesqJzPtHJ1w0Wk5X3HdduNlhka4hpYHPYfoXNeTgjKLYJoX0SnEuy20C77RtCZpptv9bTV37Z9to257tgJVqJt2x5P9IuiSKTdFdmJBfm1Uo14bEggT5m0Tgl0m_uEWW0igSQSNTREhRHtY2L6YdMfcYqYaIKY2QWuzEiHar-atRd6_qZgvQ","scope":"trino:access"}

Decode the access_token (for example via https://jwt.io) and inspect the claims:

Decoded Payload
{
  "ver": 1,
  "jti": "AT.rNSSqk3ibVKfXgoGEYx8IZ7ILflD7zS-SrqEzP9IjIc",
  "iss": "https://immuta.oktapreview.com/oauth2/default",
  "aud": "api://default",
  "iat": 1742584943,
  "exp": 1742588543,
  "cid": "0oal4jjks6kqzHwRe1d7",
  "scp": [
    "trino:access"
  ],
  "sub": "0oal4jjks6kqzHwRe1d7"
}

The value of the sub field (for a client_credentials grant this is the Client ID) must be listed as an immuta.user.admin in the immuta-access-control.properties file on the Trino cluster.

Configuring Trino

To set up Trino for both OAuth2 and JWT authentication, you only need to edit the coordinator's config.properties once. The example below demonstrates how to update the Trino Helm chart accordingly:

server:
  config:
    authenticationType: PASSWORD,OAUTH2,JWT
  coordinatorExtraConfig: |-
    access-control.config-files=/immuta/immuta-access-control.properties
    web-ui.enabled=true
    web-ui.authentication.type=OAUTH2
    # OAuth2 settings (for end users)
    http-server.authentication.oauth2.issuer=https://immuta.oktapreview.com/oauth2/default
    http-server.authentication.oauth2.client-id=0oal4jjks6kqzHwRe1d7
    http-server.authentication.oauth2.client-secret=<client_secret>
    http-server.authentication.oauth2.scopes=openid,profile,email
    http-server.authentication.oauth2.principal-field=email
    # JWT settings (for M2M)
    http-server.authentication.jwt.key-file=https://immuta.oktapreview.com/oauth2/default/v1/keys
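The two checks the page relies on, that the M2M token carries the trino:access scope and that its sub is an immuta.user.admin, and the principal mapping implied by the coordinator config above, can be exercised locally. The script below is an added example, not code from the page, Immuta, Trino or Okta. It decodes the sample token from the curl response without verifying its signature (Trino does that against the JWKS URL in jwt.key-file), derives the principal each authenticator would use, and checks the sub against a constructed immuta-access-control.properties. The comma-separated layout of immuta.user.admin and the Trino property http-server.authentication.jwt.principal-field (default sub) are assumptions made here.

```python
"""Inspect the Okta access token and the Trino coordinator config from this page.

Added example. Signature verification is deliberately NOT done here: the
decoded claims are for inspection, Trino makes the authorization decision.
"""
import base64
import json
import time

# Token copied from the curl response on this page (it expired long ago).
SAMPLE_TOKEN = "eyJraWQiOiJucm9nQ2hOdFJDYUZ4bEZUVFBOQXVJUnhrbXkxckw2TU15YkRCdVJEcWZvIiwiYWxnIjoiUlMyNTYifQ.eyJ2ZXIiOjEsImp0aSI6IkFULnJOU1NxazNpYlZLZlhnb0dFWXg4SVo3SUxmbEQ3elMtU3JxRXpQOUlqSWMiLCJpc3MiOiJodHRwczovL2ltbXV0YS5va3RhcHJldmlldy5jb20vb2F1dGgyL2RlZmF1bHQiLCJhdWQiOiJhcGk6Ly9kZWZhdWx0IiwiaWF0IjoxNzQyNTg0OTQzLCJleHAiOjE3NDI1ODg1NDMsImNpZCI6IjBvYWw0amprczZrcXpId1JlMWQ3Iiwic2NwIjpbInRyaW5vOmFjY2VzcyJdLCJzdWIiOiIwb2FsNGpqa3M2a3F6SHdSZTFkNyJ9.AkjKFCPKgaDwDYRQMbGS8p-GyzhztXbtzDsZDYjjPMo2glnh9MDk2q2dI5rGIdeoQ60K7Q55780NTZFpsucAS4tMYscot8z9_cy5NRbjjViOfUZ_nWG8zTJKvBwWdfhDKXJpIFiu4iYKzUt46FKVcCwnOdEyH6G0raesqJzPtHJ1w0Wk5X3HdduNlhka4hpYHPYfoXNeTgjKLYJoX0SnEuy20C77RtCZpptv9bTV37Z9to257tgJVqJt2x5P9IuiSKTdFdmJBfm1Uo14bEggT5m0Tgl0m_uEWW0igSQSNTREhRHtY2L6YdMfcYqYaIKY2QWuzEiHar-atRd6_qZgvQ"

# Constructed sample of immuta-access-control.properties. The page says the
# token's "sub" must be listed as immuta.user.admin; the comma-separated
# multi-value layout is an assumption, not a documented format.
SAMPLE_ACCESS_CONTROL_PROPERTIES = """\
immuta.user.admin=0oal4jjks6kqzHwRe1d7,svc-trino-admin
"""

# The coordinatorExtraConfig block from the Helm values on this page.
SAMPLE_COORDINATOR_CONFIG = """\
access-control.config-files=/immuta/immuta-access-control.properties
web-ui.enabled=true
web-ui.authentication.type=OAUTH2
# OAuth2 settings (for end users)
http-server.authentication.oauth2.issuer=https://immuta.oktapreview.com/oauth2/default
http-server.authentication.oauth2.client-id=0oal4jjks6kqzHwRe1d7
http-server.authentication.oauth2.client-secret=<client_secret>
http-server.authentication.oauth2.scopes=openid,profile,email
http-server.authentication.oauth2.principal-field=email
# JWT settings (for M2M)
http-server.authentication.jwt.key-file=https://immuta.oktapreview.com/oauth2/default/v1/keys
"""


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str):
    """Return (header, payload) of a compact JWS. The signature is ignored."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(_b64url_decode(header_b64)),
            json.loads(_b64url_decode(payload_b64)))


def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#' comments skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def trino_principal(payload: dict, config: dict, authenticator: str):
    """Claim Trino would use as the principal, or None if the token lacks it.
    OAUTH2 reads the configured principal-field (email here); JWT reads
    http-server.authentication.jwt.principal-field, assumed to default to 'sub'."""
    if authenticator == "OAUTH2":
        field = config.get("http-server.authentication.oauth2.principal-field", "sub")
    elif authenticator == "JWT":
        field = config.get("http-server.authentication.jwt.principal-field", "sub")
    else:
        raise ValueError(f"unknown authenticator {authenticator!r}")
    return payload.get(field)


def check_m2m_token(payload: dict, config: dict, properties: dict,
                    required_scope: str = "trino:access", now=None) -> list:
    """Return a list of problems; an empty list means the token should work
    for data source onboarding. `now` overrides the clock for repeatable runs."""
    now = time.time() if now is None else now
    issuer = config.get("http-server.authentication.oauth2.issuer")
    key_file = config.get("http-server.authentication.jwt.key-file", "")
    problems = []
    if payload.get("iss") != issuer:
        problems.append(f"issuer {payload.get('iss')!r} != configured {issuer!r}")
    if issuer and not key_file.startswith(issuer):
        problems.append("jwt.key-file is not under the OAuth2 issuer")
    if required_scope not in payload.get("scp", []):
        problems.append(f"scope {required_scope} missing from scp")
    if payload.get("exp", 0) <= now:
        problems.append("token expired")
    principal = trino_principal(payload, config, "JWT")
    admins = {u.strip() for u in properties.get("immuta.user.admin", "").split(",") if u.strip()}
    if principal not in admins:
        problems.append(f"principal {principal!r} is not an immuta.user.admin")
    return problems


if __name__ == "__main__":
    header, payload = decode_jwt_unverified(SAMPLE_TOKEN)
    cfg = parse_properties(SAMPLE_COORDINATOR_CONFIG)
    acl = parse_properties(SAMPLE_ACCESS_CONTROL_PROPERTIES)
    print("alg:", header["alg"], "| JWT principal:", trino_principal(payload, cfg, "JWT"),
          "| OAUTH2 principal:", trino_principal(payload, cfg, "OAUTH2"))
    print("problems:", check_m2m_token(payload, cfg, acl))
```

Running it against the page's token shows why the M2M path must go through the JWT authenticator: the client_credentials token has no email claim, so the OAuth2 principal-field yields nothing, while the JWT default of sub yields the Client ID that the access-control file must list. On a live token the only expected finding is none; "token expired" is what you will see for the page's sample.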

Registering a Trino Datasource in Immuta

Validate the changes to Trino by registering a new data source in Immuta. Populate the fields in the new data source creation page with the client ID, secret, and scope used in the curl call above.

Click Create to register the schema in Immuta.

End-user authentication validation via Trino cli

To validate that the end-user OAuth2 workflow is functioning as intended, use the Trino cli jar to connect and run a query against one of the newly registered data sources. The user must be assigned to the application in Okta and exist in Immuta for this query to return successfully:

./trino --server https://trino-rebtest.immuta.us --user ryan.bauman@immuta.com --external-authentication
trino> select * from tpch.sf10000.customer limit 5;
  custkey  |        name        |                 address                  | nationkey |      phone      | acctbal | mktsegment |                                                 >
-----------+--------------------+------------------------------------------+-----------+-----------------+---------+------------+------------------------------------------------->
 375000001 | Customer#375000001 | A2qPnPHny3EfSYRt5HRK xbO25               |        14 | 24-835-946-7501 |  873.28 | HOUSEHOLD  |  dogged requests. packages are bold             >
 375000002 | Customer#375000002 | tZjdsgDPTGclO4nnJ,                       |         4 | 14-951-488-5148 | 1111.71 | BUILDING   | telets; foxes x-ray quickly. carefully ironic pi>
 375000003 | Customer#375000003 | PZ3lLzEz8GeTL9k                          |        12 | 22-782-389-7245 | 4493.38 | MACHINERY  | oxes. carefully bold instructions sleep sometime>
 375000004 | Customer#375000004 | hPoY29v307gXyjvo7UX5                     |        12 | 22-119-308-8149 | 3178.53 | MACHINERY  | fully unusual deposits snooze along the unusual,>
 375000005 | Customer#375000005 | rOwQejfsU68eMBmY1O7vJR                   |         0 | 10-739-382-1640 | 3615.61 | HOUSEHOLD  | es grow fluffily even packages. carefully unusua>