correct ldapconfig, add overview section

trinodb · Sep 12, 2023 · 483435a · 483435a
1 parent ca1ed85
commit 483435a
Showing 1 changed file with 34 additions and 5 deletions.
diff --git a/docs/security.md b/docs/security.md
@@ -15,6 +15,24 @@
 
 # Security
 
+## Overview
+Trino-gateway has it's own security with it's own authetication and authorization.
+It's security is used only to authenticate/authorize it's own ui and the APIs.
+
+### Note for oauth2 flow:
+For oauth2 gateway uses `oidc/callback` where as trino uses `oauth2` path
+gateway should have it's own client id and all the trino clusters should have a single client id.
+gateway needs to pass thorugh the trino oauth2 requests to only one of the cluster. One way to handle that is to set a spectial rule like below:
+```
+  ---
+  name: "Oauth requests"
+  description: "Oauth requests need to go to a single backed"
+  condition: "request.getRequestURI.startsWith(\"/oauth2\")"
+  actions:
+    - "result.put(\"routingGroup\", \"oauth2-handler\")"
+```
+That also means you need to have a cluster with that routing group. It's ok to replicate an existing cluster backend record with a different name for that purpose.
+
 ## Authentication
 
 The authentication would happen on https protocol only. Add the
@@ -100,12 +118,23 @@ authorization:
   admin: 'lb_admin'
   user: 'lb_user'
   api: "lb_api"
-  ldapHost:
-  ldapPort:
-  ldapBindDn:
-  ldapSearch:
-  ldapPassword:
+  ldapConfigPath: "<ldap_config_path>"
+```
+
+The ldap config file should have the following contents
+
 ```
+  ldapHost: '<ldap sever>'
+  ldapPort: <port>
+  useTls: <true/false>
+  useSsl: <true/false>
+  ldapAdminBindDn: <>
+  ldapUserBaseDn: <>
+  ldapUserSearch: <>
+  ldapGroupMemberAttribute: <>
+  ldapAdminPassword: <>
+```
+