apache
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java
+9-1 b/‎polaris-core/src/main/java/org/apache/polaris/core/auth/AuthenticatedPolarisPrincipal.java
+9-1
diff --git a/‎polaris-core/src/main/java/org/apache/polaris/core/config/ProductionReadinessCheck.java
+4 b/‎polaris-core/src/main/java/org/apache/polaris/core/config/ProductionReadinessCheck.java
+4
diff --git a/‎quarkus/defaults/build.gradle.kts
+1 b/‎quarkus/defaults/build.gradle.kts
+1
diff --git a/‎quarkus/defaults/src/main/resources/application.properties
+41 b/‎quarkus/defaults/src/main/resources/application.properties
+41
diff --git a/‎quarkus/service/build.gradle.kts
+2 b/‎quarkus/service/build.gradle.kts
+2
diff --git a/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/ActiveRolesAugmentor.java
+16-7 b/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/ActiveRolesAugmentor.java
+16-7
diff --git a/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/AuthenticatingAugmentor.java
+82 b/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/AuthenticatingAugmentor.java
+82
diff --git a/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/PolarisIdentityProvider.java
-80 b/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/PolarisIdentityProvider.java
-80
diff --git a/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/QuarkusAuthenticationConfiguration.java
+12-31 b/‎quarkus/service/src/main/java/org/apache/polaris/service/quarkus/auth/QuarkusAuthenticationConfiguration.java
+12-31
@@ -35,7 +35,7 @@ public class AuthenticatedPolarisPrincipal implements java.security.Principal {
   public AuthenticatedPolarisPrincipal(
       @Nonnull PolarisEntity principalEntity, @Nonnull Set<String> activatedPrincipalRoles) {
     this.principalEntity = principalEntity;
-    this.activatedPrincipalRoleNames = activatedPrincipalRoles;
+    this.activatedPrincipalRoleNames = Set.copyOf(activatedPrincipalRoles);
     this.activatedPrincipalRoles = null;
   }
 
@@ -48,6 +48,13 @@ public PolarisEntity getPrincipalEntity() {
     return principalEntity;
   }
 
+  /**
+   * Returns the set of activated principal role names. Activated role names are the roles that were
+   * explicitly requested by the client when authenticating, through JWT claims or other means.
+   *
+   * <p>By convention, this method returns an empty set when the principal is requesting all
+   * available principal roles.
+   */
   public Set<String> getActivatedPrincipalRoleNames() {
     return activatedPrincipalRoleNames;
   }
@@ -56,6 +63,7 @@ public List<PrincipalRoleEntity> getActivatedPrincipalRoles() {
     return activatedPrincipalRoles;
   }
 
+  /** FIXME this method makes this class mutable, which seems risky */
   public void setActivatedPrincipalRoles(List<PrincipalRoleEntity> activatedPrincipalRoles) {
     this.activatedPrincipalRoles = activatedPrincipalRoles;
   }
 
@@ -32,6 +32,10 @@ static ProductionReadinessCheck of(Error... errors) {
     return ImmutableProductionReadinessCheck.builder().addErrors(errors).build();
   }
 
+  static ProductionReadinessCheck of(Iterable<? extends Error> errors) {
+    return ImmutableProductionReadinessCheck.builder().addAllErrors(errors).build();
+  }
+
   default boolean ready() {
     return getErrors().isEmpty();
   }
 
@@ -35,6 +35,7 @@ dependencies {
   compileOnly("io.quarkus:quarkus-smallrye-health")
   compileOnly("io.quarkus:quarkus-micrometer")
   compileOnly("io.quarkus:quarkus-micrometer-registry-prometheus")
+  compileOnly("io.quarkus:quarkus-oidc")
   compileOnly("io.quarkus:quarkus-opentelemetry")
   compileOnly("io.quarkus:quarkus-smallrye-context-propagation")
 }
@@ -30,6 +30,7 @@ quarkus.http.compress-media-types=application/json,text/html,text/plain
 quarkus.management.enabled=true
 quarkus.micrometer.enabled=true
 quarkus.micrometer.export.prometheus.enabled=true
+quarkus.oidc.enabled=true
 quarkus.otel.enabled=true
 
 # ---- Runtime Configuration ----
@@ -74,6 +75,18 @@ quarkus.log.category."io.smallrye.config".level=INFO
 quarkus.management.port=8182
 quarkus.management.test-port=0
 
+# OIDC settings. These settings are required only when using external authentication providers.
+# See https://quarkus.io/guides/security-oidc-configuration-properties-reference
+# Default tenant (disabled by default, set this to true if you use external authentication)
+quarkus.oidc.tenant-enabled=false
+# quarkus.oidc.auth-server-url=https://auth.example.com/realms/polaris
+# quarkus.oidc.client-id=polaris
+# Roles mapping; see https://quarkus.io/guides/security-oidc-bearer-token-authentication#token-claims-and-security-identity-roles
+# quarkus.oidc.roles.role-claim-path=realm/groups
+# Named tenants:
+# quarkus.oidc.idp1.auth-server-url=https://auth.example.com/realms/polaris2
+# quarkus.oidc.idp1.client-id=polaris2
+
 # quarkus.otel.sdk.disabled is set to `true` by default to avoid spuriour errors about
 # trace collector connections being impossible to establish. This setting can be enabled
 # at runtime after configuring other OTel properties for proper trace data collection.
@@ -126,7 +139,14 @@ polaris.rate-limiter.token-bucket.window=PT10S
 
 polaris.active-roles-provider.type=default
 
+# Polaris authentication settings
+polaris.authentication.type=internal
 polaris.authentication.authenticator.type=default
+# Per-realm overrides:
+# polaris.authentication.realm1.type=external
+# polaris.authentication.realm1.authenticator.type=custom
+
+# Options effective when using internal auth (can be overridden in per realm):
 polaris.authentication.token-service.type=default
 polaris.authentication.token-broker.type=rsa-key-pair
 polaris.authentication.token-broker.max-token-generation=PT1H
@@ -135,6 +155,27 @@ polaris.authentication.token-broker.max-token-generation=PT1H
 # polaris.authentication.token-broker.symmetric-key.secret=secret
 # polaris.authentication.token-broker.symmetric-key.file=/tmp/symmetric.key
 
+# OIDC Principals mapping
+polaris.oidc.principal-mapper.type=default
+# polaris.oidc.principal-mapper.id-claim-path=sub
+# polaris.oidc.principal-mapper.name-claim-path=preferred_username
+# Per-tenant overrides:
+# polaris.oidc.idp1.principal-mapper.id-claim-path=polaris/principal_id
+# polaris.oidc.idp1.principal-mapper.name-claim-path=polaris/principal_name
+
+# OIDC Principal roles mapping
+polaris.oidc.principal-roles-mapper.type=default
+# Principal role mapping is done through quarkus.oidc.roles.role-claim-path
+# The properties below define how the roles mapped by Quarkus are converted to Polaris roles
+# polaris.oidc.principal-roles-mapper.filter=PRINCIPAL_ROLE:.*
+# polaris.oidc.principal-roles-mapper.mappings[0].regex=PRINCIPAL_ROLE:(.*)
+# polaris.oidc.principal-roles-mapper.mappings[0].replacement=PRINCIPAL_ROLE:$1
+# Per-tenant overrides:
+# polaris.oidc.idp1.principal-roles-mapper.type=custom
+# polaris.oidc.idp1.principal-roles-mapper.filter=POLARIS_ROLE:.*
+# polaris.oidc.idp1.principal-roles-mapper.mappings[0].regex=POLARIS_ROLE:(.*)
+# polaris.oidc.idp1.principal-roles-mapper.mappings[0].replacement=POLARIS_ROLE:$1
+
 # If the following properties are unset, the default credential provider chain will be used
 # polaris.storage.aws.access-key=accessKey
 # polaris.storage.aws.secret-key=secretKey
 
@@ -55,6 +55,8 @@ dependencies {
   implementation("io.quarkus:quarkus-opentelemetry")
   implementation("io.quarkus:quarkus-security")
   implementation("io.quarkus:quarkus-smallrye-context-propagation")
+  implementation("io.quarkus:quarkus-security")
+  implementation("io.quarkus:quarkus-oidc")
 
   implementation(libs.jakarta.enterprise.cdi.api)
   implementation(libs.jakarta.inject.api)
 
@@ -32,33 +32,42 @@
 
 /**
  * A custom {@link SecurityIdentityAugmentor} that adds active roles to the {@link
- * SecurityIdentity}. This is used to augment the identity with active roles after authentication.
+ * SecurityIdentity}. This is used to augment the identity with valid active roles after
+ * authentication.
  */
 @ApplicationScoped
 public class ActiveRolesAugmentor implements SecurityIdentityAugmentor {
 
+  // must run after AuthenticatingAugmentor
+  public static final int PRIORITY = AuthenticatingAugmentor.PRIORITY - 1;
+
   @Inject ActiveRolesProvider activeRolesProvider;
 
+  @Override
+  public int priority() {
+    return PRIORITY;
+  }
+
   @Override
   public Uni<SecurityIdentity> augment(
       SecurityIdentity identity, AuthenticationRequestContext context) {
     if (identity.isAnonymous()) {
       return Uni.createFrom().item(identity);
     }
-    return context.runBlocking(() -> augmentWithActiveRoles(identity));
+    return context.runBlocking(() -> validateActiveRoles(identity));
   }
 
-  private SecurityIdentity augmentWithActiveRoles(SecurityIdentity identity) {
-    AuthenticatedPolarisPrincipal polarisPrincipal =
-        identity.getPrincipal(AuthenticatedPolarisPrincipal.class);
-    if (polarisPrincipal == null) {
+  private SecurityIdentity validateActiveRoles(SecurityIdentity identity) {
+    if (!(identity.getPrincipal() instanceof AuthenticatedPolarisPrincipal)) {
       throw new AuthenticationFailedException("No Polaris principal found");
     }
+    AuthenticatedPolarisPrincipal polarisPrincipal =
+        identity.getPrincipal(AuthenticatedPolarisPrincipal.class);
     Set<String> validRoleNames = activeRolesProvider.getActiveRoles(polarisPrincipal);
     return QuarkusSecurityIdentity.builder()
         .setAnonymous(false)
         .setPrincipal(polarisPrincipal)
-        .addRoles(validRoleNames)
+        .addRoles(validRoleNames) // replace the current roles with valid ones
         .addCredentials(identity.getCredentials())
         .addAttributes(identity.getAttributes())
         .addPermissionChecker(identity::checkPermission)
 
@@ -0,0 +1,82 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.polaris.service.quarkus.auth;
+
+import io.quarkus.security.AuthenticationFailedException;
+import io.quarkus.security.identity.AuthenticationRequestContext;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.SecurityIdentityAugmentor;
+import io.quarkus.security.runtime.QuarkusSecurityIdentity;
+import io.smallrye.mutiny.Uni;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import org.apache.iceberg.exceptions.NotAuthorizedException;
+import org.apache.polaris.core.auth.AuthenticatedPolarisPrincipal;
+import org.apache.polaris.service.auth.Authenticator;
+import org.apache.polaris.service.auth.PrincipalCredential;
+
+/**
+ * A custom {@link SecurityIdentityAugmentor} that, after Quarkus OIDC or Internal Auth extracted
+ * and validated the principal credentials, augments the {@link SecurityIdentity} by authenticating
+ * the principal and setting an {@link AuthenticatedPolarisPrincipal} as the identity's principal.
+ */
+@ApplicationScoped
+public class AuthenticatingAugmentor implements SecurityIdentityAugmentor {
+
+  public static final int PRIORITY = 100;
+
+  @Inject Authenticator<PrincipalCredential, AuthenticatedPolarisPrincipal> authenticator;
+
+  @Override
+  public int priority() {
+    return PRIORITY;
+  }
+
+  @Override
+  public Uni<SecurityIdentity> augment(
+      SecurityIdentity identity, AuthenticationRequestContext context) {
+    if (identity.isAnonymous()) {
+      return Uni.createFrom().item(identity);
+    }
+    PrincipalCredential credential = extractTokenCredential(identity);
+    return context.runBlocking(() -> authenticatePolarisPrincipal(identity, credential));
+  }
+
+  private PrincipalCredential extractTokenCredential(SecurityIdentity identity) {
+    QuarkusPrincipalCredential credential =
+        identity.getCredential(QuarkusPrincipalCredential.class);
+    if (credential == null) {
+      throw new AuthenticationFailedException("No token credential available");
+    }
+    return credential;
+  }
+
+  private SecurityIdentity authenticatePolarisPrincipal(
+      SecurityIdentity identity, PrincipalCredential credential) {
+    try {
+      AuthenticatedPolarisPrincipal polarisPrincipal =
+          authenticator
+              .authenticate(credential)
+              .orElseThrow(() -> new NotAuthorizedException("Authentication failed"));
+      return QuarkusSecurityIdentity.builder(identity).setPrincipal(polarisPrincipal).build();
+    } catch (RuntimeException e) {
+      throw new AuthenticationFailedException(e);
+    }
+  }
+}
@@ -19,44 +19,25 @@
 package org.apache.polaris.service.quarkus.auth;
 
 import io.smallrye.config.ConfigMapping;
+import io.smallrye.config.WithDefaults;
+import io.smallrye.config.WithParentName;
+import io.smallrye.config.WithUnnamedKey;
+import java.util.Map;
+import org.apache.polaris.core.context.RealmContext;
 import org.apache.polaris.service.auth.AuthenticationConfiguration;
 
 @ConfigMapping(prefix = "polaris.authentication")
 public interface QuarkusAuthenticationConfiguration extends AuthenticationConfiguration {
 
+  @WithParentName
+  @WithUnnamedKey(DEFAULT_REALM_KEY)
+  @WithDefaults
   @Override
-  QuarkusAuthenticatorConfiguration authenticator();
+  Map<String, QuarkusAuthenticationRealmConfiguration> realms();
 
   @Override
-  QuarkusTokenServiceConfiguration tokenService();
-
-  @Override
-  QuarkusTokenBrokerConfiguration tokenBroker();
-
-  interface QuarkusAuthenticatorConfiguration extends AuthenticatorConfiguration {
-
-    /**
-     * The type of the authenticator. Must be a registered {@link
-     * org.apache.polaris.service.auth.Authenticator} identifier.
-     */
-    String type();
-  }
-
-  interface QuarkusTokenServiceConfiguration extends TokenServiceConfiguration {
-
-    /**
-     * The type of the OAuth2 service. Must be a registered {@link
-     * org.apache.polaris.service.catalog.api.IcebergRestOAuth2ApiService} identifier.
-     */
-    String type();
-  }
-
-  interface QuarkusTokenBrokerConfiguration extends TokenBrokerConfiguration {
-
-    /**
-     * The type of the token broker factory. Must be a registered {@link
-     * org.apache.polaris.service.auth.TokenBrokerFactory} identifier.
-     */
-    String type();
+  default QuarkusAuthenticationRealmConfiguration forRealm(RealmContext realmContext) {
+    return (QuarkusAuthenticationRealmConfiguration)
+        AuthenticationConfiguration.super.forRealm(realmContext);
   }
 }
Original file line number	Diff line number	Diff line change
`@@ -35,7 +35,7 @@ public class AuthenticatedPolarisPrincipal implements java.security.Principal {`
`35`	`35`	`public AuthenticatedPolarisPrincipal(`
`36`	`36`	`@Nonnull PolarisEntity principalEntity, @Nonnull Set<String> activatedPrincipalRoles) {`
`37`	`37`	`this.principalEntity = principalEntity;`
`38`		`- this.activatedPrincipalRoleNames = activatedPrincipalRoles;`
	`38`	`+ this.activatedPrincipalRoleNames = Set.copyOf(activatedPrincipalRoles);`
`39`	`39`	`this.activatedPrincipalRoles = null;`
`40`	`40`	`}`
`41`	`41`
`@@ -48,6 +48,13 @@ public PolarisEntity getPrincipalEntity() {`
`48`	`48`	`return principalEntity;`
`49`	`49`	`}`
`50`	`50`
	`51`	`+ /**`
	`52`	`+ * Returns the set of activated principal role names. Activated role names are the roles that were`
	`53`	`+ * explicitly requested by the client when authenticating, through JWT claims or other means.`
	`54`	`+ *`
	`55`	`+ * <p>By convention, this method returns an empty set when the principal is requesting all`
	`56`	`+ * available principal roles.`
	`57`	`+ */`
`51`	`58`	`public Set<String> getActivatedPrincipalRoleNames() {`
`52`	`59`	`return activatedPrincipalRoleNames;`
`53`	`60`	`}`
`@@ -56,6 +63,7 @@ public List<PrincipalRoleEntity> getActivatedPrincipalRoles() {`
`56`	`63`	`return activatedPrincipalRoles;`
`57`	`64`	`}`
`58`	`65`
	`66`	`+ /** FIXME this method makes this class mutable, which seems risky */`
`59`	`67`	`public void setActivatedPrincipalRoles(List<PrincipalRoleEntity> activatedPrincipalRoles) {`
`60`	`68`	`this.activatedPrincipalRoles = activatedPrincipalRoles;`
`61`	`69`	`}`
Original file line number	Diff line number	Diff line change
`@@ -32,6 +32,10 @@ static ProductionReadinessCheck of(Error... errors) {`
`32`	`32`	`return ImmutableProductionReadinessCheck.builder().addErrors(errors).build();`
`33`	`33`	`}`
`34`	`34`
	`35`	`+ static ProductionReadinessCheck of(Iterable<? extends Error> errors) {`
	`36`	`+ return ImmutableProductionReadinessCheck.builder().addAllErrors(errors).build();`
	`37`	`+ }`
	`38`	`+`
`35`	`39`	`default boolean ready() {`
`36`	`40`	`return getErrors().isEmpty();`
`37`	`41`	`}`
Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@ dependencies {`
`35`	`35`	`compileOnly("io.quarkus:quarkus-smallrye-health")`
`36`	`36`	`compileOnly("io.quarkus:quarkus-micrometer")`
`37`	`37`	`compileOnly("io.quarkus:quarkus-micrometer-registry-prometheus")`
	`38`	`+ compileOnly("io.quarkus:quarkus-oidc")`
`38`	`39`	`compileOnly("io.quarkus:quarkus-opentelemetry")`
`39`	`40`	`compileOnly("io.quarkus:quarkus-smallrye-context-propagation")`
`40`	`41`	`}`