[HWORKS-860] hopsworks realm (#1490)

Author: ErmiasG

hopsworks-api/src/main/webapp/WEB-INF/web.xml

@@ -340,7 +340,7 @@
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
-    <realm-name>cauthRealm</realm-name>
+    <realm-name>hopsworksrealm</realm-name>
   </login-config>
   <context-param>
     <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>

hopsworks-ca/src/main/webapp/WEB-INF/web.xml

@@ -76,7 +76,7 @@
   </security-constraint>
   <login-config>
     <auth-method>BASIC</auth-method>
-    <realm-name>cauthRealm</realm-name>
+    <realm-name>hopsworksrealm</realm-name>
   </login-config>
   <context-param>
     <param-name>javax.faces.FACELETS_SKIP_COMMENTS</param-name>

hopsworks-realm/README.md

@@ -0,0 +1,39 @@
+## Hopsworks jdbc realm
+Hopsworks JDBC realm is a security realm for Payara with a JDBC backend.
+
+Payara's JDBC realm assumes a data model with two tables.
+One for user with encoded password and another with pairs of usernames and group names
+to define to which groups a user belongs.
+
+Hopsworks JDBC realm accepts two queries one to determine the password of the
+user based on the username and one to determine the groups the user belongs to based
+on the username. This allows it to handle any data model.
+
+
+### Build hopsworks JDBC realm
+```sh
+ mvn clean compile assembly:single
+```
+
+### Use hopsworks JDBC realm
+
+Copy ```hopsworks-realm-jar-with-dependencies.jar``` to ```[payara home installation]/domains/domain1/lib/hopsworks-realm.jar```
+
+#### Create the realm
+
+```sh
+PASSWORD_QUERY="SELECT password FROM hopsworks.users WHERE email = ?"
+GROUP_QUERY ="SELECT G.group_name from hopsworks.bbc_group AS G, hopsworks.user_group AS UG, hopsworks.users AS U WHERE U.email=? AND UG.gid = G.gid AND UG.uid = U.uid"
+
+${PAYARA_DIR}/bin/asadmin create-auth-realm \
+--login-module=io.hops.hopsworks.realm.jdbc.HopsworksLoginModule \
+--classname=io.hops.hopsworks.realm.jdbc.HopsworksJDBCRealm \
+--property=jaas-context=hopsworksJdbcRealm:datasource-jndi=jdbc/hopsworks:password-query=${PASSWORD_QUERY}:group-query=${GROUP_QUERY}:digest-algorithm=SHA-256:encoding=Hex \
+hopsworksrealm
+```
+
+1. _password-query_ query used to determine the password of the user based on the username (login name). default
+   ```"SELECT password FROM hopsworks.users WHERE email = ?"```
+2. _group-query_ query used to determine the groups the user belongs to based on the username (login name). default
+   ```"SELECT G.group_name from hopsworks.bbc_group AS G, hopsworks.user_group AS UG, hopsworks.users AS U WHERE U.email=? AND UG.gid = G.gid AND UG.uid = U.uid"```
+3. _datasource-jndi_ the datasource used to access the database.

hopsworks-realm/pom.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+  ~ This file is part of Hopsworks
+  ~ Copyright (C) 2023, Hopsworks AB. All rights reserved
+  ~
+  ~ Hopsworks is free software: you can redistribute it and/or modify it under the terms of
+  ~ the GNU Affero General Public License as published by the Free Software Foundation,
+  ~ either version 3 of the License, or (at your option) any later version.
+  ~
+  ~ Hopsworks is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
+  ~ without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+  ~ PURPOSE.  See the GNU Affero General Public License for more details.
+  ~
+  ~ You should have received a copy of the GNU Affero General Public License along with this program.
+  ~ If not, see <https://www.gnu.org/licenses/>.
+  -->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+  <parent>
+    <groupId>io.hops</groupId>
+    <artifactId>hopsworks</artifactId>
+    <version>3.8.0-SNAPSHOT</version>
+    <relativePath>../pom.xml</relativePath>
+  </parent>
+
+  <groupId>io.hops.hopsworks</groupId>
+  <artifactId>hopsworks-realm</artifactId>
+  <name>Hopsworks - realm</name>
+  <description>Hopsworks custom realm</description>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.apache.maven.plugins</groupId>
+      <artifactId>maven-assembly-plugin</artifactId>
+      <version>3.6.0</version>
+    </dependency>
+    <dependency>
+      <groupId>fish.payara.extras</groupId>
+      <artifactId>payara-embedded-web</artifactId>
+    </dependency>
+  </dependencies>
+  <build>
+    <finalName>hopsworks-realm</finalName>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+      </plugin>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-assembly-plugin</artifactId>
+        <version>3.6.0</version>
+        <configuration>
+          <descriptorRefs>
+            <descriptorRef>jar-with-dependencies</descriptorRef>
+          </descriptorRefs>
+        </configuration>
+        <executions>
+          <execution>
+            <id>make-assembly</id>
+            <phase>package</phase>
+            <goals>
+              <goal>single</goal>
+            </goals>
+          </execution>
+        </executions>
+      </plugin>
+    </plugins>
+  </build>
+</project>