
Role mapping support in pac4j extension

Open nozjkoitop opened this issue 1 month ago • 2 comments

Description

This PR aims to enable flexible mapping of OIDC/JWT roles to Druid roles. By default, the pac4j OIDC authentication only maps the sub claim to a single Druid role, which is extremely inconvenient. This PR adds support for extracting roles from any nested claim path in the JWT.

Configuration

New property introduced in runtime.properties:

# Dot-separated path to the claim containing user roles
druid.auth.pac4j.oidc.roleClaimPath=resource_access.client.roles

When set, all values found at roleClaimPath are mapped 1:1 to Druid roles.

  • Path format: a.b.c for nested JSON fields
  • Claim may contain a single value or be multivalued
  • If not set, behavior remains unchanged (maps sub to a single Druid role)

Example JWT payload

{
  "iss": "https://idp.example.com/",
  "sub": "user123",
  "...": "...",
  "resource_access": {
    "client": {
      "roles": ["role1", "role2"]
    }
  },
  "...": "..."
}

With the configuration:

druid.auth.pac4j.oidc.roleClaimPath=resource_access.client.roles

The authenticated user will be assigned Druid roles role1 and role2, if those roles exist in the Druid security configuration.

Release note

Added support for extracting OIDC/JWT roles from a configurable nested claim path and mapping them directly to Druid roles.


Key changed/added classes in this PR
  • RoleBasedAuthGen
  • Pac4jFilter
  • RoleProviderUtil
  • LDAPRoleProvider
  • MetadataStoreRoleProvider

This PR has:

  • [x] been self-reviewed.
  • [x] added documentation for new or modified features or behaviors.
  • [x] a release note entry in the PR description.
  • [ ] added or updated version, license, or notice information in licenses.yaml
  • [ ] added comments explaining the "why" and the intent of the code wherever it would not be obvious for an unfamiliar reader.
  • [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • [ ] added integration tests.
  • [x] been tested in a test Druid cluster.

nozjkoitop avatar Nov 25 '25 15:11 nozjkoitop
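To make the described lookup concrete, here is an added, stand-alone Python illustration of the behaviour the PR description specifies: walk a dot-separated roleClaimPath through the nested JWT claims, accept either a single value or a multivalued claim, fall back to the sub claim when no path is configured, and keep only roles that exist in Druid's security configuration. This is example code written for this page, not the PR's Java implementation or any Druid or pac4j API; the function names, the sample claims and the set of known Druid roles are constructed for the illustration. It operates on claims that pac4j has already taken from a signature-verified token, so no token parsing or verification is done here.

```python
from typing import Any, List, Optional

# Constructed sample payload, shaped like the JWT in the PR description.
# In a real deployment these claims come from a token whose signature
# pac4j has already verified; never build roles from an unverified token.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com/",
    "sub": "user123",
    "resource_access": {
        "client": {
            "roles": ["role1", "role2"],
        }
    },
    # single-valued claim, to show the non-list case
    "realm_access": {"roles": "viewer"},
}

# Constructed stand-in for the roles defined in Druid's security configuration.
KNOWN_DRUID_ROLES = {"role1", "admin", "viewer"}


def resolve_claim_path(claims: dict, path: str) -> Optional[Any]:
    """Walk a dot-separated path such as 'resource_access.client.roles'
    through nested claim objects. Returns None if any segment is missing
    or an intermediate value is not an object."""
    node: Any = claims
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def roles_from_claims(claims: dict, role_claim_path: Optional[str]) -> List[str]:
    """Extract candidate role names from the claims.

    - No path configured: legacy behaviour, the sub claim becomes one role.
    - Path configured: the value there may be a single string or a list
      of strings; anything else (numbers, objects) is ignored rather than
      coerced into a role name."""
    if not role_claim_path:
        return [claims["sub"]] if isinstance(claims.get("sub"), str) else []
    value = resolve_claim_path(claims, role_claim_path)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []


def map_to_druid_roles(claimed: List[str], known_roles: set) -> List[str]:
    """Keep only roles that exist in Druid's security configuration, in the
    order they appeared in the token, without duplicates. Unknown role names
    from the IdP are dropped rather than created."""
    seen = set()
    result = []
    for role in claimed:
        if role in known_roles and role not in seen:
            seen.add(role)
            result.append(role)
    return result


def assign_roles(claims: dict, role_claim_path: Optional[str], known_roles: set) -> List[str]:
    """End-to-end: claims + configured path -> effective Druid roles."""
    return map_to_druid_roles(roles_from_claims(claims, role_claim_path), known_roles)


if __name__ == "__main__":
    path = "resource_access.client.roles"
    print("claimed:", roles_from_claims(SAMPLE_CLAIMS, path))
    print("effective:", assign_roles(SAMPLE_CLAIMS, path, KNOWN_DRUID_ROLES))
    print("legacy (no path):", assign_roles(SAMPLE_CLAIMS, None, KNOWN_DRUID_ROLES))
```

With the path from the description, the token yields role1 and role2, but only role1 is assigned because role2 is not defined in the constructed Druid role set; a misconfigured or missing path yields no roles rather than silently falling back to sub, which is the safer default when a claim path is explicitly configured.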

cc @pjain1 @capistrant can you help in reviewing this.

AdheipSingh avatar Dec 01 '25 09:12 AdheipSingh

As per our discussion on Druid Slack, I'm tagging @kfaraz for review. Thanks for the coordination.

AdheipSingh avatar Dec 09 '25 12:12 AdheipSingh

Thanks, @AdheipSingh ! I will try to prioritize the review of this PR soon.

kfaraz avatar Dec 18 '25 15:12 kfaraz