arenadata · VitekArkhipov · Jan 24, 2025
diff --git a/core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java b/core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticator.java
@@ -13,6 +13,7 @@
  */
 package io.trino.server.security;
 
+import com.google.common.collect.ImmutableMap;
 import com.google.inject.Inject;
 import io.trino.client.ProtocolDetectionException;
 import io.trino.server.ProtocolConfig;
@@ -36,15 +37,17 @@ public class PasswordAuthenticator
     private final PasswordAuthenticatorManager authenticatorManager;
     private final UserMapping userMapping;
     private final Optional<String> alternateHeaderName;
+    private final boolean populateExtraCredentials;
 
     @Inject
-    public PasswordAuthenticator(PasswordAuthenticatorManager authenticatorManager, PasswordAuthenticatorConfig config, ProtocolConfig protocolConfig)
+    public PasswordAuthenticator(PasswordAuthenticatorManager authenticatorManager, PasswordAuthenticatorConfig config,
+            ProtocolConfig protocolConfig)
     {
         this.userMapping = createUserMapping(config.getUserMappingPattern(), config.getUserMappingFile());
-
         this.authenticatorManager = requireNonNull(authenticatorManager, "authenticatorManager is null");
         authenticatorManager.setRequired();
         this.alternateHeaderName = protocolConfig.getAlternateHeaderName();
+        this.populateExtraCredentials = config.isPopulateExtraCredentials();
     }
 
     @Override
@@ -65,9 +68,15 @@ public Identity authenticate(ContainerRequestContext request)
 
                 // rewrite the original "unmapped" user header to the mapped user (see method Javadoc for more details)
                 rewriteUserHeaderToMappedUser(basicAuthCredentials, request.getHeaders(), authenticatedUser);
-                return Identity.forUser(authenticatedUser)
-                        .withPrincipal(principal)
-                        .build();
+                Identity.Builder identityBuilder = Identity.forUser(authenticatedUser).withPrincipal(principal);
+
+                if (populateExtraCredentials) {
+                    ImmutableMap<String, String> credentials = ImmutableMap.of(
+                            "arenadata.username", basicAuthCredentials.getUser(),
+                            "arenadata.password", basicAuthCredentials.getPassword().get());
+                    identityBuilder.withExtraCredentials(credentials);
+                }
+                return identityBuilder.build();
             }
             catch (UserMappingException | AccessDeniedException e) {
                 if (exception == null) {
@@ -90,7 +99,8 @@ public Identity authenticate(ContainerRequestContext request)
      * When the user in the basic authentication header matches the x-trino-user header, we assume that the client does
      * not want to force the runtime user name, and only wanted to communicate the authentication user.
      */
-    private void rewriteUserHeaderToMappedUser(BasicAuthCredentials basicAuthCredentials, MultivaluedMap<String, String> headers, String authenticatedUser)
+    private void rewriteUserHeaderToMappedUser(BasicAuthCredentials basicAuthCredentials,
+            MultivaluedMap<String, String> headers, String authenticatedUser)
     {
         String userHeader;
         try {

diff --git a/core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorConfig.java b/core/trino-main/src/main/java/io/trino/server/security/PasswordAuthenticatorConfig.java
@@ -31,6 +31,7 @@ public class PasswordAuthenticatorConfig
     private Optional<String> userMappingPattern = Optional.empty();
     private Optional<File> userMappingFile = Optional.empty();
     private List<File> passwordAuthenticatorFiles = ImmutableList.of(new File("etc/password-authenticator.properties"));
+    private boolean populateExtraCredentials;
 
     public Optional<String> getUserMappingPattern()
     {
@@ -72,4 +73,17 @@ public PasswordAuthenticatorConfig setPasswordAuthenticatorFiles(List<String> pa
                 .collect(toImmutableList());
         return this;
     }
+
+    public boolean isPopulateExtraCredentials()
+    {
+        return this.populateExtraCredentials;
+    }
+
+    @Config("arenadata.http-server.authentication.password.populate-extra-credentials")
+    @ConfigDescription("Whether to propagate username and password to extra credentials that could be read by catalogs")
+    public PasswordAuthenticatorConfig setPopulateExtraCredentials(boolean populateExtraCredentials)
+    {
+        this.populateExtraCredentials = populateExtraCredentials;
+        return this;
+    }
 }