Trino Gateway Health check fails when trino cluster has oauth2 enabled

[JustinR5]

Whenever Trino gateway runs a health check with the trino backend clusters, it returns an 'Unauthorized to fetch cluster stats' error and sets the status of the cluster to 'false'. When changing trino authentication to 'form' from 'oauth2' the health check works.

[willmostly]

Trino only currently supports the authorization code flow, so you'll need to switch to JDBC health checks and set up a separate authn mechanism for the gateway service user.

For example, you can set http-server-authorization.types = OAUTH2, PASSWORD and set up the password database with a service user for the Gateway. The gateway only needs access to the system.runtime schema for health checks so you can restrict its access to everything else.

[andythsu]

if the auth is oauth2 then useApi has to be set to false, since oauth2 flow doesn't support /ui/api/stats

clusterStatsConfiguration:
  useApi: false

[siminyou]

Trino only currently supports the authorization code flow, so you'll need to switch to JDBC health checks and set up a separate authn mechanism for the gateway service user.

For example, you can set http-server-authorization.types = OAUTH2, PASSWORD and set up the password database with a service user for the Gateway. The gateway only needs access to the system.runtime schema for health checks so you can restrict its access to everything else.

the issue with JDBC is internal trino clusters might not have TLS enabled (for various reasons) while it is a strict requirement for JDBC client.

[mosabua]

TLS is not required for JDBC connections

[oneonestar]

I think this is resolved by #264

[mosabua]

Yeah .. good call @oneonestar .. pleasetest and confirm once the new 7 release is out @JustinR5

[oneonestar]

Please reopen if things still doesn't work for you.