fix(query): create a virtual JWT user instead of ensuring on metasrv (#10760)

* fix(query): create a virtual JWT user instead of from metasrv

* fix: remove hostname for JWT auth & deny root user

* fix: tests for auth

Author: everpcpc

src/query/service/src/auth.rs

@@ -31,7 +31,6 @@ pub struct AuthMgr {
 pub enum Credential {
     Jwt {
         token: String,
-        hostname: Option<String>,
     },
     Password {
         name: String,
@@ -52,10 +51,7 @@ impl AuthMgr {
 
     pub async fn auth(&self, session: Arc<Session>, credential: &Credential) -> Result<()> {
         match credential {
-            Credential::Jwt {
-                token: t,
-                hostname: h,
-            } => {
+            Credential::Jwt { token: t } => {
                 let jwt_auth = self
                     .jwt_auth
                     .as_ref()
@@ -71,32 +67,26 @@ impl AuthMgr {
                 if let Some(tenant) = jwt.custom.tenant_id {
                     session.set_current_tenant(tenant);
                 };
-                let tenant = session.get_current_tenant();
 
-                // create user if not exists when the JWT claims contains ensure_user
+                // create a virtual JWT user only available in current session
+                let auth_role = jwt.custom.role.clone();
+                let mut user_info = UserInfo::new(&user_name, "%", AuthInfo::JWT);
+                if user_info.identity().is_root() {
+                    return Err(ErrorCode::AuthenticateFailure(
+                        "root user is not allowed in jwt auth.",
+                    ));
+                }
+                if let Some(ref role) = auth_role {
+                    user_info.grants.grant_role(role.clone());
+                }
                 if let Some(ref ensure_user) = jwt.custom.ensure_user {
-                    let mut user_info = UserInfo::new(&user_name, "%", AuthInfo::JWT);
                     if let Some(ref roles) = ensure_user.roles {
                         for role in roles.clone().into_iter() {
                             user_info.grants.grant_role(role);
                         }
                     }
-                    UserApiProvider::instance()
-                        .ensure_builtin_roles(&tenant)
-                        .await?;
-                    UserApiProvider::instance()
-                        .add_user(&tenant, user_info.clone(), true)
-                        .await?;
                 }
 
-                let auth_role = jwt.custom.role.clone();
-                let user_info = UserApiProvider::instance()
-                    .get_user_with_client_ip(
-                        &tenant,
-                        &user_name,
-                        h.as_ref().unwrap_or(&"%".to_string()),
-                    )
-                    .await?;
                 session.set_authed_user(user_info, auth_role).await?;
             }
             Credential::Password {

src/query/service/src/servers/http/middleware.rs

@@ -100,7 +100,6 @@ fn auth_by_header(
         match Bearer::decode(value) {
             Some(bearer) => Ok(Credential::Jwt {
                 token: bearer.token().to_string(),
-                hostname: client_ip,
             }),
             None => Err(ErrorCode::AuthenticateFailure("bad Bearer auth header")),
         }