Add Knowledge Graph JWT auth with traversal ID payload
What does this MR do and why?
Adds JWT authentication for the Knowledge Graph service. Generates HS256 tokens carrying the user's authorization context (traversal IDs from !224372 (merged)) so the GKG query engine can apply namespace-level prefix filtering in ClickHouse.
Stacked on Add Knowledge Graph traversal ID authorization ... (!224372 - merged)
How to set up and validate locally
git checkout gkg-jwt-auth
bundle exec rails console
1. JWT round-trip
user = User.where(admin: false).joins(:group_members).first
token = Analytics::KnowledgeGraph::JwtAuth.generate_token(user: user)
decoded = Analytics::KnowledgeGraph::JwtAuth.decode_token(token)
decoded.first.keys.sort
# => ["admin", "aud", "exp", "group_traversal_ids", "iat", "iss",
# "min_access_level", "sub", "user_id", "username"]
2. Admin JWT (no traversal IDs)
admin = User.where(admin: true).first
token = Analytics::KnowledgeGraph::JwtAuth.generate_token(user: admin)
decoded = Analytics::KnowledgeGraph::JwtAuth.decode_token(token)
decoded.first['admin'] # => true
decoded.first['group_traversal_ids'] # => nil
3. Authorization header
Analytics::KnowledgeGraph::JwtAuth.authorization_header(user: user)
# => "Bearer eyJhbGciOiJIUzI1NiJ9..."
References
- Depends on: !224372 (merged) (traversal ID authorization context)
- Companion MR: !224266 (merged) (RedactionService -- Layer 3)
- Part of: &20566 (Rails Integration)
- Related: gitlab-org/orbit/knowledge-graph#9 (closed) (JWT Passing)
Edited by Michael Angelo Rivera
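The checks a consumer of such a token needs before trusting `admin` or `group_traversal_ids`, as an added example that is not code from this MR or from GitLab: HS256 issue and verify using only Ruby's standard library, with the algorithm pinned and a prefix check on the verified claims. The secret, issuer, audience, helper names and the "/"-terminated string format for traversal IDs are assumptions; the page does not show them.

```ruby
require 'openssl'
require 'json'

# Constructed values: the real secret, issuer and audience are not shown on the page.
SECRET   = 'constructed-shared-secret'
ISSUER   = 'constructed-issuer'
AUDIENCE = 'constructed-audience'

def b64e(data)
  [data].pack('m0').tr('+/', '-_').delete('=')
end

def b64d(str)
  str.tr('-_', '+/').unpack1('m')
end

def mac(input, secret)
  b64e(OpenSSL::HMAC.digest('SHA256', secret, input))
end

# Issue an HS256 token; iss, aud, iat and exp are added to the caller's claims.
def issue(claims, secret: SECRET, now: Time.now.to_i, ttl: 300)
  registered = { 'iss' => ISSUER, 'aud' => AUDIENCE, 'iat' => now, 'exp' => now + ttl }
  signed = "#{b64e(JSON.generate({ 'alg' => 'HS256' }))}.#{b64e(JSON.generate(claims.merge(registered)))}"
  "#{signed}.#{mac(signed, secret)}"
end

# Verify: pin the algorithm, compare the MAC in constant time, then check exp, iss and aud.
def verify(token, secret: SECRET, now: Time.now.to_i)
  header, body, sig = token.split('.', -1)
  return [nil, :malformed] unless token.count('.') == 2
  alg = JSON.parse(b64d(header))['alg'] rescue nil
  return [nil, :bad_alg] unless alg == 'HS256'
  return [nil, :bad_signature] unless OpenSSL.secure_compare(mac("#{header}.#{body}", secret), sig)
  claims = JSON.parse(b64d(body))
  return [nil, :expired] unless claims['exp'].is_a?(Integer) && claims['exp'] > now
  return [nil, :bad_iss_or_aud] unless claims['iss'] == ISSUER && claims['aud'] == AUDIENCE
  [claims, :ok]
end

# Assumed format: traversal IDs are "/"-terminated path strings, so "1/22/" never matches "1/220/".
def namespace_allowed?(claims, namespace_path)
  return true if claims['admin'] == true
  Array(claims['group_traversal_ids']).any? { |prefix| namespace_path.start_with?(prefix) }
end
```

Because `admin: true` bypasses the prefix check entirely, the signature and algorithm checks must run before any claim is read; a token whose payload was edited after signing fails with `:bad_signature`.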