Authentication in the Cogrion UI
This page covers how a user authenticates when opening the Cogrion UI and how that identity is carried through subsequent requests.
Authentication in the Control Plane
This page covers how the Control Plane validates inbound requests and how services authenticate with each other across the platform.
Token Exchange and Data Access
This page covers how a user's identity flows from the Cogrion UI all the way to a query executing against data — and how access policies are enforced at each step.
User Secret Management
This page covers how user credentials (AWS keys, database passwords, API tokens) are stored, accessed, and isolated within the platform. There are two access paths: a user-facing REST API through the BFF, and a direct path for notebooks and jobs via a service account.
JupyterHub Spawner — OpenBao Secret Auth
When a user opens a notebook, they need to be able to read and write their own secrets (API keys, credentials, etc.) stored in OpenBao. This page explains how that access is set up automatically — without the notebook ever having to log in to anything.
JupyterHub — Cogrion SDK Authentication
When a data scientist opens a Jupyter notebook on the Cogrion platform, they get more than just a Python environment. They get a fully authenticated session: their notebook code can call Cogrion platform APIs, read from the data warehouse, and manage workspace files — all without the user ever typing a password or managing a credential.
Trino Gateway Auth
This page covers how identity flows into the Trino Gateway and how access privileges are enforced at the gateway layer. For how queries are then authorized at the Trino + Ranger layer, see SQL Auth — Superset, Trino & Ranger.
Trino Gateway Auth — BFF
This page covers how the BFF API authenticates management operations against the Trino Gateway — cluster registration, activation, deactivation, and routing rule updates.
SQL Auth — Superset, Trino & Ranger
This page covers the mechanics of how a user's identity flows from the browser/API calls all the way to a query executing against data, and how access policies are enforced at each step.
Keycloak → Ranger Role Sync
This page covers how Keycloak realm role membership is mirrored into Apache Ranger, enabling Ranger policies to reference roles rather than individual users.
Metadata Auth — DataHub & Trino
This page covers how a user's identity flows when performing metadata operations (adding tags, updating descriptions, reviewing PII) that require Trino to introspect table schemas, and how Ranger enforces access at query time.
Semantic Layer Auth — Ontology, Cube & Trino
This page covers how a user's identity flows from the BFF API through the Ontology backend and Cube semantic layer to Trino query execution, and where Ranger enforces access policies.
ML Agent Auth — Trino
This page covers how a user's identity flows when the BFF API proxies requests to the ML-Agent service, which in turn queries Trino for catalog and schema metadata and executes ML workflows.
Security Gaps
This document records identified security gaps in the platform's authentication and authorization flows. Each gap is recorded in its own section, dated when it was found. A gap is not necessarily an exploitable vulnerability: some entries are open design questions, missing documentation, or deviations from the established platform pattern that require review.