ML Agent Authentication: BFF to ML-Agent to Trino
This page covers how a user's identity flows when the BFF API proxies requests to the ML-Agent service, which in turn queries Trino for catalog and schema metadata and executes ML workflows.
For the data query flow via Superset, see SQL Auth — Superset, Trino & Ranger.
Routes Covered
All routes are defined in src/routes/mlAgentRoute.js and protected by the validateJWT middleware.
| Method | Route | Purpose |
|---|---|---|
GET | /chatbot/trino/catalogs | List available Trino catalogs |
GET | /chatbot/trino/schemas/:catalog | List schemas in a catalog |
GET | /chatbot/trino/tables/:catalog/:schema | List tables in a schema |
POST | /chatbot/run-workflow-trino | Run an ML workflow against a Trino table |
End-to-End Flow
Step 1: JWT Validation — BFF
The validateJWT middleware validates the user's JWT before the request proceeds. This ensures only authenticated users reach ML-Agent.
Step 2: Raw Token Forwarding — BFF to ML-Agent
Unlike other BFF flows, no token exchange is performed at the BFF layer before forwarding to ML-Agent. The user's original Authorization header is passed directly:
// mlAgentRoute.js
req.headers.authorization // forwarded as-is to ML-Agent
For the /chatbot/run-workflow-trino route, the user's email is also extracted from the validated JWT and sent alongside the request.
The documented platform pattern states that the user's original session token should never be forwarded to downstream services — it should always be exchanged for a service-scoped token first. This flow deviates from that pattern. See Security Gaps.
Step 3: ML-Agent to Trino
How ML-Agent authenticates to Trino is not visible from BFF code alone.
TODO: Determine how ML-Agent authenticates to Trino:
- Does ML-Agent perform its own token exchange (audience:
{workspaceId}-trino-gw) before querying Trino?- Does it forward the user JWT received from BFF directly to Trino?
- Does it use a service account?
This determines whether Ranger sees the real user identity or a shared service account identity on these queries.
TODO: Confirm whether Ranger policies are evaluated at all for catalog/schema listing queries (
/chatbot/trino/catalogs,/chatbot/trino/schemas,/chatbot/trino/tables). If ML-Agent uses a service account, Ranger cannot enforce per-user access on these metadata endpoints.
Configuration
| Config key | Env var | Purpose |
|---|---|---|
mlAgent.url | ML_AGENT_URL | ML-Agent service endpoint |
Go Deeper
- Token Exchange and Data Access — token exchange model
- Security Gaps — known gap: missing token exchange on this path
- SQL Auth — Superset, Trino & Ranger — Ranger enforcement detail