Netcracker · nurtai325 · Oct 12, 2025 · Oct 12, 2025 · Oct 14, 2025 · Oct 14, 2025
@@ -202,6 +202,19 @@
             <artifactId>lombok-mapstruct-binding</artifactId>
             <version>${lombok-mapstruct-binding.version}</version>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-jwt</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-smallrye-jwt-build</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.netcracker.cloud.security.core.utils</groupId>
+            <artifactId>k8s-utils</artifactId>
+            <version>2.2.2-SNAPSHOT</version>
-            <version>2.2.2-SNAPSHOT</version>
+            <version>2.2.2</version>
-            <version>2.2.2-SNAPSHOT</version>
+            <version>2.2.2</version>
+        </dependency>
 
         <!-- Test dependencies -->
         <dependency>
@@ -254,6 +267,11 @@
             <version>1.21.3</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>io.quarkus</groupId>
+            <artifactId>quarkus-test-oidc-server</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 
     <build>

@@ -0,0 +1,66 @@
+package com.netcracker.cloud.dbaas.config.security;
+
+import io.quarkus.security.identity.IdentityProviderManager;
+import io.quarkus.security.identity.SecurityIdentity;
+import io.quarkus.security.identity.request.AuthenticationRequest;
+import io.quarkus.smallrye.jwt.runtime.auth.JWTAuthMechanism;
+import io.quarkus.vertx.http.runtime.security.BasicAuthenticationMechanism;
+import io.quarkus.vertx.http.runtime.security.ChallengeData;
+import io.quarkus.vertx.http.runtime.security.HttpAuthenticationMechanism;
+import io.quarkus.vertx.http.runtime.security.HttpCredentialTransport;
+import io.smallrye.mutiny.Uni;
+import io.vertx.ext.web.RoutingContext;
+import jakarta.annotation.Priority;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.inject.Inject;
+import lombok.extern.slf4j.Slf4j;
+
+import java.util.HashSet;
+import java.util.Set;
+
+@Priority(1)
+@ApplicationScoped
+@Slf4j
+public class BasicAndKubernetesAuthMechanism implements HttpAuthenticationMechanism {
+    @Inject
+    BasicAuthenticationMechanism basicAuth;
+
+    @Inject
+    JWTAuthMechanism jwtAuth;
+
+    @Override
+    public Uni<SecurityIdentity> authenticate(RoutingContext context, IdentityProviderManager identityProviderManager) {
+        return selectMechanism(context).authenticate(context, identityProviderManager);
+    }
+
+    @Override
+    public Uni<ChallengeData> getChallenge(RoutingContext context) {
+        return selectMechanism(context).getChallenge(context);
+    }
+
+    @Override
+    public Set<Class<? extends AuthenticationRequest>> getCredentialTypes() {
+        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>();
-        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>();
+        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>(basicAuth.getCredentialTypes().size() + jwtAuth.getCredentialTypes().size());
-        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>();
+        Set<Class<? extends AuthenticationRequest>> types = new HashSet<>(basicAuth.getCredentialTypes().size() + jwtAuth.getCredentialTypes().size());
+        types.addAll(basicAuth.getCredentialTypes());
+        types.addAll(jwtAuth.getCredentialTypes());
+        return types;
+    }
+
+    @Override
+    public Uni<HttpCredentialTransport> getCredentialTransport(RoutingContext context) {
+        return selectMechanism(context).getCredentialTransport(context);
+    }
+
+    private HttpAuthenticationMechanism selectMechanism(RoutingContext context) {
+        if (isBearerTokenPresent(context)) {
+            return jwtAuth;
+        } else {
+            return basicAuth;
+        }
+    }
+
+    private boolean isBearerTokenPresent(RoutingContext context) {
-    private boolean isBearerTokenPresent(RoutingContext context) {
+    private static final String BEARER_PREFIX = "Bearer ";
+
+    private boolean isBearerTokenPresent(RoutingContext context) {
+        String authHeader = context.request().getHeader("Authorization");
+        return authHeader != null && authHeader.startsWith(BEARER_PREFIX);
+    }
-    private boolean isBearerTokenPresent(RoutingContext context) {
+    private static final String BEARER_PREFIX = "Bearer ";
+
+    private boolean isBearerTokenPresent(RoutingContext context) {
+        String authHeader = context.request().getHeader("Authorization");
+        return authHeader != null && authHeader.startsWith(BEARER_PREFIX);
+    }
+        String authHeader = context.request().getHeader("Authorization");
+        return authHeader != null && authHeader.startsWith("Bearer ");
+    }
+}
@@ -0,0 +1,61 @@
+package com.netcracker.cloud.dbaas.config.security;
+
+import com.netcracker.cloud.security.core.utils.k8s.KubernetesTokenVerificationException;
+import com.netcracker.cloud.security.core.utils.k8s.KubernetesTokenVerifier;
+import io.quarkus.runtime.StartupEvent;
+import io.smallrye.jwt.auth.principal.*;
+import jakarta.annotation.Priority;
+import jakarta.enterprise.context.ApplicationScoped;
+import jakarta.enterprise.event.Observes;
+import jakarta.enterprise.inject.Alternative;
+import jakarta.inject.Inject;
+import lombok.extern.slf4j.Slf4j;
+import org.eclipse.microprofile.config.inject.ConfigProperty;
+
+@ApplicationScoped
+@Alternative
+@Priority(1)
+@Slf4j
+public class KubernetesJWTCallerPrincipalFactory extends JWTCallerPrincipalFactory {
+
+    private final KubernetesTokenVerifier verifier;
+
+    @Inject
+    public KubernetesJWTCallerPrincipalFactory(
+            @ConfigProperty(name = "dbaas.security.k8s.jwt.enabled") boolean isJwtEnabled,
+            @ConfigProperty(name = "dbaas.security.k8s.jwt.audience") String jwtAudience
+    ) {
+        if (!isJwtEnabled) {
+            log.info("JWT not enabled, skipping verifier initialization");
+            this.verifier = null;
+            return;
+        }
+
+        log.info("Initializing KubernetesTokenVerifier");
+        try {
+            this.verifier = new KubernetesTokenVerifier(jwtAudience);
+            log.info("KubernetesTokenVerifier initialized successfully");
+        } catch (RuntimeException e) {
+            log.error("Failed to initialize KubernetesTokenVerifier", e);
+            throw e;
+        }
+    }
+
+    KubernetesJWTCallerPrincipalFactory(KubernetesTokenVerifier verifier) {
+        this.verifier = verifier;
+    }
+
+    @Override
+    public JWTCallerPrincipal parse(String token, JWTAuthContextInfo authContextInfo) throws ParseException {
+        try {
+            var prin = new DefaultJWTCallerPrincipal(verifier.verify(token));
+            return prin;
+        } catch (KubernetesTokenVerificationException e) {
+            throw new ParseException("failed to parse kubernetes projected volume token", e);
+        }
+    }
+
+    // observe StartupEvent so that bean is created at startup
+    void onStartUp(@Observes StartupEvent event) {
+    }
+}
@@ -1,22 +1,21 @@
 package com.netcracker.cloud.dbaas.controller.error;
 
-import com.netcracker.cloud.dbaas.exceptions.ForbiddenDeleteOperationException;
 import jakarta.ws.rs.core.Context;
 import jakarta.ws.rs.core.Response;
 import jakarta.ws.rs.core.UriInfo;
 import jakarta.ws.rs.ext.ExceptionMapper;
 import jakarta.ws.rs.ext.Provider;
+import com.netcracker.cloud.dbaas.exceptions.ForbiddenException;
 
 import static com.netcracker.cloud.dbaas.controller.error.Utils.buildDefaultResponse;
 
 @Provider
-public class ForbiddenDeleteOperationExceptionMapper implements ExceptionMapper<ForbiddenDeleteOperationException> {
-
+public class ForbiddenExceptionMapper implements ExceptionMapper<ForbiddenException> {
     @Context
     UriInfo uriInfo;
 
     @Override
-    public Response toResponse(ForbiddenDeleteOperationException e) {
+    public Response toResponse(ForbiddenException e) {
         return buildDefaultResponse(uriInfo, e, Response.Status.FORBIDDEN);
-        return buildDefaultResponse(uriInfo, e, Response.Status.FORBIDDEN);
+        if (uriInfo == null) {
+            return Response.status(Response.Status.FORBIDDEN).entity(e.getMessage()).build();
+        }
+        return buildDefaultResponse(uriInfo, e, Response.Status.FORBIDDEN);
-        return buildDefaultResponse(uriInfo, e, Response.Status.FORBIDDEN);
+        if (uriInfo == null) {
+            return Response.status(Response.Status.FORBIDDEN).entity(e.getMessage()).build();
+        }
+        return buildDefaultResponse(uriInfo, e, Response.Status.FORBIDDEN);
     }
 }
@@ -1,5 +1,6 @@
 package com.netcracker.cloud.dbaas.controller.v3;
 
+import com.netcracker.cloud.context.propagation.core.ContextManager;
 import com.netcracker.cloud.dbaas.controller.abstact.AbstractDatabaseAdministrationController;
 import com.netcracker.cloud.dbaas.dto.ClassifierWithRolesRequest;
 import com.netcracker.cloud.dbaas.dto.Source;
@@ -12,13 +13,19 @@
 import com.netcracker.cloud.dbaas.exceptions.NotFoundException;
 import com.netcracker.cloud.dbaas.exceptions.*;
 import com.netcracker.cloud.dbaas.monitoring.model.DatabasesInfo;
+import com.netcracker.cloud.dbaas.security.validators.NamespaceValidator;
 import com.netcracker.cloud.dbaas.service.*;
+import com.netcracker.cloud.dbaas.utils.JwtUtils;
+import com.netcracker.cloud.framework.contexts.tenant.BaseTenantProvider;
+import com.netcracker.cloud.framework.contexts.tenant.TenantContextObject;
+import io.smallrye.jwt.auth.principal.DefaultJWTCallerPrincipal;
 import jakarta.annotation.security.RolesAllowed;
 import jakarta.inject.Inject;
 import jakarta.transaction.Transactional;
 import jakarta.ws.rs.*;
 import jakarta.ws.rs.core.MediaType;
 import jakarta.ws.rs.core.Response;
+import jakarta.ws.rs.core.SecurityContext;
 import lombok.extern.slf4j.Slf4j;
 import org.eclipse.microprofile.openapi.annotations.Operation;
 import org.eclipse.microprofile.openapi.annotations.enums.SchemaType;
@@ -63,6 +70,10 @@ public class AggregatedDatabaseAdministrationControllerV3 extends AbstractDataba
     PasswordEncryption encryption;
     @Inject
     BlueGreenService blueGreenService;
+    @Inject
+    NamespaceValidator namespaceValidator;
+    @Inject
+    SecurityContext securityContext;
 
     @Operation(summary = "V3. Creates new database V3",
             description = "Creates new database and returns it with connection information, " +
@@ -84,11 +95,11 @@ public Response createDatabase(@Parameter(description = "The model for creating
                                    @PathParam(NAMESPACE_PARAMETER) String namespace,
                                    @Parameter(description = "Determines if database should be created asynchronously")
                                    @QueryParam(ASYNC_PARAMETER) Boolean async) {
-        if (!AggregatedDatabaseAdministrationService.AggregatedDatabaseAdministrationUtils.isClassifierCorrect(createRequest.getClassifier())) {
-            throw new InvalidClassifierException("Classifier doesn't contain all mandatory fields. " +
-                    "Check that classifier has `microserviceName`, `scope`. If `scope` = `tenant`, classifier must contain `tenantId` property",
-                    createRequest.getClassifier(), Source.builder().pointer("/classifier").build());
+        if (!AggregatedDatabaseAdministrationService.AggregatedDatabaseAdministrationUtils.isClassifierCorrect(createRequest.getClassifier()) ||
+                !namespaceValidator.checkNamespaceFromClassifier(securityContext, createRequest.getClassifier())) {
+            throw InvalidClassifierException.withDefaultMsg(createRequest.getClassifier());
         }
+        checkTenantId(createRequest.getClassifier());
         checkOriginService(createRequest);
 
         namespace = (String) createRequest.getClassifier().get(NAMESPACE);
@@ -196,9 +207,10 @@ public Response getDatabaseByClassifier(@Parameter(description = "Classifier on
                                             @Parameter(description = "The type of base in which the database was created. For example PostgreSQL  or MongoDB", required = true)
                                             @PathParam("type") String type) {
         checkOriginService(classifierRequest);
-        if (!dBaaService.isValidClassifierV3(classifierRequest.getClassifier())) {
+        if (!dBaaService.isValidClassifierV3(classifierRequest.getClassifier()) || !namespaceValidator.checkNamespaceFromClassifier(securityContext, classifierRequest.getClassifier())) {
             throw new InvalidClassifierException("Invalid V3 classifier", classifierRequest.getClassifier(), Source.builder().pointer("").build());
         }
+        checkTenantId(classifierRequest.getClassifier());
         checkOriginService(classifierRequest);
         namespace = (String) classifierRequest.getClassifier().get(NAMESPACE);
 
@@ -280,11 +292,10 @@ public Response addExternalDatabase(@Parameter(description = "Request with conne
                                         @Parameter(description = "Namespace with which new database will be connected", required = true)
                                         @PathParam(NAMESPACE_PARAMETER) String namespace) {
         log.info("Get request on adding external database with classifier {} and type {} in namespace {}", externalDatabaseRequest.getClassifier(), externalDatabaseRequest.getType(), namespace);
-        if (!AggregatedDatabaseAdministrationService.AggregatedDatabaseAdministrationUtils.isClassifierCorrect(externalDatabaseRequest.getClassifier())) {
-            throw new InvalidClassifierException("Classifier doesn't contain all mandatory fields. " +
-                    "Check that classifier has `microserviceName`, `scope`. If `scope` = `tenant`, classifier must contain `tenantId` property",
-                    externalDatabaseRequest.getClassifier(), Source.builder().pointer("/classifier").build());
+        if (!AggregatedDatabaseAdministrationService.AggregatedDatabaseAdministrationUtils.isClassifierCorrect(externalDatabaseRequest.getClassifier()) || !namespaceValidator.checkNamespaceFromClassifier(securityContext, externalDatabaseRequest.getClassifier())) {
+            throw InvalidClassifierException.withDefaultMsg(externalDatabaseRequest.getClassifier());
         }
+        checkTenantId(externalDatabaseRequest.getClassifier());
         DatabaseRegistry databaseRegistry = externalDatabaseRequest.toDatabaseRegistry();
         Optional<BgDomain> bgDomainOpt = aggregatedDatabaseAdministrationService.getBgDomain(namespace);
         if (bgDomainOpt.isPresent()) {
@@ -396,9 +407,23 @@ public Response deleteDatabaseByClassifier(@Parameter(description = "A unique id
     }
 
     private void checkOriginService(UserRolesServices rolesServices) {
+        if (securityContext.getUserPrincipal() instanceof DefaultJWTCallerPrincipal principal) {
-        if (securityContext.getUserPrincipal() instanceof DefaultJWTCallerPrincipal principal) {
+if (securityContext.getUserPrincipal() != null && securityContext.getUserPrincipal() instanceof DefaultJWTCallerPrincipal principal) {
-        if (securityContext.getUserPrincipal() instanceof DefaultJWTCallerPrincipal principal) {
+if (securityContext.getUserPrincipal() != null && securityContext.getUserPrincipal() instanceof DefaultJWTCallerPrincipal principal) {
+            rolesServices.setOriginService(JwtUtils.getServiceAccountName(principal));
+        }
         if (rolesServices.getOriginService() == null || rolesServices.getOriginService().isEmpty()) {
             log.error("Request body={} must contain originService", rolesServices);
             throw new InvalidOriginServiceException();
         }
     }
+
+    private void checkTenantId(Map<String, Object> classifier) {
+        if (!Objects.equals(classifier.get(SCOPE), SCOPE_VALUE_TENANT)) {
+            return;
+        }
+        String tenantId = ((TenantContextObject) ContextManager.get(BaseTenantProvider.TENANT_CONTEXT_NAME)).getTenant();
-        String tenantId = ((TenantContextObject) ContextManager.get(BaseTenantProvider.TENANT_CONTEXT_NAME)).getTenant();
+TenantContextObject tenantContext = (TenantContextObject) ContextManager.get(BaseTenantProvider.TENANT_CONTEXT_NAME);
+        if (tenantContext == null || !tenantId.equals(classifier.get(TENANT_ID))) {
-        String tenantId = ((TenantContextObject) ContextManager.get(BaseTenantProvider.TENANT_CONTEXT_NAME)).getTenant();
+TenantContextObject tenantContext = (TenantContextObject) ContextManager.get(BaseTenantProvider.TENANT_CONTEXT_NAME);
+        if (tenantContext == null || !tenantId.equals(classifier.get(TENANT_ID))) {
+        if (tenantId.equals(classifier.get(TENANT_ID))) {
+            return;
+        }
+        throw new ForbiddenTenantIdException();
+    }
 }
@@ -11,7 +11,7 @@ public class ClassifierWithRolesRequest implements UserRolesServices {
     @Schema(description = "Database composite identify key. See details in https://perch.qubership.org/display/CLOUDCORE/DbaaS+Database+Classifier", required = true)
     private Map<String, Object> classifier;
 
-    @Schema(description = "Origin service which send request", required = true)
+    @Schema(description = "Origin service which send request")
-    @Schema(description = "Origin service which send request")
+    @Schema(description = "Origin service which sends request")
-    @Schema(description = "Origin service which send request")
+    @Schema(description = "Origin service which sends request")
     private String originService;
 
     @Schema(description = "Indicates connection properties with which user role should be returned to a client")

diff --git a/...aggregator/src/main/java/com/netcracker/cloud/dbaas/dto/role/ServiceAccountWithRoles.java b/...aggregator/src/main/java/com/netcracker/cloud/dbaas/dto/role/ServiceAccountWithRoles.java
@@ -0,0 +1,21 @@
+package com.netcracker.cloud.dbaas.dto.role;
+
+import lombok.Getter;
+import lombok.Setter;
+
+import java.util.Set;
+
+public class ServiceAccountWithRoles {
+    @Setter
+    @Getter
+    private String name;
-    private String name;
+    private Set<String> roles = new HashSet<>();
-    private String name;
+    private Set<String> roles = new HashSet<>();
+
+    @Setter
+    @Getter
+    private Set<String> roles;
+
+    public ServiceAccountWithRoles(String name, Set<String> roles) {
+        this.name = name;
+        this.roles = roles;
+    }
+}
@@ -18,7 +18,7 @@ public DatabaseCreateRequestV3(@NonNull Map<String, Object> classifier, @NonNull
         super(classifier, type);
     }
 
-    @Schema(description = "Origin service which send request", required = true)
+    @Schema(description = "Origin service which send request")
     private String originService;
 
     @Schema(description = "Indicates connection properties with which user role should be returned to a client")

@@ -5,6 +5,8 @@
 public interface UserRolesServices {
     String getOriginService();
 
+    void setOriginService(String originService);
+
     String getUserRole();
 
     Map<String, Object> getClassifier();

@@ -208,6 +208,10 @@ public enum ErrorCodes implements ErrorCode {
             "Adapter address name has wrong format",
             "register request contains adapter address field, but it has wrong format: %s. " +
                     "Must be in format: <schema>://<service-name>.<namespace>:<port>, e.g.: http://dbaas-postgres-adapter.postgresql:8080"),
+    CORE_DBAAS_4046(
-    CORE_DBAAS_4046(
+    CORE_DBAAS_4046(
-    CORE_DBAAS_4046(
+    CORE_DBAAS_4046(
+            "CORE-DBAAS-4046",
-            "CORE-DBAAS-4046",
+            "CORE-DBAAS-4046",
-            "CORE-DBAAS-4046",
+            "CORE-DBAAS-4046",
+            "Invalid tenantId in classifier",
-            "Invalid tenantId in classifier",
+            "Tenant ID mismatch in classifier",
-            "Invalid tenantId in classifier",
+            "Tenant ID mismatch in classifier",
+            "tenantId from classifier and tenantId from request don't match"),
-            "tenantId from classifier and tenantId from request don't match"),
+            "Tenant ID from classifier does not match tenant ID from request"),
-            "tenantId from classifier and tenantId from request don't match"),
+            "Tenant ID from classifier does not match tenant ID from request"),
 
     CORE_DBAAS_7002(
             "CORE-DBAAS-7002",

@@ -4,7 +4,7 @@
 import lombok.Getter;
 
 @Getter
-public class ForbiddenDeleteBackupOperationException extends ErrorCodeException {
+public class ForbiddenDeleteBackupOperationException extends ForbiddenException {
 
     public ForbiddenDeleteBackupOperationException(String detail) {
         super(ErrorCodes.CORE_DBAAS_4013, ErrorCodes.CORE_DBAAS_4013.getDetail(detail));

@@ -4,7 +4,7 @@
 import lombok.Getter;
 
 @Getter
-public class ForbiddenDeleteOperationException extends ErrorCodeException {
+public class ForbiddenDeleteOperationException extends ForbiddenException {
 
     public ForbiddenDeleteOperationException() {
         super(ErrorCodes.CORE_DBAAS_4003, ErrorCodes.CORE_DBAAS_4003.getDetail());