Excessive LDAP lookups on each UI API call due to repeated memberOf resolution

[vishnu-lab]

Currently, when navigating between pages in the Trino-gateway UI, each page transition triggers API calls to the gateway. For every API call, a new LbPrincipal is generated by decoding the JWT and fetching the memberOf attribute from LDAP. This causes unnecessary and excessive LDAP queries on every API request, even within the same authenticated session.

Proposed improvements to reduce redundant LDAP calls:

1. Add an evictable cache: Maintain a cache mapping users to their memberOf attribute values, reducing repeated lookups for the same user within a reasonable TTL (time-to-live).
2. Include roles in JWT claims: Encode the user’s roles (e.g., memberOf information) directly into the JWT at login time. This would avoid the need for repeated LDAP calls during subsequent API requests.

[vishnu-lab]

@Chaho12 @oneonestar can you take a look on this

[Chaho12]

Even if Option 1 is applied, it wil still incur LDAP queries, though greatly reduced. Cache adss complexity (eviction, consistency) too.
Hence Option 2 sound sbetter if we use short-lived JWTs (maybe 5 or 10 min?) to minimize the risk of stale role data (this doesn't change often so doesn't have to be immediate)

[vishnu-lab]

got it , i would like to implement this

[Chaho12]

@vishalya Any thoughts on this?
Yes, we would appreciate if you send a PR on this. But please wait a moment as there might be other thoughts.

[oneonestar]

Yea, I think Option 2 is better. The current implementation of OAuth is also using Option 2.

[vishalya]

Thanks for the PR, yes, options is better as it bypasses the LDAP altogether.