jinsongzhou pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/amoro.git
The following commit(s) were added to refs/heads/master by this push:
new bdd780b7f [AMORO-2667] Implement basic authentication for REST APIs
(#2687)
bdd780b7f is described below
commit bdd780b7f7181ede63688668b55b79e852e7be57
Author: Paul Lin <[email protected]>
AuthorDate: Fri May 10 10:30:39 2024 +0800
[AMORO-2667] Implement basic authentication for REST APIs (#2687)
* feat: implement basic authentication for REST APIs
* docs: add docs for basic auth
---------
Co-authored-by: baiyangtx <[email protected]>
Co-authored-by: ZhouJinsong <[email protected]>
---
.../apache/amoro/server/ArcticManagementConf.java | 6 ++++
.../amoro/server/dashboard/DashboardServer.java | 34 ++++++++++++++++++----
docs/admin-guides/deployment.md | 1 +
3 files changed, 35 insertions(+), 6 deletions(-)
diff --git
a/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java
b/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java
index b03f5bce2..7d83e1fd7 100644
---
a/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java
+++
b/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java
@@ -222,6 +222,12 @@ public class ArcticManagementConf {
.defaultValue(19090)
.withDescription("Port that the Http server is bound to.");
+ public static final ConfigOption<String> HTTP_SERVER_REST_AUTH_TYPE =
+ ConfigOptions.key("http-server.rest-auth-type")
+ .stringType()
+ .defaultValue("token")
+ .withDescription("The authentication used by REST APIs, token
(default) or basic.");
+
public static final ConfigOption<Integer> OPTIMIZING_COMMIT_THREAD_COUNT =
ConfigOptions.key("self-optimizing.commit-thread-count")
.intType()
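Review bot: `http-server.rest-auth-type` is declared as a free-form string, so nothing at this definition rejects a value other than the two named in the description. Judging by the DashboardServer change in this commit, only a case-insensitive `basic` is recognised and every other value, including a typo, ends up on the token path without any message. I would validate the value once at startup and fail with a clear error on anything other than `token` or `basic`. The description could also state which credentials basic mode uses, e.g. `"The authentication used by REST APIs, token (default) or basic. Basic reuses the admin username and password."`.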
diff --git
a/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
b/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
index 633943c2a..04f519a0f 100644
---
a/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
+++
b/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
@@ -25,12 +25,14 @@ import static io.javalin.apibuilder.ApiBuilder.post;
import static io.javalin.apibuilder.ApiBuilder.put;
import io.javalin.apibuilder.EndpointGroup;
+import io.javalin.core.security.BasicAuthCredentials;
import io.javalin.http.ContentType;
import io.javalin.http.Context;
import io.javalin.http.HttpCode;
import io.javalin.http.staticfiles.Location;
import io.javalin.http.staticfiles.StaticFileConfig;
import org.apache.amoro.api.config.Configurations;
+import org.apache.amoro.server.ArcticManagementConf;
import org.apache.amoro.server.DefaultOptimizingService;
import org.apache.amoro.server.RestCatalogService;
import org.apache.amoro.server.dashboard.controller.CatalogController;
@@ -77,6 +79,10 @@ public class DashboardServer {
private final TerminalController terminalController;
private final VersionController versionController;
+ private final String authType;
+ private final String basicAuthUser;
+ private final String basicAuthPassword;
+
public DashboardServer(
Configurations serviceConfig,
TableService tableService,
@@ -93,6 +99,10 @@ public class DashboardServer {
this.tableController = new TableController(tableService, tableDescriptor,
serviceConfig);
this.terminalController = new TerminalController(terminalManager);
this.versionController = new VersionController();
+
+ this.authType =
serviceConfig.get(ArcticManagementConf.HTTP_SERVER_REST_AUTH_TYPE);
+ this.basicAuthUser =
serviceConfig.get(ArcticManagementConf.ADMIN_USERNAME);
+ this.basicAuthPassword =
serviceConfig.get(ArcticManagementConf.ADMIN_PASSWORD);
}
private String indexHtml = "";
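Review bot: The three values read at the end of the constructor are stored without any check, and `preHandleRequest` later calls `basicAuthUser.equals(...)` on them, so if either admin option has no value the problem would only surface as a NullPointerException on the first REST request. A guard here turns that into a startup failure: `if ("basic".equalsIgnoreCase(authType) && (basicAuthUser == null || basicAuthPassword == null)) throw new IllegalStateException("ams.admin-username and ams.admin-password must be set for basic REST auth");`. Because basic mode reuses the dashboard admin account, it is also worth logging a startup warning when those options still hold their shipped defaults; the defaults are not visible in this diff, so that part is an assumption to confirm. The constructor starts above this hunk.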
@@ -387,12 +397,24 @@ public class DashboardServer {
public void preHandleRequest(Context ctx) {
String uriPath = ctx.path();
if (needApiKeyCheck(uriPath)) {
- checkApiToken(
- ctx.method(),
- ctx.url(),
- ctx.queryParam("apiKey"),
- ctx.queryParam("signature"),
- ctx.queryParamMap());
+ if ("basic".equalsIgnoreCase(authType)) {
+ BasicAuthCredentials cred = ctx.basicAuthCredentials();
+ if (!(basicAuthUser.equals(cred.component1())
+ && basicAuthPassword.equals(cred.component2()))) {
+ LOG.debug(
+ String.format(
+ "Failed to authenticate via basic authentication. Request
url: %s %s.",
+ ctx.req.getMethod(), uriPath));
+ throw new SignatureCheckException();
+ }
+ } else {
+ checkApiToken(
+ ctx.method(),
+ ctx.url(),
+ ctx.queryParam("apiKey"),
+ ctx.queryParam("signature"),
+ ctx.queryParamMap());
+ }
} else if (needLoginCheck(uriPath)) {
if (null == ctx.sessionAttribute("user")) {
LOG.info("session info: {}",
JacksonUtil.toJSONString(ctx.sessionAttributeMap()));
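Review bot: In the new basic branch of `preHandleRequest`, `ctx.basicAuthCredentials()` is called without first checking that the request carries a usable `Authorization: Basic` header. As far as I recall, in the Javalin 4 line this import comes from, that call throws on a missing or malformed header, so an unauthenticated request would surface as a generic error instead of `SignatureCheckException`; this is worth confirming against the Javalin version in use. The credential check uses `String.equals`, which returns at the first differing character, whereas `MessageDigest.isEqual` on the UTF-8 bytes avoids exposing that through timing. The failure is logged at debug via `String.format`, so rejected attempts are not recorded at default log levels and the style differs from the parameterized `LOG.info` a few lines below. The sketch needs `java.security.MessageDigest` and `java.nio.charset.StandardCharsets` imported, and the method continues past the end of this hunk.

```java
if ("basic".equalsIgnoreCase(authType)) {
  boolean authenticated = false;
  if (ctx.basicAuthCredentialsExist()) {
    try {
      BasicAuthCredentials cred = ctx.basicAuthCredentials();
      // Evaluate both comparisons so the timing does not reveal which field mismatched.
      boolean userOk =
          MessageDigest.isEqual(
              basicAuthUser.getBytes(StandardCharsets.UTF_8),
              cred.component1().getBytes(StandardCharsets.UTF_8));
      boolean passwordOk =
          MessageDigest.isEqual(
              basicAuthPassword.getBytes(StandardCharsets.UTF_8),
              cred.component2().getBytes(StandardCharsets.UTF_8));
      authenticated = userOk & passwordOk;
    } catch (IllegalArgumentException | IndexOutOfBoundsException ignored) {
      // A header that cannot be decoded is an authentication failure, not a server error.
    }
  }
  if (!authenticated) {
    // warn level so rejected attempts are visible in default logging
    LOG.warn(
        "Failed to authenticate via basic authentication. Request url: {} {}.",
        ctx.req.getMethod(),
        uriPath);
    throw new SignatureCheckException();
  }
} else {
  // … unchanged: checkApiToken(...) call …
}
```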
diff --git a/docs/admin-guides/deployment.md b/docs/admin-guides/deployment.md
index 368b0a2cc..f7a027c80 100644
--- a/docs/admin-guides/deployment.md
+++ b/docs/admin-guides/deployment.md
@@ -92,6 +92,7 @@ If you want to use AMS in a production environment, it is
recommended to modify
- The `ams.thrift-server.table-service.bind-port` configuration specifies the
binding port of the Thrift Server that provides the table service. The compute
engines access AMS through this port, and the default value is 1260.
- The `ams.thrift-server.optimizing-service.bind-port` configuration specifies
the binding port of the Thrift Server that provides the optimizing service. The
optimizers access AMS through this port, and the default value is 1261.
- The `ams.http-server.bind-port` configuration specifies the port to which
the HTTP service is bound. The Dashboard and Open API are bound to this port,
and the default value is 1630.
+- The `ams.http-server.rest-auth-type` configuration specifies the REST API
auth type, which could be token(default) or basic. The basic auth would reuse
`ams.admin-username` and `ams.admin-password` for authentication.
```yaml
ams: