xxubai opened a new pull request, #4118: URL: https://github.com/apache/amoro/pull/4118
# [AMORO-XXXX][AMS][Web] Add Dashboard RBAC with LDAP Group Role Mapping

## Why are the changes needed?

Currently all authenticated Dashboard users have full admin privileges. This PR adds role-based access control (RBAC) to the Amoro Dashboard with two roles: **ADMIN** and **READ_ONLY**, allowing organizations to restrict write operations to authorized administrators.

Key motivations:

1. **Security** — Prevent unauthorized users from modifying catalogs, managing optimizers, or executing SQL.
2. **LDAP integration** — Map LDAP group membership (e.g., Active Directory groups) to Amoro roles without maintaining a separate user database.
3. **Backward compatibility** — Disabled by default; existing deployments are unaffected.

Resolve #XXXX.

## Brief change log

### Backend — `amoro-ams`

- **New `Role` enum** (`authorization/Role.java`) — Defines `ADMIN` and `READ_ONLY`.
- **New `RoleResolver`** (`authorization/RoleResolver.java`) — Resolves user roles at login with priority: local users → admin-users whitelist → built-in admin → LDAP group → default-role.
- **New `LdapGroupRoleResolver`** (`authorization/LdapGroupRoleResolver.java`) — Queries LDAP group membership via JNDI using a service account bind. Supports full DN lookup with `Context.REFERRAL = "follow"` for AD compatibility.
- **Modified `LoginController`** — Returns `role` in `SessionInfo`. Separates auth errors from role-resolution errors: auth failures show "invalid user or password", config errors show "server configuration error, contact administrator".
- **Modified `DashboardServer`** — Enforces role-based API access; `READ_ONLY` users receive HTTP 403 on write endpoints.
- **Modified `LdapPasswdAuthenticationProvider`** — Added `normalizeUsername()` to strip email domain suffix (`[email protected]` → `xuba`); added LDAP referral following.
- **Modified `AmoroManagementConf`** — Added 10 new config options under `http-server.authorization.*`.
### Frontend — `amoro-web`

- **New `permission.ts`** (`utils/permission.ts`) — Utility function `isReadOnly()` that checks the user store.
- **Modified `store/index.ts`** — Added `role` to user state.
- **Modified `Sidebar.vue`, `Topbar.vue`** — Hide admin-only navigation for READ_ONLY users.
- **Modified catalog/resource/terminal/table views** — Disable create/delete/execute buttons for READ_ONLY users.
- **Modified `request.ts`** — Store role from login response.
- **Modified `login/index.vue`** — Pass role from login API response.

### Configuration — `dist/`

- **Modified `config.yaml`** — Added commented-out RBAC examples under `http-server.authorization`.
- **Modified `shade.sensitive-keywords`** — Added `http-server.authorization.ldap-role-mapping.bind-password`.

### Documentation — `docs/`

- **Modified `ams-config.md`** — Added authorization config table entries and RBAC usage examples.

## How was this patch tested?

- [x] Add some test cases that check the changes thoroughly including negative and positive cases if possible
  - `RoleResolverTest` — Tests role resolution priority: local users, admin-users whitelist, built-in admin, LDAP fallback, default role, authorization-disabled backward compatibility.
  - `LdapGroupRoleResolverTest` — Tests member matching (DN-style, CN-style, uid-style, plain username, case-insensitive), LDAP error propagation, config validation.
  - `HttpAuthenticationFactoryTest` — Tests authentication provider factory.
- [ ] Add screenshots for manual tests if appropriate
- [x] Run test locally before making a pull request

## Documentation

- Does this pull request introduce a new feature? **yes**
- If yes, how is the feature documented? **docs** (`ams-config.md` updated with config reference and RBAC examples; `config.yaml` template includes commented-out examples)

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
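The role-resolution priority chain and the member-matching styles the PR description lists (DN-style, CN-style, uid-style, plain username, case-insensitive), plus the email-suffix normalization, as an added illustrative example in Java that is not the PR's own code. `RoleResolverExample`, its `Config` record (a constructed stand-in for the `http-server.authorization.*` settings, with a plain map in place of the JNDI group query) and the sample users and group entries are assumptions; records need Java 16 or newer.

```java
import java.util.List;
import java.util.Map;
import java.util.Set;

// Illustrative resolver (not the PR's code) for the priority chain
// local users -> admin-users whitelist -> built-in admin -> LDAP group -> default role.
public class RoleResolverExample {
  enum Role { ADMIN, READ_ONLY }
  // Constructed stand-in for the http-server.authorization.* settings; ldapGroupMembers
  // replaces a live JNDI group lookup with a group-name -> member-values map.
  record Config(boolean enabled, Map<String, Role> localUsers, Set<String> adminUsers,
      String builtInAdmin, Set<String> adminGroups, Map<String, List<String>> ldapGroupMembers,
      Role defaultRole) {}

  // Strip an e-mail style domain suffix: "alice@corp.example" -> "alice".
  static String normalizeUsername(String user) {
    int at = user.indexOf('@');
    return at > 0 ? user.substring(0, at) : user;
  }

  // Does a group member value name this user? Accepts a full DN, a cn= or uid= RDN,
  // or a plain username; the comparison is case-insensitive.
  static boolean memberMatches(String member, String username) {
    String rdn = member.split(",", 2)[0].trim();
    int eq = rdn.indexOf('=');
    if (eq < 0) return rdn.equalsIgnoreCase(username);
    String attr = rdn.substring(0, eq).trim();
    return (attr.equalsIgnoreCase("cn") || attr.equalsIgnoreCase("uid"))
        && rdn.substring(eq + 1).trim().equalsIgnoreCase(username);
  }

  static Role resolve(Config cfg, String rawUser) {
    if (!cfg.enabled()) return Role.ADMIN;   // authorization off: everyone stays admin
    String user = normalizeUsername(rawUser);
    Role local = cfg.localUsers().get(user);
    if (local != null) return local;
    if (cfg.adminUsers().contains(user) || user.equals(cfg.builtInAdmin())) return Role.ADMIN;
    for (String group : cfg.adminGroups())
      for (String member : cfg.ldapGroupMembers().getOrDefault(group, List.of()))
        if (memberMatches(member, user)) return Role.ADMIN;
    return cfg.defaultRole();
  }

  public static void main(String[] args) {
    Config cfg = new Config(true, Map.of("svc-report", Role.READ_ONLY), Set.of("ops-lead"),
        "admin", Set.of("amoro-admins"),
        Map.of("amoro-admins", List.of("uid=Alice,ou=people,dc=example,dc=com")), Role.READ_ONLY);
    System.out.println(resolve(cfg, "alice@example.com") + " " + resolve(cfg, "bob"));
  }
}
```

With authorization enabled, a user absent from every earlier step falls through to `defaultRole`, so a deployment that sets the default to `READ_ONLY` grants admin only to users named explicitly or via a mapped group.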
