This is an automated email from the ASF dual-hosted git repository.
github-bot pushed a commit to branch asf-site
in repository https://gitbox.apache.org/repos/asf/amoro.git
The following commit(s) were added to refs/heads/asf-site by this push:
new 14cf8e6b3 Regenerated Amoro latest docs page based on
6c037912f7ada649f69afb643041a75eeeea8825 commit
14cf8e6b3 is described below
commit 14cf8e6b3418992fcc10fc4e81a17252f940a76b
Author: GitHub Actions <[email protected]>
AuthorDate: Thu Mar 26 08:52:10 2026 +0000
Regenerated Amoro latest docs page based on
6c037912f7ada649f69afb643041a75eeeea8825 commit
---
output/docs/latest/ams-config/index.html | 124 +++++++++++++++++++++++++++++++
output/docs/latest/search.json | 2 +-
2 files changed, 125 insertions(+), 1 deletion(-)
diff --git a/output/docs/latest/ams-config/index.html
b/output/docs/latest/ams-config/index.html
index d02f31b73..83a520409 100644
--- a/output/docs/latest/ams-config/index.html
+++ b/output/docs/latest/ams-config/index.html
@@ -880,6 +880,46 @@ table td:last-child, table th:last-child { width: 40%;
word-break: break-all; }
<td><undefined></td>
<td>User-defined JWT (JSON Web Token) authentication implementation
of org.apache.amoro.authentication.TokenAuthenticationProvider</td>
</tr>
+ <tr>
+ <td>http-server.authorization.default-role</td>
+ <td><undefined></td>
+ <td>Optional default dashboard role for authenticated users without
an LDAP role mapping.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.enabled</td>
+ <td>false</td>
+ <td>Whether to enable dashboard RBAC authorization.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.ldap-role-mapping.bind-dn</td>
+ <td></td>
+ <td>Optional LDAP bind DN used when querying role-mapping
groups.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.ldap-role-mapping.bind-password</td>
+ <td></td>
+ <td>Optional LDAP bind password used when querying role-mapping
groups.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.ldap-role-mapping.enabled</td>
+ <td>false</td>
+ <td>Whether to resolve dashboard roles from LDAP group
membership.</td>
+ </tr>
+ <tr>
+
<td>http-server.authorization.ldap-role-mapping.group-member-attribute</td>
+ <td>member</td>
+ <td>LDAP group attribute that stores member references.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.ldap-role-mapping.groups</td>
+ <td><undefined></td>
+ <td>LDAP group-to-role mapping entries containing group-dn and role
fields.</td>
+ </tr>
+ <tr>
+ <td>http-server.authorization.ldap-role-mapping.user-dn-pattern</td>
+ <td><undefined></td>
+ <td>LDAP user DN pattern used to match group members. Use {0} as the
username placeholder.</td>
+ </tr>
<tr>
<td>http-server.bind-port</td>
<td>19090</td>
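Review bot: the `http-server.authorization.ldap-role-mapping.bind-password` row introduces a stored credential, but neither it nor the `bind-dn` row says what the group lookup does when both are left at their empty defaults, and nothing tells operators how to keep the password out of a plaintext config file. Suggest stating the behaviour for the unset case in the two descriptions and, if the Shade Utils described further down this page apply to this key, saying so in the row. Minor: these two rows show an empty default while the other unset options added here (`default-role`, `groups`, `user-dn-pattern`) show `<undefined>`; one convention would be clearer.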
@@ -1117,6 +1157,89 @@ table td:last-child, table th:last-child { width: 40%;
word-break: break-all; }
</tr>
</tbody>
</table>
+<h2 id="rbac-example">RBAC Example</h2>
+<p>Enable RBAC only when you need role separation for dashboard users.</p>
+<p>The current RBAC model uses:</p>
+<ul>
+<li>string-based roles</li>
+<li>LDAP group-to-role mapping as the primary role source</li>
+<li>built-in Casbin policy to translate roles into privileges</li>
+<li>privilege-driven frontend authorization</li>
+</ul>
+<p>Amoro provides two built-in roles by default:</p>
+<table>
+ <thead>
+ <tr>
+ <th>Role</th>
+ <th>Description</th>
+ <th>Default Privileges</th>
+ </tr>
+ </thead>
+ <tbody>
+ <tr>
+ <td><code>SERVICE_ADMIN</code></td>
+ <td>Platform administrator</td>
+ <td>All privileges</td>
+ </tr>
+ <tr>
+ <td><code>VIEWER</code></td>
+ <td>Read-only resource viewer</td>
+ <td><code>VIEW_CATALOG</code>, <code>VIEW_TABLE</code>,
<code>VIEW_OPTIMIZER</code></td>
+ </tr>
+ </tbody>
+</table>
+<p><code>VIEWER</code> does not include <code>VIEW_SYSTEM</code>, so it cannot
access <code>Overview</code> or <code>Terminal</code>.
+After login succeeds, <code>/login/current</code> returns both
<code>roles</code> and effective <code>privileges</code>.</p>
+<p>If you need additional roles, define them by Casbin policy and map LDAP
groups to those
+role names. The role name itself does not need to be added to Java enum
code.</p>
+<div class="highlight"><pre tabindex="0"
style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code
class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span
style="color:#f92672">ams</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">http-server</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">authorization</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">enabled</span>: <span style="color:#66d9ef">true</span>
+</span></span></code></pre></div><div class="highlight"><pre tabindex="0"
style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code
class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span
style="color:#f92672">ams</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">http-server</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">login-auth-provider</span>: <span
style="color:#ae81ff">org.apache.amoro.server.authentication.LdapPasswdAuthenticationProvider</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">login-auth-ldap-url</span>: <span
style="color:#e6db74">"ldap://ldap.example.com:389"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">login-auth-ldap-user-pattern</span>: <span
style="color:#e6db74">"uid={0},ou=people,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">authorization</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">enabled</span>: <span style="color:#66d9ef">true</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">ldap-role-mapping</span>:
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">enabled</span>: <span style="color:#66d9ef">true</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">group-member-attribute</span>: <span
style="color:#e6db74">"member"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">user-dn-pattern</span>: <span
style="color:#e6db74">"uid={0},ou=people,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">bind-dn</span>: <span
style="color:#e6db74">"cn=service-account,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">bind-password</span>: <span
style="color:#e6db74">"service-password"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">groups</span>:
+</span></span><span style="display:flex;"><span> - <span
style="color:#f92672">group-dn</span>: <span
style="color:#e6db74">"cn=amoro-service-admins,ou=groups,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">role</span>: <span
style="color:#ae81ff">SERVICE_ADMIN</span>
+</span></span><span style="display:flex;"><span> - <span
style="color:#f92672">group-dn</span>: <span
style="color:#e6db74">"cn=amoro-viewers,ou=groups,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">role</span>: <span style="color:#ae81ff">VIEWER</span>
+</span></span><span style="display:flex;"><span> - <span
style="color:#f92672">group-dn</span>: <span
style="color:#e6db74">"cn=amoro-catalog-admins,ou=groups,dc=example,dc=com"</span>
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">role</span>: <span
style="color:#ae81ff">CATALOG_ADMIN</span>
+</span></span></code></pre></div><p>Example <code>/login/current</code>
response:</p>
+<div class="highlight"><pre tabindex="0"
style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code
class="language-json" data-lang="json"><span style="display:flex;"><span>{
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">"userName"</span>: <span
style="color:#e6db74">"alice"</span>,
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">"roles"</span>: [<span
style="color:#e6db74">"CATALOG_ADMIN"</span>],
+</span></span><span style="display:flex;"><span> <span
style="color:#f92672">"privileges"</span>: [
+</span></span><span style="display:flex;"><span> <span
style="color:#e6db74">"VIEW_CATALOG"</span>,
+</span></span><span style="display:flex;"><span> <span
style="color:#e6db74">"MANAGE_CATALOG"</span>,
+</span></span><span style="display:flex;"><span> <span
style="color:#e6db74">"VIEW_TABLE"</span>,
+</span></span><span style="display:flex;"><span> <span
style="color:#e6db74">"MANAGE_TABLE"</span>
+</span></span><span style="display:flex;"><span> ]
+</span></span><span style="display:flex;"><span>}
+</span></span></code></pre></div><p>Example custom role policy:</p>
+<div class="highlight"><pre tabindex="0"
style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code
class="language-csv" data-lang="csv"><span style="display:flex;"><span><span
style="color:#e6db74">p</span>,<span style="color:#e6db74">
CATALOG_ADMIN</span>,<span style="color:#e6db74"> CATALOG</span>,<span
style="color:#e6db74"> GLOBAL</span>,<span style="color:#e6db74">
VIEW_CATALOG</span>,<span style="color:#e6db74"> all [...]
+</span></span><span style="display:flex;"><span><span
style="color:#e6db74">p</span>,<span style="color:#e6db74">
CATALOG_ADMIN</span>,<span style="color:#e6db74"> CATALOG</span>,<span
style="color:#e6db74"> GLOBAL</span>,<span style="color:#e6db74">
MANAGE_CATALOG</span>,<span style="color:#e6db74"> allow</span>
+</span></span><span style="display:flex;"><span><span
style="color:#e6db74">p</span>,<span style="color:#e6db74">
CATALOG_ADMIN</span>,<span style="color:#e6db74"> TABLE</span>,<span
style="color:#e6db74"> GLOBAL</span>,<span style="color:#e6db74">
VIEW_TABLE</span>,<span style="color:#e6db74"> allow</span>
+</span></span><span style="display:flex;"><span><span
style="color:#e6db74">p</span>,<span style="color:#e6db74">
CATALOG_ADMIN</span>,<span style="color:#e6db74"> TABLE</span>,<span
style="color:#e6db74"> GLOBAL</span>,<span style="color:#e6db74">
MANAGE_TABLE</span>,<span style="color:#e6db74"> allow</span>
+</span></span></code></pre></div><p>Notes:</p>
+<ul>
+<li>Recommended production setup is explicit role assignment only.</li>
+<li><code>default-role</code> is optional. If it is not set, users who do not
match any role mapping get no business role.</li>
+<li>Use <code>default-role: VIEWER</code> only if you intentionally want
authenticated users without a matched role mapping to receive read-only
access.</li>
+<li>Casbin model and default policy are built into the service and loaded from
classpath.</li>
+<li>Dashboard request-to-privilege mapping is also built into the service and
loaded from a resource configuration file.</li>
+</ul>
<h2 id="shade-utils-configuration">Shade Utils Configuration</h2>
<p>The configuration options for Amoro Configuration Shade Utils.</p>
<style>
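Review bot: under "Example custom role policy" the `p, CATALOG_ADMIN, ...` lines are shown with no file name or location, while the Notes list says the Casbin model and default policy are "built into the service and loaded from classpath", so a reader cannot tell where a custom role such as `CATALOG_ADMIN` is actually defined or how it reaches a running service. Suggest adding a sentence that names where custom policy lines go, and a sentence between the two YAML blocks saying what each one is for, since they currently sit back to back with no text between them. The LDAP example also pairs `ldap://ldap.example.com:389` with a literal `bind-password`; an `ldaps://` URL or a note on transport protection would be a safer thing for readers to copy. Finally, the `default-role` note says unmatched users "get no business role" without saying what such a user can still reach after login; one sentence on that would make the recommended explicit-assignment setup easier to reason about.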
@@ -1169,6 +1292,7 @@ table td:last-child, table th:last-child { width: 40%;
word-break: break-all; }
<nav id="TableOfContents">
<ul>
<li><a href="#amoro-management-service-configuration">Amoro Management
Service Configuration</a></li>
+ <li><a href="#rbac-example">RBAC Example</a></li>
<li><a href="#shade-utils-configuration">Shade Utils Configuration</a></li>
</ul>
</nav>
diff --git a/output/docs/latest/search.json b/output/docs/latest/search.json
index b393b15e5..b73ec1022 100644
--- a/output/docs/latest/search.json
+++ b/output/docs/latest/search.json
@@ -1 +1 @@
-[{"categories":null,"content":"Amoro Docs This directory contains the
documentation content of Amoro.\nThe documentation is written in Markdown
format. The images referenced in the documentation are saved in the images
folder. Style Proper nouns should start with a capital letter, like
Hadoop、Hive、Iceberg、Amoro
","description":"","title":"","uri":"https://amoro.apache.org/docs/latest/readme/"},{"categories":null,"content":"
AMS Configuration Amoro Management Service Configuration The con [...]
\ No newline at end of file
+[{"categories":null,"content":"Amoro Docs This directory contains the
documentation content of Amoro.\nThe documentation is written in Markdown
format. The images referenced in the documentation are saved in the images
folder. Style Proper nouns should start with a capital letter, like
Hadoop、Hive、Iceberg、Amoro
","description":"","title":"","uri":"https://amoro.apache.org/docs/latest/readme/"},{"categories":null,"content":"
AMS Configuration Amoro Management Service Configuration The con [...]
\ No newline at end of file