This is an automated email from the ASF dual-hosted git repository.
nicholasjiang pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/celeborn.git
The following commit(s) were added to refs/heads/main by this push:
new 4b157c68a [CELEBORN-2278] Make HTTP auth bypass API paths configurable
4b157c68a is described below
commit 4b157c68a5f7e82f4a50b8a2c8ae8989aff843c1
Author: Aravind Patnam <[email protected]>
AuthorDate: Tue Mar 10 10:36:54 2026 +0800
[CELEBORN-2278] Make HTTP auth bypass API paths configurable
### What changes were proposed in this pull request?
Allow the HTTP paths that bypass authentication to be configured. This
is particularly useful when one of the read endpoints is used for health
checks and, being a high-frequency operation, should not require auth each time.
### Why are the changes needed?
See above.
### Does this PR resolve a correctness bug?
No.
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Trivial change, already added in our cluster for certain endpoints.
Closes #3622 from akpatnam25/CELEBORN-2278.
Authored-by: Aravind Patnam <[email protected]>
Signed-off-by: SteNicholas <[email protected]>
---
.../main/scala/org/apache/celeborn/common/CelebornConf.scala | 10 ++++++++++
docs/configuration/master.md | 1 +
docs/configuration/worker.md | 1 +
.../common/http/authentication/AuthenticationFilter.scala | 7 +++++--
4 files changed, 17 insertions(+), 2 deletions(-)
diff --git
a/common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
b/common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
index 8b406c3e9..6ec87a7c4 100644
--- a/common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
+++ b/common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
@@ -2647,6 +2647,16 @@ object CelebornConf extends Logging {
.stringConf
.createWithDefault("X-Real-IP")
+ val HTTP_AUTH_BYPASS_API_PATHS: ConfigEntry[Seq[String]] =
+ buildConf("celeborn.http.auth.bypass.api.paths")
+ .categories("master", "worker")
+ .version("0.7.0")
+ .doc("A comma-separated list of additional API paths that bypass
authentication. The " +
+ "path must match exactly and is case-sensitive. Wildcards not
accepted.")
+ .stringConf
+ .toSequence
+ .createWithDefault(Seq.empty)
+
val MASTER_HTTP_AUTH_BASIC_PROVIDER: ConfigEntry[String] =
buildConf("celeborn.master.http.auth.basic.provider")
.categories("master")
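Review bot: `HTTP_AUTH_BYPASS_API_PATHS` accepts any string, so an entry without a leading `/`, with a trailing slash, or containing a wildcard is stored and then never matches, and nothing tells the operator. A per-element check ahead of `.toSequence` would reject such values at startup, for example `.checkValue(p => p.startsWith("/") && !p.contains("*"), "bypass path must be an absolute path without wildcards")`, provided the builder applies `checkValue` to each element before `toSequence` (not visible in this hunk, worth confirming). The `.doc` text should also say that every listed path is served without authentication when HTTP auth is enabled, so it should only name endpoints that expose nothing sensitive.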
diff --git a/docs/configuration/master.md b/docs/configuration/master.md
index 843e0c16a..9ae889fe0 100644
--- a/docs/configuration/master.md
+++ b/docs/configuration/master.md
@@ -33,6 +33,7 @@ license: |
| celeborn.dynamicConfig.store.db.hikari.password | | false | The password of
db store backend. | 0.5.0 | |
| celeborn.dynamicConfig.store.db.hikari.username | | false | The username of
db store backend. | 0.5.0 | |
| celeborn.dynamicConfig.store.fs.path | <undefined> | false | The path
of dynamic config file for fs store backend. The file format should be yaml.
The default path is `${CELEBORN_CONF_DIR}/dynamicConfig.yaml`. | 0.5.0 | |
+| celeborn.http.auth.bypass.api.paths | | false | A comma-separated list of
additional API paths that bypass authentication. The path must match exactly
and is case-sensitive. Wildcards not accepted. | 0.7.0 | |
| celeborn.internal.port.enabled | false | false | Whether to create a
internal port on Masters/Workers for inter-Masters/Workers communication. This
is beneficial when SASL authentication is enforced for all interactions between
clients and Celeborn Services, but the services can exchange messages without
being subject to SASL authentication. | 0.5.0 | |
| celeborn.logConf.enabled | false | false | When `true`, log the CelebornConf
for debugging purposes. | 0.5.0 | |
| celeborn.master.allowWorkerHostPattern | <undefined> | false | Pattern
of worker host that allowed to register with the master. If not set, all
workers are allowed to register. | 0.6.0 | |
diff --git a/docs/configuration/worker.md b/docs/configuration/worker.md
index 5eb90f155..0adfabe67 100644
--- a/docs/configuration/worker.md
+++ b/docs/configuration/worker.md
@@ -33,6 +33,7 @@ license: |
| celeborn.dynamicConfig.store.db.hikari.password | | false | The password of
db store backend. | 0.5.0 | |
| celeborn.dynamicConfig.store.db.hikari.username | | false | The username of
db store backend. | 0.5.0 | |
| celeborn.dynamicConfig.store.fs.path | <undefined> | false | The path
of dynamic config file for fs store backend. The file format should be yaml.
The default path is `${CELEBORN_CONF_DIR}/dynamicConfig.yaml`. | 0.5.0 | |
+| celeborn.http.auth.bypass.api.paths | | false | A comma-separated list of
additional API paths that bypass authentication. The path must match exactly
and is case-sensitive. Wildcards not accepted. | 0.7.0 | |
| celeborn.internal.port.enabled | false | false | Whether to create a
internal port on Masters/Workers for inter-Masters/Workers communication. This
is beneficial when SASL authentication is enforced for all interactions between
clients and Celeborn Services, but the services can exchange messages without
being subject to SASL authentication. | 0.5.0 | |
| celeborn.logConf.enabled | false | false | When `true`, log the CelebornConf
for debugging purposes. | 0.5.0 | |
| celeborn.master.endpoints | <localhost>:9097 | false | Endpoints of
master nodes for celeborn clients to connect. Client uses resolver provided by
celeborn.master.endpoints.resolver to resolve the master endpoints. By default
Celeborn uses `org.apache.celeborn.common.client.StaticMasterEndpointResolver`
which take static master endpoints as input. Allowed pattern:
`<host1>:<port1>[,<host2>:<port2>]*`, e.g. `clb1:9097,clb2:9098,clb3:9099`. If
the port is omitted, 9097 will be used [...]
diff --git
a/service/src/main/scala/org/apache/celeborn/server/common/http/authentication/AuthenticationFilter.scala
b/service/src/main/scala/org/apache/celeborn/server/common/http/authentication/AuthenticationFilter.scala
index 092541195..55274fc8a 100644
---
a/service/src/main/scala/org/apache/celeborn/server/common/http/authentication/AuthenticationFilter.scala
+++
b/service/src/main/scala/org/apache/celeborn/server/common/http/authentication/AuthenticationFilter.scala
@@ -73,6 +73,9 @@ class AuthenticationFilter(conf: CelebornConf, serviceName:
String) extends Filt
conf.get(CelebornConf.WORKER_HTTP_AUTH_ADMINISTERS).toSet
}
+ private val bypassApiPaths: Set[String] =
+ BYPASS_DEFAULT_API_PATHS ++
conf.get(CelebornConf.HTTP_AUTH_BYPASS_API_PATHS).toSet
+
private def initAuthHandlers(): Unit = {
if (authSchemes.contains(HttpAuthSchemes.NEGOTIATE)) {
serviceName match {
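Review bot: `bypassApiPaths` lets configuration widen the set of unauthenticated endpoints, but nothing in this hunk records the effective set, so a later audit cannot tell from the logs which paths a running master or worker serves without credentials. I would add a comment above the val, such as `// Paths served without authentication: built-in defaults plus celeborn.http.auth.bypass.api.paths`, and log the configured additions once at construction when the list is non-empty, using whatever logger the class already has (not visible here). The class body starts and continues outside the hunk.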
@@ -137,7 +140,7 @@ class AuthenticationFilter(conf: CelebornConf, serviceName:
String) extends Filt
HTTP_CLIENT_IP_ADDRESS.set(httpRequest.getRemoteAddr)
HTTP_PROXY_HEADER_CLIENT_IP_ADDRESS.set(httpRequest.getHeader(proxyClientIpHeader))
- if (authSchemeHandlers.isEmpty ||
BYPASS_API_PATHS.contains(httpRequest.getRequestURI)) {
+ if (authSchemeHandlers.isEmpty ||
bypassApiPaths.contains(httpRequest.getRequestURI)) {
try {
filterChain.doFilter(request, response)
return
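Review bot: The bypass condition on the `if (authSchemeHandlers.isEmpty || ...)` line is keyed on `httpRequest.getRequestURI` alone, so a configured path skips authentication for every HTTP method, not only the read that the description's health-check use case needs. If only read probes are intended, narrow it with `httpRequest.getMethod`, for instance `("GET" == httpRequest.getMethod && bypassApiPaths.contains(httpRequest.getRequestURI))`; otherwise the config doc should state that all methods on the path are exempt. The exact match on the raw request URI means encoded or parameterised variants of a path fall through to authentication, which is the safe direction and deserves a short comment so it is not later replaced by a looser normalised match. The enclosing method starts and ends outside the hunk.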
@@ -218,7 +221,7 @@ class AuthenticationFilter(conf: CelebornConf, serviceName:
String) extends Filt
}
object AuthenticationFilter {
- private val BYPASS_API_PATHS = Set("/openapi.json", "/openapi.yaml")
+ private val BYPASS_DEFAULT_API_PATHS = Set("/openapi.json", "/openapi.yaml")
final val HTTP_CLIENT_IP_ADDRESS = new ThreadLocal[String]() {
override protected def initialValue: String = null