Akanksha-kedia commented on PR #18933: URL: https://github.com/apache/pinot/pull/18933#issuecomment-4915526306
@apucher @shounakmk219 @soumitra-st @xiangfu0 — all CI checks are now passing ✅. Would appreciate a review when you get a chance. This PR adds a **session-based UI authentication layer** (Trino/Ambari-style) on top of any configured `AccessControlFactory`: - Server-side session tokens stored in `SessionManager` (ConcurrentHashMap + sliding TTL) - `POST /auth/login` validates credentials via the configured `AccessControl`, sets an HttpOnly `SameSite=Strict` cookie - `GET /auth/logout` immediately invalidates the server-side session - `SessionAuthenticationFilter` (priority AUTHENTICATION-10) guards all UI requests — API callers with an `Authorization` header bypass it and go through the existing `AuthenticationFilter` - UI strips the Authorization header in SESSION mode; credentials never appear in the browser network tab - Inactivity timeout with a 60s warning dialog, configurable via `controller.ui.session.inactivity.timeout.seconds` Activated by setting `controller.ui.session.authentication.enabled=true` — no factory class change required, works with BasicAuth, ZkBasicAuth, LDAP, or any custom factory. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
