kyuubi icon indicating copy to clipboard operation
kyuubi copied to clipboard
verified publisher icon apache

[KYUUBI #6041] RESTful API supports isolated authentication configuration

Open beryllw opened this issue 1 year ago โ€ข 7 comments

:mag: Description

Issue References ๐Ÿ”—

This pull request fixes #6041

Describe Your Solution ๐Ÿ”ง

Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.

Types of changes :bookmark:

  • [ ] Bugfix (non-breaking change which fixes an issue)
  • [ ] New feature (non-breaking change which adds functionality)
  • [ ] Breaking change (fix or feature that would cause existing functionality to change)

Test Plan ๐Ÿงช

Behavior Without This Pull Request :coffin:

Behavior With This Pull Request :tada:

Related Unit Tests

Checklist ๐Ÿ“

Be nice. Be informative.

beryllw avatar Feb 04 '24 09:02 beryllw

@pan3793 @turboFei cc

beryllw avatar Feb 06 '24 09:02 beryllw

Look like MYSQL, TRINO, THRIFT_BINARY(KyuubiTBinaryFrontendService) and THRIFT_HTTP(KyuubiTHttpFrontendService) are not required to support isolated authentication configuration at this time, so I only support RESTful API.

Not sure if I've missed anything, could you help me review this code? @pan3793 @turboFei cc

beryllw avatar Feb 20 '24 12:02 beryllw

Codecov Report

Attention: Patch coverage is 92.50000% with 3 lines in your changes are missing coverage. Please review.

Project coverage is 61.08%. Comparing base (a2179cc) to head (8ab6c16). Report is 21 commits behind head on master.

Files Patch % Lines
...authentication/AuthenticationProviderFactory.scala 80.00% 0 Missing and 1 partial :warning:
...che/kyuubi/server/KyuubiTHttpFrontendService.scala 50.00% 0 Missing and 1 partial :warning:
...ver/http/authentication/AuthenticationFilter.scala 80.00% 0 Missing and 1 partial :warning:
Additional details and impacted files 
@@            Coverage Diff            @@
##             master    #6042   +/-   ##
=========================================
  Coverage     61.07%   61.08%           
  Complexity       23       23           
=========================================
  Files           623      623           
  Lines         37160    37231   +71     
  Branches       5038     5042    +4     
=========================================
+ Hits          22696    22742   +46     
- Misses        12014    12019    +5     
- Partials       2450     2470   +20

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov-commenter avatar Feb 20 '24 13:02 codecov-commenter

AUTHENTICATION_METHOD and AUTHENTICATION_CUSTOM_CLASS related to FrontendProtocol, i only support rest api isolated authentication for this time. Other FrontendProtocol also can support, if necessary we can implement it.

beryllw avatar Feb 21 '24 10:02 beryllw

@pan3793 @turboFei cc

beryllw avatar Feb 22 '24 10:02 beryllw

Have a quick look, overall LGTM.

As many community users request to use Web UI while enabling security on Thrift Binary protocol, would you mind doing a manual test to make sure everything goes well in a such case?

Additionally, if you are interested in the Web UI tech stack, we may want basic authN support for Web UI - that means, when LDAP/JDBC/CUSTOM auth method is configured, pop something like below to allow user login via username and password

image

pan3793 avatar Feb 22 '24 13:02 pan3793

As many community users request to use Web UI while enabling security on Thrift Binary protocol, would you mind doing a manual test to make sure everything goes well in a such case?

backported to kyuubi 1.8.0, with following configuration, rest api/v1 and thrift binary authentication test OK.

kyuubi.authentication   KERBEROS
kyuubi.frontend.rest.authentication     NONE

kyuubi.authentication   KERBEROS
kyuubi.frontend.rest.authentication     JDBC

Is there anything else need to do?

beryllw avatar Feb 23 '24 12:02 beryllw