[KYUUBI #6041] RESTful API supports isolated authentication configuration #6042
Conversation
| @@ -797,6 +797,14 @@ object KyuubiConf { | |||
| .checkValues(AuthTypes) | |||
| .createWithDefault(Seq(AuthTypes.NONE.toString)) | |||
|
|
|||
| val RESTFUL_AUTHENTICATION: ConfigEntry[Boolean] = | |||
| buildConf("kyuubi.restful.security.enabled") | |||
There was a problem hiding this comment.
agree. Now I just turn off RESTful API authentication. Is there anything else I need to consider or implement?
There was a problem hiding this comment.
THRIFT-HTTP and RESTful are different things, your change affects both.
We should make the configuration intuitive
kyuubi.authentication=
// fallback to `kyuubi.authentication` if not configure
kyuubi.frontend.mysql.authentication=
kyuubi.frontend.rest.authentication=
There was a problem hiding this comment.
agree 👍. Isolated authentication method configuration is better.
docs/configuration/settings.md
Outdated
| @@ -246,6 +246,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co | |||
| | kyuubi.frontend.mysql.worker.keepalive.time | PT1M | Time(ms) that an idle async thread of the command execution thread pool will wait for a new task to arrive before terminating in MySQL frontend service | duration | 1.4.0 | | |||
| | kyuubi.frontend.protocols | THRIFT_BINARY,REST | A comma-separated list for all frontend protocols <ul> <li>THRIFT_BINARY - HiveServer2 compatible thrift binary protocol.</li> <li>THRIFT_HTTP - HiveServer2 compatible thrift http protocol.</li> <li>REST - Kyuubi defined REST API(experimental).</li> <li>MYSQL - MySQL compatible text protocol(experimental).</li> <li>TRINO - Trino compatible http protocol(experimental).</li> </ul> | seq | 1.4.0 | | |||
| | kyuubi.frontend.proxy.http.client.ip.header | X-Real-IP | The HTTP header to record the real client IP address. If your server is behind a load balancer or other proxy, the server will see this load balancer or proxy IP address as the client IP address, to get around this common issue, most load balancers or proxies offer the ability to record the real remote IP address in an HTTP header that will be added to the request for other devices to use. Note that, because the header value can be specified to any IP address, so it will not be used for authentication. | string | 1.6.0 | | |||
| | kyuubi.frontend.rest.authentication | NONE | A comma-separated list of client authentication types. It fallback to `kyuubi.authentication` if not configure. | seq | 1.9.0 | | |||
There was a problem hiding this comment.
mysql and other forntend protocols would implement in another PR.
beryllw
changed the title
|
Look like Not sure if I've missed anything, could you help me review this code? @pan3793 @turboFei cc |
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## master #6042 +/- ##
=========================================
Coverage 61.07% 61.08%
Complexity 23 23
=========================================
Files 623 623
Lines 37160 37231 +71
Branches 5038 5042 +4
=========================================
+ Hits 22696 22742 +46
- Misses 12014 12019 +5
- Partials 2450 2470 +20 ☔ View full report in Codecov by Sentry. |
| .version("1.9.0") | ||
| .serverOnly | ||
| .fallbackConf(AUTHENTICATION_METHOD) | ||
|
|
||
| val AUTHENTICATION_CUSTOM_CLASS: OptionalConfigEntry[String] = | ||
| buildConf("kyuubi.authentication.custom.class") |
There was a problem hiding this comment.
should we make it isolated too?
|
|
|
Have a quick look, overall LGTM. As many community users request to use Web UI while enabling security on Thrift Binary protocol, would you mind doing a manual test to make sure everything goes well in a such case? Additionally, if you are interested in the Web UI tech stack, we may want basic authN support for Web UI - that means, when LDAP/JDBC/CUSTOM auth method is configured, pop something like below to allow user login via username and password
|
backported to kyuubi 1.8.0, with following configuration, rest Is there anything else need to do? |
🔍 Description
Issue References 🔗
This pull request fixes #6041
Describe Your Solution 🔧
Please include a summary of the change and which issue is fixed. Please also include relevant motivation and context. List any dependencies that are required for this change.
Types of changes 🔖
Test Plan 🧪
Behavior Without This Pull Request ⚰️
Behavior With This Pull Request 🎉
Related Unit Tests
Checklist 📝
Be nice. Be informative.