apache/kyuubi
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
ebe7e922ee
kyuubi/docs/extensions/server/authentication.rst
George314159 a4390a785a [KYUUBI #6618] Support http bearer token authentication for REST protocol 
# 🔍 Description
## Issue References 🔗

This pull request fixes #6618

## Describe Your Solution 🔧

It is a subtask of #6590
This PR is to support http bearer token authentication for REST protocol. In addition to BasicAuthenticationHandler, BearerAuthenticationHandler will be added to handle http bear token authentication. They will both support CUSTOM AuthType. In order to distinguish them, two new configurations are added: kyuubi.authentication.custom.basic.class and kyuubi.authentication.custom.bearer.class. For http bear token custom authentication, users could implement the new 'org.apache.kyuubi.service.authentication.TokenAuthenticationProvider', and specify it in the configuration.

## Types of changes 🔖

- [ ] Bugfix (non-breaking change which fixes an issue)
- [x] New feature (non-breaking change which adds functionality)
- [ ] Breaking change (fix or feature that would cause existing functionality to change)

## Test Plan 🧪

#### Behavior Without This Pull Request ⚰️

#### Behavior With This Pull Request 🎉

#### Related Unit Tests

---

# Checklist 📝

- [x] This patch was not authored or co-authored using [Generative Tooling](https://www.apache.org/legal/generative-tooling.html)

**Be nice. Be informative.**

Closes #6608 from George314159/authentication.

Closes #6618

d07a30f83 [Wang, Fei] fix UT
6499c9986 [George314159] Update Test Case
da519a9c6 [George314159] Update based on comments
f47160148 [Wang, Fei] Refine UT
544422399 [George314159] Add test suite for custom authentication
f2bbfbf7e [Wang, Fei] comments & refine
a733c0e8f [George314159] Remove unused val
6f669d46c [George314159] Fix
650b88d4e [George314159] Update based on comments
5bc2bac58 [George314159] Update based on comments
1893889db [George314159] Update based on Comments
ddee882e9 [George314159] Fix Style
379a563fa [George314159] Support http bearer token authentication

Lead-authored-by: George314159 <hua16732@gmail.com>
Co-authored-by: Wang, Fei <fwang12@ebay.com>
Signed-off-by: Cheng Pan <chengpan@apache.org>
2024-08-16 11:06:16 +00:00

85 lines
3.3 KiB
ReStructuredText
Raw Blame History

.. Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
.. http://www.apache.org/licenses/LICENSE-2.0
.. Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
Configure Kyuubi to use Custom Authentication
=============================================
Besides the `builtin authentication`_ methods, kyuubi supports custom
authentication implementations of `org.apache.kyuubi.service.authentication.PasswdAuthenticationProvider`
and `org.apache.kyuubi.service.authentication.TokenAuthenticationProvider`.
.. code-block:: scala
package org.apache.kyuubi.service.authentication
import javax.security.sasl.AuthenticationException
trait PasswdAuthenticationProvider {
/**
* The authenticate method is called by the Kyuubi Server authentication layer
* to authenticate users for their requests.
* If a user is to be granted, return nothing/throw nothing.
* When a user is to be disallowed, throw an appropriate [[AuthenticationException]].
*
* @param user The username received over the connection request
* @param password The password received over the connection request
*
* @throws AuthenticationException When a user is found to be invalid by the implementation
*/
@throws[AuthenticationException]
def authenticate(user: String, password: String): Unit
}
Build A Custom Authenticator
----------------------------
To create custom Authenticator class derived from the above interface, we need to:
- Referencing the library
.. parsed-literal::
<dependency>
<groupId>org.apache.kyuubi</groupId>
<artifactId>kyuubi-common_2.12</artifactId>
<version>\ |release|\</version>
<scope>provided</scope>
</dependency>
- Implement PasswdAuthenticationProvider or TokenAuthenticationProvider - `Sample Code`_
Enable Custom Authentication
----------------------------
To enable the custom authentication method, we need to
- Put the jar package to ``$KYUUBI_HOME/jars`` directory to make it visible for
the classpath of the kyuubi server.
- Configure the following properties to ``$KYUUBI_HOME/conf/kyuubi-defaults.conf``
on each node where kyuubi server is installed.
.. code-block:: property
kyuubi.authentication=CUSTOM
kyuubi.authentication.custom.class=YourAuthenticationProvider
kyuubi.authentication.custom.basic.class=YourBasicAuthenticationProvider
kyuubi.authentication.custom.bearer.class=YourBearerAuthenticationProvider
- Restart all the kyuubi server instances
.. _builtin authentication: ../../security/authentication.html
.. _Sample Code: https://github.com/kyuubilab/example-custom-authentication/blob/main/src/main/scala/org/apache/kyuubi/example/MyAuthenticationProvider.scala
Reference in New Issue View Git Blame Copy Permalink