[AMORO-2667] Implement basic authentication for REST APIs (#2687)

* feat: implement basic authentication for REST APIs * docs: add docs for basic auth --------- Co-authored-by: baiyangtx <[email protected]> Co-authored-by: ZhouJinsong <[email protected]>
apache · May 10, 2024 · bdd780b · bdd780b
1 parent 4961e8d
commit bdd780b
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 6 deletions.
diff --git a/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java b/amoro-ams/amoro-ams-server/src/main/java/org/apache/amoro/server/ArcticManagementConf.java
@@ -222,6 +222,12 @@ public class ArcticManagementConf {
           .defaultValue(19090)
           .withDescription("Port that the Http server is bound to.");
 
+  public static final ConfigOption<String> HTTP_SERVER_REST_AUTH_TYPE =
+      ConfigOptions.key("http-server.rest-auth-type")
+          .stringType()
+          .defaultValue("token")
+          .withDescription("The authentication used by REST APIs, token (default) or basic.");
+
   public static final ConfigOption<Integer> OPTIMIZING_COMMIT_THREAD_COUNT =
       ConfigOptions.key("self-optimizing.commit-thread-count")
           .intType()

diff --git a/...ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java b/...ams/amoro-ams-server/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
@@ -25,12 +25,14 @@
 import static io.javalin.apibuilder.ApiBuilder.put;
 
 import io.javalin.apibuilder.EndpointGroup;
+import io.javalin.core.security.BasicAuthCredentials;
 import io.javalin.http.ContentType;
 import io.javalin.http.Context;
 import io.javalin.http.HttpCode;
 import io.javalin.http.staticfiles.Location;
 import io.javalin.http.staticfiles.StaticFileConfig;
 import org.apache.amoro.api.config.Configurations;
+import org.apache.amoro.server.ArcticManagementConf;
 import org.apache.amoro.server.DefaultOptimizingService;
 import org.apache.amoro.server.RestCatalogService;
 import org.apache.amoro.server.dashboard.controller.CatalogController;
@@ -77,6 +79,10 @@ public class DashboardServer {
   private final TerminalController terminalController;
   private final VersionController versionController;
 
+  private final String authType;
+  private final String basicAuthUser;
+  private final String basicAuthPassword;
+
   public DashboardServer(
       Configurations serviceConfig,
       TableService tableService,
@@ -93,6 +99,10 @@ public DashboardServer(
     this.tableController = new TableController(tableService, tableDescriptor, serviceConfig);
     this.terminalController = new TerminalController(terminalManager);
     this.versionController = new VersionController();
+
+    this.authType = serviceConfig.get(ArcticManagementConf.HTTP_SERVER_REST_AUTH_TYPE);
+    this.basicAuthUser = serviceConfig.get(ArcticManagementConf.ADMIN_USERNAME);
+    this.basicAuthPassword = serviceConfig.get(ArcticManagementConf.ADMIN_PASSWORD);
   }
 
   private String indexHtml = "";
@@ -387,12 +397,24 @@ public EndpointGroup endpoints() {
   public void preHandleRequest(Context ctx) {
     String uriPath = ctx.path();
     if (needApiKeyCheck(uriPath)) {
-      checkApiToken(
-          ctx.method(),
-          ctx.url(),
-          ctx.queryParam("apiKey"),
-          ctx.queryParam("signature"),
-          ctx.queryParamMap());
+      if ("basic".equalsIgnoreCase(authType)) {
+        BasicAuthCredentials cred = ctx.basicAuthCredentials();
+        if (!(basicAuthUser.equals(cred.component1())
+            && basicAuthPassword.equals(cred.component2()))) {
+          LOG.debug(
+              String.format(
+                  "Failed to authenticate via basic authentication.  Request url: %s %s.",
+                  ctx.req.getMethod(), uriPath));
+          throw new SignatureCheckException();
+        }
+      } else {
+        checkApiToken(
+            ctx.method(),
+            ctx.url(),
+            ctx.queryParam("apiKey"),
+            ctx.queryParam("signature"),
+            ctx.queryParamMap());
+      }
     } else if (needLoginCheck(uriPath)) {
       if (null == ctx.sessionAttribute("user")) {
         LOG.info("session info: {}", JacksonUtil.toJSONString(ctx.sessionAttributeMap()));

diff --git a/docs/admin-guides/deployment.md b/docs/admin-guides/deployment.md
@@ -92,6 +92,7 @@ If you want to use AMS in a production environment, it is recommended to modify
 - The `ams.thrift-server.table-service.bind-port` configuration specifies the binding port of the Thrift Server that provides the table service. The compute engines access AMS through this port, and the default value is 1260.
 - The `ams.thrift-server.optimizing-service.bind-port` configuration specifies the binding port of the Thrift Server that provides the optimizing service. The optimizers access AMS through this port, and the default value is 1261.
 - The `ams.http-server.bind-port` configuration specifies the port to which the HTTP service is bound. The Dashboard and Open API are bound to this port, and the default value is 1630.
+- The `ams.http-server.rest-auth-type` configuration specifies the REST API auth type, which could be token(default) or basic. The basic auth would reuse `ams.admin-username` and `ams.admin-password` for authentication. 
 
 ```yaml
 ams: