This is an automated email from the ASF dual-hosted git repository.

xuba pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/amoro.git


The following commit(s) were added to refs/heads/master by this push:
     new 2a684233c [AMORO-3873][FOLLOWUP] Rename rest auth bearer type to JWT 
(#3953)
2a684233c is described below

commit 2a684233c493630eae39272fa4997a803ee9403d
Author: Fei Wang <[email protected]>
AuthorDate: Fri Nov 21 00:25:58 2025 -0800

    [AMORO-3873][FOLLOWUP] Rename rest auth bearer type to JWT (#3953)
---
 .../java/org/apache/amoro/server/AmoroManagementConf.java |  9 ++++-----
 .../apache/amoro/server/dashboard/DashboardServer.java    | 15 +++++++--------
 .../amoro/authentication/TokenAuthenticationProvider.java |  9 ++++-----
 docs/admin-guides/deployment.md                           |  4 ++--
 4 files changed, 17 insertions(+), 20 deletions(-)

diff --git 
a/amoro-ams/src/main/java/org/apache/amoro/server/AmoroManagementConf.java 
b/amoro-ams/src/main/java/org/apache/amoro/server/AmoroManagementConf.java
index 750907e21..77e92ccff 100644
--- a/amoro-ams/src/main/java/org/apache/amoro/server/AmoroManagementConf.java
+++ b/amoro-ams/src/main/java/org/apache/amoro/server/AmoroManagementConf.java
@@ -275,8 +275,7 @@ public class AmoroManagementConf {
       ConfigOptions.key("http-server.rest-auth-type")
           .stringType()
           .defaultValue("token")
-          .withDescription(
-              "The authentication used by REST APIs, token (default), basic or 
bearer.");
+          .withDescription("The authentication used by REST APIs, token 
(default), basic or jwt.");
 
   public static final ConfigOption<Duration> HTTP_SERVER_SESSION_TIMEOUT =
       ConfigOptions.key("http-server.session-timeout")
@@ -292,12 +291,12 @@ public class AmoroManagementConf {
               "User-defined password authentication implementation of"
                   + " 
org.apache.amoro.authentication.PasswdAuthenticationProvider");
 
-  public static final ConfigOption<String> HTTP_SERVER_AUTH_BEARER_PROVIDER =
-      ConfigOptions.key("http-server.auth-bearer-provider")
+  public static final ConfigOption<String> HTTP_SERVER_AUTH_JWT_PROVIDER =
+      ConfigOptions.key("http-server.auth-jwt-provider")
           .stringType()
           .noDefaultValue()
           .withDescription(
-              "User-defined Bearer token such as JWT (JSON Web Token) 
authentication implementation"
+              "User-defined JWT (JSON Web Token) authentication implementation"
                   + " of 
org.apache.amoro.authentication.TokenAuthenticationProvider");
 
   public static final ConfigOption<String> HTTP_SERVER_PROXY_CLIENT_IP_HEADER =
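Review bot: The option key changes from `http-server.auth-bearer-provider` to `http-server.auth-jwt-provider` with no fallback to the old name, so a configuration that still sets the old key would be ignored without any message and `HTTP_SERVER_AUTH_JWT_PROVIDER` would resolve to no value. If the bearer option has reached any deployment, keep the old key readable as a deprecated alias (if this project's `ConfigOption` builder offers one) or call the rename out in the upgrade notes. A comment above the option would also help, for example `// Renamed from http-server.auth-bearer-provider; the old key is no longer read.`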
diff --git 
a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
 
b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
index 02395543b..f24f9c333 100644
--- 
a/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
+++ 
b/amoro-ams/src/main/java/org/apache/amoro/server/dashboard/DashboardServer.java
@@ -74,7 +74,7 @@ public class DashboardServer {
   public static final Logger LOG = 
LoggerFactory.getLogger(DashboardServer.class);
 
   private static final String AUTH_TYPE_BASIC = "basic";
-  private static final String AUTH_TYPE_BEARER = "bearer";
+  private static final String AUTH_TYPE_JWT = "jwt";
   private static final String X_REQUEST_SOURCE_HEADER = "X-Request-Source";
   private static final String X_REQUEST_SOURCE_WEB = "Web";
   private final CatalogController catalogController;
@@ -91,7 +91,7 @@ public class DashboardServer {
   private final ApiTokenController apiTokenController;
 
   private final PasswdAuthenticationProvider basicAuthProvider;
-  private final TokenAuthenticationProvider bearerAuthProvider;
+  private final TokenAuthenticationProvider jwtAuthProvider;
   private final String proxyClientIpHeader;
 
   public DashboardServer(
@@ -126,11 +126,10 @@ public class DashboardServer {
                 
serviceConfig.get(AmoroManagementConf.HTTP_SERVER_AUTH_BASIC_PROVIDER),
                 serviceConfig)
             : null;
-    this.bearerAuthProvider =
-        AUTH_TYPE_BEARER.equalsIgnoreCase(authType)
+    this.jwtAuthProvider =
+        AUTH_TYPE_JWT.equalsIgnoreCase(authType)
             ? HttpAuthenticationFactory.getBearerAuthenticationProvider(
-                
serviceConfig.get(AmoroManagementConf.HTTP_SERVER_AUTH_BEARER_PROVIDER),
-                serviceConfig)
+                
serviceConfig.get(AmoroManagementConf.HTTP_SERVER_AUTH_JWT_PROVIDER), 
serviceConfig)
             : null;
     this.proxyClientIpHeader =
         
serviceConfig.get(AmoroManagementConf.HTTP_SERVER_PROXY_CLIENT_IP_HEADER);
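Review bot: The ternary `AUTH_TYPE_JWT.equalsIgnoreCase(authType)` leaves `jwtAuthProvider` null for any other value, including the previously accepted `bearer` and any typo, and nothing in this hunk rejects an unrecognised `authType`. With both providers null the request check later in this file skips its `if (null != basicAuthProvider || null != jwtAuthProvider)` branch, so the server would presumably run with a different authentication scheme than the operator configured, without an error at startup. Consider failing fast in the constructor, e.g. `if (!"token".equalsIgnoreCase(authType) && basicAuthProvider == null && jwtAuthProvider == null) { throw new IllegalArgumentException("Unsupported http-server.rest-auth-type: " + authType); }`. The factory call is still named `getBearerAuthenticationProvider`, which no longer matches the renamed field and option. The constructor starts and ends outside this hunk.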
@@ -410,7 +409,7 @@ public class DashboardServer {
       }
       return;
     }
-    if (null != basicAuthProvider || null != bearerAuthProvider) {
+    if (null != basicAuthProvider || null != jwtAuthProvider) {
       Principal authPrincipal;
       if (null != basicAuthProvider) {
         authPrincipal =
@@ -418,7 +417,7 @@ public class DashboardServer {
                 HttpAuthenticationFactory.getPasswordCredential(ctx, 
proxyClientIpHeader));
       } else {
         authPrincipal =
-            bearerAuthProvider.authenticate(
+            jwtAuthProvider.authenticate(
                 HttpAuthenticationFactory.getBearerTokenCredential(ctx, 
proxyClientIpHeader));
       }
       LOG.info(
diff --git 
a/amoro-common/src/main/java/org/apache/amoro/authentication/TokenAuthenticationProvider.java
 
b/amoro-common/src/main/java/org/apache/amoro/authentication/TokenAuthenticationProvider.java
index d8100eebd..3087f8282 100644
--- 
a/amoro-common/src/main/java/org/apache/amoro/authentication/TokenAuthenticationProvider.java
+++ 
b/amoro-common/src/main/java/org/apache/amoro/authentication/TokenAuthenticationProvider.java
@@ -24,12 +24,11 @@ import java.security.Principal;
 
 public interface TokenAuthenticationProvider {
   /**
-   * TokenAuthenticationProvider is used by the Amoro server authentication 
layer to validate Bearer
-   * tokens, such as JWT (JSON Web Token), provided in client requests. If the 
token is invalid,
-   * expired, or fails signature verification, a {@link 
SignatureCheckException} should be thrown to
-   * deny access.
+   * TokenAuthenticationProvider is used by the Amoro server authentication 
layer to validate JSON
+   * Web Token (JWT) provided in client requests. If the token is invalid, 
expired, or fails
+   * signature verification, a {@link SignatureCheckException} should be 
thrown to deny access.
    *
-   * @param credential The Bearer token credential (e.g., JWT) received in the 
connection request
+   * @param credential The JSON Web Token credential received in the 
connection request
    * @return The {@link Principal} associated with the authenticated token
    * @throws SignatureCheckException If the token is invalid, expired, or 
fails verification
    */
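Review bot: The Javadoc now scopes this contract to JWT but still leaves what makes a token "invalid" to each implementer, and it is the only place a custom provider author will read the requirements. It would be worth adding a sentence such as `Implementations must verify the signature against a configured key and an expected algorithm (rejecting unsigned tokens) and check expiry before returning a Principal.` The text also describes the interface while sitting on the method, so the opening could read `Validates the JSON Web Token (JWT) provided in a client request.` The method signature itself is outside this hunk.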
diff --git a/docs/admin-guides/deployment.md b/docs/admin-guides/deployment.md
index 83c81840d..ab009b1e6 100644
--- a/docs/admin-guides/deployment.md
+++ b/docs/admin-guides/deployment.md
@@ -75,9 +75,9 @@ If you want to use AMS in a production environment, it is 
recommended to modify
 - The `ams.thrift-server.table-service.bind-port` configuration specifies the 
binding port of the Thrift Server that provides the table service. The compute 
engines access AMS through this port, and the default value is 1260.
 - The `ams.thrift-server.optimizing-service.bind-port` configuration specifies 
the binding port of the Thrift Server that provides the optimizing service. The 
optimizers access AMS through this port, and the default value is 1261.
 - The `ams.http-server.bind-port` configuration specifies the port to which 
the HTTP service is bound. The Dashboard and Open API are bound to this port, 
and the default value is 1630.
-- The `ams.http-server.rest-auth-type` configuration specifies the REST API 
auth type, which could be token(default), basic or bearer.
+- The `ams.http-server.rest-auth-type` configuration specifies the REST API 
auth type, which could be token(default), basic or jwt (JSON Web Token).
 - The `ams.http-server.auth-basic-provider` configuration specifies the REST 
API basic authentication provider. By default, it uses `ams.admin-username` and 
`ams.admin-password` for authentication. You can also specify a custom 
implementation by providing the fully qualified class name of a class that 
implements the `org.apache.amoro.authentication.PasswdAuthenticationProvider` 
interface.
-- The `ams.http-server.auth-bearer-provider` configuration specifies the REST 
API Bearer token authentication provider. Set this to the fully qualified class 
name of your custom provider implementing the 
`org.apache.amoro.authentication.TokenAuthenticationProvider` interface. This 
is required when `ams.http-server.rest-auth-type` is set to `bearer`.
+- The `ams.http-server.auth-jwt-provider` configuration specifies the REST API 
JWT authentication provider. Set this to the fully qualified class name of your 
custom provider implementing the 
`org.apache.amoro.authentication.TokenAuthenticationProvider` interface. This 
is required when `ams.http-server.rest-auth-type` is set to `jwt`.
 - The `ams.http-server.proxy-client-ip-header` configuration specifies the 
HTTP header to use for extracting the real client IP address when AMS is 
deployed behind a reverse proxy (such as Nginx or a load balancer). Common 
values include `X-Forwarded-For` or `X-Real-IP`. If not set, AMS will use the 
remote address from the connection.
 
 ```yaml
