This is an automated email from the ASF dual-hosted git repository.
wuchong pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/fluss.git
The following commit(s) were added to refs/heads/main by this push:
new 296a0a252 [server] Support plugin discovery for client authentication
(#3474)
296a0a252 is described below
commit 296a0a25264c74bef2fdb4e9bbdb717e7c4f8aa5
Author: yunhong <[email protected]>
AuthorDate: Thu Jun 11 19:17:04 2026 +0800
[server] Support plugin discovery for client authentication (#3474)
---
.../src/main/java/org/apache/fluss/config/ConfigOptions.java | 12 ++++++++++++
.../apache/fluss/security/auth/AuthenticationFactory.java | 9 ++++++++-
.../fluss/server/tools/ClusterHealthReadinessCheck.java | 4 ++++
3 files changed, 24 insertions(+), 1 deletion(-)
diff --git
a/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java
b/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java
index fafcc2905..0301d3d47 100644
--- a/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java
+++ b/fluss-common/src/main/java/org/apache/fluss/config/ConfigOptions.java
@@ -1291,6 +1291,18 @@ public class ConfigOptions {
.withDescription(
"The authentication protocol used to authenticate
the client.");
+ public static final ConfigOption<Boolean>
CLIENT_SECURITY_ENABLE_PLUGIN_DISCOVERY =
+ key("client.security.enable-plugin-discovery")
+ .booleanType()
+ .defaultValue(false)
+ .withDescription(
+ "When set to true, the client will additionally
discover "
+ + "authentication plugins from the
configured plugins/ folder "
+ + "via the PluginManager, in addition to
the default classpath. "
+ + "This is useful for standalone tools or
scripts that run outside "
+ + "the server JVM but still need to load
authentication plugins "
+ + "shipped in plugins/.");
+
public static final ConfigOption<MemorySize>
CLIENT_SCANNER_LOG_FETCH_MAX_BYTES =
key("client.scanner.log.fetch.max-bytes")
.memoryType()
diff --git
a/fluss-common/src/main/java/org/apache/fluss/security/auth/AuthenticationFactory.java
b/fluss-common/src/main/java/org/apache/fluss/security/auth/AuthenticationFactory.java
index 65cbfff9c..a7fd76947 100644
---
a/fluss-common/src/main/java/org/apache/fluss/security/auth/AuthenticationFactory.java
+++
b/fluss-common/src/main/java/org/apache/fluss/security/auth/AuthenticationFactory.java
@@ -68,8 +68,15 @@ public class AuthenticationFactory {
Configuration configuration) {
String clientAuthenticateProtocol =
configuration.getString(ConfigOptions.CLIENT_SECURITY_PROTOCOL);
+ PluginManager pluginManager = null;
+ if
(configuration.getBoolean(ConfigOptions.CLIENT_SECURITY_ENABLE_PLUGIN_DISCOVERY))
{
+ pluginManager =
PluginUtils.createPluginManagerFromRootFolder(configuration);
+ }
ClientAuthenticationPlugin authenticatorPlugin =
- discoverPlugin(clientAuthenticateProtocol,
ClientAuthenticationPlugin.class, null);
+ discoverPlugin(
+ clientAuthenticateProtocol,
+ ClientAuthenticationPlugin.class,
+ pluginManager);
return () ->
authenticatorPlugin.createClientAuthenticator(configuration);
}
diff --git
a/fluss-server/src/main/java/org/apache/fluss/server/tools/ClusterHealthReadinessCheck.java
b/fluss-server/src/main/java/org/apache/fluss/server/tools/ClusterHealthReadinessCheck.java
index 320afbc60..6e9c70ae1 100644
---
a/fluss-server/src/main/java/org/apache/fluss/server/tools/ClusterHealthReadinessCheck.java
+++
b/fluss-server/src/main/java/org/apache/fluss/server/tools/ClusterHealthReadinessCheck.java
@@ -19,6 +19,7 @@ package org.apache.fluss.server.tools;
import org.apache.fluss.cluster.ServerNode;
import org.apache.fluss.cluster.ServerType;
+import org.apache.fluss.config.ConfigOptions;
import org.apache.fluss.config.Configuration;
import org.apache.fluss.exception.UnsupportedVersionException;
import org.apache.fluss.metrics.registry.MetricRegistryImpl;
@@ -230,6 +231,9 @@ public final class ClusterHealthReadinessCheck {
if (authString == null || authString.trim().isEmpty()) {
return conf;
}
+ // Enable plugin discovery so the client authenticator can discover
authentication
+ // plugins shipped in the server's plugins/ directory.
+ conf.setBoolean(ConfigOptions.CLIENT_SECURITY_ENABLE_PLUGIN_DISCOVERY,
true);
for (String pair : authString.split(";")) {
String trimmed = pair.trim();
if (trimmed.isEmpty()) {