jerqi commented on code in PR #4496:
URL: https://github.com/apache/gravitino/pull/4496#discussion_r1716432568


##########
docs/security/how-to-authenticate.md:
##########
@@ -0,0 +1,176 @@
+---
+title: "How to authenticate"
+slug: /security/how-to-authenticate
+keyword: security authentication oauth kerberos
+license: "This software is licensed under the Apache License version 2."
+---
+
+## Authentication
+
+Apache Gravitino supports three kinds of authentication mechanisms: 
simple,OAuth and Kerberos.
+
+### Simple mode
+
+Simple mode is the default authentication option of the server.
+
+For the client side, if it doesn't set the authentication explicitly, it will 
use anonymous to access the server.
+
+If the client sets the simple mode,  it will use the environment variable 
`GRAVITINO_USER` as the user.
+
+If the environment variable `GRAVITINO_USER` isn't set, the client uses the 
user of the machine that sends requests.
+
+For the client side, users can enable `simple` mode by the following code:
+
+```java
+GravitinoClient client = GravitinoClient.builder(uri)
+    .withMetalake("metalake")
+    .withSimpleAuth()
+    .build();
+```
+
+### OAuth mode
+
+Gravitino only supports external OAuth 2.0 servers.
+
+First, users need to guarantee that the external correctly configured OAuth 
2.0 server supports Bearer JWT.
+
+Then, on the server side, users should set `gravitino.authenticator` as 
`oauth` and give
+`gravitino.authenticator.oauth.defaultSignKey`, 
`gravitino.authenticator.oauth.serverUri` and
+`gravitino.authenticator.oauth.tokenPath`  a proper value.
+
+Next, for the client side, users can enable `OAuth` mode by the following code:
+
+```java
+DefaultOAuth2TokenProvider authDataProvider = 
DefaultOAuth2TokenProvider.builder()
+    .withUri("oauth server uri")
+    .withCredential("yy:xx")
+    .withPath("oauth/token")
+    .withScope("test")
+    .build();
+
+GravitinoClient client = GravitinoClient.builder(uri)
+    .withMetalake("metalake")
+    .withOAuth(authDataProvider)
+    .build();
+```
+
+### Kerberos mode
+
+Gravitino supports Kerberos mode.
+
+For the server side, users should set `gravitino.authenticator` as `kerberos` 
and give
+`gravitino.authenticator.kerberos.principal` and 
`gravitino.authenticator.kerberos.keytab` a proper value.
+
+For the client side, users can enable `kerberos` mode by the following code:
+
+```java
+// Use keytab to create KerberosTokenProvider
+KerberosTokenProvider provider = KerberosTokenProvider.builder()
+        .withClientPrincipal(clientPrincipal)
+        .withKeyTabFile(new File(keytabFile))
+        .build();
+
+// Use ticketCache to create KerberosTokenProvider
+KerberosTokenProvider provider = KerberosTokenProvider.builder()
+        .withClientPrincipal(clientPrincipal)
+        .build();        
+
+GravitinoClient client = GravitinoClient.builder(uri)
+    .withMetalake("metalake")
+    .withKerberosAuth(provider)
+    .build();
+```
+
+:::info
+Now Iceberg REST service doesn't support Kerberos authentication.
+The URI must use the hostname of server instead of IP.
+:::
+
+### Server configuration
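
Review bot: The Simple mode section says the client takes its user from `GRAVITINO_USER`, falls back to the machine user, or connects as anonymous, but it does not say whether the server verifies that name in any way. State this explicitly and point readers who need a verified identity to the OAuth or Kerberos sections. In the Kerberos example, `KerberosTokenProvider provider` is declared twice in the same block, so the snippet does not compile if copied as is; split the keytab and ticket-cache variants into two fenced blocks or give them distinct variable names. In the `:::info` box, "The URI must use the hostname of server instead of IP" follows the Iceberg REST sentence and it is unclear which URI is meant; if this is a Kerberos requirement on the client URI, say so. The OAuth section should also describe what `gravitino.authenticator.oauth.defaultSignKey` holds and what the placeholder in `.withCredential("yy:xx")` stands for, and the intro is missing a space in "simple,OAuth".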

Review Comment:
   Iceberg REST server doesn't have dedicated configuration.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
