This is an automated email from the ASF dual-hosted git repository.
jshao pushed a commit to branch branch-0.6
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-0.6 by this push:
new 785474511 [#4321] improvement(docs): Update docs for multiple
authentication (#4534)
785474511 is described below
commit 785474511ae9b9a93264854d9a3eb18406dd2afc
Author: github-actions[bot]
<41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Aug 15 17:36:44 2024 +0800
[#4321] improvement(docs): Update docs for multiple authentication (#4534)
### What changes were proposed in this pull request?
Update docs for multiple authentication
### Why are the changes needed?
Fix: #4321
Co-authored-by: lwyang <[email protected]>
---
docs/security.md | 31 +++++++++++-----------
docs/webui.md | 10 +++----
.../authentication/AuthenticationFilter.java | 1 +
3 files changed, 22 insertions(+), 20 deletions(-)
diff --git a/docs/security.md b/docs/security.md
index 190a90941..87aaeed6f 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -7,7 +7,7 @@ license: "This software is licensed under the Apache License
version 2."
## Authentication
-Apache Gravitino supports two kinds of authentication mechanisms: simple and
OAuth.
+Apache Gravitino supports three kinds of authentication mechanisms: simple,
OAuth and Kerberos.
### Simple mode
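Review bot: the rewritten opening sentence under `## Authentication` counts the mechanisms but never says that several can be enabled at the same time, which is the subject of this change. Suggest adding a clause that points to `gravitino.authenticators` and its comma-separated form, so readers meet the feature before they reach the configuration table.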
@@ -34,7 +34,7 @@ Gravitino only supports external OAuth 2.0 servers.
First, users need to guarantee that the external correctly configured OAuth
2.0 server supports Bearer JWT.
-Then, on the server side, users should set `gravitino.authenticator` as
`oauth` and give
+Then, on the server side, users should set `gravitino.authenticators` as
`oauth` and give
`gravitino.authenticator.oauth.defaultSignKey`,
`gravitino.authenticator.oauth.serverUri` and
`gravitino.authenticator.oauth.tokenPath` a proper value.
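Review bot: in the `+` line the selector key becomes plural (`gravitino.authenticators`), while the three keys listed right after it keep the singular prefix `gravitino.authenticator.oauth.*`. That mix is easy to mistype in `gravitino.conf`. Suggest one sentence here stating that only the selector key was renamed and the per-mechanism keys are unchanged. The same applies to the Kerberos paragraph in the next hunk.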
@@ -58,7 +58,7 @@ GravitinoClient client = GravitinoClient.builder(uri)
Gravitino supports Kerberos mode.
-For the server side, users should set `gravitino.authenticator` as `kerberos`
and give
+For the server side, users should set `gravitino.authenticators` as `kerberos`
and give
`gravitino.authenticator.kerberos.principal` and
`gravitino.authenticator.kerberos.keytab` a proper value.
For the client side, users can enable `kerberos` mode by the following code:
@@ -88,17 +88,18 @@ The URI must use the hostname of server instead of IP.
### Server configuration
-| Configuration item | Description
|
Default value | Required | Since version |
-|---------------------------------------------------|-----------------------------------------------------------------------------------------------------|-------------------|--------------------------------------------|---------------|
-| `gravitino.authenticator` | The authenticator which
Gravitino uses, setting as `simple`,`oauth` or `kerberos`. |
`simple` | No | 0.3.0 |
-| `gravitino.authenticator.oauth.serviceAudience` | The audience name when
Gravitino uses OAuth as the authenticator. |
`GravitinoServer` | No | 0.3.0 |
-| `gravitino.authenticator.oauth.allowSkewSecs` | The JWT allows skew
seconds when Gravitino uses OAuth as the authenticator.
| `0` | No | 0.3.0
|
-| `gravitino.authenticator.oauth.defaultSignKey` | The signing key of JWT
when Gravitino uses OAuth as the authenticator. |
(none) | Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.oauth.signAlgorithmType` | The signature algorithm
when Gravitino uses OAuth as the authenticator. |
`RS256` | No | 0.3.0 |
-| `gravitino.authenticator.oauth.serverUri` | The URI of the default
OAuth server. |
(none) | Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.oauth.tokenPath` | The path for token of
the default OAuth server. |
(none) | Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.kerberos.principal` | Indicates the Kerberos
principal to be used for HTTP endpoint. Principal should start with `HTTP/`. |
(none) | Yes if use `kerberos` as the authenticator | 0.4.0 |
-| `gravitino.authenticator.kerberos.keytab` | Location of the keytab
file with the credentials for the principal. |
(none) | Yes if use `kerberos` as the authenticator | 0.4.0 |
+| Configuration item | Description
| Default
value | Required | Since version |
+|---------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------|--------------------------------------------|---------------|
+| `gravitino.authenticator` | It is deprecated since
Gravitino 0.6.0. Please use `gravitino.authenticators` instead.
| `simple`
| No | 0.3.0 |
+| `gravitino.authenticators` | The authenticators which
Gravitino uses, setting as `simple`,`oauth` or `kerberos`. Multiple
authenticators are separated by commas. If a request is supported by multiple
authenticators simultaneously, the first authenticator will be used by default
| `simple` | No | 0.6.0
|
+| `gravitino.authenticator.oauth.serviceAudience` | The audience name when
Gravitino uses OAuth as the authenticator.
|
`GravitinoServer` | No | 0.3.0 |
+| `gravitino.authenticator.oauth.allowSkewSecs` | The JWT allows skew
seconds when Gravitino uses OAuth as the authenticator.
| `0`
| No | 0.3.0 |
+| `gravitino.authenticator.oauth.defaultSignKey` | The signing key of JWT
when Gravitino uses OAuth as the authenticator.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
+| `gravitino.authenticator.oauth.signAlgorithmType` | The signature algorithm
when Gravitino uses OAuth as the authenticator.
| `RS256`
| No | 0.3.0 |
+| `gravitino.authenticator.oauth.serverUri` | The URI of the default
OAuth server.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
+| `gravitino.authenticator.oauth.tokenPath` | The path for token of
the default OAuth server.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
+| `gravitino.authenticator.kerberos.principal` | Indicates the Kerberos
principal to be used for HTTP endpoint. Principal should start with `HTTP/`.
| (none)
| Yes if use `kerberos` as the authenticator | 0.4.0 |
+| `gravitino.authenticator.kerberos.keytab` | Location of the keytab
file with the credentials for the principal.
| (none)
| Yes if use `kerberos` as the authenticator | 0.4.0 |
The signature algorithms that Gravitino supports follows:
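Review bot: the new `gravitino.authenticators` row says the first authenticator is used when several support a request, but it does not say that this makes the order of the list significant for security, nor what the server does when a request is supported by none of the listed authenticators. Suggest stating both and ending the description with a period. The deprecated `gravitino.authenticator` row should also say which key takes effect if both are present in the configuration, since it still shows a default of `simple`.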
@@ -150,7 +151,7 @@ You can follow the steps to set up an OAuth mode Gravitino
server.
6. You can refer to the [Configurations](gravitino-server-config.md) and
append the configurations to the conf/gravitino.conf.
```text
-gravitino.authenticator = oauth
+gravitino.authenticators = oauth
gravitino.authenticator.oauth.serviceAudience = test
gravitino.authenticator.oauth.defaultSignKey = <the default signing key>
gravitino.authenticator.oauth.tokenPath = /oauth2/token
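Review bot: this walkthrough sets a single value (`gravitino.authenticators = oauth`), as does every other example touched by the patch, so the comma-separated form described in the table is never shown. Suggest adding one multi-value example in `docs/security.md`, for instance `gravitino.authenticators = oauth,kerberos`, together with a note on which sub-keys each listed mechanism then requires.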
diff --git a/docs/webui.md b/docs/webui.md
index 94ebefa15..1fd7ef6b9 100644
--- a/docs/webui.md
+++ b/docs/webui.md
@@ -18,7 +18,7 @@ Currently, you can integrate [OAuth settings](./security.md)
to view, add, modif
The web UI homepage displayed in Gravitino depends on the configuration
parameter for OAuth mode, see the details in [Security](./security.md).
-Set parameter for `gravitino.authenticator`, [`simple`](#simple-mode) or
[`oauth`](#oauth-mode). Simple mode is the default authentication option.
+Set parameter for `gravitino.authenticators`, [`simple`](#simple-mode) or
[`oauth`](#oauth-mode). Simple mode is the default authentication option. If
multiple authenticators are set, the first one is taken by default.
:::tip
After changing the configuration, make sure to restart the Gravitino server.
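Review bot: the added sentence "If multiple authenticators are set, the first one is taken by default" does not say what the web UI shows when the first entry is `kerberos`, which `docs/security.md` now lists as a valid value while this line still offers only `simple` or `oauth`. Suggest either documenting the web UI behaviour for `kerberos` or stating that it is not supported here.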
@@ -29,10 +29,10 @@ After changing the configuration, make sure to restart the
Gravitino server.
### Simple mode
```text
-gravitino.authenticator = simple
+gravitino.authenticators = simple
```
-Set the configuration parameter `gravitino.authenticator` to `simple`, and the
web UI displays the homepage (Metalakes).
+Set the configuration parameter `gravitino.authenticators` to `simple`, and
the web UI displays the homepage (Metalakes).

@@ -43,10 +43,10 @@ The main content displays the existing metalake list.
### Oauth mode
```text
-gravitino.authenticator = oauth
+gravitino.authenticators = oauth
```
-Set the configuration parameter `gravitino.authenticator` to `oauth`, and the
web UI displays the login page.
+Set the configuration parameter `gravitino.authenticators` to `oauth`, and the
web UI displays the login page.
:::caution
If both `OAuth` and `HTTPS` are set, due to the different security permission
rules of various browsers, to avoid cross-domain errors,
diff --git
a/server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticationFilter.java
b/server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticationFilter.java
index 3479503d4..8e376738f 100644
---
a/server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticationFilter.java
+++
b/server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticationFilter.java
@@ -68,6 +68,7 @@ public class AuthenticationFilter implements Filter {
authData = headerData.nextElement().getBytes(StandardCharsets.UTF_8);
}
+ // If token is supported by multiple authenticators, use the first by
default.
Principal principal = null;
for (Authenticator authenticator : authenticators) {
if (authenticator.supportsToken(authData) &&
authenticator.isDataFromToken()) {
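Review bot: the new comment says "use the first by default", but the condition in the loop below it also requires `authenticator.isDataFromToken()`, and "first" is not tied to anything a reader can check. Suggest wording it so that it names both conditions (`supportsToken(authData)` and `isDataFromToken()`), says whether the iteration order of `authenticators` follows the order given in `gravitino.authenticators`, and drops "by default" unless there is a way to override the choice.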