This is an automated email from the ASF dual-hosted git repository.
jshao pushed a commit to branch branch-1.0
in repository https://gitbox.apache.org/repos/asf/gravitino.git
The following commit(s) were added to refs/heads/branch-1.0 by this push:
new 5790e74a17 [MINOR] docs(security): polish security document (#8534)
5790e74a17 is described below
commit 5790e74a1751ccfde79bb32001b73088a55a2f7d
Author: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
AuthorDate: Thu Sep 11 20:47:55 2025 +0800
[MINOR] docs(security): polish security document (#8534)
### What changes were proposed in this pull request?
polish security document
### Why are the changes needed?
Make users understand easily
### Does this PR introduce _any_ user-facing change?
no
### How was this patch tested?
just document
Co-authored-by: FANNG <[email protected]>
---
docs/security/how-to-authenticate.md | 42 +++++++++++++++++++-----------------
1 file changed, 22 insertions(+), 20 deletions(-)
diff --git a/docs/security/how-to-authenticate.md
b/docs/security/how-to-authenticate.md
index d6e92bde4e..157916a26e 100644
--- a/docs/security/how-to-authenticate.md
+++ b/docs/security/how-to-authenticate.md
@@ -105,25 +105,27 @@ GravitinoClient client = GravitinoClient.builder(uri)
### Server configuration
-| Configuration item | Description
| Default
value | Required | Since version |
-|---------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------|--------------------------------------------|------------------|
-| `gravitino.authenticator` | It is deprecated since
Gravitino 0.6.0. Please use `gravitino.authenticators` instead.
| `simple`
| No | 0.3.0 |
-| `gravitino.authenticators` | The authenticators which
Gravitino uses, setting as `simple`,`oauth` or `kerberos`. Multiple
authenticators are separated by commas. If a request is supported by multiple
authenticators simultaneously, the first authenticator will be used by default.
| `simple` | No |
0.6.0-incubating |
-| `gravitino.authenticator.oauth.serviceAudience` | The audience name when
Gravitino uses OAuth as the authenticator.
|
`GravitinoServer` | No | 0.3.0
|
-| `gravitino.authenticator.oauth.allowSkewSecs` | The JWT allows skew
seconds when Gravitino uses OAuth as the authenticator.
| `0`
| No | 0.3.0 |
-| `gravitino.authenticator.oauth.defaultSignKey` | The signing key of JWT
when Gravitino uses OAuth as the authenticator.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.oauth.signAlgorithmType` | The signature algorithm
when Gravitino uses OAuth as the authenticator.
| `RS256`
| No | 0.3.0 |
-| `gravitino.authenticator.oauth.serverUri` | The URI of the default
OAuth server.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.oauth.tokenPath` | The path for token of
the default OAuth server.
| (none)
| Yes if use `oauth` as the authenticator | 0.3.0 |
-| `gravitino.authenticator.oauth.provider` | OAuth provider type
(default, oidc). Determines the Web UI authentication flow. Use 'oidc' for Web
UI OIDC login, 'default' for legacy login or API-only authentication.
| `default` | No
| 1.0.0 |
-| `gravitino.authenticator.oauth.clientId` | OAuth client ID for Web
UI authentication.
| (none) | Yes if provider is `oidc`
| 1.0.0 |
-| `gravitino.authenticator.oauth.authority` | OAuth authority/issuer
URL for OIDC providers for web UI authentication. (e.g., Azure AD tenant URL).
| (none) | Yes if
provider is `oidc` | 1.0.0 |
-| `gravitino.authenticator.oauth.scope` | OAuth scopes for Web UI
authentication (space-separated).
| (none) | Yes if provider is `oidc`
| 1.0.0 |
-| `gravitino.authenticator.oauth.jwksUri` | JWKS URI for
server-side OAuth token validation. Required when using JWKS-based validation.
|
(none) | Yes if `tokenValidatorClass` is
`org.apache.gravitino.server.authentication.JwksTokenValidator` | 1.0.0
|
-| `gravitino.authenticator.oauth.principalFields` | JWT claim field(s) to
use as principal identity. Comma-separated list for fallback in order (e.g.,
'preferred_username,email,sub').
| `sub`
| No | 1.0.0 |
-| `gravitino.authenticator.oauth.tokenValidatorClass`| Fully qualified class
name of the OAuth token validator implementation. Use
`org.apache.gravitino.server.authentication.JwksTokenValidator` for JWKS-based
validation or
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` for static
key validation. |
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` | No |
1.0.0 |
-| `gravitino.authenticator.kerberos.principal` | Indicates the Kerberos
principal to be used for HTTP endpoint. Principal should start with `HTTP/`.
| (none)
| Yes if use `kerberos` as the authenticator | 0.4.0 |
-| `gravitino.authenticator.kerberos.keytab` | Location of the keytab
file with the credentials for the principal.
| (none)
| Yes if use `kerberos` as the authenticator | 0.4.0 |
+Gravitino server and Gravitino Iceberg REST server share the same
configuration items, you doesn't need to add `gravitino.iceberg-rest` prefix
for Gravitino Iceberg REST server.
+
+| Configuration item | Description
| Default value |
Required
| Si [...]
+|-----------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------|-------------------------------------------------------------------------------------------------|---
[...]
+| `gravitino.authenticator` | It is deprecated since
Gravitino 0.6.0. Please use `gravitino.authenticators` instead.
| `simple` | No
| 0. [...]
+| `gravitino.authenticators` | The authenticators
which Gravitino uses, setting as `simple`,`oauth` or `kerberos`. Multiple
authenticators are separated by commas. If a request is supported by multiple
authenticators simultaneously, the first authenticator will be used by default.
| `simple`
| No
| 0. [...]
+| `gravitino.authenticator.oauth.serviceAudience` | The audience name when
Gravitino uses OAuth as the authenticator.
| `GravitinoServer` | No
| 0. [...]
+| `gravitino.authenticator.oauth.allowSkewSecs` | The JWT allows skew
seconds when Gravitino uses OAuth as the authenticator.
| `0` | No
| 0. [...]
+| `gravitino.authenticator.oauth.defaultSignKey` | The signing key of JWT
when Gravitino uses OAuth as the authenticator.
| (none) | Yes if
use `oauth` as the authenticator
| 0. [...]
+| `gravitino.authenticator.oauth.signAlgorithmType` | The signature
algorithm when Gravitino uses OAuth as the authenticator.
| `RS256`
| No
| 0. [...]
+| `gravitino.authenticator.oauth.serverUri` | The URI of the default
OAuth server.
| (none) | Yes if
use `oauth` as the authenticator
| 0. [...]
+| `gravitino.authenticator.oauth.tokenPath` | The path for token of
the default OAuth server.
| (none) | Yes
if use `oauth` as the authenticator
| 0. [...]
+| `gravitino.authenticator.oauth.provider` | OAuth provider type
(default, oidc). Determines the Web UI authentication flow. Use 'oidc' for Web
UI OIDC login, 'default' for legacy login or API-only authentication.
| `default` | No
| 1. [...]
+| `gravitino.authenticator.oauth.clientId` | OAuth client ID for
Web UI authentication.
| (none) | Yes
if provider is `oidc`
| 1. [...]
+| `gravitino.authenticator.oauth.authority` | OAuth authority/issuer
URL for OIDC providers for web UI authentication. (e.g., Azure AD tenant URL).
| (none) | Yes if
provider is `oidc`
| 1. [...]
+| `gravitino.authenticator.oauth.scope` | OAuth scopes for Web
UI authentication (space-separated).
| (none) | Yes
if provider is `oidc`
| 1. [...]
+| `gravitino.authenticator.oauth.jwksUri` | JWKS URI for
server-side OAuth token validation. Required when using JWKS-based validation.
| (none)
| Yes if `tokenValidatorClass` is
`org.apache.gravitino.server.authentication.JwksTokenValidator` | 1. [...]
+| `gravitino.authenticator.oauth.principalFields` | JWT claim field(s) to
use as principal identity. Comma-separated list for fallback in order (e.g.,
'preferred_username,email,sub').
| `sub` | No
| 1. [...]
+| `gravitino.authenticator.oauth.tokenValidatorClass` | Fully qualified class
name of the OAuth token validator implementation. Use
`org.apache.gravitino.server.authentication.JwksTokenValidator` for JWKS-based
validation or
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` for static
key validation. |
`org.apache.gravitino.server.authentication.StaticSignKeyValidator` | No
| 1. [...]
+| `gravitino.authenticator.kerberos.principal` | Indicates the Kerberos
principal to be used for HTTP endpoint. Principal should start with `HTTP/`.
| (none) | Yes if
use `kerberos` as the authenticator
| 0. [...]
+| `gravitino.authenticator.kerberos.keytab` | Location of the keytab
file with the credentials for the principal.
| (none) | Yes if
use `kerberos` as the authenticator
| 0. [...]
The signature algorithms that Gravitino supports follows:
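Review bot: the new sentence introduced at the top of this hunk ("Gravitino server and Gravitino Iceberg REST server share the same configuration items, you doesn't need to add `gravitino.iceberg-rest` prefix for Gravitino Iceberg REST server.") has a grammar error and a comma splice in a doc whose stated purpose is readability; suggest "The Gravitino server and the Gravitino Iceberg REST server share the same configuration items, so you do not need to add the `gravitino.iceberg-rest` prefix for the Iceberg REST server." Since that prefix rule decides which authenticator settings actually take effect on the REST server, it is worth a precise wording. The rest of the hunk only re-aligns the table columns and keeps every row's description, default, and requirement unchanged, so there is no behavioural or semantic change to check beyond that sentence; if a second pass is planned, the `gravitino.authenticator.oauth.allowSkewSecs` description ("The JWT allows skew seconds when Gravitino uses OAuth as the authenticator.") would read more clearly as "Clock skew, in seconds, tolerated when validating JWT timestamps."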
@@ -364,4 +366,4 @@ Use the access token to make requests to the Gravitino
server
```shell
curl -v -X GET -H "Accept: application/vnd.gravitino.v1+json" -H
"Content-Type: application/json" -H "Authorization: Bearer <access_token>"
http://localhost:8090/api/version
-```
+```
\ No newline at end of file
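Review bot: this hunk only adds the missing newline after the closing fence at the end of the file (the `\ No newline at end of file` marker applies to the old side), which is the correct fix and needs no further change.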