This is an automated email from the ASF dual-hosted git repository.

roryqi pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/gravitino.git


The following commit(s) were added to refs/heads/main by this push:
     new ee20a571b0 [#11550] docs(authn): Clarify Web UI Basic auth limits and 
relocate BasicAuthOperationsIT (#11551)
ee20a571b0 is described below

commit ee20a571b0ab1c735cee04b4d38054164d703d69
Author: MaSai <[email protected]>
AuthorDate: Wed Jun 10 16:56:16 2026 +0800

    [#11550] docs(authn): Clarify Web UI Basic auth limits and relocate 
BasicAuthOperationsIT (#11551)
    
    ### What changes were proposed in this pull request?
    
    1. **Documentation** — State that the Gravitino Web UI (v1 and Web V2)
    does not provide a username/password login flow for built-in IDP Basic
    authentication. Login pages only support `simple` and `oauth`. Users
    enabling Basic auth should use REST APIs, Java/Python clients, or engine
    connectors instead.
    
    Updated:
    - `docs/security/how-to-use-built-in-idp.md` — **Web UI** subsection and
      end-to-end setup note
    - `docs/security/how-to-authenticate.md` — note in Basic mode and
      example section
    - `docs/webui.md` and `docs/webui-v2.md` — initial-page guidance
    
    2. **Test** — Move `BasicAuthOperationsIT` from `clients/client-java` to
    `plugins/idp-basic` (alongside `IdpRESTApiIT`) and remove the
    `idp-basic` test dependency from `client-java`.
    
    ### Why are the changes needed?
    
    Built-in IDP Basic authentication works for the server REST API and
    clients, but the Web UI has no interactive Basic login. Without
    documentation, users may assume browser sign-in is supported and waste
    time debugging failed logins.
    
    Relocating the integration test keeps IdP-related ITs in the `idp-basic`
    module and avoids a circular-style test dependency from `client-java` on
    `idp-basic`.
    
    Fix: #11550
    
    ### Does this PR introduce _any_ user-facing change?
    
    Documentation only. No API or configuration changes. The test relocation
    does not change product behavior.
    
    ### How was this patch tested?
    
    - Docs reviewed for link targets and consistency with Web UI auth code
    paths (`simple` / `oauth` only in `session.js`).
    - `./gradlew :plugins:idp-basic:test --tests
    org.apache.gravitino.idp.integration.test.BasicAuthOperationsIT`
---
 .github/workflows/idp-basic-test.yml                             | 3 +++
 clients/client-java/build.gradle.kts                             | 1 -
 docs/security/how-to-authenticate.md                             | 8 ++++++++
 docs/security/how-to-use-built-in-idp.md                         | 9 +++++++++
 docs/webui-v2.md                                                 | 6 ++++++
 docs/webui.md                                                    | 6 ++++++
 .../gravitino/idp/integration/test}/BasicAuthOperationsIT.java   | 2 +-
 7 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/idp-basic-test.yml 
b/.github/workflows/idp-basic-test.yml
index cc584e7747..3591acea81 100644
--- a/.github/workflows/idp-basic-test.yml
+++ b/.github/workflows/idp-basic-test.yml
@@ -22,6 +22,9 @@ jobs:
           filters: |
             source_changes:
               - plugins/idp-basic/**
+              - clients/client-java/**
+              - clients/client-java-runtime/**
+              - integration-test-common/**
               - core/**
               - gradle/**
               - gradlew
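Review bot: The three new filter entries (`clients/client-java/**`, `clients/client-java-runtime/**`, `integration-test-common/**`) are not mentioned in the commit message, which lists only the documentation and test-relocation changes. Please add a line explaining that the relocated `BasicAuthOperationsIT` now makes the idp-basic workflow depend on these modules, and say why `client-java-runtime` is needed, so the wider trigger surface is not mistaken for an accident later.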
diff --git a/clients/client-java/build.gradle.kts 
b/clients/client-java/build.gradle.kts
index cf13fa07ed..b3850d71fe 100644
--- a/clients/client-java/build.gradle.kts
+++ b/clients/client-java/build.gradle.kts
@@ -44,7 +44,6 @@ dependencies {
 
   testImplementation(project(":core"))
   testImplementation(project(":integration-test-common", "testArtifacts"))
-  testImplementation(project(":plugins:idp-basic"))
   testImplementation(project(":server"))
   testImplementation(project(":server-common"))
 
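Review bot: Dropping `testImplementation(project(":plugins:idp-basic"))` is only safe if `BasicAuthOperationsIT` was the last test in `client-java` that referenced idp-basic classes. This patch shows only that one file moving, so please confirm with a full `:clients:client-java:compileTestJava` run rather than the single `:plugins:idp-basic:test --tests ...` invocation listed under "How was this patch tested?".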
diff --git a/docs/security/how-to-authenticate.md 
b/docs/security/how-to-authenticate.md
index 5389d4a734..8cc2938a1e 100644
--- a/docs/security/how-to-authenticate.md
+++ b/docs/security/how-to-authenticate.md
@@ -86,6 +86,14 @@ curl -v -X GET \
   http://localhost:8090/api/version
 ```
 
+:::note
+The Web UI does not provide a username/password login form for built-in IDP 
Basic authentication.
+Use REST clients, the Java/Python client, or engine connectors instead. See
+[built-in IDP Web UI](how-to-use-built-in-idp.md#web-ui), the
+[Web UI initial page](../webui.md#initial-page), and the
+[Web V2 initial page](../webui-v2.md#initial-page).
+:::
+
 ### OAuth Mode
 
 Gravitino supports external OAuth 2.0 servers with two token validation 
methods:
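Review bot: Wording in this note differs from the three sibling notes added in the same patch: here it is "REST clients, the Java/Python client", elsewhere "the REST API, Java/Python clients". Suggest using one phrasing across all four files so a reader searching the docs for the supported alternatives finds the same terms everywhere.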
diff --git a/docs/security/how-to-use-built-in-idp.md 
b/docs/security/how-to-use-built-in-idp.md
index c25461a414..0c0a621bc3 100644
--- a/docs/security/how-to-use-built-in-idp.md
+++ b/docs/security/how-to-use-built-in-idp.md
@@ -19,6 +19,15 @@ and prefer [HTTPS](how-to-use-https.md) when credentials 
travel over the network
 This guide describes how to enable and operate the management APIs in 
`plugins:idp-basic`. For
 request and response schemas, see the [Built-in IDP 
OpenAPI](../open-api/idp/openapi.yaml).
 
+## Web UI
+
+Built-in IdP is **incompatible** with the `simple` authenticator (the 
default). The Web UI does not
+support signing in with built-in IDP Basic credentials. Login pages only 
handle `simple`
+(username-only when authorization is enabled) and `oauth` (OIDC/OAuth) flows. 
If you need the Web UI
+while built-in IdP is enabled, prefer [OAuth 
mode](how-to-authenticate.md#oauth-mode). For Basic
+authentication, use the REST API, [Java/Python 
clients](how-to-authenticate.md#basic-mode), or
+engine connectors instead.
+
 ---
 
 ## Prerequisites
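Review bot: The opening sentence of the new "Web UI" section ("Built-in IdP is **incompatible** with the `simple` authenticator") is a general server configuration constraint, not a Web UI statement, and it sits awkwardly next to "Login pages only handle `simple` ... and `oauth`". Suggest moving it out of this section or rephrasing so it is clear which authenticator settings allow the UI to work. The paragraph also mixes "IdP" and "IDP"; pick one. Finally, "prefer OAuth mode" while "built-in IdP is enabled" leaves open whether both authenticators can be configured together; a sentence stating the supported combination would remove the ambiguity.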
diff --git a/docs/webui-v2.md b/docs/webui-v2.md
index 1e0d154db4..79c446301e 100644
--- a/docs/webui-v2.md
+++ b/docs/webui-v2.md
@@ -54,6 +54,12 @@ The Web V2 landing page depends on both the authentication 
mode and whether auth
 
   ![oauth-login](./assets/webui-v2/oauth-login.png)
 
+:::note
+Built-in IDP Basic authentication is not supported in the Web UI. The UI does 
not collect
+username and password for this mode. Use the REST API, Java/Python clients, or 
engine connectors
+instead. See [built-in IDP Web UI](security/how-to-use-built-in-idp.md#web-ui).
+:::
+
 ### Metalakes
 
 Overview for Metalake in the Web V2.
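Review bot: The note tells the reader what does not work and points to non-UI clients, but omits the one piece of guidance a Web UI user most needs, which the built-in IdP page in this same patch does give: use OAuth mode if the UI is required. Suggest adding that sentence here (and in the identical note in `docs/webui.md`) so the reader does not have to follow the link to learn there is a UI-compatible option.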
diff --git a/docs/webui.md b/docs/webui.md
index 00d3478259..d93ae14598 100644
--- a/docs/webui.md
+++ b/docs/webui.md
@@ -22,6 +22,12 @@ The web UI homepage displayed in Gravitino depends on the 
configuration paramete
 
 Set parameter for `gravitino.authenticators`, [`simple`](#simple-mode) or 
[`oauth`](#oauth-mode). Simple mode is the default authentication option. If 
multiple authenticators are set, the first one is taken by default.
 
+:::note
+Built-in IDP Basic authentication is not supported in the Web UI. The UI does 
not collect
+username and password for this mode. Use the REST API, Java/Python clients, or 
engine connectors
+instead. See [built-in IDP Web UI](security/how-to-use-built-in-idp.md#web-ui).
+:::
+
 :::tip
 After changing the configuration, make sure to restart the Gravitino server.
 
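Review bot: Placement of the new `:::note` splits the `gravitino.authenticators` paragraph from the `:::tip` that follows it ("After changing the configuration, make sure to restart the Gravitino server"), which refers back to that paragraph. Suggest moving the note below the tip block so the configuration instruction and its restart reminder stay adjacent.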
diff --git 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/BasicAuthOperationsIT.java
 
b/plugins/idp-basic/src/test/java/org/apache/gravitino/idp/integration/test/BasicAuthOperationsIT.java
similarity index 98%
rename from 
clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/BasicAuthOperationsIT.java
rename to 
plugins/idp-basic/src/test/java/org/apache/gravitino/idp/integration/test/BasicAuthOperationsIT.java
index 5d6242a20e..df16e56bf8 100644
--- 
a/clients/client-java/src/test/java/org/apache/gravitino/client/integration/test/authorization/BasicAuthOperationsIT.java
+++ 
b/plugins/idp-basic/src/test/java/org/apache/gravitino/idp/integration/test/BasicAuthOperationsIT.java
@@ -16,7 +16,7 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.gravitino.client.integration.test.authorization;
+package org.apache.gravitino.idp.integration.test;
 
 import static org.apache.gravitino.integration.test.util.BaseIT.setEnv;
 
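Review bot: The rename changes only the `package` line, and the diffstat shows no change to any build file under `plugins/idp-basic`, so the moved test relies on the idp-basic test classpath already providing everything it imports (for example `org.apache.gravitino.integration.test.util.BaseIT` in the static import shown here, plus the Java client). Please confirm those test dependencies are declared explicitly in the idp-basic module rather than arriving transitively, and check that the class did not use any package-private helpers from the old `...client.integration.test.authorization` package.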
