yuqi1129 opened a new pull request, #11622:
URL: https://github.com/apache/gravitino/pull/11622

   ### What changes were proposed in this pull request?
   
   - **#11568**: Structured per-tool-call audit logging attributed to the 
principal.
   - **#11572**: Per-request token isolation for HTTP transport — forward each 
request's `Authorization` header instead of a shared server token; accept the 
`streamable-http` transport alias and support serving the endpoint over TLS.
   - **#11575**: Forward the raw `Authorization` header instead of assuming 
Bearer; add a live-Gravitino authorization integration test wired into CI.
   - Add a localtest example and docs.
   
   Note: stacked on #11621; commits before it will drop from the diff once it 
merges.
   
   ### Why are the changes needed?
   
   Multi-user HTTP deployments need per-request identity propagation so 
Gravitino enforces each caller's permissions, plus audit attribution, TLS 
support, and integration coverage against a live Gravitino server.
   
   Fix: #11568
   Fix: #11572
   Fix: #11575
   
   ### Does this PR introduce _any_ user-facing change?
   
   Yes:
   1. HTTP transport forwards per-request `Authorization` headers.
   2. New `streamable-http` transport alias and TLS options.
   3. Structured audit logs per tool call.
   
   ### How was this patch tested?
   
   Unit tests (119 passed) plus a new live-Gravitino authorization integration 
test running in CI.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to