bowenliang123 commented on code in PR #5182:
URL: https://github.com/apache/kyuubi/pull/5182#discussion_r1306477272
##########
kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala:
##########
@@ -2614,6 +2614,17 @@ object KyuubiConf {
.toSequence()
.createWithDefault(Nil)
+ val SERVER_LIMIT_CONNECTIONS_USER_LIMITED_LIST: ConfigEntry[Seq[String]] =
+ buildConf("kyuubi.server.limit.connections.user.limited.list")
+ .doc("The user in the limited list will be limited to connect to kyuubi
server, " +
+ "if the user has configured both user.unlimited.list and
user.limited.list, " +
+ "the priority of the latter is higher.")
+ .version("1.8.0")
+ .serverOnly
+ .stringConf
+ .toSequence()
Review Comment:
> I had an offline discussion with @turboFei, and we reached a consensus
that:
>
> 1. The current implementation is **deny** semantic, which is a good
feature but **limited** is not a properly name
> 2. You could either change the configuration name to `...deny.user.list`,
or keep the `...limited.user.list` and change the implementation as I commented
above [[KYUUBI #4540] [Improvement] Support to limit some user to make
connection. #5182
(comment)](https://github.com/apache/kyuubi/pull/5182#discussion_r1304545505),
I think the latter approach is simple, and we can implement the **deny** in
another PR.
I have similar concerns in these variations. I was confused by the **deny**
and **limited**.
As for me, a limited user list is not the contrast to an unlimited user, and
only a feature for deny users list is necessary.
What's more, I would like to see when the server rejects user connection ,
this feature should be part of authentication, such as User Filter in LDAP auth
implementation, but not an injected mechanism in such Limiter. Or did I miss
any information for better understanding?
I would suggest,
1. Add detailed and summarised design and key points to this PR description,
as a simple link to the original issue is not enough
2. Add constructive discussion in proposed change and the reason for
possible approaches
I'm fine if we accept this feature, when we have a mutual understanding of
enough information.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
