Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[CELEBORN-1318] Support celeborn http authentication #2440

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

[CELEBORN-1318] Support celeborn http authentication #2440

wants to merge 3 commits into from

Conversation

turboFei
Copy link
Member

@turboFei turboFei commented Apr 3, 2024
edited

What changes were proposed in this pull request?

Support celeborn master/worker http authentication.

Why are the changes needed?

Authentication is needed for celeborn admin APIs.

Does this PR introduce any user-facing change?

Yes, introduce authentication related config items, but does not break the current behavior.

How was this patch tested?

Added UT for BASIC and Bearer authentication.

@turboFei turboFei marked this pull request as draft April 3, 2024 06:14
@turboFei turboFei force-pushed the http_auth branch 2 times, most recently from c581317 to c3b0e56 Compare April 4, 2024 04:03
@codecov-commenter
Copy link

codecov-commenter commented Apr 4, 2024
edited by codecov bot

Codecov Report

Attention: Patch coverage is 19.54023% with 280 lines in your changes are missing coverage. Please review.

Project coverage is 38.75%. Comparing base (121395f) to head (3dcd221).
Report is 55 commits behind head on main.

Current head 3dcd221 differs from pull request most recent head 8802bd4

Please upload reports for the commit 8802bd4 to get more accurate results.

Files Patch % Lines
...mon/http/authentication/AuthenticationFilter.scala 0.00% 87 Missing ⚠️
...p/authentication/SpnegoAuthenticationHandler.scala 0.00% 71 Missing ⚠️
...tp/authentication/BasicAuthenticationHandler.scala 0.00% 34 Missing ⚠️
...p/authentication/BearerAuthenticationHandler.scala 0.00% 24 Missing ⚠️
...ttp/authentication/HttpAuthenticationFactory.scala 0.00% 21 Missing ⚠️
...ttp/authentication/AuthenticationAuditLogger.scala 0.00% 14 Missing ⚠️
...on/http/authentication/AuthenticationHandler.scala 0.00% 14 Missing ⚠️
...he/celeborn/server/common/http/HttpAuthUtils.scala 0.00% 6 Missing ⚠️
...rg/apache/celeborn/server/common/HttpService.scala 0.00% 4 Missing ⚠️
...tication/AnonymousAuthenticationProviderImpl.scala 0.00% 3 Missing ⚠️
... and 1 more
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2440      +/-   ##
==========================================
- Coverage   40.17%   38.75%   -1.42%     
==========================================
  Files         218      227       +9     
  Lines       13742    13779      +37     
  Branches     1214     1209       -5     
==========================================
- Hits         5520     5339     -181     
- Misses       7905     8142     +237     
+ Partials      317      298      -19

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@turboFei turboFei force-pushed the http_auth branch 2 times, most recently from 16f83e0 to f4cf2a8 Compare April 4, 2024 04:47
@turboFei turboFei changed the title Http auth [CELEBORN-1318] Support celeborn http authentication Apr 4, 2024
@turboFei turboFei force-pushed the http_auth branch 2 times, most recently from d6644cc to 3dcd221 Compare April 4, 2024 05:07
@turboFei turboFei force-pushed the http_auth branch 2 times, most recently from ae44d1c to 4b2dc43 Compare April 11, 2024 20:34
@turboFei turboFei marked this pull request as ready for review April 11, 2024 20:37
@turboFei
Copy link
Member Author

turboFei commented May 1, 2024
edited

This is PR is almost ready. cc @RexXiong @SteNicholas

I have not added spnego testing, it will introduce some testing dependencies.

@turboFei
Copy link
Member Author

turboFei commented May 1, 2024

also cc @pan3793

pan3793
pan3793 reviewed May 6, 2024
View reviewed changes
.../src/main/scala/org/apache/celeborn/common/authentication/PasswdAuthenticationProvider.scala
* @throws AuthenticationException When a user is found to be invalid by the implementation
*/
@throws[AuthenticationException]
def authenticate(user: String, password: String): Unit
Copy link
Member

@pan3793 pan3793 May 6, 2024
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

return a java.security.Principal instead. you can refer to Trino's io.trino.spi.security.HeaderAuthenticator and io.trino.spi.security.PasswordAuthenticator

pan3793
pan3793 reviewed May 6, 2024
View reviewed changes
...n/src/main/scala/org/apache/celeborn/common/authentication/TokenAuthenticationProvider.scala
* @throws AuthenticationException When the token is found to be invalid by the implementation
*/
@throws[AuthenticationException]
def authenticate(token: String): String
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ditto, Principal

pan3793
pan3793 reviewed May 6, 2024
View reviewed changes
.../src/main/scala/org/apache/celeborn/common/authentication/PasswdAuthenticationProvider.scala

package org.apache.celeborn.common.authentication

import javax.security.sasl.AuthenticationException
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this SASL related? looks like abuse

pan3793
pan3793 reviewed May 6, 2024
View reviewed changes
common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
.createWithDefault("X-Real-IP")

val MASTER_HTTP_AUTH_BASIC_PROVIDER_CLASS: ConfigEntry[String] =
buildConf("celeborn.master.http.auth.basic.provider.class")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let's remove .class and allow it to accept both the short name of the built-in implementations alias and user-provided 3-rd full class name

Suggested change
buildConf("celeborn.master.http.auth.basic.provider.class")
buildConf("celeborn.master.http.auth.basic.provider")

pan3793
pan3793 reviewed May 6, 2024
View reviewed changes
common/src/main/scala/org/apache/celeborn/common/CelebornConf.scala
.doc("A comma-separated list of master http auth supported schemes." +
"<ul>" +
" <li>SPNEGO: Kerberos/GSSAPI authentication.</li>" +
" <li>BASIC: User-defined password authentication, anonymous by default.</li>" +
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
" <li>BASIC: User-defined password authentication, anonymous by default.</li>" +
" <li>BASIC: User-defined password authentication, the concreted implementation is configurable via `celeborn.master.http.auth.basic.provider`.</li>" +

@github-actions GitHub Actions
Copy link

This PR is stale because it has been open 20 days with no activity. Remove stale label or comment or this will be closed in 10 days.

@github-actions github-actions bot added the stale label May 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pan3793 pan3793 pan3793 left review comments

Assignees
No one assigned
Labels
stale
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@turboFei @codecov-commenter @pan3793