[#10960] feat(authentication): Wire basic authenticator module#10967
Open
lasdf1234 wants to merge 22 commits into
Open
[#10960] feat(authentication): Wire basic authenticator module#10967lasdf1234 wants to merge 22 commits into
lasdf1234 wants to merge 22 commits into
Conversation
Co-authored-by: Copilot <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR wires a new authenticators:authenticator-basic Gradle module into Gravitino’s server authentication flow, adds AuthenticatorType.BASIC, and updates server-side HTTP status mapping so malformed Basic headers can return 400 Bad Request instead of being treated as internal errors.
Changes:
- Adds the new
authenticators:authenticator-basicmodule and wires it into the Gradle build (settings + server dependency). - Extends authenticator selection to recognize
basic(AuthenticatorType.BASIC) and loadorg.apache.gravitino.auth.local.BasicAuthenticator. - Updates
AuthenticationFilterto mapBadRequestExceptionto HTTP 400 and adds/updates tests around the new wiring and error mapping.
Reviewed changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| settings.gradle.kts | Includes the new authenticator-basic submodule in the Gradle build. |
| server/build.gradle.kts | Adds a dependency from server to the new authenticator-basic module. |
| common/src/main/java/org/apache/gravitino/auth/AuthenticatorType.java | Introduces AuthenticatorType.BASIC. |
| server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticatorFactory.java | Maps basic to the Basic authenticator class name for reflective loading. |
| server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticationFilter.java | Maps BadRequestException to HTTP 400 in auth error responses. |
| server-common/src/test/java/org/apache/gravitino/server/authentication/TestAuthenticationFilter.java | Adds a regression test asserting BadRequestException maps to HTTP 400. |
| server/src/test/java/org/apache/gravitino/server/authentication/TestAuthenticatorFactory.java | Adds a test verifying basic loads BasicAuthenticator. |
| authenticators/authenticator-basic/build.gradle.kts | Defines the new module build, dependencies, and test env vars. |
| authenticators/authenticator-basic/src/main/java/org/apache/gravitino/auth/local/BasicAuthenticator.java | Implements Basic auth header parsing and exception behavior. |
| authenticators/authenticator-basic/src/test/java/org/apache/gravitino/auth/local/TestBasicAuthenticator.java | Adds unit tests for Basic header parsing/error handling. |
lasdf1234
changed the title
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
…-auth-password-hashing # Conflicts: # authenticators/authenticator-basic/build.gradle.kts # server-common/src/main/java/org/apache/gravitino/server/authentication/Argon2idPasswordHasher.java # server-common/src/main/java/org/apache/gravitino/server/authentication/PasswordHasher.java # server-common/src/main/java/org/apache/gravitino/server/authentication/PasswordHasherFactory.java # server-common/src/test/java/org/apache/gravitino/server/authentication/TestArgon2idPasswordHasher.java
Co-authored-by: Copilot <[email protected]>
roryqi
reviewed
May 6, 2026
Contributor
roryqi
left a comment
roryqi
left a comment
There was a problem hiding this comment.
I don't think this should be the first pull request. Because this relies on built-in idp.
Co-authored-by: Copilot <[email protected]>
This reverts commit f3380f9.
This reverts commit 6302c77.
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot Autofix powered by AI <[email protected]>
Co-authored-by: Copilot <[email protected]>
… into feat/local-authenticator-module-wiring
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 4 comments.
Comments suppressed due to low confidence (1)
server-common/src/main/java/org/apache/gravitino/server/authentication/AuthenticatorFactory.java:44
- PR description says
gravitino.authenticators=basicshould loadorg.apache.gravitino.auth.local.BasicAuthenticator, but the factory is wired toorg.apache.gravitino.server.authentication.BasicAuthenticatorinstead. Please align the implementation/package with the intended module structure (or update the PR description/design) so users and follow-up work aren’t confused about where the Basic authenticator lives.
public static final ImmutableMap<String, String> AUTHENTICATORS =
ImmutableMap.of(
AuthenticatorType.SIMPLE.name().toLowerCase(),
SimpleAuthenticator.class.getCanonicalName(),
AuthenticatorType.BASIC.name().toLowerCase(),
BasicAuthenticator.class.getCanonicalName(),
AuthenticatorType.OAUTH.name().toLowerCase(),
OAuth2TokenAuthenticator.class.getCanonicalName(),
AuthenticatorType.KERBEROS.name().toLowerCase(),
KerberosAuthenticator.class.getCanonicalName());
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 10 out of 10 changed files in this pull request and generated 5 comments.
Comments suppressed due to low confidence (1)
server/build.gradle.kts:33
- The server now declares an
implementationdependency on:authenticators:authenticator-basic, but that module currently has no main sources and theBasicAuthenticatorimplementation is in:server-common. This dependency is therefore unused/redundant as-is; either move the implementation into the new module (and have the factory load it from there) or remove this dependency until the module provides runtime code.
dependencies {
implementation(project(":authenticators:authenticator-basic"))
implementation(project(":api"))
implementation(project(":common"))
implementation(project(":core"))
implementation(project(":lineage"))
implementation(project(":server-common"))
implementation(libs.bundles.jetty)
Co-authored-by: Copilot <[email protected]>
Co-authored-by: Copilot <[email protected]>
Comment on lines
+77
to
+81
| throw new BadRequestException( | ||
| "Malformed Basic authorization header: username must not be empty"); | ||
| } | ||
|
|
||
| return new UserPrincipal(userName, authData); |
Comment on lines
38
to
+41
| AuthenticatorType.SIMPLE.name().toLowerCase(), | ||
| SimpleAuthenticator.class.getCanonicalName(), | ||
| AuthenticatorType.BASIC.name().toLowerCase(), | ||
| BasicAuthenticator.class.getCanonicalName(), |
Comment on lines
27
to
34
| /** Simple authentication. */ | ||
| SIMPLE, | ||
|
|
||
| /** Authentication that uses local basic auth. */ | ||
| BASIC, | ||
|
|
||
| /** Authentication that uses OAuth. */ | ||
| OAUTH, |
Co-authored-by: Copilot <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This PR wires the new
authenticators:authenticator-basicmodule into the server authentication flow.The changes include:
servermodule depend onauthenticator-basicAuthenticatorType.BASICgravitino.authenticators=basicto loadorg.apache.gravitino.server.authentication.BasicAuthenticator400 Bad Requestfor malformed Basic authorization headers and401 Unauthorizedfor missing or invalid Basic authorization headersWhy are the changes needed?
This is the module wiring work for local authentication. It enables Gravitino to recognize and load the new Basic authenticator module when
gravitino.authenticators=basic, which is the foundation for the follow-up local authentication tasks.Fix: #10960
Does this PR introduce any user-facing change?
Yes.
basicas a valid value ofgravitino.authenticators400 Bad Request401 UnauthorizedHow was this patch tested?
TestAuthenticatorFactoryto verifybasicloadsBasicAuthenticatorTestBasicAuthenticatorto verify Basic header error handlingTestAuthenticationFilterto verifyBadRequestExceptionmaps to HTTP 400./gradlew --no-daemon :authenticators:authenticator-basic:build./gradlew --no-daemon :server-common:test --tests org.apache.gravitino.server.authentication.TestAuthenticationFilter./gradlew --no-daemon :server:test --tests org.apache.gravitino.server.authentication.TestAuthenticatorFactory./gradlew --no-daemon classes testClasses