Skip to content

Commit 7f691b4

Browse files
loserwang1024loserwang1024
authored
[docs] Add security documents including authentication and authorization. (#1060)
1 parent 2ee8664 commit 7f691b4

File tree

10 files changed

+570
-64
lines changed

10 files changed

+570
-64
lines changed

fluss-common/src/main/java/com/alibaba/fluss/config/ConfigOptions.java

Lines changed: 47 additions & 47 deletions
Original file line numberDiff line numberDiff line change
@@ -177,6 +177,53 @@ public class ConfigOptions {
177177
"The maximum number of buckets that can be created for a table."
178178
+ "The default value is 128000");
179179

180+
/**
181+
* The network address and port the server binds to for accepting connections.
182+
*
183+
* <p>This specifies the interface and port where the server will listen for incoming requests.
184+
* The format is {@code listener_name://host:port}, supporting multiple addresses separated by
185+
* commas.
186+
*
187+
* <p>The default value {@code "CLIENT://localhost:9123"} is suitable for local development.
188+
*/
189+
public static final ConfigOption<String> BIND_LISTENERS =
190+
key("bind.listeners")
191+
.stringType()
192+
.noDefaultValue()
193+
.withDescription(
194+
"The network address and port to which the server binds for accepting connections. "
195+
+ "This defines the interface and port where the server will listen for incoming requests. "
196+
+ "The format is `listener_name://host:port`, and multiple addresses can be specified, separated by commas. "
197+
+ "Use `0.0.0.0` for the `host` to bind to all available interfaces which is dangerous on production and not suggested for production usage. "
198+
+ "The `listener_name` serves as an identifier for the address in the configuration. For example, "
199+
+ "`internal.listener.name` specifies the address used for internal server communication. "
200+
+ "If multiple addresses are configured, ensure that the `listener_name` values are unique.");
201+
202+
/**
203+
* The externally advertised address and port for client connections.
204+
*
205+
* <p>This specifies the address other nodes/clients should use to connect to this server. It is
206+
* required when the bind address ({@link #BIND_LISTENERS}) is not publicly reachable (e.g.,
207+
* when using {@code localhost} in {@code bind.listeners}). <b>Must be configured in distributed
208+
* environments</b> to ensure proper cluster discovery. If not explicitly set, the value of
209+
* {@code bind.listeners} will be used as fallback.
210+
*/
211+
public static final ConfigOption<String> ADVERTISED_LISTENERS =
212+
key("advertised.listeners")
213+
.stringType()
214+
.noDefaultValue()
215+
.withDescription(
216+
"The externally advertised address and port for client connections. "
217+
+ "Required in distributed environments when the bind address is not publicly reachable. "
218+
+ "Format matches `bind.listeners` (listener_name://host:port). "
219+
+ "Defaults to the value of `bind.listeners` if not explicitly configured.");
220+
221+
public static final ConfigOption<String> INTERNAL_LISTENER_NAME =
222+
key("internal.listener.name")
223+
.stringType()
224+
.defaultValue(DEFAULT_LISTENER_NAME)
225+
.withDescription("The listener for server internal communication.");
226+
180227
public static final ConfigOption<List<String>> SERVER_SASL_ENABLED_MECHANISMS_CONFIG =
181228
key("security.sasl.enabled.mechanisms").stringType().asList().noDefaultValue();
182229

@@ -237,53 +284,6 @@ public class ConfigOptions {
237284
+ " (“50100,50101”), ranges (“50100-50200”) or a combination of both."
238285
+ "This option is deprecated. Please use bind.listeners instead, which provides a more flexible configuration for multiple ports");
239286

240-
/**
241-
* The network address and port the server binds to for accepting connections.
242-
*
243-
* <p>This specifies the interface and port where the server will listen for incoming requests.
244-
* The format is {@code listener_name://host:port}, supporting multiple addresses separated by
245-
* commas.
246-
*
247-
* <p>The default value {@code "CLIENT://localhost:9123"} is suitable for local development.
248-
*/
249-
public static final ConfigOption<String> BIND_LISTENERS =
250-
key("bind.listeners")
251-
.stringType()
252-
.noDefaultValue()
253-
.withDescription(
254-
"The network address and port to which the server binds for accepting connections. "
255-
+ "This defines the interface and port where the server will listen for incoming requests. "
256-
+ "The format is `listener_name://host:port`, and multiple addresses can be specified, separated by commas. "
257-
+ "Use `0.0.0.0` for the `host` to bind to all available interfaces which is dangerous on production and not suggested for production usage. "
258-
+ "The `listener_name` serves as an identifier for the address in the configuration. For example, "
259-
+ "`internal.listener.name` specifies the address used for internal server communication. "
260-
+ "If multiple addresses are configured, ensure that the `listener_name` values are unique.");
261-
262-
/**
263-
* The externally advertised address and port for client connections.
264-
*
265-
* <p>This specifies the address other nodes/clients should use to connect to this server. It is
266-
* required when the bind address ({@link #BIND_LISTENERS}) is not publicly reachable (e.g.,
267-
* when using {@code localhost} in {@code bind.listeners}). <b>Must be configured in distributed
268-
* environments</b> to ensure proper cluster discovery. If not explicitly set, the value of
269-
* {@code bind.listeners} will be used as fallback.
270-
*/
271-
public static final ConfigOption<String> ADVERTISED_LISTENERS =
272-
key("advertised.listeners")
273-
.stringType()
274-
.noDefaultValue()
275-
.withDescription(
276-
"The externally advertised address and port for client connections. "
277-
+ "Required in distributed environments when the bind address is not publicly reachable. "
278-
+ "Format matches `bind.listeners` (listener_name://host:port). "
279-
+ "Defaults to the value of `bind.listeners` if not explicitly configured.");
280-
281-
public static final ConfigOption<String> INTERNAL_LISTENER_NAME =
282-
key("internal.listener.name")
283-
.stringType()
284-
.defaultValue(DEFAULT_LISTENER_NAME)
285-
.withDescription("The listener for server internal communication.");
286-
287287
public static final ConfigOption<Integer> COORDINATOR_IO_POOL_SIZE =
288288
key("coordinator.io-pool.size")
289289
.intType()

website/docs/apis/_category_.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
11
{
22
"label": "Fluss APIs",
3-
"position": 9
3+
"position": 10
44
}

website/docs/apis/java-client.md

Lines changed: 25 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -52,13 +52,14 @@ single `Connection` instance per application and use it to create multiple `Admi
5252
`Table` and `Admin` instances, on the other hand, are not thread-safe and should be created for each thread that needs to access them.
5353
Caching or pooling of `Table` and `Admin` is not recommended.
5454

55-
Create a new `Admin` instance:
55+
Create a new `Admin` instance :
5656
```java
5757
// creating Connection object to connect with Fluss cluster
5858
Configuration conf = new Configuration();
5959
conf.setString("bootstrap.servers", "localhost:9123");
6060
Connection connection = ConnectionFactory.createConnection(conf);
6161

62+
6263
// obtain Admin instance from the Connection
6364
Admin admin = connection.getAdmin();
6465
admin.listDatabases().get().forEach(System.out::println);
@@ -68,6 +69,29 @@ Table table = connection.getTable(TablePath.of("my_db", "my_table");
6869
System.out.println(table.getTableInfo());
6970
```
7071

72+
if you are using SASL authentication, you need to set the following properties:
73+
```java
74+
// creating Connection object to connect with Fluss cluster
75+
Configuration conf = new Configuration();
76+
conf.setString("bootstrap.servers", "localhost:9123");
77+
conf.setString("client.security.protocol", "sasl");
78+
conf.setString("client.security.sasl.mechanism", "PLAIN");
79+
conf.setString("client.security.sasl.username", "alice");
80+
conf.setString("client.security.sasl.password", "alice-secret");
81+
Connection connection = ConnectionFactory.createConnection(conf);
82+
83+
84+
// obtain Admin instance from the Connection
85+
Admin admin = connection.getAdmin();
86+
admin.listDatabases().get().forEach(System.out::println);
87+
88+
// obtain Table instance from the Connection
89+
Table table = connection.getTable(TablePath.of("my_db", "my_table");
90+
System.out.println(table.getTableInfo());
91+
```
92+
93+
94+
7195
## Working Operations
7296
All methods in `FlussAdmin` return `CompletableFuture` objects. You can handle these in two ways:
7397

website/docs/engine-flink/ddl.md

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -37,11 +37,13 @@ USE CATALOG fluss_catalog;
3737

3838
The following properties can be set if using the Fluss catalog:
3939

40-
| Option | Required | Default | Description |
41-
|-------------------|----------|---------|-------------------------------------------------------------|
42-
| type | required | (none) | Catalog type, must to be 'fluss' here. |
43-
| bootstrap.servers | required | (none) | Comma separated list of Fluss servers. |
44-
| default-database | optional | fluss | The default database to use when switching to this catalog. |
40+
| Option | Required | Default | Description |
41+
|--------------------------------|----------|-----------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
42+
| type | required | (none) | Catalog type, must to be 'fluss' here. |
43+
| bootstrap.servers | required | (none) | Comma separated list of Fluss servers. |
44+
| default-database | optional | fluss | The default database to use when switching to this catalog. |
45+
| client.security.protocol | optional | PLAINTEXT | The security protocol used to communicate with brokers. Currently, only `PLAINTEXT` and `SASL` are supported, the configuration value is case insensitive. |
46+
| `client.security.{protocol}.*` | optional | (none) | Client-side configuration properties for a specific authentication protocol. E.g., client.security.sasl.jaas.config. More Details in [authentication](../security/authentication.md) | (none) |
4547

4648
The following introduced statements assuming the current catalog is switched to the Fluss catalog using `USE CATALOG <catalog_name>` statement.
4749

website/docs/engine-flink/options.md

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -165,4 +165,5 @@ ALTER TABLE log_table SET ('table.log.ttl' = '7d');
165165
| client.filesystem.security.token.renewal.backoff | Duration | 1h | The time period how long to wait before retrying to obtain new security tokens for filesystem after a failure. |
166166
| client.filesystem.security.token.renewal.time-ratio | Double | 0.75 | Ratio of the token's expiration time when new credentials for access filesystem should be re-obtained. |
167167
| client.metrics.enabled | Boolean | false | Enable metrics for client. When metrics is enabled, the client will collect metrics and report by the JMX metrics reporter. |
168-
| client.security.protocol | String | PLAINTEXT | The authentication protocol used to authenticate the client. |
168+
| client.security.protocol | String | PLAINTEXT | The security protocol used to communicate with brokers. Currently, only `PLAINTEXT` and `SASL` are supported, the configuration value is case insensitive. |
169+
| `client.security.{protocol}.*` | optional | (none) | Client-side configuration properties for a specific authentication protocol. E.g., client.security.sasl.jaas.config. More Details in [authentication](../security/authentication.md) |

0 commit comments

Comments
 (0)