Support user allowlist for connection access control

Add user allowlist feature (kyuubi.server.limit.connections.user.allowlist)
that restricts which users can connect to Kyuubi server.

Changes:
- Add SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST config in KyuubiConf
- Add userAllowlist field in SessionLimiterWithAccessControlListImpl
- Add user allowlist check in SessionLimiter.increment()
- Add getUserAllowlist/refreshUserAllowlist in KyuubiSessionManager
- Add refreshUserAllowlist() in KyuubiServer
- Add REST API endpoint POST /api/v1/admin/refresh/user_allowlist
- Add 5 test cases in SessionLimiterSuite
- When user.deny.list and user.allowlist both contain the same user,
  deny list takes higher priority

Author: rockyyin

kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala

@@ -3296,6 +3296,19 @@ object KyuubiConf {
       .toSet()
       .createWithDefault(Set.empty)
 
+  val SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST: ConfigEntry[Set[String]] =
+    buildConf("kyuubi.server.limit.connections.user.allowlist")
+      .doc("When this list is not empty, only the user in the allow list will be" +
+        " permitted to connect to kyuubi server, all other users will be denied." +
+        " If this list is empty (default), no user allowlist restriction is applied." +
+        " Note: if a user is in both user.allowlist and user.deny.list," +
+        " the deny list takes higher priority.")
+      .version("1.10.0")
+      .serverOnly
+      .stringConf
+      .toSet()
+      .createWithDefault(Set.empty)
+
   val SERVER_LIMIT_BATCH_CONNECTIONS_PER_USER: OptionalConfigEntry[Int] =
     buildConf("kyuubi.server.limit.batch.connections.per.user")
       .doc("Maximum kyuubi server batch connections per user." +

kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiServer.scala

@@ -183,6 +183,14 @@ object KyuubiServer extends Logging {
     info(s"Refreshed ip allowlist from $existingIpAllowlist to $refreshedIpAllowlist")
   }
 
+  private[kyuubi] def refreshUserAllowlist(): Unit = synchronized {
+    val sessionMgr = kyuubiServer.backendService.sessionManager.asInstanceOf[KyuubiSessionManager]
+    val existingUserAllowlist = sessionMgr.getUserAllowlist
+    sessionMgr.refreshUserAllowlist(createKyuubiConf())
+    val refreshedUserAllowlist = sessionMgr.getUserAllowlist
+    info(s"Refreshed user allowlist from $existingUserAllowlist to $refreshedUserAllowlist")
+  }
+
   private def createKyuubiConf(): KyuubiConf = {
     KyuubiConf().loadFileDefaults().loadFromArgs(commandArgs)
   }

kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala

@@ -180,6 +180,25 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
     Response.ok(s"Refresh the ip allowlist successfully.").build()
   }
 
+  @ApiResponse(
+    responseCode = "200",
+    content = Array(new Content(mediaType = MediaType.APPLICATION_JSON)),
+    description = "refresh the user allowlist")
+  @POST
+  @Path("refresh/user_allowlist")
+  def refreshUserAllowlist(): Response = {
+    val userName = fe.getSessionUser(Map.empty[String, String])
+    val ipAddress = fe.getIpAddress
+    info(s"Receive refresh user allowlist request from $userName/$ipAddress")
+    if (!fe.isAdministrator(userName)) {
+      throw new ForbiddenException(
+        s"$userName is not allowed to refresh the user allowlist")
+    }
+    info(s"Reloading user allowlist")
+    KyuubiServer.refreshUserAllowlist()
+    Response.ok(s"Refresh the user allowlist successfully.").build()
+  }
+
   @ApiResponse(
     responseCode = "200",
     content = Array(new Content(

kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiSessionManager.scala

@@ -397,14 +397,16 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
     val userDenyList = conf.get(SERVER_LIMIT_CONNECTIONS_USER_DENY_LIST).filter(_.nonEmpty)
     val ipDenyList = conf.get(SERVER_LIMIT_CONNECTIONS_IP_DENY_LIST).filter(_.nonEmpty)
     val ipAllowlist = conf.get(SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST).filter(_.nonEmpty)
+    val userAllowlist = conf.get(SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST).filter(_.nonEmpty)
     limiter = applySessionLimiter(
       userLimit,
       ipAddressLimit,
       userIpAddressLimit,
       userUnlimitedList,
       userDenyList,
       ipDenyList,
-      ipAllowlist)
+      ipAllowlist,
+      userAllowlist)
 
     val userBatchLimit = conf.get(SERVER_LIMIT_BATCH_CONNECTIONS_PER_USER).getOrElse(0)
     val ipAddressBatchLimit = conf.get(SERVER_LIMIT_BATCH_CONNECTIONS_PER_IPADDRESS).getOrElse(0)
@@ -417,7 +419,8 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
       userUnlimitedList,
       userDenyList,
       ipDenyList,
-      ipAllowlist)
+      ipAllowlist,
+      userAllowlist)
   }
 
   private[kyuubi] def getUnlimitedUsers: Set[String] = {
@@ -462,24 +465,38 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
     batchLimiter.foreach(SessionLimiter.resetIpAllowlist(_, ipAllowlist))
   }
 
+  private[kyuubi] def getUserAllowlist: Set[String] = {
+    limiter.orElse(batchLimiter).map(SessionLimiter.getUserAllowlist).getOrElse(Set.empty)
+  }
+
+  private[kyuubi] def refreshUserAllowlist(conf: KyuubiConf): Unit = {
+    val userAllowlist =
+      conf.get(SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST).filter(_.nonEmpty)
+    limiter.foreach(SessionLimiter.resetUserAllowlist(_, userAllowlist))
+    batchLimiter.foreach(SessionLimiter.resetUserAllowlist(_, userAllowlist))
+  }
+
   private def applySessionLimiter(
       userLimit: Int,
       ipAddressLimit: Int,
       userIpAddressLimit: Int,
       userUnlimitedList: Set[String],
       userDenyList: Set[String],
       ipDenyList: Set[String],
-      ipAllowlist: Set[String] = Set.empty): Option[SessionLimiter] = {
+      ipAllowlist: Set[String] = Set.empty,
+      userAllowlist: Set[String] = Set.empty): Option[SessionLimiter] = {
     if (Seq(userLimit, ipAddressLimit, userIpAddressLimit).exists(_ > 0) ||
-      userDenyList.nonEmpty || ipDenyList.nonEmpty || ipAllowlist.nonEmpty) {
+      userDenyList.nonEmpty || ipDenyList.nonEmpty ||
+      ipAllowlist.nonEmpty || userAllowlist.nonEmpty) {
       Some(SessionLimiter(
         userLimit,
         ipAddressLimit,
         userIpAddressLimit,
         userUnlimitedList,
         userDenyList,
         ipDenyList,
-        ipAllowlist))
+        ipAllowlist,
+        userAllowlist))
     } else {
       None
     }

kyuubi-server/src/main/scala/org/apache/kyuubi/session/SessionLimiter.scala

@@ -109,7 +109,8 @@ class SessionLimiterWithAccessControlListImpl(
     var unlimitedUsers: Set[String],
     var denyUsers: Set[String],
     var denyIps: Set[String],
-    var ipAllowlist: Set[String] = Set.empty)
+    var ipAllowlist: Set[String] = Set.empty,
+    var userAllowlist: Set[String] = Set.empty)
   extends SessionLimiterImpl(userLimit, ipAddressLimit, userIpAddressLimit) {
   override def increment(userIpAddress: UserIpAddress): Unit = {
     val user = userIpAddress.user
@@ -124,6 +125,13 @@ class SessionLimiterWithAccessControlListImpl(
         s"Connection denied because the client ip is in the deny ip list. (ipAddress: $ip)"
       throw KyuubiSQLException(errorMsg)
     }
+    // user allowlist check: when allowlist is not empty, only allowed users can connect
+    if (userAllowlist.nonEmpty && StringUtils.isNotBlank(user) &&
+      !userAllowlist.contains(user)) {
+      val errorMsg =
+        s"Connection denied because the user is not in the user allowlist. (user: $user)"
+      throw KyuubiSQLException(errorMsg)
+    }
     // ip allowlist check: when allowlist is not empty, only allowed ips can connect
     if (ipAllowlist.nonEmpty && StringUtils.isNotBlank(ip) && !ipAllowlist.contains(ip)) {
       val errorMsg =
@@ -151,6 +159,10 @@ class SessionLimiterWithAccessControlListImpl(
   private[kyuubi] def setIpAllowlist(ipAllowlist: Set[String]): Unit = {
     this.ipAllowlist = ipAllowlist
   }
+
+  private[kyuubi] def setUserAllowlist(userAllowlist: Set[String]): Unit = {
+    this.userAllowlist = userAllowlist
+  }
 }
 
 object SessionLimiter {
@@ -162,15 +174,17 @@ object SessionLimiter {
       unlimitedUsers: Set[String] = Set.empty,
       denyUsers: Set[String] = Set.empty,
       denyIps: Set[String] = Set.empty,
-      ipAllowlist: Set[String] = Set.empty): SessionLimiter = {
+      ipAllowlist: Set[String] = Set.empty,
+      userAllowlist: Set[String] = Set.empty): SessionLimiter = {
     new SessionLimiterWithAccessControlListImpl(
       userLimit,
       ipAddressLimit,
       userIpAddressLimit,
       unlimitedUsers,
       denyUsers,
       denyIps,
-      ipAllowlist)
+      ipAllowlist,
+      userAllowlist)
   }
 
   def resetUnlimitedUsers(limiter: SessionLimiter, unlimitedUsers: Set[String]): Unit =
@@ -216,4 +230,15 @@ object SessionLimiter {
     case l: SessionLimiterWithAccessControlListImpl => l.ipAllowlist
     case _ => Set.empty
   }
+
+  def resetUserAllowlist(limiter: SessionLimiter, userAllowlist: Set[String]): Unit =
+    limiter match {
+      case l: SessionLimiterWithAccessControlListImpl => l.setUserAllowlist(userAllowlist)
+      case _ =>
+    }
+
+  def getUserAllowlist(limiter: SessionLimiter): Set[String] = limiter match {
+    case l: SessionLimiterWithAccessControlListImpl => l.userAllowlist
+    case _ => Set.empty
+  }
 }

kyuubi-server/src/test/scala/org/apache/kyuubi/session/SessionLimiterSuite.scala

@@ -328,4 +328,123 @@ class SessionLimiterSuite extends KyuubiFunSuite {
     SessionLimiter.resetIpAllowlist(limiter, Set.empty)
     limiter.increment(UserIpAddress("user003", "172.16.0.1"))
   }
+
+  test("test session limiter with user allowlist") {
+    val allowedUser = "user001"
+    val blockedUser = "user002"
+    val userAllowlist = Set(allowedUser)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      userAllowlist)
+
+    // allowed user should be able to connect
+    limiter.increment(UserIpAddress(allowedUser, "10.0.0.1"))
+
+    // blocked user should be denied
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress(blockedUser, "10.0.0.1"))
+    }
+    assert(caught.getMessage.equals(
+      s"Connection denied because the user is not in the user allowlist." +
+        s" (user: $blockedUser)"))
+  }
+
+  test("test session limiter user allowlist with multiple users") {
+    val allowedUser1 = "user001"
+    val allowedUser2 = "user002"
+    val blockedUser = "user003"
+    val userAllowlist = Set(allowedUser1, allowedUser2)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      userAllowlist)
+
+    // both allowed users should be able to connect
+    limiter.increment(UserIpAddress(allowedUser1, "10.0.0.1"))
+    limiter.increment(UserIpAddress(allowedUser2, "10.0.0.2"))
+
+    // blocked user should be denied
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress(blockedUser, "192.168.1.100"))
+    }
+    assert(caught.getMessage.contains("not in the user allowlist"))
+  }
+
+  test("test session limiter empty user allowlist allows all users") {
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty)
+
+    // when allowlist is empty, all users should be allowed
+    limiter.increment(UserIpAddress("user001", "10.0.0.1"))
+    limiter.increment(UserIpAddress("user002", "192.168.1.100"))
+    limiter.increment(UserIpAddress("user003", "172.16.0.1"))
+  }
+
+  test("test session limiter user deny list has higher priority than user allowlist") {
+    val user = "user001"
+    val denyUsers = Set(user)
+    val userAllowlist = Set(user)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      denyUsers,
+      Set.empty,
+      Set.empty,
+      userAllowlist)
+
+    // deny user list check happens before allowlist check
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress(user, "10.0.0.1"))
+    }
+    assert(caught.getMessage.equals(
+      s"Connection denied because the user is in the deny user list. (user: $user)"))
+  }
+
+  test("test refresh user allowlist") {
+    val allowedUser = "user001"
+    val blockedUser = "user002"
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set(allowedUser))
+
+    // initially only allowedUser can connect
+    limiter.increment(UserIpAddress(allowedUser, "10.0.0.1"))
+    intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress(blockedUser, "10.0.0.1"))
+    }
+
+    // refresh allowlist to include blockedUser
+    SessionLimiter.resetUserAllowlist(limiter, Set(allowedUser, blockedUser))
+    limiter.increment(UserIpAddress(blockedUser, "10.0.0.1"))
+
+    // refresh allowlist to empty (allow all)
+    SessionLimiter.resetUserAllowlist(limiter, Set.empty)
+    limiter.increment(UserIpAddress("user003", "172.16.0.1"))
+  }
 }