[KYUUBI #XXXX] Support IP client allowlist for connection access control

### _Why are the changes needed?_
Currently, Kyuubi supports IP deny list (ip.deny.list) to block specific IPs
from connecting. However, in some security-sensitive environments, administrators
need the opposite approach - only allowing specific trusted IPs to connect
(allowlist/whitelist pattern). This is a common security requirement for
production deployments.

### _How was this patch tested?_
- Added 5 unit test cases in SessionLimiterSuite:
  - test session limiter with ip allowlist
  - test session limiter ip allowlist with multiple ips
  - test session limiter empty ip allowlist allows all ips
  - test session limiter ip deny list has higher priority than ip allowlist
  - test refresh ip allowlist

### _Was this patch authored or co-authored using generative AI tooling?_
No

### Changes:
- Add SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST config in KyuubiConf
- Add ipAllowlist field in SessionLimiterWithAccessControlListImpl
- Add ip allowlist check in SessionLimiter.increment()
- Add getIpAllowlist/refreshIpAllowlist in KyuubiSessionManager
- Add refreshIpAllowlist() in KyuubiServer
- Add REST API endpoint POST /api/v1/admin/refresh/ip_allowlist
- When ip.deny.list and ip.allowlist both contain the same IP, deny list takes higher priority

Author: rockyyin

kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala

@@ -3283,6 +3283,19 @@ object KyuubiConf {
       .toSet()
       .createWithDefault(Set.empty)
 
+  val SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST: ConfigEntry[Set[String]] =
+    buildConf("kyuubi.server.limit.connections.ip.allowlist")
+      .doc("When this list is not empty, only the client ip in the allow list will be" +
+        " permitted to connect to kyuubi server, all other ips will be denied." +
+        " If this list is empty (default), no ip allowlist restriction is applied." +
+        " Note: if a client ip is in both ip.allowlist and ip.deny.list," +
+        " the deny list takes higher priority.")
+      .version("1.10.0")
+      .serverOnly
+      .stringConf
+      .toSet()
+      .createWithDefault(Set.empty)
+
   val SERVER_LIMIT_BATCH_CONNECTIONS_PER_USER: OptionalConfigEntry[Int] =
     buildConf("kyuubi.server.limit.batch.connections.per.user")
       .doc("Maximum kyuubi server batch connections per user." +

kyuubi-server/src/main/scala/org/apache/kyuubi/server/KyuubiServer.scala

@@ -175,6 +175,14 @@ object KyuubiServer extends Logging {
     info(s"Refreshed deny client ips from $existingDenyIps to $refreshedDenyIps")
   }
 
+  private[kyuubi] def refreshIpAllowlist(): Unit = synchronized {
+    val sessionMgr = kyuubiServer.backendService.sessionManager.asInstanceOf[KyuubiSessionManager]
+    val existingIpAllowlist = sessionMgr.getIpAllowlist
+    sessionMgr.refreshIpAllowlist(createKyuubiConf())
+    val refreshedIpAllowlist = sessionMgr.getIpAllowlist
+    info(s"Refreshed ip allowlist from $existingIpAllowlist to $refreshedIpAllowlist")
+  }
+
   private def createKyuubiConf(): KyuubiConf = {
     KyuubiConf().loadFileDefaults().loadFromArgs(commandArgs)
   }

kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala

@@ -161,6 +161,25 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
     Response.ok(s"Refresh the deny ips successfully.").build()
   }
 
+  @ApiResponse(
+    responseCode = "200",
+    content = Array(new Content(mediaType = MediaType.APPLICATION_JSON)),
+    description = "refresh the ip allowlist")
+  @POST
+  @Path("refresh/ip_allowlist")
+  def refreshIpAllowlist(): Response = {
+    val userName = fe.getSessionUser(Map.empty[String, String])
+    val ipAddress = fe.getIpAddress
+    info(s"Receive refresh ip allowlist request from $userName/$ipAddress")
+    if (!fe.isAdministrator(userName)) {
+      throw new ForbiddenException(
+        s"$userName is not allowed to refresh the ip allowlist")
+    }
+    info(s"Reloading ip allowlist")
+    KyuubiServer.refreshIpAllowlist()
+    Response.ok(s"Refresh the ip allowlist successfully.").build()
+  }
+
   @ApiResponse(
     responseCode = "200",
     content = Array(new Content(

kyuubi-server/src/main/scala/org/apache/kyuubi/session/KyuubiSessionManager.scala

@@ -396,13 +396,15 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
       conf.get(SERVER_LIMIT_CONNECTIONS_USER_UNLIMITED_LIST).filter(_.nonEmpty)
     val userDenyList = conf.get(SERVER_LIMIT_CONNECTIONS_USER_DENY_LIST).filter(_.nonEmpty)
     val ipDenyList = conf.get(SERVER_LIMIT_CONNECTIONS_IP_DENY_LIST).filter(_.nonEmpty)
+    val ipAllowlist = conf.get(SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST).filter(_.nonEmpty)
     limiter = applySessionLimiter(
       userLimit,
       ipAddressLimit,
       userIpAddressLimit,
       userUnlimitedList,
       userDenyList,
-      ipDenyList)
+      ipDenyList,
+      ipAllowlist)
 
     val userBatchLimit = conf.get(SERVER_LIMIT_BATCH_CONNECTIONS_PER_USER).getOrElse(0)
     val ipAddressBatchLimit = conf.get(SERVER_LIMIT_BATCH_CONNECTIONS_PER_IPADDRESS).getOrElse(0)
@@ -414,7 +416,8 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
       userIpAddressBatchLimit,
       userUnlimitedList,
       userDenyList,
-      ipDenyList)
+      ipDenyList,
+      ipAllowlist)
   }
 
   private[kyuubi] def getUnlimitedUsers: Set[String] = {
@@ -448,22 +451,35 @@ class KyuubiSessionManager private (name: String) extends SessionManager(name) {
     batchLimiter.foreach(SessionLimiter.resetDenyIps(_, denyIps))
   }
 
+  private[kyuubi] def getIpAllowlist: Set[String] = {
+    limiter.orElse(batchLimiter).map(SessionLimiter.getIpAllowlist).getOrElse(Set.empty)
+  }
+
+  private[kyuubi] def refreshIpAllowlist(conf: KyuubiConf): Unit = {
+    val ipAllowlist =
+      conf.get(SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST).filter(_.nonEmpty)
+    limiter.foreach(SessionLimiter.resetIpAllowlist(_, ipAllowlist))
+    batchLimiter.foreach(SessionLimiter.resetIpAllowlist(_, ipAllowlist))
+  }
+
   private def applySessionLimiter(
       userLimit: Int,
       ipAddressLimit: Int,
       userIpAddressLimit: Int,
       userUnlimitedList: Set[String],
       userDenyList: Set[String],
-      ipDenyList: Set[String]): Option[SessionLimiter] = {
+      ipDenyList: Set[String],
+      ipAllowlist: Set[String] = Set.empty): Option[SessionLimiter] = {
     if (Seq(userLimit, ipAddressLimit, userIpAddressLimit).exists(_ > 0) ||
-      userDenyList.nonEmpty || ipDenyList.nonEmpty) {
+      userDenyList.nonEmpty || ipDenyList.nonEmpty || ipAllowlist.nonEmpty) {
       Some(SessionLimiter(
         userLimit,
         ipAddressLimit,
         userIpAddressLimit,
         userUnlimitedList,
         userDenyList,
-        ipDenyList))
+        ipDenyList,
+        ipAllowlist))
     } else {
       None
     }

kyuubi-server/src/main/scala/org/apache/kyuubi/session/SessionLimiter.scala

@@ -108,7 +108,8 @@ class SessionLimiterWithAccessControlListImpl(
     userIpAddressLimit: Int,
     var unlimitedUsers: Set[String],
     var denyUsers: Set[String],
-    var denyIps: Set[String])
+    var denyIps: Set[String],
+    var ipAllowlist: Set[String] = Set.empty)
   extends SessionLimiterImpl(userLimit, ipAddressLimit, userIpAddressLimit) {
   override def increment(userIpAddress: UserIpAddress): Unit = {
     val user = userIpAddress.user
@@ -123,6 +124,12 @@ class SessionLimiterWithAccessControlListImpl(
         s"Connection denied because the client ip is in the deny ip list. (ipAddress: $ip)"
       throw KyuubiSQLException(errorMsg)
     }
+    // ip allowlist check: when allowlist is not empty, only allowed ips can connect
+    if (ipAllowlist.nonEmpty && StringUtils.isNotBlank(ip) && !ipAllowlist.contains(ip)) {
+      val errorMsg =
+        s"Connection denied because the client ip is not in the ip allowlist. (ipAddress: $ip)"
+      throw KyuubiSQLException(errorMsg)
+    }
 
     if (!unlimitedUsers.contains(user)) {
       super.increment(userIpAddress)
@@ -140,6 +147,10 @@ class SessionLimiterWithAccessControlListImpl(
   private[kyuubi] def setDenyIps(denyIps: Set[String]): Unit = {
     this.denyIps = denyIps
   }
+
+  private[kyuubi] def setIpAllowlist(ipAllowlist: Set[String]): Unit = {
+    this.ipAllowlist = ipAllowlist
+  }
 }
 
 object SessionLimiter {
@@ -150,14 +161,16 @@ object SessionLimiter {
       userIpAddressLimit: Int,
       unlimitedUsers: Set[String] = Set.empty,
       denyUsers: Set[String] = Set.empty,
-      denyIps: Set[String] = Set.empty): SessionLimiter = {
+      denyIps: Set[String] = Set.empty,
+      ipAllowlist: Set[String] = Set.empty): SessionLimiter = {
     new SessionLimiterWithAccessControlListImpl(
       userLimit,
       ipAddressLimit,
       userIpAddressLimit,
       unlimitedUsers,
       denyUsers,
-      denyIps)
+      denyIps,
+      ipAllowlist)
   }
 
   def resetUnlimitedUsers(limiter: SessionLimiter, unlimitedUsers: Set[String]): Unit =
@@ -192,4 +205,15 @@ object SessionLimiter {
     case l: SessionLimiterWithAccessControlListImpl => l.denyIps
     case _ => Set.empty
   }
+
+  def resetIpAllowlist(limiter: SessionLimiter, ipAllowlist: Set[String]): Unit =
+    limiter match {
+      case l: SessionLimiterWithAccessControlListImpl => l.setIpAllowlist(ipAllowlist)
+      case _ =>
+    }
+
+  def getIpAllowlist(limiter: SessionLimiter): Set[String] = limiter match {
+    case l: SessionLimiterWithAccessControlListImpl => l.ipAllowlist
+    case _ => Set.empty
+  }
 }

kyuubi-server/src/test/scala/org/apache/kyuubi/session/SessionLimiterSuite.scala

@@ -214,4 +214,118 @@ class SessionLimiterSuite extends KyuubiFunSuite {
     limiter.asInstanceOf[SessionLimiterImpl].counters().asScala.values
       .foreach(c => assert(c.get() == 0))
   }
+
+  test("test session limiter with ip allowlist") {
+    val allowedIp = "10.0.0.1"
+    val blockedIp = "192.168.1.100"
+    val ipAllowlist = Set(allowedIp)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      ipAllowlist)
+
+    // allowed ip should be able to connect
+    limiter.increment(UserIpAddress("user001", allowedIp))
+
+    // blocked ip should be denied
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress("user001", blockedIp))
+    }
+    assert(caught.getMessage.equals(
+      s"Connection denied because the client ip is not in the ip allowlist." +
+        s" (ipAddress: $blockedIp)"))
+  }
+
+  test("test session limiter ip allowlist with multiple ips") {
+    val allowedIp1 = "10.0.0.1"
+    val allowedIp2 = "10.0.0.2"
+    val blockedIp = "192.168.1.100"
+    val ipAllowlist = Set(allowedIp1, allowedIp2)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      ipAllowlist)
+
+    // both allowed ips should be able to connect
+    limiter.increment(UserIpAddress("user001", allowedIp1))
+    limiter.increment(UserIpAddress("user002", allowedIp2))
+
+    // blocked ip should be denied
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress("user003", blockedIp))
+    }
+    assert(caught.getMessage.contains("not in the ip allowlist"))
+  }
+
+  test("test session limiter empty ip allowlist allows all ips") {
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set.empty)
+
+    // when allowlist is empty, all ips should be allowed
+    limiter.increment(UserIpAddress("user001", "10.0.0.1"))
+    limiter.increment(UserIpAddress("user002", "192.168.1.100"))
+    limiter.increment(UserIpAddress("user003", "172.16.0.1"))
+  }
+
+  test("test session limiter ip deny list has higher priority than ip allowlist") {
+    val ip = "10.0.0.1"
+    val denyIps = Set(ip)
+    val ipAllowlist = Set(ip)
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      denyIps,
+      ipAllowlist)
+
+    // deny ip list check happens before allowlist check
+    val caught = intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress("user001", ip))
+    }
+    assert(caught.getMessage.equals(
+      s"Connection denied because the client ip is in the deny ip list. (ipAddress: $ip)"))
+  }
+
+  test("test refresh ip allowlist") {
+    val allowedIp = "10.0.0.1"
+    val blockedIp = "192.168.1.100"
+    val limiter = SessionLimiter(
+      100,
+      100,
+      100,
+      Set.empty,
+      Set.empty,
+      Set.empty,
+      Set(allowedIp))
+
+    // initially only allowedIp can connect
+    limiter.increment(UserIpAddress("user001", allowedIp))
+    intercept[KyuubiSQLException] {
+      limiter.increment(UserIpAddress("user002", blockedIp))
+    }
+
+    // refresh allowlist to include blockedIp
+    SessionLimiter.resetIpAllowlist(limiter, Set(allowedIp, blockedIp))
+    limiter.increment(UserIpAddress("user002", blockedIp))
+
+    // refresh allowlist to empty (allow all)
+    SessionLimiter.resetIpAllowlist(limiter, Set.empty)
+    limiter.increment(UserIpAddress("user003", "172.16.0.1"))
+  }
 }