apache · Hisoka-X · Apr 17, 2025 · Apr 14, 2025 · Apr 14, 2025 · Apr 14, 2025
diff --git a/config/seatunnel.yaml b/config/seatunnel.yaml
@@ -44,3 +44,7 @@ seatunnel:
       enable-http: true
       port: 8080
       enable-dynamic-port: false
+      # Uncomment the following lines to enable basic authentication for web UI
+      # enable-basic-auth: true
+      # basic-auth-username: admin
+      # basic-auth-password: admin
diff --git a/docs/en/seatunnel-engine/security.md b/docs/en/seatunnel-engine/security.md
@@ -1,5 +1,26 @@
 # Security
 
+## Basic Authentication
+
+You can secure your Web UI by enabling basic authentication. This will require users to enter a username and password when accessing the web interface.
+
+| Parameter Name | Required | Description |
+|----------------|----------|-------------|
+| `enable-basic-auth` | No | Whether to enable basic authentication, default is `false` |
+| `basic-auth-username` | No | The username for basic authentication, default is `admin` |
+| `basic-auth-password` | No | The password for basic authentication, default is `admin` |
+
+```yaml
+seatunnel:
+  engine:
+    http:
+      enable-http: true
+      port: 8080
+      enable-basic-auth: true
+      basic-auth-username: "your_username"
+      basic-auth-password: "your_password"
+```
+
 ## HTTPS Configuration
 
 You can secure your REST-API-V2 service by enabling HTTPS. Both HTTP and HTTPS can be enabled simultaneously, or only one of them can be enabled.

diff --git a/docs/zh/seatunnel-engine/security.md b/docs/zh/seatunnel-engine/security.md
@@ -4,6 +4,27 @@ sidebar_position: 16
 
 # Security
 
+## Basic 认证
+
+您可以通过开启 Basic 认证来保护您的 Web UI。这将要求用户在访问 Web 界面时输入用户名和密码。
+
+| 参数名称 | 是否必填 | 参数描述 |
+|--------|---------|--------|
+| `enable-basic-auth` | 否 | 是否开启Basic 认证，默认为 `false` |
+| `basic-auth-username` | 否 | Basic 认证的用户名，默认为 `admin` |
+| `basic-auth-password` | 否 | Basic 认证的密码，默认为 `admin` |
+
+```yaml
+seatunnel:
+  engine:
+    http:
+      enable-http: true
+      port: 8080
+      enable-basic-auth: true
+      basic-auth-username: "your_username"
+      basic-auth-password: "your_password"
+```
+
 ## HTTPS 配置
 
 您可以通过开启 HTTPS 来保护您的 API 服务。HTTP 和 HTTPS 可同时开启，也可以只开启其中一个。

diff --git a/...atunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/BasicAuthenticationIT.java b/...atunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/BasicAuthenticationIT.java
@@ -0,0 +1,266 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.seatunnel.engine.e2e;
+
+import org.apache.seatunnel.engine.server.rest.RestConstant;
+
+import org.awaitility.Awaitility;
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.testcontainers.containers.GenericContainer;
+
+import io.restassured.http.ContentType;
+import io.restassured.response.Response;
+
+import java.io.IOException;
+import java.util.Base64;
+import java.util.concurrent.TimeUnit;
+
+import static io.restassured.RestAssured.given;
+import static org.apache.seatunnel.e2e.common.util.ContainerUtil.PROJECT_ROOT_PATH;
+import static org.hamcrest.Matchers.containsString;
+import static org.hamcrest.Matchers.notNullValue;
+
+/** Integration test for basic authentication in SeaTunnel Engine. */
+public class BasicAuthenticationIT extends SeaTunnelEngineContainer {
+
+    private static final String HTTP = "http://";
+    private static final String COLON = ":";
+    private static final String USERNAME = "testuser";
+    private static final String PASSWORD = "testpassword";
+    private static final String BASIC_AUTH_HEADER = "Authorization";
+    private static final String BASIC_AUTH_PREFIX = "Basic ";
+
+    @Override
+    @BeforeEach
+    public void startUp() throws Exception {
+        // Create server with basic authentication enabled
+
+        server = createSeaTunnelContainerWithBasicAuth();
+        // Wait for server to be ready
+        Awaitility.await()
+                .atMost(2, TimeUnit.MINUTES)
+                .until(
+                        () -> {
+                            try {
+                                // Try to access with correct credentials
+                                String credentials = USERNAME + ":" + PASSWORD;
+                                String encodedCredentials =
+                                        Base64.getEncoder().encodeToString(credentials.getBytes());
+
+                                given().header(
+                                                BASIC_AUTH_HEADER,
+                                                BASIC_AUTH_PREFIX + encodedCredentials)
+                                        .get(
+                                                HTTP
+                                                        + server.getHost()
+                                                        + COLON
+                                                        + server.getMappedPort(8080)
+                                                        + "/")
+                                        .then()
+                                        .statusCode(200);
+                                return true;
+                            } catch (Exception e) {
+                                return false;
+                            }
+                        });
+    }
+
+    @Override
+    @AfterEach
+    public void tearDown() throws Exception {
+        super.tearDown();
+    }
+
+    /**
+     * Test that accessing the web UI without authentication credentials returns 401 Unauthorized.
+     */
+    @Test
+    public void testAccessWithoutCredentials() {
+        given().get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
+                .then()
+                .statusCode(401);
+    }
+
+    /** Test that accessing the web UI with incorrect credentials returns 401 Unauthorized. */
+    @Test
+    public void testAccessWithIncorrectCredentials() {
+        String credentials = "wronguser:wrongpassword";
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                .get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
+                .then()
+                .statusCode(401);
+    }
+
+    /** Test that accessing the web UI with correct credentials returns 200 OK. */
+    @Test
+    public void testAccessWithCorrectCredentials() {
+        String credentials = USERNAME + ":" + PASSWORD;
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                .get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
+                .then()
+                .statusCode(200)
+                .contentType(containsString("text/html"))
+                .body(containsString("<title>Seatunnel Engine UI</title>"));
+    }
+
+    /** Test that accessing the REST API with correct credentials returns 200 OK. */
+    @Test
+    public void testRestApiAccessWithCorrectCredentials() {
+        String credentials = USERNAME + ":" + PASSWORD;
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                .get(
+                        HTTP
+                                + server.getHost()
+                                + COLON
+                                + server.getMappedPort(8080)
+                                + RestConstant.REST_URL_OVERVIEW)
+                .then()
+                .statusCode(200)
+                .body("projectVersion", notNullValue());
+    }
+
+    /** Test that accessing the REST API with Incorrect credentials returns 200 OK. */
+    @Test
+    public void testRestApiAccessWithIncorrectCredentials() {
+        String credentials = "wronguser:wrongpassword";
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                .get(
+                        HTTP
+                                + server.getHost()
+                                + COLON
+                                + server.getMappedPort(8080)
+                                + RestConstant.REST_URL_OVERVIEW)
+                .then()
+                .statusCode(401);
+    }
+
+    /** Test submitting a job via REST API with correct credentials. */
+    @Test
+    public void testSubmitJobWithCorrectCredentials() {
+        String credentials = USERNAME + ":" + PASSWORD;
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        // Simple batch job configuration
+        String jobConfig =
+                "{\n"
+                        + "    \"env\": {\n"
+                        + "        \"job.mode\": \"batch\"\n"
+                        + "    },\n"
+                        + "    \"source\": [\n"
+                        + "        {\n"
+                        + "            \"plugin_name\": \"FakeSource\",\n"
+                        + "            \"plugin_output\": \"fake\",\n"
+                        + "            \"row.num\": 100,\n"
+                        + "            \"schema\": {\n"
+                        + "                \"fields\": {\n"
+                        + "                    \"name\": \"string\",\n"
+                        + "                    \"age\": \"int\",\n"
+                        + "                    \"card\": \"int\"\n"
+                        + "                }\n"
+                        + "            }\n"
+                        + "        }\n"
+                        + "    ],\n"
+                        + "    \"transform\": [\n"
+                        + "    ],\n"
+                        + "    \"sink\": [\n"
+                        + "        {\n"
+                        + "            \"plugin_name\": \"InMemory\",\n"
+                        + "            \"plugin_input\": \"fake\",\n"
+                        + "            \"throw_exception\": true\n"
+                        + "        }\n"
+                        + "    ]\n"
+                        + "}";
+
+        Response response =
+                given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                        .contentType(ContentType.JSON)
+                        .body(jobConfig)
+                        .post(
+                                HTTP
+                                        + server.getHost()
+                                        + COLON
+                                        + server.getMappedPort(8080)
+                                        + RestConstant.REST_URL_SUBMIT_JOB);
+
+        response.then().statusCode(200).body("jobId", notNullValue());
+    }
+
+    /** Test submitting a job via REST API with incorrect credentials. */
+    @Test
+    public void testSubmitJobWithIncorrectCredentials() {
+        String credentials = "wronguser:wrongpassword";
+        String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());
+
+        // Simple batch job configuration
+        String jobConfig =
+                "{\n"
+                        + "  \"env\": {\n"
+                        + "    \"job.mode\": \"BATCH\"\n"
+                        + "  },\n"
+                        + "  \"source\": {\n"
+                        + "    \"FakeSource\": {\n"
+                        + "      \"plugin_output\": \"fake\",\n"
+                        + "      \"row.num\": 100,\n"
+                        + "      \"schema\": {\n"
+                        + "        \"fields\": {\n"
+                        + "          \"id\": \"int\",\n"
+                        + "          \"name\": \"string\"\n"
+                        + "        }\n"
+                        + "      }\n"
+                        + "    }\n"
+                        + "  },\n"
+                        + "  \"sink\": {\n"
+                        + "    \"Console\": {\n"
+                        + "      \"plugin_input\": \"fake\"\n"
+                        + "    }\n"
+                        + "  }\n"
+                        + "}";
+
+        given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
+                .contentType(ContentType.JSON)
+                .body(jobConfig)
+                .post(
+                        HTTP
+                                + server.getHost()
+                                + COLON
+                                + server.getMappedPort(8080)
+                                + RestConstant.REST_URL_SUBMIT_JOB)
+                .then()
+                .statusCode(401);
+    }
+
+    /** Create a SeaTunnel container with basic authentication enabled. */
+    private GenericContainer<?> createSeaTunnelContainerWithBasicAuth()
+            throws IOException, InterruptedException {
+        String configPath =
+                PROJECT_ROOT_PATH
+                        + "/seatunnel-e2e/seatunnel-engine-e2e/connector-seatunnel-e2e-base/src/test/resources/basic-auth/seatunnel.yaml";
+
+        return createSeaTunnelContainerWithFakeSourceAndInMemorySink(configPath);
+    }
+}
diff --git a/...nnel-engine-e2e/connector-seatunnel-e2e-base/src/test/resources/basic-auth/seatunnel.yaml b/...nnel-engine-e2e/connector-seatunnel-e2e-base/src/test/resources/basic-auth/seatunnel.yaml
@@ -0,0 +1,46 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#    http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+seatunnel:
+  engine:
+    history-job-expire-minutes: 1
+    backup-count: 2
+    queue-type: blockingqueue
+    print-execution-info-interval: 10
+    classloader-cache-mode: false
+    slot-service:
+      dynamic-slot: true
+    checkpoint:
+      interval: 300000
+      timeout: 100000
+      storage:
+        type: localfile
+        max-retained: 3
+        plugin-config:
+          namespace: /tmp/seatunnel/checkpoint_snapshot/
+    http:
+        enable-http: true
+        port: 8080
+        enable-dynamic-port: false
+        enable-basic-auth: true
+        basic-auth-username: "testuser"
+        basic-auth-password: "testpassword"
+    telemetry:
+      metric:
+         enabled: false
+      logs:
+         scheduled-deletion-enable: false
diff --git a/.../main/java/org/apache/seatunnel/engine/common/config/YamlSeaTunnelDomConfigProcessor.java b/.../main/java/org/apache/seatunnel/engine/common/config/YamlSeaTunnelDomConfigProcessor.java
@@ -549,6 +549,18 @@ private HttpConfig parseHttpConfig(Node httpNode) {
                     .key()
                     .equals(name)) {
                 httpConfig.setTrustStorePassword(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.ENABLE_BASIC_AUTH
+                    .key()
+                    .equals(name)) {
+                httpConfig.setEnableBasicAuth(getBooleanValue(getTextContent(node)));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.BASIC_AUTH_USERNAME
+                    .key()
+                    .equals(name)) {
+                httpConfig.setBasicAuthUsername(getTextContent(node));
+            } else if (ServerConfigOptions.MasterServerConfigOptions.BASIC_AUTH_PASSWORD
+                    .key()
+                    .equals(name)) {
+                httpConfig.setBasicAuthPassword(getTextContent(node));
             } else {
                 LOGGER.warning("Unrecognized element: " + name);
             }