Skip to content

[Feature][Zeta] Support basic authentication for web ui #9171

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 12 commits into from
Apr 17, 2025
Merged

[Feature][Zeta] Support basic authentication for web ui #9171

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
12 commits
Select commit Hold shift + click to select a range
b960775
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 14, 2025
1e1292c
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 14, 2025
8ca473d
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 14, 2025
3824d47
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 14, 2025
b904c8a
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 14, 2025
624a54f
Merge remote-tracking branch 'upstream/dev' into feature_http_auth
CosmosNi Apr 14, 2025
9cdd190
Merge remote-tracking branch 'upstream/dev' into feature_http_auth
CosmosNi Apr 15, 2025
8e692cb
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 15, 2025
67734dc
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 16, 2025
afc3e98
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 16, 2025
b87ecd3
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 17, 2025
fb0ce8b
[Feature][Zeta] Support Basic Authentication for web ui
CosmosNi Apr 17, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions config/seatunnel.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,3 +44,7 @@ seatunnel:
enable-http: true
port: 8080
enable-dynamic-port: false
# Uncomment the following lines to enable basic authentication for web UI
# enable-basic-auth: true
# basic-auth-username: admin
# basic-auth-password: admin
21 changes: 21 additions & 0 deletions docs/en/seatunnel-engine/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,26 @@
# Security

## Basic Authentication

You can secure your Web UI by enabling basic authentication. This will require users to enter a username and password when accessing the web interface.

| Parameter Name | Required | Description |
|----------------|----------|-------------|
| `enable-basic-auth` | No | Whether to enable basic authentication, default is `false` |
| `basic-auth-username` | No | The username for basic authentication, default is `admin` |
| `basic-auth-password` | No | The password for basic authentication, default is `admin` |

```yaml
seatunnel:
engine:
http:
enable-http: true
port: 8080
enable-basic-auth: true
basic-auth-username: "your_username"
basic-auth-password: "your_password"
```

## HTTPS Configuration

You can secure your REST-API-V2 service by enabling HTTPS. Both HTTP and HTTPS can be enabled simultaneously, or only one of them can be enabled.
Expand Down
21 changes: 21 additions & 0 deletions docs/zh/seatunnel-engine/security.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,27 @@ sidebar_position: 16

# Security

## Basic 认证

您可以通过开启 Basic 认证来保护您的 Web UI。这将要求用户在访问 Web 界面时输入用户名和密码。

| 参数名称 | 是否必填 | 参数描述 |
|--------|---------|--------|
| `enable-basic-auth` | 否 | 是否开启Basic 认证,默认为 `false` |
| `basic-auth-username` | 否 | Basic 认证的用户名,默认为 `admin` |
| `basic-auth-password` | 否 | Basic 认证的密码,默认为 `admin` |

```yaml
seatunnel:
engine:
http:
enable-http: true
port: 8080
enable-basic-auth: true
basic-auth-username: "your_username"
basic-auth-password: "your_password"
```

## HTTPS 配置

您可以通过开启 HTTPS 来保护您的 API 服务。HTTP 和 HTTPS 可同时开启,也可以只开启其中一个。
Expand Down
266 changes: 266 additions & 0 deletions ...atunnel-e2e-base/src/test/java/org/apache/seatunnel/engine/e2e/BasicAuthenticationIT.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,266 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/

package org.apache.seatunnel.engine.e2e;

import org.apache.seatunnel.engine.server.rest.RestConstant;

import org.awaitility.Awaitility;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.testcontainers.containers.GenericContainer;

import io.restassured.http.ContentType;
import io.restassured.response.Response;

import java.io.IOException;
import java.util.Base64;
import java.util.concurrent.TimeUnit;

import static io.restassured.RestAssured.given;
import static org.apache.seatunnel.e2e.common.util.ContainerUtil.PROJECT_ROOT_PATH;
import static org.hamcrest.Matchers.containsString;
import static org.hamcrest.Matchers.notNullValue;

/** Integration test for basic authentication in SeaTunnel Engine. */
public class BasicAuthenticationIT extends SeaTunnelEngineContainer {

private static final String HTTP = "http://";
private static final String COLON = ":";
private static final String USERNAME = "testuser";
private static final String PASSWORD = "testpassword";
private static final String BASIC_AUTH_HEADER = "Authorization";
private static final String BASIC_AUTH_PREFIX = "Basic ";

@Override
@BeforeEach
public void startUp() throws Exception {
// Create server with basic authentication enabled

server = createSeaTunnelContainerWithBasicAuth();
// Wait for server to be ready
Awaitility.await()
.atMost(2, TimeUnit.MINUTES)
.until(
() -> {
try {
// Try to access with correct credentials
String credentials = USERNAME + ":" + PASSWORD;
String encodedCredentials =
Base64.getEncoder().encodeToString(credentials.getBytes());

given().header(
BASIC_AUTH_HEADER,
BASIC_AUTH_PREFIX + encodedCredentials)
.get(
HTTP
+ server.getHost()
+ COLON
+ server.getMappedPort(8080)
+ "/")
.then()
.statusCode(200);
return true;
} catch (Exception e) {
return false;
}
});
}

@Override
@AfterEach
public void tearDown() throws Exception {
super.tearDown();
}

/**
* Test that accessing the web UI without authentication credentials returns 401 Unauthorized.
*/
@Test
public void testAccessWithoutCredentials() {
given().get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
.then()
.statusCode(401);
}

/** Test that accessing the web UI with incorrect credentials returns 401 Unauthorized. */
@Test
public void testAccessWithIncorrectCredentials() {
String credentials = "wronguser:wrongpassword";
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
.then()
.statusCode(401);
}

/** Test that accessing the web UI with correct credentials returns 200 OK. */
@Test
public void testAccessWithCorrectCredentials() {
String credentials = USERNAME + ":" + PASSWORD;
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.get(HTTP + server.getHost() + COLON + server.getMappedPort(8080) + "/")
.then()
.statusCode(200)
.contentType(containsString("text/html"))
.body(containsString("<title>Seatunnel Engine UI</title>"));
}

/** Test that accessing the REST API with correct credentials returns 200 OK. */
@Test
public void testRestApiAccessWithCorrectCredentials() {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a new test case with testRestApiAccessWithIncorrectCredentials

String credentials = USERNAME + ":" + PASSWORD;
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.get(
HTTP
+ server.getHost()
+ COLON
+ server.getMappedPort(8080)
+ RestConstant.REST_URL_OVERVIEW)
.then()
.statusCode(200)
.body("projectVersion", notNullValue());
}

/** Test that accessing the REST API with Incorrect credentials returns 200 OK. */
@Test
public void testRestApiAccessWithIncorrectCredentials() {
String credentials = "wronguser:wrongpassword";
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.get(
HTTP
+ server.getHost()
+ COLON
+ server.getMappedPort(8080)
+ RestConstant.REST_URL_OVERVIEW)
.then()
.statusCode(401);
}

/** Test submitting a job via REST API with correct credentials. */
@Test
public void testSubmitJobWithCorrectCredentials() {
String credentials = USERNAME + ":" + PASSWORD;
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

// Simple batch job configuration
String jobConfig =
"{\n"
+ " \"env\": {\n"
+ " \"job.mode\": \"batch\"\n"
+ " },\n"
+ " \"source\": [\n"
+ " {\n"
+ " \"plugin_name\": \"FakeSource\",\n"
+ " \"plugin_output\": \"fake\",\n"
+ " \"row.num\": 100,\n"
+ " \"schema\": {\n"
+ " \"fields\": {\n"
+ " \"name\": \"string\",\n"
+ " \"age\": \"int\",\n"
+ " \"card\": \"int\"\n"
+ " }\n"
+ " }\n"
+ " }\n"
+ " ],\n"
+ " \"transform\": [\n"
+ " ],\n"
+ " \"sink\": [\n"
+ " {\n"
+ " \"plugin_name\": \"InMemory\",\n"
+ " \"plugin_input\": \"fake\",\n"
+ " \"throw_exception\": true\n"
+ " }\n"
+ " ]\n"
+ "}";

Response response =
given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.contentType(ContentType.JSON)
.body(jobConfig)
.post(
HTTP
+ server.getHost()
+ COLON
+ server.getMappedPort(8080)
+ RestConstant.REST_URL_SUBMIT_JOB);

response.then().statusCode(200).body("jobId", notNullValue());
}

/** Test submitting a job via REST API with incorrect credentials. */
@Test
public void testSubmitJobWithIncorrectCredentials() {
String credentials = "wronguser:wrongpassword";
String encodedCredentials = Base64.getEncoder().encodeToString(credentials.getBytes());

// Simple batch job configuration
String jobConfig =
"{\n"
+ " \"env\": {\n"
+ " \"job.mode\": \"BATCH\"\n"
+ " },\n"
+ " \"source\": {\n"
+ " \"FakeSource\": {\n"
+ " \"plugin_output\": \"fake\",\n"
+ " \"row.num\": 100,\n"
+ " \"schema\": {\n"
+ " \"fields\": {\n"
+ " \"id\": \"int\",\n"
+ " \"name\": \"string\"\n"
+ " }\n"
+ " }\n"
+ " }\n"
+ " },\n"
+ " \"sink\": {\n"
+ " \"Console\": {\n"
+ " \"plugin_input\": \"fake\"\n"
+ " }\n"
+ " }\n"
+ "}";

given().header(BASIC_AUTH_HEADER, BASIC_AUTH_PREFIX + encodedCredentials)
.contentType(ContentType.JSON)
.body(jobConfig)
.post(
HTTP
+ server.getHost()
+ COLON
+ server.getMappedPort(8080)
+ RestConstant.REST_URL_SUBMIT_JOB)
.then()
.statusCode(401);
}

/** Create a SeaTunnel container with basic authentication enabled. */
private GenericContainer<?> createSeaTunnelContainerWithBasicAuth()
throws IOException, InterruptedException {
String configPath =
PROJECT_ROOT_PATH
+ "/seatunnel-e2e/seatunnel-engine-e2e/connector-seatunnel-e2e-base/src/test/resources/basic-auth/seatunnel.yaml";

return createSeaTunnelContainerWithFakeSourceAndInMemorySink(configPath);
}
}
46 changes: 46 additions & 0 deletions ...nnel-engine-e2e/connector-seatunnel-e2e-base/src/test/resources/basic-auth/seatunnel.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,46 @@
#
# Licensed to the Apache Software Foundation (ASF) under one or more
# contributor license agreements. See the NOTICE file distributed with
# this work for additional information regarding copyright ownership.
# The ASF licenses this file to You under the Apache License, Version 2.0
# (the "License"); you may not use this file except in compliance with
# the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#

seatunnel:
engine:
history-job-expire-minutes: 1
backup-count: 2
queue-type: blockingqueue
print-execution-info-interval: 10
classloader-cache-mode: false
slot-service:
dynamic-slot: true
checkpoint:
interval: 300000
timeout: 100000
storage:
type: localfile
max-retained: 3
plugin-config:
namespace: /tmp/seatunnel/checkpoint_snapshot/
http:
enable-http: true
port: 8080
enable-dynamic-port: false
enable-basic-auth: true
basic-auth-username: "testuser"
basic-auth-password: "testpassword"
telemetry:
metric:
enabled: false
logs:
scheduled-deletion-enable: false
12 changes: 12 additions & 0 deletions .../main/java/org/apache/seatunnel/engine/common/config/YamlSeaTunnelDomConfigProcessor.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -549,6 +549,18 @@ private HttpConfig parseHttpConfig(Node httpNode) {
.key()
.equals(name)) {
httpConfig.setTrustStorePassword(getTextContent(node));
} else if (ServerConfigOptions.MasterServerConfigOptions.ENABLE_BASIC_AUTH
.key()
.equals(name)) {
httpConfig.setEnableBasicAuth(getBooleanValue(getTextContent(node)));
} else if (ServerConfigOptions.MasterServerConfigOptions.BASIC_AUTH_USERNAME
.key()
.equals(name)) {
httpConfig.setBasicAuthUsername(getTextContent(node));
} else if (ServerConfigOptions.MasterServerConfigOptions.BASIC_AUTH_PASSWORD
.key()
.equals(name)) {
httpConfig.setBasicAuthPassword(getTextContent(node));
} else {
LOGGER.warning("Unrecognized element: " + name);
}
Expand Down
Loading