[server][auth] Support SASL/PLAIN authentication.

Author: loserwang1024

fluss-auth/fluss-auth-sasl/pom.xml

@@ -0,0 +1,63 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Copyright (c) 2025 Alibaba Group Holding Ltd.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>com.alibaba.fluss</groupId>
+        <artifactId>fluss-auth</artifactId>
+        <version>0.7-SNAPSHOT</version>
+    </parent>
+
+    <artifactId>fluss-auth-sasl</artifactId>
+
+    <dependencies>
+        <dependency>
+            <groupId>com.alibaba.fluss</groupId>
+            <artifactId>fluss-common</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba.fluss</groupId>
+            <artifactId>fluss-common</artifactId>
+            <version>${project.version}</version>
+            <type>test-jar</type>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba.fluss</groupId>
+            <artifactId>fluss-rpc</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba.fluss</groupId>
+            <artifactId>fluss-rpc</artifactId>
+            <version>${project.version}</version>
+            <type>test-jar</type>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.alibaba.fluss</groupId>
+            <artifactId>fluss-test-utils</artifactId>
+            <version>${project.version}</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/AuthenticateCallbackHandler.java

@@ -0,0 +1,28 @@
+/*
+ * Copyright (c) 2025 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.fluss.security.auth.sasl;
+
+import javax.security.auth.callback.CallbackHandler;
+import javax.security.auth.login.AppConfigurationEntry;
+
+import java.util.List;
+
+/** An extension of {@link CallbackHandler} for Fluss that provides additional configuration. */
+public interface AuthenticateCallbackHandler extends CallbackHandler {
+
+    void configure(String saslMechanism, List<AppConfigurationEntry> jaasConfigEntries);
+}

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/authenticator/SaslAuthenticationPlugin.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright (c) 2025 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.fluss.security.auth.sasl.authenticator;
+
+import com.alibaba.fluss.config.Configuration;
+import com.alibaba.fluss.security.auth.ClientAuthenticationPlugin;
+import com.alibaba.fluss.security.auth.ClientAuthenticator;
+import com.alibaba.fluss.security.auth.ServerAuthenticationPlugin;
+import com.alibaba.fluss.security.auth.ServerAuthenticator;
+
+/** Authentication plugin for SASL. */
+public class SaslAuthenticationPlugin
+        implements ClientAuthenticationPlugin, ServerAuthenticationPlugin {
+    static final String SASL_AUTH_PROTOCOL = "sasl";
+
+    @Override
+    public ClientAuthenticator createClientAuthenticator(Configuration configuration) {
+        return new SaslClientAuthenticator(configuration);
+    }
+
+    @Override
+    public ServerAuthenticator createServerAuthenticator(Configuration configuration) {
+        return new SaslServerAuthenticator(configuration);
+    }
+
+    @Override
+    public String authProtocol() {
+        return SASL_AUTH_PROTOCOL;
+    }
+}

fluss-auth/fluss-auth-sasl/src/main/java/com/alibaba/fluss/security/auth/sasl/authenticator/SaslClientAuthenticator.java

@@ -0,0 +1,120 @@
+/*
+ * Copyright (c) 2025 Alibaba Group Holding Ltd.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package com.alibaba.fluss.security.auth.sasl.authenticator;
+
+import com.alibaba.fluss.config.ConfigOption;
+import com.alibaba.fluss.config.Configuration;
+import com.alibaba.fluss.exception.AuthenticationException;
+import com.alibaba.fluss.security.auth.ClientAuthenticator;
+import com.alibaba.fluss.security.auth.sasl.jaas.JaasContext;
+import com.alibaba.fluss.security.auth.sasl.jaas.LoginManager;
+
+import javax.annotation.Nullable;
+import javax.security.auth.login.LoginException;
+import javax.security.sasl.SaslClient;
+
+import java.util.Map;
+
+import static com.alibaba.fluss.config.ConfigBuilder.key;
+import static com.alibaba.fluss.security.auth.sasl.jaas.JaasContext.SASL_JAAS_CONFIG;
+import static com.alibaba.fluss.security.auth.sasl.jaas.SaslServerFactory.createSaslClient;
+
+/** An authenticator that uses SASL to authenticate with a server. */
+public class SaslClientAuthenticator implements ClientAuthenticator {
+    public static final String CLIENT_SECURITY_PREFIX = "client.security.sasl.";
+    private static final ConfigOption<String> CLIENT_MECHANISM =
+            key(CLIENT_SECURITY_PREFIX + "mechanism")
+                    .stringType()
+                    .noDefaultValue()
+                    .withDescription(
+                            "SASL mechanism to use for authentication.Currently, we only support plain.");
+
+    private static final ConfigOption<String> CLIENT_SASL_JAAS_CONFIG =
+            key(CLIENT_SECURITY_PREFIX + SASL_JAAS_CONFIG)
+                    .stringType()
+                    .noDefaultValue()
+                    .withDescription(
+                            "JAAS configuration string for the client. If not provided, uses the JVM option -Djava.security.auth.login.config. \n"
+                                    + "Example: com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required username=\"admin\" password=\"wrong-secret\")");
+    private final String mechanism;
+    private final Map<String, String> pros;
+    private final String jaasConfig;
+
+    private SaslClient saslClient;
+    private LoginManager loginManager;
+
+    public SaslClientAuthenticator(Configuration configuration) {
+        this.mechanism = configuration.get(CLIENT_MECHANISM).toUpperCase();
+        this.jaasConfig = configuration.getString(CLIENT_SASL_JAAS_CONFIG);
+        this.pros = configuration.toMap();
+    }
+
+    @Override
+    public String protocol() {
+        return mechanism;
+    }
+
+    @Nullable
+    @Override
+    public byte[] authenticate(byte[] data) throws AuthenticationException {
+        try {
+            return saslClient.evaluateChallenge(data);
+        } catch (Exception e) {
+            throw new AuthenticationException("Failed to evaluate SASL challenge", e);
+        }
+    }
+
+    @Override
+    public boolean isCompleted() {
+        return saslClient.isComplete();
+    }
+
+    @Override
+    public boolean hasInitialTokenResponse() {
+        return saslClient.hasInitialResponse();
+    }
+
+    @Override
+    public void initialize(AuthenticateContext context) throws AuthenticationException {
+        String hostAddress = context.ipAddress();
+        JaasContext jaasContext = JaasContext.loadClientContext(jaasConfig);
+
+        try {
+            loginManager = LoginManager.acquireLoginManager(jaasContext);
+        } catch (LoginException exception) {
+            throw new AuthenticationException("Failed to load login manager", exception);
+        }
+
+        try {
+            saslClient = createSaslClient(mechanism, hostAddress, pros, loginManager);
+        } catch (Exception e) {
+            throw new AuthenticationException("Failed to create SASL client", e);
+        }
+
+        if (saslClient == null) {
+            throw new AuthenticationException(
+                    "Unable to find a matching SASL mechanism for " + mechanism);
+        }
+    }
+
+    @Override
+    public void close() {
+        if (loginManager != null) {
+            loginManager.release();
+        }
+    }
+}