[docs] Add security documents including authentication and authorization.

loserwang1024 · loserwang1024 · commit cfe654accdff · 2025-06-10T20:32:10.000+08:00
diff --git a/website/docs/security/_category_.json b/website/docs/security/_category_.json
@@ -0,0 +1,4 @@
+{
+  "label": "Security",
+  "position": 10
+}
diff --git a/website/docs/security/authentication.md b/website/docs/security/authentication.md
@@ -0,0 +1,104 @@
+---
+sidebar_label: Authentication
+title: Security Authentication
+sidebar_position: 2
+---
+
+<!--
+ Copyright (c) 2025 Alibaba Group Holding Ltd.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+# Authentication
+Fluss provides a pluggable authentication mechanism, allowing users to configure client and server authentication methods based on their security requirements.
+
+## Overview
+Authentication in Fluss is handled through listeners, where each connection triggers a specific authentication protocol based on the configuration. Supported mechanisms include:
+* **PLAINTEXT**: Default, no authentication.
+* **SASL/PLAIN**: Username/password-based authentication.
+* **Custom plugins**: Extendable via interfaces for enterprise or third-party integrations.
+
+You can configure different authentication protocols per listener using the `security.protocol.map` property.
+
+## PLAINTEXT
+The PLAINTEXT authentication method is the default used by Fluss. It does not perform any identity verification and is suitable for:
+* Local development and debugging.
+* Internal communication within trusted clusters.
+* Lightweight deployments without access control.
+
+No additional configuration is required for this mode.
+
+## SAS/PLAIN
+SASL/PLAIN is a username/password-based authentication method that provides basic but effective security for production environments.
+
+### sasl server related configuration
+| Property Name                                                  | Description                                                               | Default Value |
+|----------------------------------------------------------------|---------------------------------------------------------------------------| --- |
+| security.sasl.enabled.mechanisms                               | Comma-separated list of enabled SASL mechanisms  (e.g., PLAIN).        | PLAIN |
+| `security.sasl.listener.name.{listenerName}.plain.jaas.config` | JAAS configuration for a specific listener and mechanism. | (none) |            | (none) |
+| `security.sasl.plain.jaas.config`                              | Global JAAS configuration for all listeners using the PLAIN mechanism.   | (none) |                     |  |
+
+⚠️ The system tries to load JAAS configurations in the following order:
+1. Listener-specific config: `security.sasl.listener.name.{listenerName}.{mechanism}.jaas.config`
+2. Mechanism-wide config: `security.sasl.{mechanism}.jaas.config`
+3. System-level fallback: `-Djava.security.auth.login.config` JVM option
+
+
+
+
+Here is an example that Port 9093 requires SASL/PLAIN authentication with who user "admin" and "fluss":
+```yaml title="conf/server.yaml"
+# port 9092 use SASL authentication for clients
+listeners: INTERNAL://localhost:9092, CLIENT://localhost:9093
+advertised.listeners: CLIENT://host1:9093, INTERNAL://host2:9092
+security.protocol.map: CLIENT:SASL, INTERNAL:PLAINTEXT
+internal.listener.name: INTERNAL
+# use SASL/PLAIN
+security.sasl.enabled.mechanisms: PLAIN
+security.sasl.plain.jaas.config: com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required user_admin="admin-pass" user_fluss="fluss-pass";
+```
+
+
+### sasl client related configuration
+Clients must specify the appropriate security protocol and authentication mechanism when connecting to Fluss brokers.
+
+| Property Name | Description | Default Value                                                         |
+| --- | --- |-----------------------------------------------------------------------|
+| client.security.protocol | The security protocol used to communicate with brokers. | PLAINTEXT                                                             |
+| client.security.sasl.mechanism | The SASL mechanism used for authentication. Only support PLAIN now, but will support more mechanisms in the future. | (none)                                                                |
+| client.security.sasl.jaas.config | JAAS configuration for SASL. If not set, falls back to system property -Djava.security.auth.login.config. |
+
+
+Here is an example client configuration(flink catalog):
+```sql title="Flink SQL"
+CREATE CATALOG fluss_catalog WITH (
+  'type' = 'fluss',
+  'bootstrap.servers' = 'fluss-server-1:9123',
+  'client.security.protocol' = 'SASL',
+  'client.sasl.mechanism' = 'PLAIN',
+  'client.sasl.jaas.plain.config' = 'com.alibaba.fluss.security.auth.sasl.plain.PlainLoginModule required username="fluss" password="fluss-pass";'
+);
+```
+
+
+## Extending Authentication Methods (For Developers)
+
+Fluss supports custom authentication logic through its plugin architecture.
+
+Steps to implement a custom authenticator:
+1. **Implement AuthenticationPlugin Interfaces**: Implement ClientAuthenticationPlugin for client-side logic and implement ServerAuthenticationPlugin for server-side logic.
+2. **Package the Plugin**: Compile your implementation into a JAR file, and then place it in the Fluss plugin directory for automatic loading.
+3. **Enable the Plugin**:  Configure the desired protocol via:
+  * `security.protocol.map` – for server-side listener authentication. 
+  * `client.security.protocol` – for client-side authentication.
diff --git a/website/docs/security/authorization.md b/website/docs/security/authorization.md
@@ -0,0 +1,141 @@
+---
+sidebar_label: Authorization
+title: Security Authorization
+sidebar_position: 3
+---
+
+<!--
+ Copyright (c) 2025 Alibaba Group Holding Ltd.
+
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+# Authorization
+
+## Configuration 
+Fluss provides a pluggable authorization framework that uses Access Control Lists (ACLs) to determine whether a given FlussPrincipal is allowed to perform an operation on a specific resource.
+
+
+| Property Name      | Description                                                      | Default Value |
+|--------------------|------------------------------------------------------------------|---------------|
+| authorizer.enabled | Specifies whether to enable the authorization feature.           | false         |
+| authorizer.type    | Specifies the type of authorizer to be used for access control. This value corresponds to the identifier of the authorization plugin. The default value is `default`, which indicates the built-in authorizer implementation. Custom authorizers can be implemented by providing a matching plugin identifier.| default       |
+| super.users        | A semicolon-separated list of superusers who have unrestricted access to all operations and resources. Each super user should be specified in the format `principal_type:principal_name`, e.g., `User:admin;User:bob`, This configuration is critical for defining administrative privileges in the system. | (none)         |
+
+## Core Components of ACLs
+
+Fluss uses an Access Control List (ACL) mechanism to enforce fine-grained permissions on resources such as clusters, databases, and tables. This allows administrators to define who (principals) can perform what actions (operations) on which objects (resources).
+
+Fluss ACLs are defined in the general format:
+```
+Principal {P} is [Allowed|Denied] Operation {O} From Host {H} on any Resource {R}.
+```
+
+### Resource
+In Fluss, a Resource represents an object to which access control can be applied. **Resources are organized in a hierarchical structure**, enabling fine-grained permission management as well as permission inheritance from higher-level scopes (e.g., database-level permissions apply to all tables within that database).
+
+There are three main types of resources:
+| Resource Type | Resource Name Format Example | Description |
+| --- | --- | --- |
+| Cluster | fluss-cluster | The cluster resource represents the entire Fluss cluster and is used for cluster-wide permissions. |
+| Database | default_db | A database resource represents a specific database within the Fluss cluster and is used for database-level permissions. |
+| Table | default_db.default_table | A table resource represents a specific table within a database and is used for table-level permissions. |
+
+This hierarchy follows this pattern:
+```text
+Cluster
+ └── Database
+     └── Table
+```
+
+### Operation
+In Fluss, an OperationType defines the type of action a principal (user or role) is attempting to perform on a resource (cluster, database, or table).
+
+| Operation Type | Description |
+|----------------| --- |
+| ANY            | Matches any operation type and is used exclusively in filters or queries to match ACL entries. It should not be used when granting actual permissions.|
+| ALL            | Grants permission for all operations on a resource. |
+| READ | Allows reading data from a resource (e.g., querying tables).|
+| WRITE | Allows writing data to a resource (e.g., inserting or updating data in tables).|
+| CREATE | Allows creating a new resource (e.g., creating a new database or table).|
+| DELETE | Allows deleting a resource (e.g., deleting a database or table).|
+| ALTER | Allows modifying the structure of a resource (e.g., altering the schema of a table).|
+| DESCRIBE | Allows describing a resource (e.g., retrieving metadata about a table).|
+
+
+Fluss implements a permission inheritance model, where certain operations imply others. This helps reduce redundancy in ACL rules by avoiding the need to explicitly grant every low-level permission.
+* ALL implies all other operations.
+* READ, WRITE, CREATE, DROP, ALTER each imply DESCRIBE.
+
+### Fluss Principal
+The FlussPrincipal is a core concept in the Fluss security architecture. It represents the identity of an authenticated entity (such as a user or service) and serves as the central bridge between authentication and authorization.Once a client successfully authenticates via a supported mechanism (e.g., SASL/PLAIN, Kerberos), a FlussPrincipal is created to represent that client's identity.
+This principal is then used throughout the system for access control decisions, linking who the user is with what they are allowed to do.
+
+The principal type indicates the category of the principal (e. g., "User", "Group", "Role"), while the name identifies the specific entity within that category. By default, the simple authorizer uses "User" as the principal type, but custom authorizers can extend this to support role-based or group-based access control lists (ACLs).
+Example usage:
+* `new FlussPrincipal("admin", "User")` – A standard user principal.
+* `new FlussPrincipal("admins", "Group")` – A group-based principal for authorization.
+
+## Operations and Resources on Protocols
+Below is a summary of the currently public protocols and their relationship with operations and resource types:
+| Protocol | Operations | Resources | Note |
+| --- | --- | --- | --- |
+| CREATE_DATABASE | CREATE | Cluster | |
+| DROP_DATABASE | DELETE | Database | |
+| LIST_DATABASES | DESCIBE | Database | Only databases that the user has permission to access are returned. Databases for which the user lacks sufficient privileges are automatically filtered from the results.  |
+| CREATE_TABLE | CREATE | Database | |
+| DROP_TABLE | DELETE | Table | |
+| GET_TABLE_INFO | DESCRIBE | Table | |
+| LIST_TABLES | DESCRIBE | Table | Only tables that the user has permission to access are returned. Tables for which the user lacks sufficient privileges are automatically filtered from the results. |
+| LIST_PARTITION_INFOS | DESCRIBE | Table | Only partitions that the user has permission to access are returned. Partitions for which the user lacks sufficient privileges are automatically filtered from the results. |
+| GET_METADATA | DESCRIBE | Table | Only metadata that the user has permission to access is returned. Metadata for which the user lacks sufficient privileges is automatically filtered from the results.|
+| PRODUCE_LOG | WRITE | Table | |
+| FETCH_LOG | READ | Table | |
+| PUT_KV | Write | Cluster | |
+| LOOKUP | Read | Cluster | |
+| INIT_WRITER | READ | TABLE | |
+| LIMIT_SCAN | READ | TABLE | |
+| PREFIX_LOOKUP | READ | TABLE | |
+| GET_DATABASE_INFO | DESCRIBE | Database | |
+| CREATE_PARTITION | WRITE | Table | |
+| DROP_PARTITION | DELETE | Table | |
+| CREATE_ACLS | ALTER | Cluster | |
+| DROP_ACLS | ALTER | Cluster | |
+| LIST_ACLS | DESCRIBE | Cluster | |
+
+## ACL Operation
+Fluss provides a FLINK SQL interface to manage Access Control Lists (ACLs) using the Flink CALL statement. This allows administrators and users to dynamically control access permissions for principals (users or roles) on various resources such as clusters, databases, and tables.
+
+The general syntax is:
+```sql title="Flink SQL"
+-- -- Use named argument
+CALL [catalog].sys.acl( action => 'LIST', resource => '%s', permission => 'ALLOW', principal => '%s', operation  => '%s');
+     
+-- Use indexed argument
+CALL [catalog].sys.acl(
+    '[action]', 
+    '[resource_type.resource_name]', 
+     '[permission]'
+    '[principal_type:principal_name]', 
+    '[operation_type]'
+);
+```
+
+| Parameter | Description                                                                                                                     |
+|----------|---------------------------------------------------------------------------------------------------------------------------------|
+| action   | The action to perform on the ACL. One of: 'ADD', 'DROP', 'LIST'                                                                 |
+| resource | The resource to apply the ACL to (e.g., fluss-cluster, fluss-cluster.db1, fluss-cluster.db1.table1)                             |
+| permission | The permission to grant or deny to the principal on the resource (e.g., ALLOW, DENY)                                            | |
+| principal | The principal to apply the ACL to (e.g., user:alice, role:admin)                                                                |
+| operation | The operation to allow or deny for the principal on the resource (e.g., READ, WRITE, CREATE, DELETE, ALTER, DESCRIBE, ANY, ALL) |
+
diff --git a/website/docs/security/overview.md b/website/docs/security/overview.md

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +{
 +  "label": "Security",
 +  "position": 10
 +}