[KYUUBI #XXXX] Support IP and user allowlist for connection access control#7392
Open
fightBoxing wants to merge 2 commits intoapache:masterfrom
Open
[KYUUBI #XXXX] Support IP and user allowlist for connection access control#7392fightBoxing wants to merge 2 commits intoapache:masterfrom
fightBoxing wants to merge 2 commits intoapache:masterfrom
Conversation
### _Why are the changes needed?_ Currently, Kyuubi supports IP deny list (ip.deny.list) to block specific IPs from connecting. However, in some security-sensitive environments, administrators need the opposite approach - only allowing specific trusted IPs to connect (allowlist/whitelist pattern). This is a common security requirement for production deployments. ### _How was this patch tested?_ - Added 5 unit test cases in SessionLimiterSuite: - test session limiter with ip allowlist - test session limiter ip allowlist with multiple ips - test session limiter empty ip allowlist allows all ips - test session limiter ip deny list has higher priority than ip allowlist - test refresh ip allowlist ### _Was this patch authored or co-authored using generative AI tooling?_ No ### Changes: - Add SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST config in KyuubiConf - Add ipAllowlist field in SessionLimiterWithAccessControlListImpl - Add ip allowlist check in SessionLimiter.increment() - Add getIpAllowlist/refreshIpAllowlist in KyuubiSessionManager - Add refreshIpAllowlist() in KyuubiServer - Add REST API endpoint POST /api/v1/admin/refresh/ip_allowlist - When ip.deny.list and ip.allowlist both contain the same IP, deny list takes higher priority
Add user allowlist feature (kyuubi.server.limit.connections.user.allowlist) that restricts which users can connect to Kyuubi server. Changes: - Add SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST config in KyuubiConf - Add userAllowlist field in SessionLimiterWithAccessControlListImpl - Add user allowlist check in SessionLimiter.increment() - Add getUserAllowlist/refreshUserAllowlist in KyuubiSessionManager - Add refreshUserAllowlist() in KyuubiServer - Add REST API endpoint POST /api/v1/admin/refresh/user_allowlist - Add 5 test cases in SessionLimiterSuite - When user.deny.list and user.allowlist both contain the same user, deny list takes higher priority
fightBoxing
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why are the changes needed?
Currently, Kyuubi supports deny lists (
user.deny.listandip.deny.list) to block specific users/IPs from connecting. However, in some security-sensitive environments, administrators need the opposite approach — only allowing specific trusted users/IPs to connect (allowlist/whitelist pattern). This is a common security requirement for production deployments.This PR adds two new configurations:
kyuubi.server.limit.connections.ip.allowlist: when non-empty, only permits connections from the listed IPskyuubi.server.limit.connections.user.allowlist: when non-empty, only permits connections from the listed usersWhen the lists are empty (default), no restriction is applied.
How was this patch tested?
SessionLimiterSuite:Was this patch authored or co-authored using generative AI tooling?
No
Changes:
IP Allowlist:
SERVER_LIMIT_CONNECTIONS_IP_ALLOWLISTconfig in KyuubiConf (kyuubi.server.limit.connections.ip.allowlist)ipAllowlistfield inSessionLimiterWithAccessControlListImplSessionLimiter.increment()getIpAllowlist/refreshIpAllowlistinKyuubiSessionManagerrefreshIpAllowlist()inKyuubiServerPOST /api/v1/admin/refresh/ip_allowlistUser Allowlist:
SERVER_LIMIT_CONNECTIONS_USER_ALLOWLISTconfig in KyuubiConf (kyuubi.server.limit.connections.user.allowlist)userAllowlistfield inSessionLimiterWithAccessControlListImplSessionLimiter.increment()getUserAllowlist/refreshUserAllowlistinKyuubiSessionManagerrefreshUserAllowlist()inKyuubiServerPOST /api/v1/admin/refresh/user_allowlistPriority Note:
ip.deny.listandip.allowlist, the deny list takes higher priorityuser.deny.listanduser.allowlist, the deny list takes higher priority