
[Feature]: Support LDAP Authentication and Admin/Read-Only User Privileges

Open nqvuong1998 opened this issue 7 months ago • 3 comments

Description

Currently, Apache Amoro only supports a single admin user with password-based authentication. This limits the ability to integrate Amoro into enterprise environments where centralized authentication and fine-grained access control are required. To enhance Amoro's usability in such scenarios, we propose the following features:

  1. LDAP Authentication: Add support for LDAP (Lightweight Directory Access Protocol) authentication to allow integration with enterprise directory services (e.g., Active Directory, OpenLDAP). This would enable users to log in using their existing corporate credentials, improving security and administrative efficiency.

  2. Admin and Read-Only User Privileges: Introduce role-based access control (RBAC) with at least two privilege levels:

  • Admin: Full access to manage tables, configurations, and optimizations.
  • Read-Only: Limited access to view table metadata, configurations, and dashboards without the ability to modify settings or data.

Use case/motivation

  • Enterprise Integration: Many organizations rely on LDAP for centralized user management. Supporting LDAP authentication would make Amoro more compatible with enterprise security policies.

  • Security and Access Control: A single admin user creates a security bottleneck and lacks flexibility. Introducing admin and read-only roles would allow organizations to enforce least-privilege principles, reducing the risk of unauthorized changes.

  • Scalability: As Amoro is adopted in larger teams, multiple users with different roles (e.g., analysts with read-only access, admins for management) will be necessary to support collaborative workflows.

Describe the solution

  1. LDAP Authentication:
  • Integrate an LDAP client library (e.g., Apache Directory LDAP API for Java) into Amoro's authentication module.
  • Add configuration options in Amoro's settings (e.g., amoro.properties) for LDAP server details (URL, base DN, bind credentials, etc.).
  • Support LDAP group mapping to Amoro roles (e.g., map an LDAP group to admin or read-only privileges).
  • Ensure compatibility with common LDAP servers like Active Directory and OpenLDAP.
  2. Role-Based Access Control:
  • Define two roles: admin and read-only.
  • Modify the Amoro web UI and REST API to enforce role-based permissions:
    • Admin: Full access to all operations (create/delete tables, modify configurations, trigger optimizations).
    • Read-Only: Access to view dashboards, table metadata, and configurations without modification capabilities.
  • Store user roles in the Amoro catalog or an external database (if LDAP is used, roles could be derived from LDAP groups).
  • Update the authentication logic to check user roles before processing requests.
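As an added illustration (not Amoro code and not the issue author's), the following Java sketch shows the parts of this proposal that can be demonstrated without a live directory: escaping the login name before it is placed in the LDAP search filter, refusing an empty password before any bind is attempted, mapping the user's LDAP group DNs to the two roles with deny-by-default, and enforcing read-only access by HTTP method. The class name, the `ams.ldap.group.*` property names, and the group DNs are assumptions; the group DNs would in practice come from the user entry's `memberOf` attribute (Active Directory, or OpenLDAP with the memberOf overlay) or from a search over group entries' `member` attribute.

```java
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Optional;
import java.util.Properties;
import java.util.Set;

/**
 * Constructed example, not Amoro code: the pieces of the proposed LDAP login and
 * admin/read-only enforcement that need no live directory. Property names are
 * hypothetical stand-ins for whatever amoro.properties would carry.
 */
public final class LdapRoleMappingExample {

    public enum Role { ADMIN, READ_ONLY }

    static final String ADMIN_GROUP_KEY = "ams.ldap.group.admin";         // hypothetical key
    static final String READ_ONLY_GROUP_KEY = "ams.ldap.group.read-only"; // hypothetical key

    /** Escape a value for use inside an LDAP search filter (RFC 4515 section 3). */
    public static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Filter that locates the entry for a login name; the name is never concatenated raw. */
    public static String userFilter(String uidAttribute, String username) {
        return "(" + uidAttribute + "=" + escapeFilterValue(username) + ")";
    }

    /**
     * A simple bind with a DN and an empty password is an unauthenticated bind
     * (RFC 4513 section 5.1.2) and is accepted by many servers, so an empty
     * password must be rejected here rather than forwarded to the directory.
     */
    public static boolean credentialsAcceptable(String username, String password) {
        return username != null && !username.isBlank()
                && password != null && !password.isEmpty();
    }

    /** Normalise a DN enough for equality comparison: case and spacing around commas. */
    static String normalizeDn(String dn) {
        return dn.trim().replaceAll("\\s*,\\s*", ",").toLowerCase(Locale.ROOT);
    }

    /**
     * Map the group DNs of a user (for example the values of memberOf) to the highest
     * configured role. A user in no mapped group gets no role at all.
     */
    public static Optional<Role> resolveRole(Properties conf, Collection<String> groupDns) {
        Set<String> groups = new HashSet<>();
        for (String dn : groupDns) groups.add(normalizeDn(dn));
        String admin = conf.getProperty(ADMIN_GROUP_KEY);
        String readOnly = conf.getProperty(READ_ONLY_GROUP_KEY);
        if (admin != null && groups.contains(normalizeDn(admin))) return Optional.of(Role.ADMIN);
        if (readOnly != null && groups.contains(normalizeDn(readOnly))) return Optional.of(Role.READ_ONLY);
        return Optional.empty();
    }

    /** Read-only users may only issue methods that cannot change state. */
    public static boolean isAllowed(Role role, String httpMethod) {
        if (role == Role.ADMIN) return true;
        String m = httpMethod.toUpperCase(Locale.ROOT);
        return m.equals("GET") || m.equals("HEAD");
    }

    public static void main(String[] args) {
        Properties conf = new Properties(); // constructed configuration
        conf.setProperty(ADMIN_GROUP_KEY, "cn=amoro-admins,ou=groups,dc=example,dc=com");
        conf.setProperty(READ_ONLY_GROUP_KEY, "cn=amoro-viewers,ou=groups,dc=example,dc=com");

        // Constructed memberOf values, with the spacing and case a directory may return.
        List<String> analystGroups = List.of("CN=amoro-viewers, OU=groups, DC=example, DC=com");
        List<String> outsiderGroups = List.of("cn=finance,ou=groups,dc=example,dc=com");

        System.out.println(userFilter("uid", "alice)(uid=*"));
        System.out.println(credentialsAcceptable("alice", ""));
        Optional<Role> analyst = resolveRole(conf, analystGroups);
        System.out.println(analyst);
        System.out.println(resolveRole(conf, outsiderGroups));
        System.out.println(isAllowed(analyst.get(), "GET"));
        System.out.println(isAllowed(analyst.get(), "POST"));
    }
}
```

Two design points worth carrying into a real implementation: the bind credentials configured for the service account are secrets and belong in the same protected place as other Amoro credentials, not in a world-readable properties file; and if the REST API uses POST for read-only queries, a method-based rule like `isAllowed` needs an explicit allowlist of those paths, otherwise read-only users lose legitimate views or, if the rule is loosened, gain write access.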

Subtasks

No response

Related issues

No response

Are you willing to submit a PR?

  • [ ] Yes I am willing to submit a PR!

nqvuong1998 · May 13 '25 14:05

cc @zhoujinsong @ihadoop

nqvuong1998 · May 13 '25 14:05

Thanks for the detailed description. Maybe we can draft an AIP for this feature

klion26 · May 15 '25 01:05

@nqvuong1998 Thanks for proposing this feature. We've actually been considering implementing similar functionality for a while, but due to limited resources and other practical constraints, it hasn't been realized yet.

Internally, we mainly use Amoro for datalake maintenance, so end users are typically unaware of it. However, since Amoro provides a user-friendly dashboard and detailed table information, there are indeed some users who are interested in viewing the details and optimization status of their own tables.

Therefore, I believe this is a valuable feature to implement. That said, it might require a contributor to drive the development. If you have a strong need for it, feel free to start a discussion or open a task—we'd be happy to support it.

xxubai · May 30 '25 14:05

@klion26 @xxubai @nqvuong1998 Teachers, can you consider assigning this task to me? I am willing to work hard to complete it. If I encounter any problems during this period, I will communicate with you and give feedback in time. I also hope that the teachers can provide some help. Thank you very much.

lsyulong · Jul 12 '25 10:07

Hi @xxubai, I can't log in to this website. Do I need to re-register an account? Can you help me? https://cwiki.apache.org/confluence/display/AMORO/Amoro+Improvement+Proposals

lsyulong · Jul 15 '25 10:07