
Add LDAP/Active Directory Authentication Support for Broker and Controller

Status: Open. ayushbilala opened this issue 5 months ago • 8 comments

Pinot currently lacks built-in LDAP/Active Directory authentication support for securing Broker and Controller REST APIs. This feature request proposes adding configurable LDAP authentication to enable enterprise integration with existing directory services.

Problem Statement

Organizations using Apache Pinot need to:

  1. Integrate with existing LDAP/Active Directory infrastructure
  2. Authenticate users accessing Pinot Query Console and REST APIs
  3. Secure broker query endpoints and controller management APIs
  4. Support standard Basic Authentication with LDAP backend validation

Currently, Pinot has limited authentication options, making it challenging for enterprises to deploy Pinot in environments with strict security requirements.

Backward Compatibility

  • Fully backward compatible: Existing deployments without LDAP config continue to work
  • Opt-in feature: Only enabled when authentication.factory.class is configured
  • No breaking changes: All changes are additive, no modifications to existing APIs

Future Enhancements (Not in Initial PR)

This feature lays the groundwork for future authentication/authorization enhancements:

  1. RBAC Authorization (Separate PR)

    • File-based authorization policies
    • Table-level permissions
    • Endpoint-level access control
  2. UI Session Management (Separate PR)

    • Browser session persistence
    • Auto-restore on page refresh
  3. Advanced Features (Future)

    • OAuth/OIDC support

ayushbilala, Oct 07 '25 12:10
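The "Basic Authentication with LDAP backend validation" flow the request asks for, as an added illustration that is not Pinot's code or the patch discussed in this thread: it assumes a stand-in bind function and a fixed DN template (both constructed here) in place of a real directory, and shows the checks such a validator needs, namely rejecting a malformed header, an empty password (which a directory would accept as an anonymous bind) and user names that would alter the bind DN.

```python
import base64
import binascii
from typing import Callable, Optional, Tuple

# Constructed stand-in for a directory (assumption): bind DN -> password.
FAKE_DIRECTORY = {"uid=alice,ou=users,dc=example,dc=com": "correct horse"}


def fake_ldap_bind(dn: str, password: str) -> bool:
    """Stand-in for an LDAP simple bind. Like many real servers, an empty
    password is accepted as an *anonymous* bind, so a caller that forwards
    an empty password would see 'success' for any user."""
    if password == "":
        return True
    return FAKE_DIRECTORY.get(dn) == password


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from an HTTP Basic header, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header: Optional[str],
                 bind: Callable[[str, str], bool] = fake_ldap_bind,
                 dn_template: str = "uid={user},ou=users,dc=example,dc=com") -> bool:
    """Validate a Basic credential by binding as the user; False on any doubt."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    if password == "":          # never let an empty password reach the bind
        return False
    if any(ch in user for ch in ',+"\\<>;#='):  # would alter the bind DN
        return False
    return bind(dn_template.format(user=user), password)


def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
```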

Hi @ayushbilala, thanks for raising this feature request. Are you going to work on this?

Jackie-Jiang, Oct 13 '25 18:10

Hey @Jackie-Jiang, yes, I'll pick it up.

ayushbilala, Oct 16 '25 18:10

Hi @ayushbilala, have you already started working on this? We have a draft patch with basic + LDAP auth internally, which we planned on pushing to OS. Let me know if you have already started working on this.

NihalJain, Oct 22 '25 05:10

Hi @ayushbilala, should I go ahead and create a PR for this change?

NihalJain, Oct 30 '25 05:10

Hi @NihalJain, I would suggest submitting a PR and we can review it all together.

xiangfu0, Nov 01 '25 08:11

@NihalJain Sorry, I missed your comment earlier. Yes, I did spend some time on it. If you’re ready with your changes, we can review them together.

ayushbilala, Nov 02 '25 18:11

Thank you @xiangfu0 and @ayushbilala. Thanks for your response. I will raise a PR soon.

I plan to do this in the following order:

  • https://github.com/apache/pinot/pull/15861 - Will pull this change, apply it on master and resubmit it this week. This change allows us to avoid duplicate auth code for any new implementation.
  • Then apply our internal LDAP implementation change on master on top of the previous change; tentatively will raise it by the following week.

NihalJain, Nov 03 '25 04:11

Sorry for the delay here. I added #17295 to have parity between the existing implementations in terms of RLS, which is essential for a refactoring. Once this is done, I plan to take up the changes mentioned above.

NihalJain, Dec 01 '25 17:12