Update RBAC documentation and configuration examples in ams-config.md and ConfigurationsTest.java

xxubai · xxubai · commit 660284598237 · 2026-03-10T23:17:30.000+08:00
diff --git a/amoro-ams/src/main/java/org/apache/amoro/server/authentication/HttpAuthenticationFactory.java b/amoro-ams/src/main/java/org/apache/amoro/server/authentication/HttpAuthenticationFactory.java
@@ -58,12 +58,13 @@ private static <T> T createAuthenticationProvider(
           .newInstance(conf);
     } catch (NoSuchMethodException e) {
       throw new IllegalStateException(
-          className + " must implement " + expected.getName()
+          className
+              + " must implement "
+              + expected.getName()
               + " and provide a public constructor (Configurations) or no-arg constructor",
           e);
     } catch (Exception e) {
-      throw new IllegalStateException(
-          "Failed to create " + className + ": " + e.getMessage(), e);
+      throw new IllegalStateException("Failed to create " + className + ": " + e.getMessage(), e);
     }
   }
 
diff --git a/amoro-ams/src/main/java/org/apache/amoro/server/authorization/RoleResolver.java b/amoro-ams/src/main/java/org/apache/amoro/server/authorization/RoleResolver.java
@@ -103,7 +103,9 @@ private static Map<String, Role> loadLocalUserRoles(Configurations serviceConfig
         .collect(
             Collectors.toMap(
                 user -> String.valueOf(user.get("username")),
-                user -> parseRole(String.valueOf(user.get("username")), String.valueOf(user.get("role"))),
+                user ->
+                    parseRole(
+                        String.valueOf(user.get("username")), String.valueOf(user.get("role"))),
                 (existing, replacement) -> {
                   LOG.warn(
                       "Duplicate authorization.users entry for role resolution, keeping last user definition");
diff --git a/amoro-ams/src/test/java/org/apache/amoro/config/ConfigurationsTest.java b/amoro-ams/src/test/java/org/apache/amoro/config/ConfigurationsTest.java
@@ -32,6 +32,8 @@
 import java.nio.file.Paths;
 import java.nio.file.StandardOpenOption;
 import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
 import java.util.Comparator;
 import java.util.List;
 import java.util.Optional;
@@ -59,14 +61,59 @@ public class ConfigurationsTest {
   public static String UPDATE_CMD =
       "UPDATE=1 ./mvnw test -pl amoro-ams -am -Dtest=ConfigurationsTest";
 
+  private static final List<String> RBAC_EXAMPLE =
+      Arrays.asList(
+          "## RBAC Example",
+          "",
+          "Enable RBAC only when you need role separation for dashboard users."
+              + " When `http-server.authorization.enabled`",
+          "is `false`, all authenticated dashboard users keep admin behavior for compatibility.",
+          "",
+          "```yaml",
+          "ams:",
+          "  http-server:",
+          "    authorization:",
+          "      enabled: true",
+          "      default-role: READ_ONLY",
+          "      admin-users:",
+          "        - alice",
+          "        - bob",
+          "      users:",
+          "        - username: admin",
+          "          password: admin",
+          "          role: ADMIN",
+          "        - username: viewer",
+          "          password: viewer123",
+          "          role: READ_ONLY",
+          "```",
+          "",
+          "```yaml",
+          "ams:",
+          "  http-server:",
+          "    login-auth-provider: org.apache.amoro.server.authentication.LdapPasswdAuthenticationProvider",
+          "    login-auth-ldap-url: \"ldap://ldap.example.com:389\"",
+          "    login-auth-ldap-user-pattern: \"uid={0},ou=people,dc=example,dc=com\"",
+          "    authorization:",
+          "      enabled: true",
+          "      default-role: READ_ONLY",
+          "      ldap-role-mapping:",
+          "        enabled: true",
+          "        admin-group-dn: \"cn=amoro-admins,ou=groups,dc=example,dc=com\"",
+          "        group-member-attribute: \"member\"",
+          "        user-dn-pattern: \"uid={0},ou=people,dc=example,dc=com\"",
+          "        bind-dn: \"cn=service-account,dc=example,dc=com\"",
+          "        bind-password: \"service-password\"",
+          "```");
+
   @Test
   public void testAmoroManagementConfDocumentation() throws Exception {
     List<AmoroConfInfo> confInfoList = new ArrayList<>();
     confInfoList.add(
         new AmoroConfInfo(
             AmoroManagementConf.class,
             "Amoro Management Service Configuration",
-            "The configuration options for Amoro Management Service (AMS)."));
+            "The configuration options for Amoro Management Service (AMS).",
+            RBAC_EXAMPLE));
     confInfoList.add(
         new AmoroConfInfo(
             ConfigShadeUtils.class,
@@ -147,6 +194,12 @@ protected void generateConfigurationMarkdown(
 
       // Add some space between different configuration sections
       output.add("");
+
+      // Add appendix content if present
+      if (confInfo.appendix != null && !confInfo.appendix.isEmpty()) {
+        output.addAll(confInfo.appendix);
+      }
+
       output.add("");
     }
 
@@ -299,11 +352,21 @@ public static class AmoroConfInfo {
     Class<?> confClass;
     String title;
     String description;
+    List<String> appendix;
 
     public AmoroConfInfo(Class<?> confClass, String title, String description) {
       this.confClass = confClass;
       this.title = title;
       this.description = description;
+      this.appendix = Collections.emptyList();
+    }
+
+    public AmoroConfInfo(
+        Class<?> confClass, String title, String description, List<String> appendix) {
+      this.confClass = confClass;
+      this.title = title;
+      this.description = description;
+      this.appendix = appendix;
     }
   }
 }
diff --git a/docs/configuration/ams-config.md b/docs/configuration/ams-config.md
@@ -91,7 +91,7 @@ table td:last-child, table th:last-child { width: 40%; word-break: break-all; }
 | http-server.authorization.ldap-role-mapping.bind-password |  | Optional LDAP bind password used when querying role-mapping groups. |
 | http-server.authorization.ldap-role-mapping.enabled | false | Whether to resolve dashboard roles from LDAP group membership. |
 | http-server.authorization.ldap-role-mapping.group-member-attribute | member | LDAP group attribute that stores member references. |
-| http-server.authorization.ldap-role-mapping.user-dn-pattern | &lt;undefined&gt; | LDAP user DN pattern used to match group members. |
+| http-server.authorization.ldap-role-mapping.user-dn-pattern | &lt;undefined&gt; | LDAP user DN pattern used to match group members. Use {0} as the username placeholder. |
 | http-server.authorization.users | &lt;undefined&gt; | Local dashboard users with username/password/role entries. |
 | http-server.bind-port | 19090 | Port that the Http server is bound to. |
 | http-server.login-auth-ldap-url | &lt;undefined&gt; | LDAP connection URL(s), value could be a SPACE separated list of URLs to multiple LDAP servers for resiliency. URLs are tried in the order specified until the connection is successful |
@@ -180,7 +180,6 @@ ams:
         bind-password: "service-password"
 ```
 
-
 ## Shade Utils Configuration
 
 The configuration options for Amoro Configuration Shade Utils.
@@ -195,4 +194,6 @@ table td:last-child, table th:last-child { width: 40%; word-break: break-all; }
 | Key  | Default | Description |
 | ---  | ------- | ----------- |
 | shade.identifier | default | The identifier of the encryption method for decryption. Defaults to "default", indicating no encryption |
-| shade.sensitive-keywords | admin-password;database.password;http-server.authorization.ldap-role-mapping.bind-password | A semicolon-separated list of keywords for the configuration items to be decrypted. |
+| shade.sensitive-keywords | admin-password;database.password | A semicolon-separated list of keywords for the configuration items to be decrypted. |
+
+
