apache · lightning-L · Feb 24, 2023 · Feb 26, 2023
diff --git a/docs/deployment/settings.md b/docs/deployment/settings.md
@@ -451,6 +451,7 @@ You can configure the Kyuubi properties in `$KYUUBI_HOME/conf/kyuubi-defaults.co
 
 |                           Key                            |      Default      |                                                                                                                    Meaning                                                                                                                     |   Type   | Since |
 |----------------------------------------------------------|-------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------|-------|
+| kyuubi.server.admin.users                                                   || Comma-separated list of Kyuubi service admin users. We use this config to grant admin permission to any service accounts.                                                                                                                      | seq      | 1.8.0 |
 | kyuubi.server.info.provider                              | ENGINE            | The server information provider name, some clients may rely on this information to check the server compatibilities and functionalities. <li>SERVER: Return Kyuubi server information.</li> <li>ENGINE: Return Kyuubi engine information.</li> | string   | 1.6.1 |
 | kyuubi.server.limit.batch.connections.per.ipaddress      | &lt;undefined&gt; | Maximum kyuubi server batch connections per ipaddress. Any user exceeding this limit will not be allowed to connect.                                                                                                                           | int      | 1.7.0 |
 | kyuubi.server.limit.batch.connections.per.user           | &lt;undefined&gt; | Maximum kyuubi server batch connections per user. Any user exceeding this limit will not be allowed to connect.                                                                                                                                | int      | 1.7.0 |

diff --git a/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala b/kyuubi-common/src/main/scala/org/apache/kyuubi/config/KyuubiConf.scala
@@ -2429,6 +2429,16 @@ object KyuubiConf {
       .timeConf
       .createWithDefaultString("PT30M")
 
+  val SERVER_ADMIN_USERS: ConfigEntry[Seq[String]] =
+    buildConf("kyuubi.server.admin.users")
+      .doc("Comma-separated list of Kyuubi service admin users. " +
+        "We use this config to grant admin permission to any service accounts.")
+      .version("1.8.0")
+      .serverOnly
+      .stringConf
+      .toSequence()
+      .createWithDefault(Seq.empty)
+
   val OPERATION_SPARK_LISTENER_ENABLED: ConfigEntry[Boolean] =
     buildConf("kyuubi.operation.spark.listener.enabled")
       .doc("When set to true, Spark engine registers an SQLOperationListener before executing " +

diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/api/v1/AdminResource.scala
@@ -41,7 +41,8 @@ import org.apache.kyuubi.server.api.ApiRequestContext
 @Tag(name = "Admin")
 @Produces(Array(MediaType.APPLICATION_JSON))
 private[v1] class AdminResource extends ApiRequestContext with Logging {
-  private lazy val administrator = Utils.currentUser
+  private lazy val administrators = Set(Utils.currentUser) ++
+    fe.getConf.get(KyuubiConf.SERVER_ADMIN_USERS)
 
   @ApiResponse(
     responseCode = "200",
@@ -54,7 +55,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
     val userName = fe.getSessionUser(Map.empty[String, String])
     val ipAddress = fe.getIpAddress
     info(s"Receive refresh Kyuubi server hadoop conf request from $userName/$ipAddress")
-    if (!userName.equals(administrator)) {
+    if (!administrators.contains(userName)) {
       throw new NotAllowedException(
         s"$userName is not allowed to refresh the Kyuubi server hadoop conf")
     }
@@ -73,7 +74,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
     val userName = fe.getSessionUser(Map.empty[String, String])
     val ipAddress = fe.getIpAddress
     info(s"Receive refresh user defaults conf request from $userName/$ipAddress")
-    if (!userName.equals(administrator)) {
+    if (!administrators.contains(userName)) {
       throw new NotAllowedException(
         s"$userName is not allowed to refresh the user defaults conf")
     }
@@ -92,7 +93,7 @@ private[v1] class AdminResource extends ApiRequestContext with Logging {
     val userName = fe.getSessionUser(Map.empty[String, String])
     val ipAddress = fe.getIpAddress
     info(s"Receive refresh unlimited users request from $userName/$ipAddress")
-    if (!userName.equals(administrator)) {
+    if (!administrators.contains(userName)) {
       throw new NotAllowedException(
         s"$userName is not allowed to refresh the unlimited users")
     }

diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/server/api/v1/AdminResourceSuite.scala
@@ -37,6 +37,9 @@ class AdminResourceSuite extends KyuubiFunSuite with RestFrontendTestHelper {
 
   private val engineMgr = new KyuubiApplicationManager()
 
+  override protected lazy val conf: KyuubiConf = KyuubiConf()
+    .set(KyuubiConf.SERVER_ADMIN_USERS, Seq("admin001"))
+
   override def beforeAll(): Unit = {
     super.beforeAll()
     engineMgr.initialize(KyuubiConf())
@@ -64,6 +67,24 @@ class AdminResourceSuite extends KyuubiFunSuite with RestFrontendTestHelper {
       .header(AUTHORIZATION_HEADER, s"BASIC $encodeAuthorization")
       .post(null)
     assert(200 == response.getStatus)
+
+    val admin001AuthHeader = new String(
+      Base64.getEncoder.encode("admin001".getBytes()),
+      "UTF-8")
+    response = webTarget.path("api/v1/admin/refresh/hadoop_conf")
+      .request()
+      .header(AUTHORIZATION_HEADER, s"BASIC $admin001AuthHeader")
+      .post(null)
+    assert(200 == response.getStatus)
+
+    val admin002AuthHeader = new String(
+      Base64.getEncoder.encode("admin002".getBytes()),
+      "UTF-8")
+    response = webTarget.path("api/v1/admin/refresh/hadoop_conf")
+      .request()
+      .header(AUTHORIZATION_HEADER, s"BASIC $admin002AuthHeader")
+      .post(null)
+    assert(405 == response.getStatus)
   }
 
   test("refresh user defaults config of the kyuubi server") {