[Pinot connector] Add support for basic authentication

docs/src/main/sphinx/connector/pinot.rst

@@ -33,18 +33,35 @@ Configuration properties
 
 The following configuration properties are available:
 
-============================== ========== ==============================================================================
-Property Name                  Required   Description
-============================== ========== ==============================================================================
-``pinot.controller-urls``      Yes        A comma separated list of controller hosts. If Pinot is deployed via
-                                          `Kubernetes <https://kubernetes.io/>`_ this needs to point to the controller
-                                          service endpoint. The Pinot broker and server must be accessible via DNS as
-                                          Pinot returns hostnames and not IP addresses.
-``pinot.segments-per-split``   No         The number of segments processed in a split. Setting this higher reduces the
-                                          number of requests made to Pinot. This is useful for smaller Pinot clusters.
-``pinot.request-timeout``      No         The timeout for Pinot requests. Increasing this can reduce timeouts if DNS
-                                          resolution is slow.
-============================== ========== ==============================================================================
+============================================= ========== ==============================================================================
+Property Name                                 Required   Description
+============================================= ========== ==============================================================================
+``pinot.controller-urls``                     Yes        A comma separated list of controller hosts. If Pinot is deployed via
+                                                         `Kubernetes <https://kubernetes.io/>`_ this needs to point to the controller
+                                                         service endpoint. The Pinot broker and server must be accessible via DNS as
+                                                         Pinot returns hostnames and not IP addresses.
+``pinot.segments-per-split``                  No         The number of segments processed in a split. Setting this higher reduces the
+                                                         number of requests made to Pinot. This is useful for smaller Pinot clusters.
+``pinot.request-timeout``                     No         The timeout for Pinot requests. Increasing this can reduce timeouts if DNS
+                                                         resolution is slow.
+``pinot.controller.authentication.type``      No         Pinot authentication method for controller requests. Allowed values are
+                                                         ``NONE`` and ``PASSWORD`` - defaults to ``NONE`` which is no authentication.
+``pinot.controller.authentication.user``      No         Controller username for basic authentication method.
+``pinot.controller.authentication.password``  No         Controller password for basic authentication method.
+``pinot.broker.authentication.type``          No         Pinot authentication method for broker requests. Allowed values are
+                                                         ``NONE`` and ``PASSWORD`` - defaults to ``NONE`` which is no
+                                                         authentication.
+``pinot.broker.authentication.user``          No         Broker username for basic authentication method.
+``pinot.broker.authentication.password``      No         Broker password for basic authentication method.
+============================================= ========== ==============================================================================
+
+If ``pinot.controller.authentication.type`` is set to ``PASSWORD`` then both ``pinot.controller.authentication.user`` and
+``pinot.controller.authentication.password`` are required.
+
+If ``pinot.broker.authentication.type`` is set to ``PASSWORD`` then both ``pinot.broker.authentication.user`` and
+``pinot.broker.authentication.password`` are required.
+
+You can use :doc:`secrets </security/secrets>` to avoid actual values in the catalog properties files.
 
 Querying Pinot tables
 ---------------------

plugin/trino-pinot/pom.xml

@@ -103,6 +103,18 @@
             <artifactId>guice</artifactId>
         </dependency>
 
+        <!-- Used for basic authentication only -->
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>okhttp</artifactId>
+            <exclusions>
+                <exclusion>
+                    <groupId>org.codehaus.mojo</groupId>
+                    <artifactId>*</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+
         <dependency>
             <groupId>commons-codec</groupId>
             <artifactId>commons-codec</artifactId>

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/PinotConnectorFactory.java

@@ -19,6 +19,7 @@
 import io.airlift.bootstrap.Bootstrap;
 import io.airlift.json.JsonModule;
 import io.trino.plugin.base.TypeDeserializerModule;
+import io.trino.plugin.pinot.auth.PinotAuthenticationModule;
 import io.trino.spi.connector.Connector;
 import io.trino.spi.connector.ConnectorContext;
 import io.trino.spi.connector.ConnectorFactory;
@@ -62,7 +63,8 @@ public Connector create(String catalogName, Map<String, String> config, Connecto
                 .add(new JsonModule())
                 .add(new MBeanModule())
                 .add(new TypeDeserializerModule(context.getTypeManager()))
-                .add(new PinotModule(catalogName, context.getNodeManager()));
+                .add(new PinotModule(catalogName, context.getNodeManager()))
+                .add(new PinotAuthenticationModule());
 
         extension.ifPresent(modulesBuilder::add);
 

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotAuthenticationModule.java

@@ -0,0 +1,127 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+import com.google.inject.Binder;
+import com.google.inject.Module;
+import com.google.inject.Provides;
+import io.airlift.configuration.AbstractConfigurationAwareModule;
+import io.trino.plugin.pinot.auth.none.PinotEmptyAuthenticationProvider;
+import io.trino.plugin.pinot.auth.password.PinotPasswordAuthenticationProvider;
+import io.trino.plugin.pinot.auth.password.inline.PinotPasswordBrokerAuthenticationConfig;
+import io.trino.plugin.pinot.auth.password.inline.PinotPasswordControllerAuthenticationConfig;
+
+import javax.inject.Singleton;
+
+import static io.airlift.configuration.ConditionalModule.conditionalModule;
+import static io.airlift.configuration.ConfigBinder.configBinder;
+import static io.trino.plugin.pinot.auth.PinotAuthenticationType.NONE;
+import static io.trino.plugin.pinot.auth.PinotAuthenticationType.PASSWORD;
+
+public class PinotAuthenticationModule
+        extends AbstractConfigurationAwareModule
+{
+    @Override
+    protected void setup(Binder binder)
+    {
+        bindAuthenticationProviderModule(
+                NONE,
+                new PinotNoneControllerAuthenticationProviderModule(),
+                new PinotNoneBrokerAuthenticationProviderModule());
+        bindAuthenticationProviderModule(
+                PASSWORD,
+                new PinotPasswordControllerAuthenticationProviderModule(),
+                new PinotPasswordBrokerAuthenticationProviderModule());
+    }
+
+    private void bindAuthenticationProviderModule(PinotAuthenticationType authType, Module controllerModule, Module brokerModule)
+    {
+        install(conditionalModule(
+                PinotAuthenticationTypeConfig.class,
+                config -> authType == config.getControllerAuthenticationType(),
+                controllerModule));
+        install(conditionalModule(
+                PinotAuthenticationTypeConfig.class,
+                config -> authType == config.getBrokerAuthenticationType(),
+                brokerModule));
+    }
+
+    private static class PinotNoneControllerAuthenticationProviderModule
+            implements Module
+    {
+        @Override
+        public void configure(Binder binder)
+        {
+        }
+
+        @Provides
+        @Singleton
+        public PinotControllerAuthenticationProvider getAuthenticationProvider()
+        {
+            return PinotControllerAuthenticationProvider.create(PinotEmptyAuthenticationProvider.instance());
+        }
+    }
+
+    private static class PinotNoneBrokerAuthenticationProviderModule
+            implements Module
+    {
+        @Override
+        public void configure(Binder binder)
+        {
+        }
+
+        @Provides
+        @Singleton
+        public PinotBrokerAuthenticationProvider getAuthenticationProvider()
+        {
+            return PinotBrokerAuthenticationProvider.create(PinotEmptyAuthenticationProvider.instance());
+        }
+    }
+
+    private static class PinotPasswordControllerAuthenticationProviderModule
+            implements Module
+    {
+        @Override
+        public void configure(Binder binder)
+        {
+            configBinder(binder).bindConfig(PinotPasswordControllerAuthenticationConfig.class);
+        }
+
+        @Provides
+        @Singleton
+        public PinotControllerAuthenticationProvider getAuthenticationProvider(
+                PinotPasswordControllerAuthenticationConfig config)
+        {
+            return PinotControllerAuthenticationProvider.create(new PinotPasswordAuthenticationProvider(config.getUser(), config.getPassword()));
+        }
+    }
+
+    private static class PinotPasswordBrokerAuthenticationProviderModule
+            implements Module
+    {
+        @Override
+        public void configure(Binder binder)
+        {
+            configBinder(binder).bindConfig(PinotPasswordBrokerAuthenticationConfig.class);
+        }
+
+        @Provides
+        @Singleton
+        public PinotBrokerAuthenticationProvider getAuthenticationProvider(
+                PinotPasswordBrokerAuthenticationConfig config)
+        {
+            return PinotBrokerAuthenticationProvider.create(new PinotPasswordAuthenticationProvider(config.getUser(), config.getPassword()));
+        }
+    }
+}

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotAuthenticationProvider.java

@@ -0,0 +1,21 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+import java.util.Optional;
+
+public interface PinotAuthenticationProvider
+{
+    Optional<String> getAuthenticationToken();
+}

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotAuthenticationType.java

@@ -0,0 +1,19 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+public enum PinotAuthenticationType {
+    NONE,
+    PASSWORD,
+}

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotAuthenticationTypeConfig.java

@@ -0,0 +1,50 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+import io.airlift.configuration.Config;
+
+import javax.validation.constraints.NotNull;
+
+public class PinotAuthenticationTypeConfig
+{
+    private PinotAuthenticationType controllerAuthenticationType = PinotAuthenticationType.NONE;
+    private PinotAuthenticationType brokerAuthenticationType = PinotAuthenticationType.NONE;
+
+    @NotNull
+    public PinotAuthenticationType getControllerAuthenticationType()
+    {
+        return controllerAuthenticationType;
+    }
+
+    @Config("pinot.controller.authentication.type")
+    public PinotAuthenticationTypeConfig setControllerAuthenticationType(PinotAuthenticationType controllerAuthenticationType)
+    {
+        this.controllerAuthenticationType = controllerAuthenticationType;
+        return this;
+    }
+
+    @NotNull
+    public PinotAuthenticationType getBrokerAuthenticationType()
+    {
+        return brokerAuthenticationType;
+    }
+
+    @Config("pinot.broker.authentication.type")
+    public PinotAuthenticationTypeConfig setBrokerAuthenticationType(PinotAuthenticationType brokerAuthenticationType)
+    {
+        this.brokerAuthenticationType = brokerAuthenticationType;
+        return this;
+    }
+}

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotBrokerAuthenticationProvider.java

@@ -0,0 +1,40 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+import java.util.Optional;
+
+import static java.util.Objects.requireNonNull;
+
+public class PinotBrokerAuthenticationProvider
+        implements PinotAuthenticationProvider
+{
+    public static PinotBrokerAuthenticationProvider create(PinotAuthenticationProvider delegate)
+    {
+        return new PinotBrokerAuthenticationProvider(delegate);
+    }
+
+    private final PinotAuthenticationProvider delegate;
+
+    private PinotBrokerAuthenticationProvider(PinotAuthenticationProvider delegate)
+    {
+        this.delegate = requireNonNull(delegate, "Delegate broker authentication provider is required");
+    }
+
+    @Override
+    public Optional<String> getAuthenticationToken()
+    {
+        return delegate.getAuthenticationToken();
+    }
+}

plugin/trino-pinot/src/main/java/io/trino/plugin/pinot/auth/PinotControllerAuthenticationProvider.java

@@ -0,0 +1,40 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.trino.plugin.pinot.auth;
+
+import java.util.Optional;
+
+import static java.util.Objects.requireNonNull;
+
+public class PinotControllerAuthenticationProvider
+        implements PinotAuthenticationProvider
+{
+    public static PinotControllerAuthenticationProvider create(PinotAuthenticationProvider delegate)
+    {
+        return new PinotControllerAuthenticationProvider(delegate);
+    }
+
+    private final PinotAuthenticationProvider delegate;
+
+    private PinotControllerAuthenticationProvider(PinotAuthenticationProvider delegate)
+    {
+        this.delegate = requireNonNull(delegate, "Delegate controller authentication provider is required");
+    }
+
+    @Override
+    public Optional<String> getAuthenticationToken()
+    {
+        return delegate.getAuthenticationToken();
+    }
+}