Skip to content

[KYUUBI #XXXX] Support IP and user allowlist for connection access control#7392

Open
fightBoxing wants to merge 2 commits into
apache:masterfrom
fightBoxing:feature/ip-allowlist-upstream
Open

[KYUUBI #XXXX] Support IP and user allowlist for connection access control#7392
fightBoxing wants to merge 2 commits into
apache:masterfrom
fightBoxing:feature/ip-allowlist-upstream

Conversation

@fightBoxing

@fightBoxing fightBoxing commented Apr 9, 2026

Copy link
Copy Markdown

Why are the changes needed?

Currently, Kyuubi supports deny lists (user.deny.list and ip.deny.list) to block specific users/IPs from connecting. However, in some security-sensitive environments, administrators need the opposite approach — only allowing specific trusted users/IPs to connect (allowlist/whitelist pattern). This is a common security requirement for production deployments.

This PR adds two new configurations:

  • kyuubi.server.limit.connections.ip.allowlist: when non-empty, only permits connections from the listed IPs
  • kyuubi.server.limit.connections.user.allowlist: when non-empty, only permits connections from the listed users

When the lists are empty (default), no restriction is applied.

How was this patch tested?

  • Added 10 unit test cases in SessionLimiterSuite:
    • IP allowlist: basic, multiple IPs, empty allowlist, deny list priority, refresh
    • User allowlist: basic, multiple users, empty allowlist, deny list priority, refresh

Was this patch authored or co-authored using generative AI tooling?

No

Changes:

IP Allowlist:

  • Add SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST config in KyuubiConf (kyuubi.server.limit.connections.ip.allowlist)
  • Add ipAllowlist field in SessionLimiterWithAccessControlListImpl
  • Add ip allowlist check in SessionLimiter.increment()
  • Add getIpAllowlist/refreshIpAllowlist in KyuubiSessionManager
  • Add refreshIpAllowlist() in KyuubiServer
  • Add REST API endpoint POST /api/v1/admin/refresh/ip_allowlist

User Allowlist:

  • Add SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST config in KyuubiConf (kyuubi.server.limit.connections.user.allowlist)
  • Add userAllowlist field in SessionLimiterWithAccessControlListImpl
  • Add user allowlist check in SessionLimiter.increment()
  • Add getUserAllowlist/refreshUserAllowlist in KyuubiSessionManager
  • Add refreshUserAllowlist() in KyuubiServer
  • Add REST API endpoint POST /api/v1/admin/refresh/user_allowlist

Priority Note:

  • When an IP is in both ip.deny.list and ip.allowlist, the deny list takes higher priority
  • When a user is in both user.deny.list and user.allowlist, the deny list takes higher priority
### _Why are the changes needed?_
Currently, Kyuubi supports IP deny list (ip.deny.list) to block specific IPs
from connecting. However, in some security-sensitive environments, administrators
need the opposite approach - only allowing specific trusted IPs to connect
(allowlist/whitelist pattern). This is a common security requirement for
production deployments.

### _How was this patch tested?_
- Added 5 unit test cases in SessionLimiterSuite:
  - test session limiter with ip allowlist
  - test session limiter ip allowlist with multiple ips
  - test session limiter empty ip allowlist allows all ips
  - test session limiter ip deny list has higher priority than ip allowlist
  - test refresh ip allowlist

### _Was this patch authored or co-authored using generative AI tooling?_
No

### Changes:
- Add SERVER_LIMIT_CONNECTIONS_IP_ALLOWLIST config in KyuubiConf
- Add ipAllowlist field in SessionLimiterWithAccessControlListImpl
- Add ip allowlist check in SessionLimiter.increment()
- Add getIpAllowlist/refreshIpAllowlist in KyuubiSessionManager
- Add refreshIpAllowlist() in KyuubiServer
- Add REST API endpoint POST /api/v1/admin/refresh/ip_allowlist
- When ip.deny.list and ip.allowlist both contain the same IP, deny list takes higher priority
Add user allowlist feature (kyuubi.server.limit.connections.user.allowlist)
that restricts which users can connect to Kyuubi server.

Changes:
- Add SERVER_LIMIT_CONNECTIONS_USER_ALLOWLIST config in KyuubiConf
- Add userAllowlist field in SessionLimiterWithAccessControlListImpl
- Add user allowlist check in SessionLimiter.increment()
- Add getUserAllowlist/refreshUserAllowlist in KyuubiSessionManager
- Add refreshUserAllowlist() in KyuubiServer
- Add REST API endpoint POST /api/v1/admin/refresh/user_allowlist
- Add 5 test cases in SessionLimiterSuite
- When user.deny.list and user.allowlist both contain the same user,
  deny list takes higher priority
@fightBoxing fightBoxing changed the title [KYUUBI #XXXX] Support IP client allowlist for connection access control Apr 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment