[#10959] feat(idp-basic): Add Basic authentication for built-in IdP (#11226)

### What changes were proposed in this pull request?

Add built-in IdP **Basic** authentication and wire it into the Gravitino
server, Java client, and distribution:

- **`plugins:idp-basic`**: `BasicAuthenticator` validates HTTP Basic
credentials against relational IdP user metadata with Argon2id password
hashes; `ServiceAdminInitializer` creates configured service admins on
first startup when `GRAVITINO_INITIAL_ADMIN_PASSWORD` is set.
- **Server bootstrap**: Optional plugins load through
`ServerPluginBootstrap` SPI (`ServerPluginBootstrapper` in
`server-common`, `IdpServerPluginBootstrap` in `idp-basic`) so the
server module does not compile-depend on `idp-basic`.
- **Java client**: `GravitinoClient.builder(...).withBasicAuth(username,
password)` and `BasicTokenProvider`.
- **Docs**: Basic mode configuration and client usage in
`docs/security/how-to-authenticate.md`.


### Why are the changes needed?

Gravitino needs a built-in authentication path for deployments that do
not use an external OAuth provider. This PR implements the `basic`
authenticator mode, service-admin bootstrap for initial login, client
support, and packaging so the feature is available in official binaries.

Fix: #10965

### Does this PR introduce _any_ user-facing change?

Yes.

1. **Server configuration**: New authenticator value `basic` in
`gravitino.authenticators` (requires
`gravitino.entity.store=relational`).
2. **Environment variable**: `GRAVITINO_INITIAL_ADMIN_PASSWORD` — JSON
array of `username:password` entries for first-time service admin
creation.
3. **Java client API**:
`GravitinoClientBase.Builder.withBasicAuth(String username, String
password)`.

### How was this patch tested?

Unit tests added/updated in `plugins:idp-basic`, `server-common`, and
`clients:client-java`. Locally ran:

- `./gradlew :plugins:idp-basic:test -PskipITs -PskipDockerTests=true`
- `./gradlew :server-common:test --tests "*BasicAuthentication*"
-PskipITs -PskipDockerTests=true`
- `./gradlew :clients:client-java:test --tests "*BasicTokenProvider*"
-PskipITs`

---------

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: lasdf1234

.github/workflows/backend-integration-test-action.yml

@@ -88,6 +88,7 @@ jobs:
             -x :spark-connector:spark-3.3:test -x :spark-connector:spark-3.4:test -x :spark-connector:spark-3.5:test \
             -x :spark-connector:spark-runtime-3.3:test -x :spark-connector:spark-runtime-3.4:test -x :spark-connector:spark-runtime-3.5:test \
             -x :trino-connector:integration-test:test -x :trino-connector:trino-connector:test \
+            -x :plugins:idp-basic:test \
             -x :authorizations:authorization-chain:test -x :authorizations:authorization-ranger:test \
             -x :clients:cli:test -x :maintenance:jobs:test -x :maintenance:optimizer:test \
             $EXCLUDE_CONTRIB_TESTS

.github/workflows/idp-basic-test.yml

@@ -46,7 +46,7 @@ jobs:
     needs: changes
     if: needs.changes.outputs.source_changes == 'true' && needs.changes.outputs.module_exists == 'true'
     runs-on: ubuntu-22.04
-    timeout-minutes: 60
+    timeout-minutes: 30
     steps:
       - uses: actions/checkout@v4
 
@@ -56,21 +56,52 @@ jobs:
           distribution: "temurin"
           cache: "gradle"
 
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
+
+      - name: Check required command
+        run: |
+          dev/ci/check_commands.sh
+
+      - name: Package Gravitino
+        run: |
+          ./gradlew compileDistribution -PskipWeb=true -x test
+
       - name: Free up disk space
         run: |
           dev/ci/util_free_space.sh
 
       - name: Run idp-basic tests
+        id: idpBasicTest
         env:
           dockerTest: true
+          GRAVITINO_INITIAL_ADMIN_PASSWORD: Passw0rd-For-Admin1
         run: |
-          ./gradlew :plugins:idp-basic:test -PskipITs -PskipDockerTests=false -PskipWeb=true
+          set -euo pipefail
+
+          # Unit and in-process tests (no Docker, no REST IT).
+          ./gradlew :plugins:idp-basic:test -PskipITs -PskipDockerTests=true
+
+          # REST IT: embedded and deploy, each against h2 / MySQL / PostgreSQL.
+          for test_mode in embedded deploy; do
+            for backend in h2 mysql postgresql; do
+              ./gradlew :plugins:idp-basic:test \
+                -PtestMode="${test_mode}" \
+                -PjdbcBackend="${backend}" \
+                -PskipDockerTests=false \
+                --tests "org.apache.gravitino.idp.integration.test.**"
+            done
+          done
 
       - name: Upload idp-basic test reports
         uses: actions/upload-artifact@v7
-        if: failure()
+        if: ${{ (failure() && steps.idpBasicTest.outcome == 'failure') || contains(github.event.pull_request.labels.*.name, 'upload log') }}
         with:
           name: idp-basic-test-reports
           path: |
             plugins/idp-basic/build/reports
             plugins/idp-basic/build/test-results
+            distribution/package-all/logs/gravitino-server.out
+            distribution/package-all/logs/gravitino-server.log
+            distribution/package/logs/gravitino-server.out
+            distribution/package/logs/gravitino-server.log

clients/client-java/src/main/java/org/apache/gravitino/client/BasicTokenProvider.java

@@ -0,0 +1,57 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.gravitino.client;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import org.apache.gravitino.auth.AuthConstants;
+
+/** Provides HTTP Basic credentials for Gravitino built-in IdP authentication. */
+final class BasicTokenProvider implements AuthDataProvider {
+
+  private final byte[] token;
+
+  BasicTokenProvider(String username, String password) {
+    this.token = buildToken(username, password);
+  }
+
+  private static byte[] buildToken(String username, String password) {
+    String userInformation = username + ":" + password;
+    return (AuthConstants.AUTHORIZATION_BASIC_HEADER
+            + new String(
+                Base64.getEncoder().encode(userInformation.getBytes(StandardCharsets.UTF_8)),
+                StandardCharsets.UTF_8))
+        .getBytes(StandardCharsets.UTF_8);
+  }
+
+  @Override
+  public boolean hasTokenData() {
+    return true;
+  }
+
+  @Override
+  public byte[] getTokenData() {
+    return token;
+  }
+
+  @Override
+  public void close() throws IOException {}
+}

clients/client-java/src/main/java/org/apache/gravitino/client/GravitinoClientBase.java

@@ -276,6 +276,20 @@ public Builder<T> withSimpleAuth(String userName) {
       return this;
     }
 
+    /**
+     * Sets HTTP Basic authentication for Gravitino.
+     *
+     * @param username The username for Basic authentication.
+     * @param password The password for Basic authentication.
+     * @return This Builder instance for method chaining.
+     */
+    public Builder<T> withBasicAuth(String username, String password) {
+      Preconditions.checkArgument(StringUtils.isNotBlank(username), "username can't be blank");
+      Preconditions.checkArgument(StringUtils.isNotBlank(password), "password can't be blank");
+      this.authDataProvider = new BasicTokenProvider(username, password);
+      return this;
+    }
+
     /**
      * Optional, set a flag to verify the client is supported to connector the server
      *

clients/client-java/src/test/java/org/apache/gravitino/client/TestBasicTokenProvider.java

@@ -0,0 +1,47 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.gravitino.client;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.util.Base64;
+import org.apache.gravitino.auth.AuthConstants;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+public class TestBasicTokenProvider {
+
+  @Test
+  public void testAuthentication() throws IOException {
+    try (AuthDataProvider provider = new BasicTokenProvider("admin", "YourSecurePassword12")) {
+      Assertions.assertTrue(provider.hasTokenData());
+      String token = new String(provider.getTokenData(), StandardCharsets.UTF_8);
+      Assertions.assertTrue(token.startsWith(AuthConstants.AUTHORIZATION_BASIC_HEADER));
+      String tokenString =
+          new String(
+              Base64.getDecoder()
+                  .decode(
+                      token
+                          .substring(AuthConstants.AUTHORIZATION_BASIC_HEADER.length())
+                          .getBytes(StandardCharsets.UTF_8)),
+              StandardCharsets.UTF_8);
+      Assertions.assertEquals("admin:YourSecurePassword12", tokenString);
+    }
+  }
+}

clients/client-python/gravitino/auth/basic_auth_provider.py

@@ -0,0 +1,56 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import base64
+
+from gravitino.auth.auth_constants import AuthConstants
+from gravitino.auth.auth_data_provider import AuthDataProvider
+from gravitino.exceptions.base import IllegalArgumentException
+
+
+class BasicAuthProvider(AuthDataProvider):
+    """Provides HTTP Basic credentials for Gravitino built-in IdP authentication."""
+
+    _token: bytes
+
+    def __init__(self, username: str, password: str):
+        if username is None or not username.strip():
+            raise IllegalArgumentException("username can't be blank")
+        if password is None or not password.strip():
+            raise IllegalArgumentException("password can't be blank")
+
+        self._token = self._build_basic_auth_token(username, password)
+
+    def has_token_data(self) -> bool:
+        return True
+
+    def get_token_data(self) -> bytes:
+        return self._token
+
+    def close(self):
+        pass
+
+    @staticmethod
+    def _build_basic_auth_token(username: str, password: str) -> bytes:
+        credentials = f"{username}:{password}"
+        encoded_credentials = base64.b64encode(credentials.encode("utf-8")).decode(
+            "utf-8"
+        )
+        authorization_header = (
+            AuthConstants.AUTHORIZATION_BASIC_HEADER + encoded_credentials
+        )
+        return authorization_header.encode("utf-8")

clients/client-python/gravitino/filesystem/gvfs_config.py

@@ -25,6 +25,9 @@ class GVFSConfig:
 
     AUTH_TYPE = "auth_type"
     SIMPLE_AUTH_TYPE = "simple"
+    BASIC_AUTH_TYPE = "basic"
+    BASIC_USERNAME = "basic_username"
+    BASIC_PASSWORD = "basic_password"
 
     OAUTH2_AUTH_TYPE = "oauth2"
     OAUTH2_SERVER_URI = "oauth2_server_uri"

clients/client-python/gravitino/filesystem/gvfs_utils.py

@@ -18,6 +18,7 @@
 from typing import Dict
 
 from gravitino.client.gravitino_client import GravitinoClient
+from gravitino.auth.basic_auth_provider import BasicAuthProvider
 from gravitino.auth.default_oauth2_token_provider import DefaultOAuth2TokenProvider
 from gravitino.auth.oauth2_token_provider import OAuth2TokenProvider
 from gravitino.auth.simple_auth_provider import SimpleAuthProvider
@@ -73,6 +74,21 @@ def create_client(
             client_config=client_config,
         )
 
+    if auth_type == GVFSConfig.BASIC_AUTH_TYPE:
+        basic_username = options.get(GVFSConfig.BASIC_USERNAME)
+        _check_auth_config(auth_type, GVFSConfig.BASIC_USERNAME, basic_username)
+
+        basic_password = options.get(GVFSConfig.BASIC_PASSWORD)
+        _check_auth_config(auth_type, GVFSConfig.BASIC_PASSWORD, basic_password)
+
+        return GravitinoClient(
+            uri=server_uri,
+            metalake_name=metalake_name,
+            auth_data_provider=BasicAuthProvider(basic_username, basic_password),
+            request_headers=request_headers,
+            client_config=client_config,
+        )
+
     if auth_type == GVFSConfig.OAUTH2_AUTH_TYPE:
         oauth2_server_uri = options.get(GVFSConfig.OAUTH2_SERVER_URI)
         _check_auth_config(auth_type, GVFSConfig.OAUTH2_SERVER_URI, oauth2_server_uri)

clients/client-python/tests/unittests/auth/test_basic_auth_provider.py

@@ -0,0 +1,47 @@
+# Licensed to the Apache Software Foundation (ASF) under one
+# or more contributor license agreements.  See the NOTICE file
+# distributed with this work for additional information
+# regarding copyright ownership.  The ASF licenses this file
+# to you under the Apache License, Version 2.0 (the
+# "License"); you may not use this file except in compliance
+# with the License.  You may obtain a copy of the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing,
+# software distributed under the License is distributed on an
+# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied.  See the License for the
+# specific language governing permissions and limitations
+# under the License.
+
+import base64
+import unittest
+
+from gravitino.auth.auth_constants import AuthConstants
+from gravitino.auth.auth_data_provider import AuthDataProvider
+from gravitino.auth.basic_auth_provider import BasicAuthProvider
+from gravitino.exceptions.base import IllegalArgumentException
+
+
+class TestBasicAuthProvider(unittest.TestCase):
+    def test_auth_provider(self):
+        provider: AuthDataProvider = BasicAuthProvider(
+            "admin", "YourSecureGravitinoPassword"
+        )
+        self.assertTrue(provider.has_token_data())
+        token = provider.get_token_data().decode("utf-8")
+        self.assertTrue(token.startswith(AuthConstants.AUTHORIZATION_BASIC_HEADER))
+        token_string = base64.b64decode(
+            token[len(AuthConstants.AUTHORIZATION_BASIC_HEADER) :]
+        ).decode("utf-8")
+        self.assertEqual("admin:YourSecureGravitinoPassword", token_string)
+        provider.close()
+
+    def test_blank_username(self):
+        with self.assertRaises(IllegalArgumentException):
+            BasicAuthProvider(" ", "password")
+
+    def test_blank_password(self):
+        with self.assertRaises(IllegalArgumentException):
+            BasicAuthProvider("admin", " ")

clients/client-python/tests/unittests/test_gvfs_with_local.py

@@ -197,6 +197,25 @@ def test_simple_auth(self, *mock_methods):
         if current_user is not None:
             os.environ["user.name"] = current_user
 
+    def test_basic_auth(self, *mock_methods):
+        options = {
+            GVFSConfig.AUTH_TYPE: GVFSConfig.BASIC_AUTH_TYPE,
+            GVFSConfig.BASIC_USERNAME: "admin",
+            GVFSConfig.BASIC_PASSWORD: "YourSecureGravitinoPassword",
+        }
+        fs = gvfs.GravitinoVirtualFileSystem(
+            server_uri=self._server_uri,
+            metalake_name=self._metalake_name,
+            options=options,
+            skip_instance_cache=True,
+        )
+        client = fs._operations._get_gravitino_client()
+        token = client._rest_client.auth_data_provider.get_token_data()
+        token_string = base64.b64decode(
+            token.decode("utf-8")[len(AuthConstants.AUTHORIZATION_BASIC_HEADER) :]
+        ).decode("utf-8")
+        self.assertEqual("admin:YourSecureGravitinoPassword", token_string)
+
     def test_oauth2_auth(self, *mock_methods):
         fs_options = {
             GVFSConfig.AUTH_TYPE: GVFSConfig.OAUTH2_AUTH_TYPE,