[#1190] feat(server-common): Support custom filters

catalogs/catalog-lakehouse-iceberg/src/main/java/com/datastrato/gravitino/catalog/lakehouse/iceberg/IcebergRESTService.java

@@ -61,6 +61,7 @@ protected void configure() {
 
     Servlet servlet = new ServletContainer(config);
     server.addServlet(servlet, "/iceberg/*");
+    server.addCustomFilters("/iceberg/*");
     server.addFilter(new AuthenticationFilter(), "/iceberg/*");
   }
 

docs/security.md

@@ -258,3 +258,51 @@ If you want to use the command `curl`, you can follow the commands:
 openssl x509 -inform der -in $JAVA_HOME/localhost.crt -out certificate.pem
 curl -v -X GET --cacert ./certificate.pem -H "Accept: application/vnd.gravitino.v1+json" -H "Content-Type: application/json" https://localhost:8433/api/version
 ```
+
+## Custom filters
+
+Gravitino supports custom filters to implement the user specified logic to satisfy different safety needs.
+
+### Gravitino server's configuration
+| Configuration item                          | Description                                                      | Default value | Required  | Since version |
+|---------------------------------------------|------------------------------------------------------------------|---------------|-----------|---------------|
+| `gravitino.server.webserver.customFilters`  | Comma separated list of filter class names to apply to the APIs. | ``            | Yes       | 0.4.0         |
+The filter should be a standard javax servlet Filter.
+Filter parameters can also be specified in the configuration, by setting config entries of the form `gravitino.server.webserver.<class name of filter>.param.<param name>=<value>`
+
+For example:
+```text
+gravitino.server.webserver.customFilters=com.test.filter1
+gravitino.server.webserver.com.test.filter1.param.name1=foo
+gravitino.server.webserver.com.test.filter1.param.name2=ba
+```
+
+### Iceberg REST service's configuration
+| Configuration item                                  | Description                                                        | Default value | Required  | Since version |
+|-----------------------------------------------------|--------------------------------------------------------------------|---------------|-----------|---------------|
+| `gravitino.auxService.iceberg-rest.customFilters`   | Comma separated list of filter class names to apply to the APIs.   | ``            | Yes       | 0.4.0         |
+The filter should be a standard javax servlet Filter.
+Filter parameters can also be specified in the configuration, by setting config entries of the form `gravitino.auxService.iceberg-rest.<class name of filter>.param.<param name>=<value>`
+
+For example:
+```text
+gravitino.auxService.iceberg-rest.customFilters=com.test.filter1
+gravitino.auxService.iceberg-rest.com.test.filter1.param.name1=foo
+gravitino.auxService.iceberg-rest.com.test.filter1.param.name2=ba
+```
+
+### Example
+
+If you want to use a cross-origin filter for the Gravitino server, you can follow the steps.
+
+```shell
+wget https://repo1.maven.org/maven2/org/eclipse/jetty/jetty-servlets/9.4.51.v20230217/jetty-servlets-9.4.51.v20230217.jar 
+cp jetty-servlets-9.4.51.v20230217.jar <gravitno home>/libs
+```
+
+You can refer to the [Configurations](gravitino-server-config.md) and append the configurations to the conf/gravitino.conf.
+
+```text
+gravitino.server.webserver.customFilters=org.eclipse.jetty.servlets.CrossOriginFilter
+gravitino.server.webserver.org.eclipse.jetty.servlets.CrossOriginFilter.param.allowedOrigins=*
+```

server-common/src/main/java/com/datastrato/gravitino/server/web/JettyServer.java

@@ -19,6 +19,7 @@
 import java.security.AccessController;
 import java.security.PrivilegedAction;
 import java.util.EnumSet;
+import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 import java.util.concurrent.LinkedBlockingQueue;
@@ -104,7 +105,7 @@ public synchronized void initialize(
             StringUtils.isNotBlank(serverConfig.getTrustStorePath()),
             "If enables the authentication of the client, must set trustStorePath");
         Preconditions.checkArgument(
-            StringUtils.isNotBlank(serverConfig.getTrustStorePasword()),
+            StringUtils.isNotBlank(serverConfig.getTrustStorePassword()),
             "If enables the authentication of the client, must set trustStorePassword");
       }
       ServerConnector httpsConnector =
@@ -123,7 +124,7 @@ public synchronized void initialize(
               serverConfig.getSupportedAlgorithms(),
               serverConfig.isEnableClientAuth(),
               serverConfig.getTrustStorePath(),
-              serverConfig.getTrustStorePasword(),
+              serverConfig.getTrustStorePassword(),
               serverConfig.getTrustStoreType());
       server.addConnector(httpsConnector);
     } else {
@@ -433,4 +434,19 @@ public Thread run() {
   public ThreadPool getThreadPool() {
     return server.getThreadPool();
   }
+
+  public void addCustomFilters(String pathSpec) {
+    for (String filterName : serverConfig.getCustomFilters()) {
+      if (StringUtils.isBlank(filterName)) {
+        continue;
+      }
+      FilterHolder filterHolder = new FilterHolder();
+      filterHolder.setClassName(filterName);
+      for (Map.Entry<String, String> entry :
+          serverConfig.getAllWithPrefix(String.format("%s.param.", filterName)).entrySet()) {
+        filterHolder.setInitParameter(entry.getKey(), entry.getValue());
+      }
+      servletContextHandler.addFilter(filterHolder, pathSpec, EnumSet.allOf(DispatcherType.class));
+    }
+  }
 }

server-common/src/main/java/com/datastrato/gravitino/server/web/JettyServerConfig.java

@@ -171,6 +171,13 @@ public final class JettyServerConfig {
           .stringConf()
           .createWithDefault("JKS");
 
+  public static final ConfigEntry<String> CUSTOM_FILTERS =
+      new ConfigBuilder("customFilters")
+          .doc("Comma separated list of filter class names to apply to the APIs")
+          .version("0.4.0")
+          .stringConf()
+          .createWithDefault("");
+
   private final String host;
 
   private final int httpPort;
@@ -199,7 +206,9 @@ public final class JettyServerConfig {
   private final Set<String> enableCipherAlgorithms;
   private final boolean enableClientAuth;
   private final String trustStorePath;
-  private final String trustStorePasword;
+  private final String trustStorePassword;
+
+  private final Set<String> customFilters;
   private final String trustStoreType;
   private final Config internalConfig;
 
@@ -245,8 +254,11 @@ private JettyServerConfig(Map<String, String> configs) {
             Sets.newHashSet(internalConfig.get(ENABLE_CIPHER_ALGORITHMS).split(SPLITTER)));
     this.enableClientAuth = internalConfig.get(ENABLE_CLIENT_AUTH);
     this.trustStorePath = internalConfig.get(SSL_TRUST_STORE_PATH);
-    this.trustStorePasword = internalConfig.get(SSL_TRUST_STORE_PASSWORD);
+    this.trustStorePassword = internalConfig.get(SSL_TRUST_STORE_PASSWORD);
     this.trustStoreType = internalConfig.get(SSL_TRUST_STORE_TYPE);
+    this.customFilters =
+        Collections.unmodifiableSet(
+            Sets.newHashSet(internalConfig.get(CUSTOM_FILTERS).split(SPLITTER)));
   }
 
   public static JettyServerConfig fromConfig(Config config, String prefix) {
@@ -330,14 +342,18 @@ public String getTrustStorePath() {
     return trustStorePath;
   }
 
-  public String getTrustStorePasword() {
-    return trustStorePasword;
+  public String getTrustStorePassword() {
+    return trustStorePassword;
   }
 
   public String getTrustStoreType() {
     return trustStoreType;
   }
 
+  public Map<String, String> getAllWithPrefix(String prefix) {
+    return internalConfig.getConfigsWithPrefix(prefix);
+  }
+
   private SSLContext getDefaultSSLContext() {
     try {
       return SSLContext.getDefault();
@@ -366,6 +382,10 @@ public Set<String> getSupportedAlgorithms() {
     return supportedAlgorithms;
   }
 
+  public Set<String> getCustomFilters() {
+    return customFilters;
+  }
+
   @VisibleForTesting
   Set<String> getSupportedCipherSuites() {
     SSLContext context =

server/src/main/java/com/datastrato/gravitino/server/GravitinoServer.java

@@ -87,6 +87,7 @@ protected void configure() {
     server.addServlet(servlet, "/api/*");
     Servlet configServlet = new ConfigServlet(serverConfig);
     server.addServlet(configServlet, "/configs");
+    server.addCustomFilters("/api/*");
     server.addFilter(new VersioningFilter(), "/api/*");
     server.addFilter(new AuthenticationFilter(), "/api/*");
   }