Add missing authentication for RPC calls

[LiebingYu]

Search before asking

• I searched in the issues and found nothing similar.

Description

Currently, nearly half of the RPC calls in Fluss do not have authentication implemented, which poses a significant risk in production environments. I have listed all the RPC calls along with the current status of their authentication implementation.

In the "action" column, entries marked as "OK" indicate that authentication has been fully implemented, while those marked as "Fix" indicate that improvements are needed.

RPC Call	Resource Type	Operation Type	IS Internal	Action
apiVersions	CLUSTER	DESCRIBE	F	OK
listDatabases	DATABASE	DESCRIBE	F	OK
getDatabaseInfo	DATABASE	DESCRIBE	F	OK
databaseExists	DATABASE	DESCRIBE	F	Fix
listTables	TABLE	DESCRIBE	F	OK
getTableInfo	TABLE	DESCRIBE	F	OK
getTableSchema	TABLE	DESCRIBE	F	Fix
tableExists	TABLE	DESCRIBE	F	Fix
getLatestKvSnapshots	TABLE	DESCRIBE	F	Fix
getKvSnapshotMetadata	TABLE	DESCRIBE	F	Fix
getFileSystemSecurityToken	TABLE	READ	F	#752
listPartitionInfos	TABLE	DESCRIBE	F	Fix
getLatestLakeSnapshot	TABLE	DESCRIBE	F	Fix
listAcls		DESCRIBE	F	OK
describeClusterConfigs	CLUSTER	DESCRIBE	F	OK
createDatabase	CLUSTER	CREATE	F	OK
dropDatabase	CLUSTER	DROP	F	OK
createTable	DATABASE	CREATE	F	OK
alterTable	TABLE	ALTER	F	OK
dropTable	TABLE	DROP	F	OK
createPartition	TABLE	WRITE	F	OK
dropPartition	TABLE	WRITE	F	OK
metadata	TABLE	DESCRIBE	F	OK
adjustIsr	CLUSTER	WRITE	T	Fix
commitKvSnapshot	CLUSTER	WRITE	T	Fix
commitRemoteLogManifest	CLUSTER	WRITE	T	Fix
createAcls	TABLE/DATABASE	ALTER	F	OK
dropAcls	TABLE/DATABASE	ALTER	F	OK
commitLakeTableSnapshot	CLUSTER	WRITE	T	Fix
lakeTieringHeartbeat	CLUSTER	WRITE	T	Fix
controlledShutdown	CLUSTER	WRITE	T	Fix
alterClusterConfigs	CLUSTER	ALTER	F	OK
produceLog	TABLE	WRITE	F	OK
fetchLog	TABLE	READ	Both internal and external	OK
putKv	TABLE	WRITE	F	OK
lookup	TABLE	READ	F	OK
prefixLookup	TABLE	READ	F	OK
limitScan	TABLE	READ	F	OK
notifyLeaderAndIsr	CLUSTER	WRITE	T	Fix
updateMetadata	CLUSTER	WRITE	T	Fix
stopReplica	CLUSTER	WRITE	T	Fix
listOffsets	TABLE	DESCRIBE	F	Fix
initWriter	TABLE	WRITE	F	OK
notifyRemoteLogOffsets	CLUSTER	WRITE	T	Fix
notifyKvSnapshotOffset	CLUSTER	WRITE	T	Fix
notifyLakeTableOffset	CLUSTER	WRITE	T	Fix

Willingness to contribute

• I'm willing to submit a PR!

[vaibhavk1992]

Hi @LiebingYu , I see this issue is assigned but hasn’t had activity for a while. Just checking if it’s still being worked on—if not, I’d be happy to help or take it up.

[LiebingYu]

Hi @LiebingYu , I see this issue is assigned but hasn’t had activity for a while. Just checking if it’s still being worked on—if not, I’d be happy to help or take it up.

@vaibhavk1992 Hi! Thanks for checking in. Please feel free to take this up! I'll assign to you. Just a friendly reminder: since there are quite a few missing authentication methods, it would be best to categorize them and implement them across multiple PRs for easier merging.

[vaibhavk1992]

@LiebingYu
Thanks for assigning this to me! Really appreciate the thorough audit in the issue description—makes it much easier to tackle systematically.

Approach

I'm planning to categorize the fixes into two phases:

Phase 1: External RPCs (client-facing metadata operations)
databaseExists, tableExists, getTableSchema, getLatestKvSnapshots,
getKvSnapshotMetadata, listPartitionInfos, getLatestLakeSnapshot,
listOffsets

→ Add authorizer.authorize(session, DESCRIBE, resource) checks following the
pattern in createDatabase().

Phase 2: Internal RPCs (server-to-server coordination)
adjustIsr, commitKvSnapshot, notifyLeaderAndIsr, updateMetadata, etc.

→ These need both authorization checks + validation that session.isInternal() is
true to prevent external clients from calling internal APIs.

Quick Questions

• Any prior discussions, design docs, or reference PRs I should review?
• Preferred pattern for internal RPC auth? Should I follow a specific "OK" RPC as a
  template?
• Existing test patterns for unauthorized access scenarios?

Happy to adjust the approach based on feedback!

[vaibhavk1992]

Hi @LiebingYu , just a gentle follow-up on this in case you have some thoughts to share. Would really appreciate any guidance 🙂

[LiebingYu]

Hi @LiebingYu , just a gentle follow-up on this in case you have some thoughts to share. Would really appreciate any guidance 🙂

Sorry for the dely response.

• I think is ok to categorize to External RPCs and Internal RPCs. But there are too many External RPCs, you can further categorize them, for example, kv snapshot, lake snapshot ...
• There's an unmerged PR: [hotfix] Add missing authentication for CoordinatorService RPC calls #2359
• For test you can refer to FlussAuthorizationITCase

By the way, the RPCs organized in issue may be outdated, and some new methods may have been added during this time...

[vaibhavk1992]

I am planning to do it the below way let me know if this looks good, also shall I track these multiple PRs under different issues?
FYI @wuchong
Phase 1: External RPCs (User-Facing) - Higher Priority

These are directly exposed to clients and have higher security risk:

PR 1: Database & Table Existence Checks ─

• databaseExists - DATABASE/DESCRIBE
• tableExists - TABLE/DESCRIBE

PR 2: Table Metadata Read Operations

• getTableSchema - TABLE/DESCRIBE
• listPartitionInfos - TABLE/DESCRIBE
• listOffsets - TABLE/DESCRIBE

PR 3: Snapshot Read Operations

• getLatestKvSnapshots - TABLE/DESCRIBE
• getKvSnapshotMetadata - TABLE/DESCRIBE
• getLatestLakeSnapshot - TABLE/DESCRIBE

Phase 2: Internal RPCs (Server-to-Server) - Lower Priority

These are server-to-server calls, less exposed but still need fixing:

PR 4: Replication Control (High Impact)

• notifyLeaderAndIsr - CLUSTER/WRITE
• updateMetadata - CLUSTER/WRITE
• stopReplica - CLUSTER/WRITE
• adjustIsr - CLUSTER/WRITE

PR 5: Snapshot Management

• commitKvSnapshot - CLUSTER/WRITE
• notifyKvSnapshotOffset - CLUSTER/WRITE
• commitLakeTableSnapshot - CLUSTER/WRITE
• notifyLakeTableOffset - CLUSTER/WRITE

PR 6: Remote Log & Tiering

• commitRemoteLogManifest - CLUSTER/WRITE
• notifyRemoteLogOffsets - CLUSTER/WRITE
• lakeTieringHeartbeat - CLUSTER/WRITE

PR 7: Server Lifecycle

• controlledShutdown - CLUSTER/WRITE

[vaibhavk1992]

PR for Database & Table Existence Checks
#3078