[Feature-14802][api] Use Casdoor SSO to log in, add admin user config…

…uration (#14814)

* [Feature-14802][feat] Use Casdoor SSO to log in, add admin user configuration

    Use Casdoor SSO to log in, add admin user configuration

This closes #14802

* [Feature-14802][feat] Use Casdoor SSO to log in, add admin user configuration

    Use Casdoor SSO to log in, add admin user configuration

This closes #14802

* update doc

* [Feature-14802][feat] Use Casdoor SSO to log in, add admin user configuration

    Use Casdoor SSO to log in, add admin user configuration

This closes #14802

---------

Co-authored-by: Eric Gao <ericgao.apache@gmail.com>
Co-authored-by: 旺阳 <qingwli@cisco.com>

docs/docs/en/architecture/configuration.md

@@ -261,6 +261,14 @@ Location: `api-server/conf/application.yaml`
 |security.authentication.ldap.ssl.enable|false|LDAP switch|
 |security.authentication.ldap.ssl.trust-store|ldapkeystore.jks|LDAP jks file absolute path|
 |security.authentication.ldap.ssl.trust-store-password|password|LDAP jks password|
+|security.authentication.casdoor.user.admin||admin user account when you log-in with Casdoor|
+|casdoor.endpoint||Casdoor server url|
+|casdoor.client-id||id in Casdoor|
+|casdoor.client-secret||secret in Casdoor|
+|casdoor.certificate||certificate in Casdoor|
+|casdoor.organization-name||organization name in Casdoor|
+|casdoor.application-name||application name in Casdoor|
+|casdoor.redirect-url||doplhinscheduler login url|
 |api.traffic.control.global.switch|false|traffic control global switch|
 |api.traffic.control.max-global-qps-rate|300|global max request number per second|
 |api.traffic.control.tenant-switch|false|traffic control tenant switch|

docs/docs/en/guide/security/authentication-type.md

@@ -30,6 +30,9 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    casdoor:
+      user:
+        admin: ""
     oauth2:
       enable: false
       provider:
@@ -53,6 +56,19 @@ security:
           callbackUrl: ""
           iconUri: ""
           provider: google
+casdoor:
+   # Your Casdoor server url
+   endpoint: ""
+   client-id: ""
+   client-secret: ""
+   # The certificate may be multi-line, you can use `|-` for ease
+   certificate: ""
+   # Your organization name added in Casdoor
+   organization-name: ""
+   # Your application name added in Casdoor
+   application-name: ""
+   # Doplhinscheduler login url
+   redirect-url: ""
 ```
 
 For detailed explanation of specific fields, please see: [Api-server related configuration](../../architecture/configuration.md)

docs/docs/zh/architecture/configuration.md

@@ -260,6 +260,14 @@ common.properties配置文件目前主要是配置hadoop/s3/yarn/applicationId
 |security.authentication.ldap.ssl.enable|false|LDAP ssl开关|
 |security.authentication.ldap.ssl.trust-store|ldapkeystore.jks|LDAP jks文件绝对路径|
 |security.authentication.ldap.ssl.trust-store-password|password|LDAP jks密码|
+|security.authentication.casdoor.user.admin||Casdoor登陆时，系统管理员账号|
+|casdoor.endpoint||Casdoor服务器URL|
+|casdoor.client-id||Casdoor中的ID|
+|casdoor.client-secret||Casdoor中的密钥|
+|casdoor.certificate||Casdoor中的证书|
+|casdoor.organization-name||Casdoor中的组织名称|
+|casdoor.application-name||Casdoor中的应用名称|
+|casdoor.redirect-url||dolphinscheduler登录URL|
 |api.traffic.control.global.switch|false|流量控制全局开关|
 |api.traffic.control.max-global-qps-rate|300|全局最大请求数/秒|
 |api.traffic.control.tenant-switch|false|流量控制租户开关|

docs/docs/zh/guide/security/authentication-type.md

@@ -30,6 +30,9 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    casdoor:
+      user:
+        admin: ""
     oauth2:
       enable: false
       provider:
@@ -53,6 +56,19 @@ security:
           callbackUrl: ""
           iconUri: ""
           provider: google
+casdoor:
+   # Your Casdoor server url
+   endpoint: ""
+   client-id: ""
+   client-secret: ""
+   # The certificate may be multi-line, you can use `|-` for ease
+   certificate: ""
+   # Your organization name added in Casdoor
+   organization-name: ""
+   # Your application name added in Casdoor
+   application-name: ""
+   # Doplhinscheduler login url
+   redirect-url: ""
 ```
 
 具体字段解释详见：[Api-server相关配置](../../architecture/configuration.md)

dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/security/impl/sso/CasdoorAuthenticator.java

@@ -42,6 +42,8 @@ public class CasdoorAuthenticator extends AbstractSsoAuthenticator {
     private CasdoorAuthService casdoorAuthService;
     @Value("${casdoor.redirect-url}")
     private String redirectUrl;
+    @Value("${security.authentication.casdoor.user.admin:#{null}}")
+    private String adminUserName;
 
     @Override
     public User login(String state, String code, String extra) {
@@ -66,12 +68,17 @@ public User login(String state, String code, String extra) {
             // check if user exist
             user = usersService.getUserByUserName(casdoorUser.getName());
             if (user == null) {
-                user = usersService.createUser(UserType.GENERAL_USER, casdoorUser.getName(), casdoorUser.getEmail());
+                user = usersService.createUser(getUserType(casdoorUser.getName()), casdoorUser.getName(),
+                        casdoorUser.getEmail());
             }
         }
         return user;
     }
 
+    public UserType getUserType(String userName) {
+        return adminUserName.equalsIgnoreCase(userName) ? UserType.ADMIN_USER : UserType.GENERAL_USER;
+    }
+
     @Override
     public String getSignInUrl(String state) {
         return casdoorAuthService.getSigninUrl(redirectUrl, state);

dolphinscheduler-api/src/main/resources/application.yaml

@@ -181,6 +181,9 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    casdoor:
+      user:
+        admin: ""
     oauth2:
       enable: false
       provider:
@@ -204,6 +207,20 @@ security:
           callbackUrl: ""
           iconUri: ""
           provider: google
+casdoor:
+  # Your Casdoor server url
+  endpoint: ""
+  client-id: ""
+  client-secret: ""
+  # The certificate may be multi-line, you can use `|-` for ease
+  certificate: ""
+  # Your organization name added in Casdoor
+  organization-name: ""
+  # Your application name added in Casdoor
+  application-name: ""
+  # Doplhinscheduler login url
+  redirect-url: ""
+
 
 # Override by profile
 

dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/security/impl/sso/CasdoorAuthenticatorTest.java

@@ -55,7 +55,8 @@
         "casdoor.certificate=public-key",
         "casdoor.organization-name=built-in",
         "casdoor.application-name=app-built-in",
-        "casdoor.redirect-url=http://localhost:8888/view/login/index.html"
+        "casdoor.redirect-url=http://localhost:8888/view/login/index.html",
+        "security.authentication.casdoor.user.admin=admin"
 })
 public class CasdoorAuthenticatorTest extends AbstractControllerTest {
 

dolphinscheduler-api/src/test/resources/application.yaml

@@ -87,6 +87,9 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: "password"
+    casdoor:
+      user:
+        admin: ""
     oauth2:
       enable: true
       provider:

dolphinscheduler-standalone-server/src/main/resources/application.yaml

@@ -111,6 +111,9 @@ security:
         # jks file absolute path && password
         trust-store: "/ldapkeystore.jks"
         trust-store-password: ""
+    casdoor:
+      user:
+        admin: admin
     oauth2:
       enable: false
       provider:
@@ -135,7 +138,19 @@ security:
           iconUri: ""
           provider: gitee
 
-
+casdoor:
+  # Your Casdoor server url
+  endpoint: http://localhost:8000
+  client-id: ""
+  client-secret: ""
+  # The certificate may be multi-line, you can use `|-` for ease
+  certificate: ""
+  # Your organization name added in Casdoor
+  organization-name: built-in
+  # Your application name added in Casdoor
+  application-name: dolphinscheduler
+  # Doplhinscheduler login url
+  redirect-url: http://localhost:5173/login