Add LDAP/Active Directory Authentication Support for Broker and Controller

[ayushbilala]

Pinot currently lacks built-in LDAP/Active Directory authentication support for securing Broker and Controller REST APIs. This feature request proposes adding configurable LDAP authentication to enable enterprise integration with existing directory services.

Problem Statement

Organizations using Apache Pinot need to:

1. Integrate with existing LDAP/Active Directory infrastructure
2. Authenticate users accessing Pinot Query Console and REST APIs
3. Secure broker query endpoints and controller management APIs
4. Support standard Basic Authentication with LDAP backend validation

Currently, Pinot has limited authentication options, making it challenging for enterprises to deploy Pinot in environments with strict security requirements.

Backward Compatibility

• Fully backward compatible: Existing deployments without LDAP config continue to work
• Opt-in feature: Only enabled when authentication.factory.class is configured
• No breaking changes: All changes are additive, no modifications to existing APIs

Future Enhancements (Not in Initial PR)

This feature lays the groundwork for future authentication/authorization enhancements:

1. RBAC Authorization (Separate PR)

   • File-based authorization policies
   • Table-level permissions
   • Endpoint-level access control

2. UI Session Management (Separate PR)

   • Browser session persistence
   • Auto-restore on page refresh

3. Advanced Features (Future)

   • OAuth/OIDC support

[Jackie-Jiang]

Hi @ayushbilala, thanks for raising this feature request. Are you going to work on this?

[ayushbilala]

Hey @Jackie-Jiang , Yes I'll pick it up.

[NihalJain]

Hi @ayushbilala have you already started working on this? We have a draft patch with basic + ldap auth internally, which we planned on pushing to OS. Let me know if you already started working on this

[NihalJain]

Hi @ayushbilala Should I go ahead and create a PR for this change?

[xiangfu0]

Hi @NihalJain, I would suggest to submit a PR and we can review it all together.

[ayushbilala]

@NihalJain Sorry, I missed your comment earlier. Yes, I did spend some time on it. If you’re ready with your changes, we can review them together.

[NihalJain]

Thank you @xiangfu0 and @ayushbilala. Thanks for your response. I will raise a PR soon.

I plan to do in the following order:

• Refactor authorization code to reduce duplication and inconsistency #15861 - Will pull this change, apply on master and resubmit this by this week. This change allows us to avoid duplicate code for auth for any new implementation.
• Then apply our internal change for LDAP change implementation on master with previous change: Tentatively will raise by following week.