Expose authorization header in Swagger API docs#18974
Conversation
|
Review request: @apucher @Jackie-Jiang GitHub did not allow this account/integration to add requested reviewers through the reviewer section, so I am tagging the relevant reviewers here for visibility. This PR fixes #7805 by adding the configured Drafted-by: Codex (GPT-5); human-reviewed by Vamsi-klu before posting |
|
Can you add the UI screenshot for the testing |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #18974 +/- ##
============================================
- Coverage 65.06% 65.05% -0.01%
Complexity 1403 1403
============================================
Files 3399 3399
Lines 212797 212805 +8
Branches 33567 33567
============================================
- Hits 138457 138449 -8
- Misses 63204 63206 +2
- Partials 11136 11150 +14
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Harness. 🚀 New features to boost your workflow:
|
|
@xiangfu0 thanks for asking for the UI screenshot. I captured this from the latest PR branch/commit. Screenshot proof
Validation
|
|
Opened docs follow-up PR: pinot-contrib/pinot-docs#920 |
## What changed - documented how authenticated controller Swagger sessions now use the standard `Authorize` dialog to set the `Authorization` header - clarified that users can enter either `Basic <token>` or `Bearer <token>` there, depending on deployment auth ## Why apache/pinot#18974 exposed Pinot's existing `Authorization` header in the generated Swagger/OpenAPI security definition. ## Reader impact Users of the controller admin UI no longer need to infer or hand-edit the auth header for every Swagger request. ## Source cross-check Verified against local `apache/pinot` merge commit `00d1c88763d4015b9ce966ad7c13a52abf30f9b2`. ## Validation - `git diff --check` - lightweight local link validation for the edited files


Fixes #7805
What changed
This PR adds the configured authorization header to Pinot's generated Swagger API documentation.
SwaggerSetupUtilsnow builds a Swagger security definition for the existingAuthorizationheader and applies that security requirement to the generated API config. The runtime authentication behavior is unchanged; this only makes the OpenAPI/Swagger description accurately expose the header that secured Pinot APIs already expect.The PR also extracts the Swagger config construction into a testable helper so the generated API metadata can be validated without starting a controller.
Why it matters
When Swagger does not describe the authorization header, users can see secured endpoints in the API docs but have no standard way to supply credentials from the Swagger UI or generated clients. That makes secured controller APIs harder to try, document, and integrate with.
Pinot already has a shared
Authorizationheader constant for Swagger auth. Surfacing it in the Swagger config aligns the documentation with the actual authentication contract and avoids forcing users to infer or manually patch the header into requests.Impact
Swagger/OpenAPI consumers now see an API-key-style
Authorizationheader security definition.Swagger UI users can provide the authorization header through the documented security mechanism instead of manually editing each request.
Existing runtime auth behavior, filters, and controller authorization checks are not changed.
Testing
./mvnw -pl pinot-common -Dtest=SwaggerSetupUtilsTest test./mvnw -pl pinot-common spotless:apply./mvnw -pl pinot-common checkstyle:check./mvnw -pl pinot-common license:checkgit diff --checkThe test verifies that the generated Swagger config contains the
Authorizationheader security definition, uses the expected API key auth scheme, and attaches the security requirement to the API config.Drafted-by: Codex (GPT-5); human-reviewed by Vamsi-klu before marking ready for review