This is an automated email from the ASF dual-hosted git repository.
dataroaring pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 25d7242e559 [feature](merge-cloud) Add `SecurityChecker` for cloud
(#32906)
25d7242e559 is described below
commit 25d7242e5590473388c70bf3b69c8b0d5c833b84
Author: Lei Zhang <[email protected]>
AuthorDate: Thu Apr 4 20:58:59 2024 +0800
[feature](merge-cloud) Add `SecurityChecker` for cloud (#32906)
---
.../org/apache/doris/jdbc/BaseJdbcExecutor.java | 3 +-
.../org/apache/doris/jdbc/DefaultJdbcExecutor.java | 3 +-
.../doris/cloud/security/DummySecurityChecker.java | 37 +++++++++++
.../doris/cloud/security/SecurityChecker.java | 56 ++++++++++++++++
.../doris/cloud/security/UrlSecurityChecker.java | 76 ++++++++++++++++++++++
.../main/java/org/apache/doris/common/Config.java | 6 ++
.../org/apache/doris/common/util/HttpURLUtil.java | 26 +++++---
.../org/apache/doris/common/util/SmallFileMgr.java | 7 +-
.../java/org/apache/doris/common/util/Util.java | 31 ++++++---
.../apache/doris/datasource/es/EsRestClient.java | 17 +++--
.../doris/datasource/jdbc/client/JdbcClient.java | 5 +-
.../org/apache/doris/httpv2/rest/LoadAction.java | 46 +++++++++++--
.../org/apache/doris/httpv2/rest/UploadAction.java | 4 ++
13 files changed, 284 insertions(+), 33 deletions(-)
diff --git
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
index 40ef980a174..a9117e69627 100644
---
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
+++
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/BaseJdbcExecutor.java
@@ -17,6 +17,7 @@
package org.apache.doris.jdbc;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.exception.InternalException;
import org.apache.doris.common.exception.UdfRuntimeException;
import org.apache.doris.common.jni.utils.UdfUtils;
@@ -316,7 +317,7 @@ public abstract class BaseJdbcExecutor implements
JdbcExecutor {
DruidDataSource ds = new DruidDataSource();
ds.setDriverClassLoader(classLoader);
ds.setDriverClassName(config.getJdbcDriverClass());
- ds.setUrl(config.getJdbcUrl());
+
ds.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
ds.setUsername(config.getJdbcUser());
ds.setPassword(config.getJdbcPassword());
ds.setMinIdle(config.getConnectionPoolMinSize()); //
default 1
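Review bot: Whether this `getSafeJdbcUrl` call ever reaches a real checker depends on `Config.security_checker_class_name` being populated in the JVM that hosts the jdbc-scanner extension, which the hunk does not show. `SecurityChecker` selects `DummySecurityChecker` when that value is empty, and the dummy returns the URL unchanged, so an unset value here would turn the check into a silent no-op. It is worth confirming how the setting reaches this process and logging once which implementation was selected. The same applies to the identical change in DefaultJdbcExecutor; the enclosing method starts and ends outside the hunk.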
diff --git
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
index 243abb0ada3..fd10ea74a70 100644
---
a/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
+++
b/fe/be-java-extensions/jdbc-scanner/src/main/java/org/apache/doris/jdbc/DefaultJdbcExecutor.java
@@ -17,6 +17,7 @@
package org.apache.doris.jdbc;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.exception.InternalException;
import org.apache.doris.common.exception.UdfRuntimeException;
import org.apache.doris.common.jni.utils.UdfUtils;
@@ -362,7 +363,7 @@ public class DefaultJdbcExecutor {
DruidDataSource ds = new DruidDataSource();
ds.setDriverClassLoader(classLoader);
ds.setDriverClassName(config.getJdbcDriverClass());
- ds.setUrl(config.getJdbcUrl());
+
ds.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
ds.setUsername(config.getJdbcUser());
ds.setPassword(config.getJdbcPassword());
ds.setMinIdle(config.getConnectionPoolMinSize());
// default 1
diff --git
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
new file mode 100644
index 00000000000..c270eb75e3b
--- /dev/null
+++
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/DummySecurityChecker.java
@@ -0,0 +1,37 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+public class DummySecurityChecker extends SecurityChecker {
+ protected DummySecurityChecker() {}
+
+ @Override
+ public String getSafeJdbcUrl(String originJdbcUrl) throws Exception {
+ return originJdbcUrl;
+ }
+
+ @Override
+ public void startSSRFChecking(String originUri) throws Exception {
+ return;
+ }
+
+ @Override
+ public void stopSSRFChecking() {
+ return;
+ }
+}
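Review bot: The class has no comment saying that it is the fail-open default, which matters because `SecurityChecker` selects it whenever `security_checker_class_name` is empty. I would add a class Javadoc such as `/** No-op checker used when no security checker class is configured; URLs are returned and fetched unchecked. */`. The bare `return;` statements in the two void methods can be removed.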
diff --git
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
new file mode 100644
index 00000000000..10b0e87c888
--- /dev/null
+++
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/SecurityChecker.java
@@ -0,0 +1,56 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+import org.apache.doris.common.Config;
+
+import com.google.common.base.Strings;
+
+/**
+ * SecurityChecker is used to check if the url is safe
+ */
+public abstract class SecurityChecker {
+ private static class SingletonHolder {
+ private static final SecurityChecker INSTANCE =
Strings.isNullOrEmpty(Config.security_checker_class_name)
+ ? new DummySecurityChecker() : new UrlSecurityChecker();
+ }
+
+ protected SecurityChecker() {}
+
+ public static SecurityChecker getInstance() {
+ return SingletonHolder.INSTANCE;
+ }
+
+ /**
+ * Check and return safe jdbc url, avoid sql injection or other security
issues
+ * @param originJdbcUrl
+ * @return
+ * @throws Exception
+ */
+ public abstract String getSafeJdbcUrl(String originJdbcUrl) throws
Exception;
+
+ /**
+ * Check if the uri is safe, avoid SSRF attack
+ * Only handle http:// https://
+ * @param originUri
+ * @throws Exception
+ */
+ public abstract void startSSRFChecking(String originUri) throws Exception;
+
+ public abstract void stopSSRFChecking();
+}
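Review bot: `SingletonHolder.INSTANCE` is fixed the first time `getInstance()` runs, while `security_checker_class_name` is declared `@ConfField(mutable = true, masterOnly = false)` in Config.java and is re-read on every request by the new checks in LoadAction and UploadAction. After a runtime change of the setting those two handlers would switch behaviour while every `startSSRFChecking` and `getSafeJdbcUrl` call keeps using the implementation chosen at start-up. Declaring the field without `mutable = true` would keep the two views consistent. Separately, `stopSSRFChecking()` has no Javadoc; it should state that every `startSSRFChecking` must be paired with a stop in a `finally` block, and the empty `@param`/`@return`/`@throws` tags on the other two methods should be filled in.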
diff --git
a/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
new file mode 100644
index 00000000000..8d4056595e1
--- /dev/null
+++
b/fe/fe-common/src/main/java/org/apache/doris/cloud/security/UrlSecurityChecker.java
@@ -0,0 +1,76 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+package org.apache.doris.cloud.security;
+
+import org.apache.doris.common.Config;
+
+import org.apache.logging.log4j.LogManager;
+import org.apache.logging.log4j.Logger;
+
+import java.lang.reflect.Method;
+
+public class UrlSecurityChecker extends SecurityChecker {
+ private static final Logger LOG =
LogManager.getLogger(UrlSecurityChecker.class);
+ private static Method jdbcUrlCheckMethod = null;
+ private static Method urlSecurityCheckMethod = null;
+ private static Method urlSecurityStopCheckMethod = null;
+
+ static {
+ try {
+ Class clazz = Class.forName(Config.security_checker_class_name);
+ jdbcUrlCheckMethod = clazz.getMethod("filterJdbcConnectionSource",
String.class);
+ urlSecurityCheckMethod =
clazz.getMethod("startSSRFNetHookChecking", String.class);
+ urlSecurityStopCheckMethod =
clazz.getMethod("stopSSRFNetHookChecking", String.class);
+ } catch (Exception e) {
+ LOG.warn("security_checker_class_name:{} exception:",
Config.security_checker_class_name, e);
+ e.printStackTrace();
+ System.out.println("Failed to find
com.aliyun.securitysdk.SecurityUtil's method");
+ }
+ }
+
+ protected UrlSecurityChecker() {}
+
+ @Override
+ public String getSafeJdbcUrl(String originJdbcUrl) throws Exception {
+ if (jdbcUrlCheckMethod != null) {
+ return (String) (jdbcUrlCheckMethod.invoke(null, originJdbcUrl));
+ }
+ throw new Exception("SecurityUtil.filterJdbcConnectionSource not
found");
+ }
+
+ @Override
+ public void startSSRFChecking(String originUri) throws Exception {
+ if (urlSecurityCheckMethod != null) {
+ urlSecurityCheckMethod.invoke(null, originUri);
+ return;
+ }
+ throw new Exception("SecurityUtil.startSSRFNetHookChecking not found");
+ }
+
+ @Override
+ public void stopSSRFChecking() {
+ if (urlSecurityStopCheckMethod != null) {
+ try {
+ urlSecurityStopCheckMethod.invoke(null);
+ } catch (Exception e) {
+ LOG.warn("failed to stop SSRF checking, log and ignore.", e);
+ }
+ return;
+ }
+ }
+}
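Review bot: `stopSSRFNetHookChecking` is looked up with a `String.class` parameter in the static block but invoked as `urlSecurityStopCheckMethod.invoke(null)` with no argument, so the call fails with an `IllegalArgumentException` that `stopSSRFChecking()` catches and logs, and the stop hook never actually runs. One of the two has to change; if the SDK method takes no argument (not visible on this page) the lookup should be `clazz.getMethod("stopSSRFNetHookChecking")`. The failure path of the static block also prints to stdout and names `com.aliyun.securitysdk.SecurityUtil` even though the class is configurable; the `LOG.warn` with the configured name is enough on its own. `Class clazz` is a raw type, and `Class<?> clazz` avoids the warning.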
diff --git a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
index 4b050e57808..e3ae48d3a31 100644
--- a/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
+++ b/fe/fe-common/src/main/java/org/apache/doris/common/Config.java
@@ -17,6 +17,8 @@
package org.apache.doris.common;
+import org.apache.doris.common.ConfigBase.ConfField;
+
public class Config extends ConfigBase {
@ConfField(description = {"用户自定义配置文件的路径,用于存放 fe_custom.conf。该文件中的配置会覆盖
fe.conf 中的配置",
@@ -2642,6 +2644,7 @@ public class Config extends ConfigBase {
public static int drop_user_notify_ms_max_times = 86400;
@ConfField(mutable = true)
+
public static long cloud_tablet_rebalancer_interval_second = 20;
@ConfField(mutable = true)
@@ -2670,6 +2673,9 @@ public class Config extends ConfigBase {
@ConfField(mutable = true)
public static boolean cloud_preheating_enabled = true;
+
+ @ConfField(mutable = true, masterOnly = false)
+ public static String security_checker_class_name = "";
//==========================================================================
// end of cloud config
//==========================================================================
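Review bot: `security_checker_class_name` is added with no `description`, although it switches several code paths and names a class that is loaded by reflection. A `description` or comment should say that an empty value disables checking, and that the named class must provide the static methods `filterJdbcConnectionSource`, `startSSRFNetHookChecking` and `stopSSRFNetHookChecking` that UrlSecurityChecker looks up in this commit.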
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
b/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
index 23026432f59..70b3e68450a 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/HttpURLUtil.java
@@ -17,8 +17,8 @@
package org.apache.doris.common.util;
-
import org.apache.doris.catalog.Env;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.system.SystemInfoService.HostInfo;
import com.google.common.collect.Maps;
@@ -30,16 +30,22 @@ import java.util.Map;
public class HttpURLUtil {
-
public static HttpURLConnection getConnectionWithNodeIdent(String request)
throws IOException {
- URL url = new URL(request);
- HttpURLConnection conn = (HttpURLConnection) url.openConnection();
- // Must use Env.getServingEnv() instead of getCurrentEnv(),
- // because here we need to obtain selfNode through the official
service catalog.
- HostInfo selfNode = Env.getServingEnv().getSelfNode();
- conn.setRequestProperty(Env.CLIENT_NODE_HOST_KEY, selfNode.getHost());
- conn.setRequestProperty(Env.CLIENT_NODE_PORT_KEY, selfNode.getPort() +
"");
- return conn;
+ try {
+ SecurityChecker.getInstance().startSSRFChecking(request);
+ URL url = new URL(request);
+ HttpURLConnection conn = (HttpURLConnection) url.openConnection();
+ // Must use Env.getServingEnv() instead of getCurrentEnv(),
+ // because here we need to obtain selfNode through the official
service catalog.
+ HostInfo selfNode = Env.getServingEnv().getSelfNode();
+ conn.setRequestProperty(Env.CLIENT_NODE_HOST_KEY,
selfNode.getHost());
+ conn.setRequestProperty(Env.CLIENT_NODE_PORT_KEY,
selfNode.getPort() + "");
+ return conn;
+ } catch (Exception e) {
+ throw new IOException(e);
+ } finally {
+ SecurityChecker.getInstance().stopSSRFChecking();
+ }
}
public static Map<String, String> getNodeIdentHeaders() throws IOException
{
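Review bot: The checking window opened by `startSSRFChecking(request)` is closed in the `finally` block before any network I/O takes place, because `url.openConnection()` only creates the connection object and the caller connects later. If the configured checker validates the URL string eagerly this is fine, but if it works as a hook on socket activity between start and stop (the `startSSRFNetHookChecking` name suggests so; not confirmed from the page), the real connect and any redirect it follows run unchecked. In that case the stop belongs with the code that consumes the connection. The `catch (Exception e)` also re-wraps genuine `IOException`s; a preceding `catch (IOException e) { throw e; }` keeps the original type for callers.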
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
b/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
index a95015f04b5..a6552d3ace7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/SmallFileMgr.java
@@ -21,6 +21,7 @@ import org.apache.doris.analysis.CreateFileStmt;
import org.apache.doris.analysis.DropFileStmt;
import org.apache.doris.catalog.Database;
import org.apache.doris.catalog.Env;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.Config;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.io.Text;
@@ -49,7 +50,6 @@ import java.net.URL;
import java.net.URLConnection;
import java.nio.file.Paths;
import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.List;
import java.util.Map;
@@ -289,6 +289,7 @@ public class SmallFileMgr implements Writable {
private SmallFile downloadAndCheck(long dbId, String catalog, String
fileName,
String downloadUrl, String md5sum, boolean saveContent) throws
DdlException {
try {
+ SecurityChecker.getInstance().startSSRFChecking(downloadUrl);
URL url = new URL(downloadUrl);
// get file length
URLConnection urlConnection = url.openConnection();
@@ -366,13 +367,15 @@ public class SmallFileMgr implements Writable {
checksum, false /* not content */);
}
return smallFile;
- } catch (IOException | NoSuchAlgorithmException e) {
+ } catch (Exception e) {
LOG.warn("failed to get file from url: {}", downloadUrl, e);
String errorMsg = e.getMessage();
if (e instanceof FileNotFoundException) {
errorMsg = "File not found";
}
throw new DdlException("Failed to get file from url: " +
downloadUrl + ". Error: " + errorMsg);
+ } finally {
+ SecurityChecker.getInstance().stopSSRFChecking();
}
}
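Review bot: A URL rejected by the reflective checker is likely to arrive in this `catch (Exception e)` as an `InvocationTargetException`, because `UrlSecurityChecker` calls the SDK through `Method.invoke`, and that exception's `getMessage()` is normally null. The user-facing text would then end in `Error: null`, with the real reason only in the log. Unwrapping the cause, either here or once inside `UrlSecurityChecker` around `invoke`, keeps the checker's reason in the message. The new `catch (Exception e)` in JdbcClient has the same problem and also drops the cause; `throw new JdbcClientException(e.getMessage(), e);` would match the catch above it. The enclosing method starts outside this hunk.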
diff --git a/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
b/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
index c454c6cab5c..f86b5e49f20 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/common/util/Util.java
@@ -19,6 +19,7 @@ package org.apache.doris.common.util;
import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.PrimitiveType;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.AnalysisException;
import org.apache.doris.common.FeNameFormat;
import org.apache.doris.datasource.InternalCatalog;
@@ -323,6 +324,7 @@ public class Util {
StringBuilder sb = new StringBuilder();
InputStream stream = null;
try {
+ SecurityChecker.getInstance().startSSRFChecking(urlStr);
URL url = new URL(urlStr);
URLConnection conn = url.openConnection();
if (encodedAuthInfo != null) {
@@ -350,6 +352,7 @@ public class Util {
return null;
}
}
+ SecurityChecker.getInstance().stopSSRFChecking();
}
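Review bot: `stopSSRFChecking()` is placed after the stream-closing code, and the context lines above it show a `return null;` inside that code, so a failed close appears to leave the method without stopping the check. The enclosing block starts outside the hunk, so this is inferred from the visible lines only. Making the stop the first statement of the `finally` block, or wrapping the close in its own `try`/`finally`, guarantees the pairing. Unlike `getInputStreamFromUrl` in the same file, this path also sends `file://` URLs to the checker; the two should be consistent.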
if (LOG.isDebugEnabled()) {
LOG.debug("get result from url {}: {}", urlStr, sb.toString());
@@ -471,14 +474,26 @@ public class Util {
// If no auth info, pass a null.
public static InputStream getInputStreamFromUrl(String urlStr, String
encodedAuthInfo, int connectTimeoutMs,
int readTimeoutMs) throws IOException {
- URL url = new URL(urlStr);
- URLConnection conn = url.openConnection();
- if (encodedAuthInfo != null) {
- conn.setRequestProperty("Authorization", "Basic " +
encodedAuthInfo);
- }
- conn.setConnectTimeout(connectTimeoutMs);
- conn.setReadTimeout(readTimeoutMs);
- return conn.getInputStream();
+ boolean needSecurityCheck = !(urlStr.startsWith("/") ||
urlStr.startsWith("file://"));
+ try {
+ if (needSecurityCheck) {
+ SecurityChecker.getInstance().startSSRFChecking(urlStr);
+ }
+ URL url = new URL(urlStr);
+ URLConnection conn = url.openConnection();
+ if (encodedAuthInfo != null) {
+ conn.setRequestProperty("Authorization", "Basic " +
encodedAuthInfo);
+ }
+ conn.setConnectTimeout(connectTimeoutMs);
+ conn.setReadTimeout(readTimeoutMs);
+ return conn.getInputStream();
+ } catch (Exception e) {
+ throw new IOException(e);
+ } finally {
+ if (needSecurityCheck) {
+ SecurityChecker.getInstance().stopSSRFChecking();
+ }
+ }
}
public static boolean showHiddenColumns() {
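Review bot: The `file://` and `/` exemption is decided from the raw string before the URL is parsed, and everything it matches bypasses the checker completely. A `file:` URL that carries a host component is not necessarily a local read in the JDK's handler, so the exemption should be limited to parsed URLs with an empty host: `URL url = new URL(urlStr);` followed by `boolean needSecurityCheck = !("file".equalsIgnoreCase(url.getProtocol()) && url.getHost().isEmpty());`. A string starting with `/` has no scheme and `new URL` rejects it anyway, so that half of the test exempts nothing useful.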
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
index a57814f69a8..21a85126c9e 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/datasource/es/EsRestClient.java
@@ -17,6 +17,7 @@
package org.apache.doris.datasource.es;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.util.JsonUtil;
import com.fasterxml.jackson.databind.JsonNode;
@@ -235,11 +236,19 @@ public class EsRestClient {
if (!currentNode.endsWith("/")) {
currentNode = currentNode + "/";
}
- Request request = builder.get().url(currentNode + path).build();
- if (LOG.isInfoEnabled()) {
- LOG.info("es rest client request URL: {}",
request.url().toString());
+ String url = currentNode + path;
+ try {
+ SecurityChecker.getInstance().startSSRFChecking(url);
+ Request request = builder.get().url(currentNode + path).build();
+ if (LOG.isInfoEnabled()) {
+ LOG.info("es rest client request URL: {}",
request.url().toString());
+ }
+ return httpClient.newCall(request).execute();
+ } catch (Exception e) {
+ throw new IOException(e);
+ } finally {
+ SecurityChecker.getInstance().stopSSRFChecking();
}
- return httpClient.newCall(request).execute();
}
/**
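Review bot: The string passed to `startSSRFChecking(url)` and the string passed to `builder.get().url(currentNode + path)` are built separately; using the local, `.url(url)`, guarantees that the checked URL and the requested URL cannot drift apart in a later edit. `catch (Exception e) { throw new IOException(e); }` also re-wraps the `IOException`s that `execute()` already throws, which hides the original type from callers; a preceding `catch (IOException e) { throw e; }` avoids that. The method starts outside the hunk.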
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
b/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
index 7e093f1008c..55bfe79ef29 100644
---
a/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
+++
b/fe/fe-core/src/main/java/org/apache/doris/datasource/jdbc/client/JdbcClient.java
@@ -21,6 +21,7 @@ import org.apache.doris.catalog.Column;
import org.apache.doris.catalog.JdbcResource;
import org.apache.doris.catalog.ScalarType;
import org.apache.doris.catalog.Type;
+import org.apache.doris.cloud.security.SecurityChecker;
import org.apache.doris.common.DdlException;
import org.apache.doris.common.util.Util;
import org.apache.doris.datasource.jdbc.JdbcIdentifierMapping;
@@ -127,7 +128,7 @@ public abstract class JdbcClient {
dataSource = new DruidDataSource();
dataSource.setDriverClassLoader(classLoader);
dataSource.setDriverClassName(config.getDriverClass());
- dataSource.setUrl(config.getJdbcUrl());
+
dataSource.setUrl(SecurityChecker.getInstance().getSafeJdbcUrl(config.getJdbcUrl()));
dataSource.setUsername(config.getUser());
dataSource.setPassword(config.getPassword());
dataSource.setMinIdle(config.getConnectionPoolMinSize()); //
default 1
@@ -149,6 +150,8 @@ public abstract class JdbcClient {
+ ", ConnectionPoolMaxLifeTime = " +
config.getConnectionPoolMaxLifeTime());
} catch (MalformedURLException e) {
throw new JdbcClientException("MalformedURLException to load class
about " + config.getDriverUrl(), e);
+ } catch (Exception e) {
+ throw new JdbcClientException(e.getMessage());
} finally {
Thread.currentThread().setContextClassLoader(oldClassLoader);
}
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
index 387259c056f..692f0cc8ad3 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/LoadAction.java
@@ -54,6 +54,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.servlet.view.RedirectView;
+import java.net.InetAddress;
import java.net.URI;
import java.util.List;
import java.util.Set;
@@ -428,13 +429,46 @@ public class LoadAction extends RestBaseController {
throw new LoadException("Invalid header host: " + reqHost);
}
- if (InetAddressValidator.getInstance().isValid(reqHost)
- && publicHostPort != null && reqHost == publicHostPort.first) {
- return new TNetworkAddress(publicHostPort.first,
publicHostPort.second);
- } else if (privateHostPort != null) {
- return new TNetworkAddress(reqHost, privateHostPort.second);
+ if (!Strings.isNullOrEmpty(Config.security_checker_class_name)) {
+ // ip
+ if (InetAddressValidator.getInstance().isValid(reqHost)) {
+ InetAddress addr;
+ try {
+ addr = InetAddress.getByName(reqHost);
+ } catch (Exception e) {
+ LOG.warn("unknown host expection: {}", e.getMessage());
+ throw new LoadException(e.getMessage());
+ }
+ if (addr.isSiteLocalAddress() && privateHostPort != null) {
+ return new TNetworkAddress(privateHostPort.first,
privateHostPort.second);
+ } else if (publicHostPort != null) {
+ return new TNetworkAddress(publicHostPort.first,
publicHostPort.second);
+ } else {
+ LOG.warn("Invalid ip or wrong cluster, host: {}, public
endpoint: {}, private endpoint: {}",
+ reqHostStr, publicHostPort, privateHostPort);
+ throw new LoadException("Invalid header host: " + reqHost);
+ }
+ }
+
+ // domin
+ if (publicHostPort != null &&
reqHost.toLowerCase().contains("public")) {
+ return new TNetworkAddress(publicHostPort.first,
publicHostPort.second);
+ } else if (privateHostPort != null) {
+ return new TNetworkAddress(privateHostPort.first,
privateHostPort.second);
+ } else {
+ LOG.warn("Invalid host or wrong cluster, host: {}, public
endpoint: {}, private endpoint: {}",
+ reqHostStr, publicHostPort, privateHostPort);
+ throw new LoadException("Invalid header host: " + reqHost);
+ }
} else {
- return new TNetworkAddress(backend.getHost(),
backend.getHttpPort());
+ if (InetAddressValidator.getInstance().isValid(reqHost)
+ && publicHostPort != null && reqHost ==
publicHostPort.first) {
+ return new TNetworkAddress(publicHostPort.first,
publicHostPort.second);
+ } else if (privateHostPort != null) {
+ return new TNetworkAddress(reqHost, privateHostPort.second);
+ } else {
+ return new TNetworkAddress(backend.getHost(),
backend.getHttpPort());
+ }
}
}
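Review bot: In the security branch the choice between the public and the private endpoint for a host name rests on `reqHost.toLowerCase().contains("public")`, a substring test on the client-supplied Host header, so any name containing that word is routed to the public endpoint and every other name to the private one. Matching against the configured endpoint host names would be more robust. For IP literals, `isSiteLocalAddress()` covers only the site-local ranges (for IPv4: 10/8, 172.16/12 and 192.168/16), so loopback, link-local and other internal ranges fall through to the public endpoint; confirm that this is intended. The retained `reqHost == publicHostPort.first` in the else branch compares references and should be `reqHost.equals(publicHostPort.first)`. The method starts outside the hunk.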
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
index 6b58fcefcf1..4fc2eeebb87 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/httpv2/rest/UploadAction.java
@@ -131,6 +131,10 @@ public class UploadAction extends RestBaseController {
@PathVariable(value = TABLE_KEY) String tblName,
HttpServletRequest request, HttpServletResponse response) {
+ if (!Strings.isNullOrEmpty(Config.security_checker_class_name)) {
+ return ResponseEntityBuilder.badRequest("Not support upload data
api in security env");
+ }
+
ActionAuthorizationInfo authInfo = checkWithCookie(request, response,
false);
if (!ns.equalsIgnoreCase(SystemInfoService.DEFAULT_CLUSTER)) {