Re: [PR] Add policy enforcer to sanity check on policy in query execution (druid)

Tue, 15 Apr 2025 20:25:06 -0700 


cecemei commented on code in PR #17774:
URL: https://github.com/apache/druid/pull/17774#discussion_r2045934121


##########
processing/src/main/java/org/apache/druid/segment/SegmentReference.java:
##########
@@ -19,12 +19,31 @@
 
 package org.apache.druid.segment;
 
+import org.apache.druid.query.policy.NoopPolicyEnforcer;
+import org.apache.druid.query.policy.PolicyEnforcer;
+
 /**
- * A {@link Segment} with a associated references, such as {@link 
ReferenceCountingSegment} where the reference is
+ * A {@link Segment} with an associated references, such as {@link 
ReferenceCountingSegment} where the reference is
  * the segment itself, and {@link 
org.apache.druid.segment.join.HashJoinSegment} which wraps a
  * {@link ReferenceCountingSegment} and also includes the associated list of
  * {@link org.apache.druid.segment.join.JoinableClause}
  */
 public interface SegmentReference extends Segment, ReferenceCountedObject
 {
+
+  /**
+   * Validates if the segment complies with the policy restrictions on tables.
+   * <p>
+   * This should be called right before the segment is about to be processed 
by the query stack, and after
+   * {@link 
org.apache.druid.query.planning.ExecutionVertex#createSegmentMapFunction(PolicyEnforcer)}.
+   */
+  default void validateOrElseThrow(PolicyEnforcer policyEnforcer)

Review Comment:
   I managed to run some tests based on BroadcastJoin in MSQ, disabled the 
enforcer on `DruidQuery` side, and it's actually catching security validation 
failure when I use `TableDataSource` as one of left child and right child, in 
the scanning step. And the join step (runWithInputChannel) actually don't 
enforce anything, because it's using a `FrameSegment`. 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to