mshahid6 opened a new pull request, #19011:
URL: https://github.com/apache/druid/pull/19011
Fixes #18964
### Description
Added a broker level dynamic config and query blocklist for dynamically
blocking queries in the situation there is a rogue app/user spamming the
cluster without relying on static configs/restarts.
#### BrokerDynamicConfig
Followed a similar pattern to CoordinatorDynamicConfig. REST APIs:
- GET /druid/broker/v1/config: get current config
- POST /druid/broker/v1/config: set config
Can also be used for features like query blocklist enforcement, data
aliases, routing rules, feature flags etc.
#### QueryBlocklistRule
Enforced early in QueryLifecycle (after init) and throws DruidException when
a query matches a rule i.e. if ALL specified criteria match (AND logic). Null
or empty criteria act as wildcards (match everything):
- `dataSources`: Matches if ANY datasource in the query intersects with
the rule's datasources
- `queryTypes`: Matches if the query type is in the rule's query types
- `contextMatches`: Matches if ALL key-value pairs in the rule match the
query context (exact string match)
Reusing coordinator dynamic config for query blocklisting was considered but
it is not the appropriate enforcement point and would require broker to pull
coordinator config. Moreover, broker config can be used for other future
features such as datasource aliasing, routing rules or feature flags.
#### Release note
Added broker-level query blocklist feature for dynamically blocking queries
without restarts. Operators can block queries by datasource, query type, or
query context using the new /druid/broker/v1/config API. Rules use AND logic
(all criteria must match) and are stored in the metadata database.
##### Key changed/added classes in this PR
- BrokerDynamicConfig - Dynamic configuration class with query blocklist
- QueryBlocklistRule - Rule-based query matching with validation
- BrokerConfigManager - Manager for getting/setting broker config from
metadata database
- BrokerDynamicConfigsResource - REST endpoints for config management
- QueryLifecycle - Added blocklist enforcement before authorization
- QueryLifecycleFactory - Added BrokerConfigManager injection
- QueryBlocklistRuleTest
- QueryLifecycleTest
This PR has:
- [ ] been self-reviewed.
- [ ] using the [concurrency
checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
(Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] a release note entry in the PR description.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked
related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [ ] added comments explaining the "why" and the intent of the code
wherever would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for [code
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
is met.
- [ ] added integration tests.
- [ ] been tested in a test Druid cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
