jtuglu1 commented on code in PR #19011: URL: https://github.com/apache/druid/pull/19011#discussion_r2801431173
########## server/src/main/java/org/apache/druid/server/QueryBlocklistRule.java: ########## 
@@ -0,0 +1,176 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.server; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.google.common.base.Preconditions; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; +import org.apache.druid.query.Query; + +import javax.annotation.Nullable; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +/** + * A rule for matching queries against blocklist criteria. A query matches this rule if ALL + * specified criteria match (AND logic). Null or empty criteria match everything. 
+ */ +public class QueryBlocklistRule +{ + private final String ruleName; + @Nullable + private final Set<String> dataSources; + @Nullable + private final Set<String> queryTypes; + @Nullable + private final Map<String, String> contextMatches; + + @JsonCreator + public QueryBlocklistRule( + @JsonProperty("ruleName") String ruleName, + @JsonProperty("dataSources") @Nullable Set<String> dataSources, + @JsonProperty("queryTypes") @Nullable Set<String> queryTypes, + @JsonProperty("contextMatches") @Nullable Map<String, String> contextMatches + ) + { + Preconditions.checkArgument( + !Strings.isNullOrEmpty(ruleName), + "ruleName must not be null or empty" + ); + + // At least one criterion must be specified to prevent accidentally blocking all queries + boolean hasDataSources = dataSources != null && !dataSources.isEmpty(); + boolean hasQueryTypes = queryTypes != null && !queryTypes.isEmpty(); + boolean hasContextMatches = contextMatches != null && !contextMatches.isEmpty(); + + Preconditions.checkArgument( + hasDataSources || hasQueryTypes || hasContextMatches, + "At least one criterion (dataSources, queryTypes, or contextMatches) must be specified. " + + "A rule with all null/empty criteria would block ALL queries." + ); + + this.ruleName = ruleName; + this.dataSources = dataSources; + this.queryTypes = queryTypes; + this.contextMatches = contextMatches; + } + + @JsonProperty + public String getRuleName() + { + return ruleName; + } + + @JsonProperty + @Nullable + public Set<String> getDataSources() + { + return dataSources; + } + + @JsonProperty + @Nullable + public Set<String> getQueryTypes() + { + return queryTypes; + } + + @JsonProperty + @Nullable + public Map<String, String> getContextMatches() + { + return contextMatches; + } + + /** + * Returns true if the query matches ALL specified criteria (AND logic). + * Null or empty criteria match everything. 
+ * + * @param query the query to check + * @return true if the query matches this rule, false otherwise + */ + public boolean matches(Query<?> query) + { + if (!isNullOrEmpty(dataSources)) { + Set<String> queryDatasources = query.getDataSource().getTableNames(); + if (Sets.intersection(dataSources, queryDatasources).isEmpty()) { + return false; + } + } + + if (!isNullOrEmpty(queryTypes)) { + if (!queryTypes.contains(query.getType())) { + return false; + } + } + + if (contextMatches != null && !contextMatches.isEmpty()) { + for (Map.Entry<String, String> entry : contextMatches.entrySet()) { + Object contextValue = query.getContext().get(entry.getKey()); + if (!entry.getValue().equals(String.valueOf(contextValue))) { + return false; + } + } + } + + return true; Review Comment: I think we should invert this. Ideally, a rule matching a query <==> that query is blocked. i.e matches should return `false` by default. ########## server/src/main/java/org/apache/druid/server/coordinator/CoordinatorDynamicConfig.java: ########## @@ -454,6 +478,7 @@ public static int getDefaultBalancerComputeThreads() private static class Defaults { + static final List<QueryBlocklistRule> QUERY_BLOCKLIST = ImmutableList.of(); Review Comment: nit: `List.of()` ########## server/src/main/java/org/apache/druid/server/QueryBlocklistRule.java: ########## 
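Review bot: In `matches`, the `contextMatches` loop compares each expected value against `String.valueOf(contextValue)`, so a query that does not carry the key is compared as the literal string `"null"`, and a rule whose expected value is `"null"` would match every query lacking that key. An absent key should be treated as a non-match explicitly, for example `if (contextValue == null || !entry.getValue().equals(String.valueOf(contextValue))) { return false; }`. Query context is normally set by whoever submits the query, so the class Javadoc should also state that a rule relying only on `contextMatches` is advisory, and that a block meant to be enforced needs `dataSources` or `queryTypes` as well. Separately, the constructor stores the deserialized `Set` and `Map` arguments by reference; copying them (`Set.copyOf`, `Map.copyOf`) would stop a rule from changing after construction.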
@@ -0,0 +1,176 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.server; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.google.common.base.Preconditions; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; +import org.apache.druid.query.Query; + +import javax.annotation.Nullable; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +/** + * A rule for matching queries against blocklist criteria. A query matches this rule if ALL + * specified criteria match (AND logic). Null or empty criteria match everything. Review Comment: I think we should negate this. Queries matching all criteria in the `QueryBlocklistRule` are blocked, and those that do not match are not blocked. ########## server/src/main/java/org/apache/druid/server/coordinator/CoordinatorDynamicConfig.java: ########## 
@@ -172,6 +181,7 @@ public CoordinatorDynamicConfig( this.validDebugDimensions = validateDebugDimensions(debugDimensions); this.turboLoadingNodes = Configs.valueOrDefault(turboLoadingNodes, Set.of()); this.cloneServers = Configs.valueOrDefault(cloneServers, Map.of()); + this.queryBlocklist = queryBlocklist != null ? ImmutableList.copyOf(queryBlocklist) : Defaults.QUERY_BLOCKLIST; Review Comment: Is there a reason we are creating an immutable copy of this? Maybe let's use `Configs.valueOrDefault` to follow convention here with the rest of the containers being serde'd. ########## server/src/main/java/org/apache/druid/server/QueryBlocklistRule.java: ########## 
@@ -0,0 +1,176 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.server; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.google.common.base.Preconditions; +import com.google.common.base.Strings; +import com.google.common.collect.Sets; +import org.apache.druid.query.Query; + +import javax.annotation.Nullable; +import java.util.Map; +import java.util.Objects; +import java.util.Set; + +/** + * A rule for matching queries against blocklist criteria. A query matches this rule if ALL + * specified criteria match (AND logic). Null or empty criteria match everything. 
+ */ +public class QueryBlocklistRule +{ + private final String ruleName; + @Nullable + private final Set<String> dataSources; + @Nullable + private final Set<String> queryTypes; + @Nullable + private final Map<String, String> contextMatches; + + @JsonCreator + public QueryBlocklistRule( + @JsonProperty("ruleName") String ruleName, + @JsonProperty("dataSources") @Nullable Set<String> dataSources, + @JsonProperty("queryTypes") @Nullable Set<String> queryTypes, + @JsonProperty("contextMatches") @Nullable Map<String, String> contextMatches + ) + { + Preconditions.checkArgument( + !Strings.isNullOrEmpty(ruleName), + "ruleName must not be null or empty" + ); + + // At least one criterion must be specified to prevent accidentally blocking all queries Review Comment: This seems backwards to me. In my mind, passing all nulls should result in the default behavior. In other words, I need to "opt-in" to the blocking behavior. IMO, we should make it easier for users to do the "default" thing which is allowing the query through. A rule matching a query <===> that query is blocked. Right now, it's the other way around. ########## server/src/main/java/org/apache/druid/server/QueryLifecycle.java: ########## 
@@ -310,6 +317,35 @@ private void preAuthorized( } } + /** + * Checks if the query matches any blocklist rules. If a rule matches, throws a DruidException. + * Rules are evaluated in order, and the first match wins. + * + * @throws DruidException if the query is blocklisted + */ + private void checkQueryBlocklist() + { + if (brokerViewOfCoordinatorConfig == null) { + return; // Not running on broker, skip blocklist check + } + + CoordinatorDynamicConfig config = brokerViewOfCoordinatorConfig.getDynamicConfig(); + if (config == null) { + return; // Config not loaded yet, allow query (best effort) + } + + for (QueryBlocklistRule rule : config.getQueryBlocklist()) { + if (rule.matches(this.baseQuery)) { + throw DruidException.forPersona(DruidException.Persona.USER) + .ofCategory(DruidException.Category.FORBIDDEN) + .build( + "Query blocked by rule[%s]", Review Comment: Does this log the query ID? It'd be nice to co-locate the query ID and the rule name in a log so users/operators don't need to grep that separately. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
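Review bot: `checkQueryBlocklist` fails open on both early returns, when `brokerViewOfCoordinatorConfig` is null and when `getDynamicConfig()` returns null, and neither path leaves any trace. During the window before the dynamic config is loaded, an operator cannot tell whether a query ran because no rule matched or because the blocklist was never consulted. The Javadoc should say so, e.g. `Fails open: if the coordinator dynamic config is not yet available, the query is allowed.` The config-not-loaded branch should also emit a low-volume log line or metric through whatever logger the class already has. The rule name is returned in a `Persona.USER` error, so it is worth confirming that rule names are meant to be visible to end users. The `build(...)` call and the rest of the method continue past the quoted hunk.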
