FrankChen021 commented on code in PR #19231:
URL: https://github.com/apache/druid/pull/19231#discussion_r3227002379
##########
sql/src/main/java/org/apache/druid/sql/avatica/DruidMeta.java:
##########
@@ -804,6 +816,11 @@ private DruidConnection openDruidConnection(
final Map<String, Object> context
)
{
+ String remoteAddress = THREAD_LOCAL_REMOTE_ADDRESS.get();
+ if (remoteAddress != null) {
+ context.put("remoteAddress", remoteAddress);
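Review bot: The `context.put("remoteAddress", remoteAddress)` call only runs when `THREAD_LOCAL_REMOTE_ADDRESS.get()` returns non-null, so on the null path any `remoteAddress` entry already present in the caller-supplied `context` map is left in place and cannot be told apart from a server-set value. If this map can carry client-provided entries, remove the key on the null path (or strip it before the check) so that anything reading `remoteAddress` can rely on it being server-derived. The put also mutates the `final Map<String, Object> context` parameter in place, which throws if a caller passes an unmodifiable map; copying into a new map before adding the key avoids that. The string literal "remoteAddress" would be better as a named constant shared with the code that reads it.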
Review Comment:
[P1] Allow the injected remoteAddress key through context auth
This stores the server-injected remoteAddress in the JDBC session context,
and later SqlQueryPlus.withContext treats every sessionContext key as an
authContextKey. In clusters with authorizeQueryContextParams enabled,
remoteAddress is not in AuthConfig.ALLOWED_CONTEXT_KEYS, so every Avatica query
opened through this path can require WRITE permission on
QUERY_CONTEXT:remoteAddress and fail authorization even though the user did not
provide that key. Please either keep remoteAddress out of the user/session
query context used for auth, or add this server-injected key to the
allowed-context list.
--
This is an automated message from the Apache Git Service.