tsmethurst opened a new pull request #9725: URL: https://github.com/apache/druid/pull/9725
Fixes #9380

**Note: This is a work-in-progress PR with the goal of eliciting feedback, it is not intended to be merged as-is.**

### Description

This proposal is to introduce fine grained config and state resources for better access controls. The pull request follows the schema of STATE/CONFIG permissions laid out by @pjain1 in the following document: https://docs.google.com/spreadsheets/d/1fXD5n9gHIL0RbAoiFnu9s_2So2c2K4W8dtQZVeCaux8/edit?pli=1#gid=0

To make this work properly, this PR introduces several new filters in `server/src/main/java/org/apache/druid/server/http/security`, and alters the existing `ConfigResourceFilter` and `StateResourceFilter` classes:

* `ConfigResourceFilter` can still be used in places where the ResourceName "CONFIG" is required. Additional filter classes have been introduced for Config ResourceNames such as "WORKER" and "LOOKUP". All of these new filter classes are named with the prefix "Config" to make clear that these are config filters specifically.
* `StateResourceFilter` has been made abstract, since the resource name "STATE" is no longer used. Several new State filters now inherit from this class, to avoid duplicating logic. As with the config filters

The above filters have been applied at all endpoints described in @pjain1's aforementioned document.

To avoid hardcoding and repetition of resource name strings such as "COMPACTION", "CONFIG" etc throughout the code, this PR also introduces the class `server/src/main/java/org/apache/druid/server/security/ResourceName.java`, which denotes a resource name, and contains all the required `final` resource names in one class. For safety and convenience, these `static final` ResourceNames should always be used instead of hardcoding strings into the code.

The class `server/src/main/java/org/apache/druid/server/security/Resource.java` has also been altered to use this new ResourceName class instead of a simple string as its `name` property.

<hr>

This PR has:

- [x] been self-reviewed.
   - [ ] using the [concurrency checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md) (Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in [licenses.yaml](https://github.com/apache/druid/blob/master/licenses.yaml)
- [ ] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths.
- [ ] added integration tests.
- [x] been tested in a test Druid cluster.

<hr>

##### Key changed/added classes in this PR

* `ConfigResourceFilter`
* `ConfigCompactionResourceFilter`
* `ConfigInternalResourceFilter`
* `ConfigLookupResourceFilter`
* `ConfigWorkerResourceFilter`
* `StateResourceFilter`
* `StateInternalResourceFilter`
* `StateReadinessResourceFilter`
* `StateRulesResourceFilter`
* `StateSamplerResourceFilter`
* `StateServersResourceFilter`
* `StateStatusResourceFilter`
* `StateWorkerResourceFilter`
* `Resource`
* `ResourceName`
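An added sketch, not code from this PR or from Druid, of what the description above is aiming at: typed resource-name constants in place of hard-coded strings, and a deny-by-default check in which a grant on one fine-grained CONFIG name does not extend to another. The resource names "COMPACTION", "LOOKUP" and "WORKER" come from the PR text; the class `ResourceNameSketch`, the `key` and `isAuthorized` helpers, the `GRANTS` table and the role names are hypothetical.

```java
import java.util.Map;
import java.util.Set;

public class ResourceNameSketch {
    // Typed name: call sites use these constants, so a misspelled name fails to compile
    // instead of silently matching no permission (or the wrong one).
    static final class ResourceName {
        static final ResourceName COMPACTION = new ResourceName("COMPACTION");
        static final ResourceName LOOKUP = new ResourceName("LOOKUP");
        static final ResourceName WORKER = new ResourceName("WORKER");
        private final String name;
        private ResourceName(String name) { this.name = name; }
        @Override public String toString() { return name; }
    }

    enum ResourceType { CONFIG, STATE }
    enum Action { READ, WRITE }

    // Hypothetical helper: one lookup key per (type, name, action) triple.
    static String key(ResourceType type, ResourceName name, Action action) {
        return type + ":" + name + ":" + action;
    }

    // Constructed sample policy (hypothetical roles, not Druid defaults).
    static final Map<String, Set<String>> GRANTS = Map.of(
        "lookup-admin", Set.of(
            key(ResourceType.CONFIG, ResourceName.LOOKUP, Action.READ),
            key(ResourceType.CONFIG, ResourceName.LOOKUP, Action.WRITE)),
        "compaction-viewer", Set.of(
            key(ResourceType.CONFIG, ResourceName.COMPACTION, Action.READ)));

    // Deny by default: an unknown role or a missing grant is refused.
    static boolean isAuthorized(String role, ResourceType type, ResourceName name, Action action) {
        return GRANTS.getOrDefault(role, Set.of()).contains(key(type, name, action));
    }

    public static void main(String[] args) {
        // Same role and resource type, different fine-grained names.
        System.out.println("lookup-admin WRITE CONFIG/LOOKUP: "
            + isAuthorized("lookup-admin", ResourceType.CONFIG, ResourceName.LOOKUP, Action.WRITE));
        System.out.println("lookup-admin WRITE CONFIG/WORKER: "
            + isAuthorized("lookup-admin", ResourceType.CONFIG, ResourceName.WORKER, Action.WRITE));
        System.out.println("compaction-viewer WRITE CONFIG/COMPACTION: "
            + isAuthorized("compaction-viewer", ResourceType.CONFIG, ResourceName.COMPACTION, Action.WRITE));
        System.out.println("unknown-role READ CONFIG/LOOKUP: "
            + isAuthorized("unknown-role", ResourceType.CONFIG, ResourceName.LOOKUP, Action.READ));
    }
}
```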
