jihoonson commented on a change in pull request #11016:
URL: https://github.com/apache/druid/pull/11016#discussion_r610919733



##########
File path: docs/operations/security-overview.md
##########
@@ -264,3 +322,31 @@ As an alternative to using the basic metadata 
authenticator, as shown in the pre
 
 
 Congratulations, you have configured permissions for user-assigned roles in 
Druid!
+
+
+## Druid security trust model
+Within Druid's trust model there users can have different authorization levels:
+- Users with resource write permissions can are allowed to anything that the 
druid process can do.
+- Authenticated read only users can execute queries against resources to which 
they have permissions.
+- An authenticated user without any permissions is allowed to execute queries 
that don't require access to a resource.
+
+Additionally, Druid operates according to the following principles:
+
+From the inner most layer:
+1. Druid processes have the same access to the local files granted to the 
specified system user running the process.
+2. The Druid ingestion system can create new processes to execute tasks. Those 
tasks inherit the user of their parent process. This means that any user 
authorized to submit an ingestion task can use the ingestion task permissions 
to read or write any local files or external resources that the Druid process 
has access to.
+
+> Note: Only grant the permission to submit ingestion tasks to trusted users 
because they can  act as the Druid process.
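
Review bot: The first bullet ("Users with resource write permissions ...") and the closing note ("the permission to submit ingestion tasks") appear to describe the same privilege, the ability to act as the Druid process, under two different names, so a reader cannot tell which grant in a role definition carries that risk. Use one term in both places. The first bullet also needs a wording fix: "can are allowed to anything that the druid process can do" should read "are allowed to do anything that the Druid process can do", and the sentence above it should drop the stray "there" in "there users can have".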

Review comment:
       Here and [this figure](https://github.com/apache/druid/blob/e3eb18abcd3c8b2d71f51abf9d55a94bee6d10ea/docs/assets/security-model-2.png) talk about the permission to submit ingestion tasks. This seems ambiguous to me. Maybe it would be better to say the `DATASOURCE WRITE` permission instead.



