[GitHub] [druid] clintropolis opened a new pull request #11720: add optional system schema authorization

Fri, 17 Sep 2021 11:48:54 -0700 


clintropolis opened a new pull request #11720:
URL: https://github.com/apache/druid/pull/11720


   ### Description
   
   Builds on top of #11692 to add optional authorization to tables of the `sys` 
in SQL as `SYSTEM_TABLE` resources, if 
    the newly added `druid.sql.planner.authorizeSystemTablesDirectly` is true. 
For backwards compatibility, this feature is off by default. This allows 
cluster operators to selectively enable access to `sys` schema tables, or even 
disallow completely while still allowing `SQL` access to Druid datasources 
(`DATASOURCE` resources).
   
   Because of the smooth way things were done in #11692, the actual code change 
here is pretty small, `NamedSystemSchema` now accepts the `PlannerConfig` so it 
can optionally return `ResourceType.SYSTEM_TABLE`. The 
   integration tests have been configured to now run with this new option 
enabled, and new authorization tests to cover this new permission. The majority 
of the changes in this PR are a slight refactoring of the authorization 
integration tests to share code a bit more effectively (and so I only had to 
add new tests once), and in fact right now at least this PR removes more lines 
than it adds even though it is adding new stuff. 
   
   This PR has:
   - [x] been self-reviewed.
   - [x] added documentation for new or modified features or behaviors.
   - [x] added Javadocs for most classes and all non-trivial methods. Linked 
related entities via Javadoc links.
   - [x] added comments explaining the "why" and the intent of the code 
wherever would not be obvious for an unfamiliar reader.
   - [x] added unit tests or modified existing tests to cover new code paths, 
ensuring the threshold for [code 
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
 is met.
   - [x] added integration tests.
   - [x] been tested in a test Druid cluster.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to