[GitHub] [druid] clintropolis commented on a change in pull request #11718: Require Datasource WRITE authorization for Supervisor and Task access

Tue, 21 Sep 2021 03:42:16 -0700 


clintropolis commented on a change in pull request #11718:
URL: https://github.com/apache/druid/pull/11718#discussion_r712902915



##########
File path: 
indexing-service/src/main/java/org/apache/druid/indexing/common/task/AppenderatorDriverRealtimeIndexTask.java
##########
@@ -531,7 +531,7 @@ public Response getRowStats(
       @Context final HttpServletRequest req
   )
   {
-    IndexTaskUtils.datasourceAuthorizationCheck(req, Action.READ, 
getDataSource(), authorizerMapper);
+    IndexTaskUtils.datasourceAuthorizationCheck(req, Action.WRITE, 
getDataSource(), authorizerMapper);

Review comment:
       `IndexTaskUtils.datasourceAuthorizationCheck` should be modified to no 
longer accept an `Action` since I think after this PR every caller will be 
using `Action.WRITE`, and it can just be hard coded in the method.
   
   I've also noticed that no callers seem to ever be using the return value, so 
it could probably be changed to `void` since we seem to mostly be using it to 
explode if not authorized and otherwise ignore the return value.

##########
File path: 
indexing-service/src/main/java/org/apache/druid/indexing/seekablestream/SeekableStreamIndexTaskRunner.java
##########
@@ -1354,9 +1354,9 @@ protected void sendResetRequestAndWait(
    *
    * @return authorization result
    */
-  private Access authorizationCheck(final HttpServletRequest req, Action 
action)
+  private Access datasourceWriteAuthCheck(final HttpServletRequest req)

Review comment:
       nearly this same method is also in `ParallelIndexSupervisorTask`, maybe 
consider moving it to `AbstractTask` and calling it `authorizeRequest`, then 
here can just `return task.authorizeRequest(req);` (or dropping this wrapper 
method and calling the new `task.authorizeRequest(req);` method directly in the 
http api methods of `SeekableStreamIndexTaskRunner`)




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]



---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to