kfaraz opened a new pull request #11819:
URL: https://github.com/apache/druid/pull/11819
Reverts #11718 and #11680
### Description
Changing the required permission level for ALL Supervisor and Task APIs may
break existing
automation that users might have set up.
The motivation behind the above mentioned changes were to prevent leakage of
sensitive
information through these APIs. But there are other workarounds to prevent
that, such as
using `EnvironmentVariableDynamicConfigProvider` to provide passwords and
secrets.
While the above mentioned changes do prevent such leakage of information,
they do so
at the cost of unreasonable restrictions on even purely informative APIs.
The changes
also remove the possibility of having a user who needs to only view
Supervisor and Task
information without ever needing to make any changes to them.
Keeping these arguments in mind, the changes are being reverted. A better
solution to these
problems would be a more granular auth model in Druid.
### Changes being reverted
- Check Datasource WRITE in SystemSchema for tables "supervisors" and "tasks"
- Check Datasource WRITE for APIs /supervisor/history and
/supervisor/{id}/history
- Check Datasource for all Indexing Task APIs
- Always require DATASOURCE WRITE access in SupervisorResourceFilter and
TaskResourceFilter
<hr>
This PR has:
- [ ] been self-reviewed.
- [ ] using the [concurrency
checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
(Remove this item if the PR doesn't have any relation to concurrency.)
- [ ] added documentation for new or modified features or behaviors.
- [ ] added Javadocs for most classes and all non-trivial methods. Linked
related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [ ] added comments explaining the "why" and the intent of the code
wherever would not be obvious for an unfamiliar reader.
- [ ] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for [code
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
is met.
- [ ] added integration tests.
- [ ] been tested in a test Druid cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]