gianm commented on issue #11929: URL: https://github.com/apache/druid/issues/11929#issuecomment-972958301
> We do have protections against SQL-injection-like malicious requests, but with the existing SQL capabilities, we knew that even if we missed something in our protections, the worst that could happen would be read-only operations, possibly from other tenants tables. If this would happen it would be very severe, but less severe than being able to modify the state of druid. @dbardbar I think there probably will end up being a flag to disable the feature (we usually add these for new features), but in your situation I'd also recommend using Druid's authorization features. You can make sure that when your app sends a user query to Druid, it does that with an account that only has read-only access to certain tables. If the user doesn't have write access then an INSERT would be rejected. Even SELECT queries to other tables will be rejected. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
