jihoonson opened a new pull request, #12396:
URL: https://github.com/apache/druid/pull/12396

   ### Description
   
   The query context is a way that the user gives a hint to the Druid query 
engine, so that they enforce a certain behavior or at least let the query 
engine prefer a certain plan during query planning. Today, there are 3 types of 
query context params as below.
   
   - Default context params. They are set via `druid.query.default.context` in 
runtime properties. Any user context params can be default params.
   - User context params. They are set in the user query request. See 
https://druid.apache.org/docs/latest/querying/query-context.html for parameters.
   - System context params. They are set by the Druid query engine during query 
processing. These params override other context params.
   
   Today, any context params are allowed to users. This can cause 1) a bad UX 
if the context param is not matured yet or 2) even query failure or system 
fault in the worst case if a sensitive param is abused, ex) `maxSubqueryRows`. 
   
   This PR adds an ability to limit context params per user role. That means, a 
query will fail if you have a context param set in the query that is not 
allowed to you. To do that, this PR adds a new built-in resource type, 
`QUERY_CONTEXT`. The resource to authorize has a name of the context param 
(such as `maxSubqueryRows`) and the type of `QUERY_CONTEXT`. To allow a certain 
context param for a user, the user should be granted `WRITE` permission on the 
context param resource. Here is an example of the permission.
   
   ```
   {
     "resourceAction" : {
       "resource" : {
         "name" : "maxSubqueryRows",
         "type" : "QUERY_CONTEXT"
       },
       "action" : "WRITE"
     },
     "resourceNamePattern" : "maxSubqueryRows"
   }
   ```
   
   Each role can have multiple permissions for context params. Each permission 
should be set for different context params.
   
   When a query is issued with a query context `X`, the query will fail if the 
user who issued the query does not have WRITE permission on the query context 
`X`. In this case,
   
   - HTTP endpoints will return 403 response code.
   - JDBC will throw ForbiddenException.
   
   The context param authorization can be enabled using 
`druid.auth.authorizeQueryContextParams`. This is disabled by default to avoid 
any hassle when someone upgrades his cluster blindly without reading release 
notes.
   
   <hr>
   
   ##### Key changed/added classes in this PR
    * `QueryContext` tracks user params and separates them from others.
    * `QueryHolder` has a state indicating whether the context in the native 
query is valid.
    * `QueryLifecycle` retrieves context params from a valid source.
   
   <hr>
   
   This PR has:
   - [x] been self-reviewed.
   - [ ] added documentation for new or modified features or behaviors.
   - [x] added Javadocs for most classes and all non-trivial methods. Linked 
related entities via Javadoc links.
   - [x] added comments explaining the "why" and the intent of the code 
wherever would not be obvious for an unfamiliar reader.
   - [x] added unit tests or modified existing tests to cover new code paths, 
ensuring the threshold for 
[code coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md) 
is met.
   - [x] added integration tests.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
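
Added example, not part of the pull request or of Druid's code: a small audit helper that takes a role's permission list in the JSON shape shown above and reports which user-supplied context params would be rejected. The function names, the sample role, and the treatment of `resourceNamePattern` as a regular expression that must match the whole param name are assumptions of this example.

```python
import json
import re

# Constructed role definition: the permission from the PR plus an unrelated one.
ROLE_PERMISSIONS = json.loads("""
[
  {
    "resourceAction": {
      "resource": {"name": "maxSubqueryRows", "type": "QUERY_CONTEXT"},
      "action": "WRITE"
    },
    "resourceNamePattern": "maxSubqueryRows"
  },
  {
    "resourceAction": {
      "resource": {"name": "wikipedia", "type": "DATASOURCE"},
      "action": "READ"
    },
    "resourceNamePattern": "wikipedia"
  }
]
""")


def is_allowed(permissions, param):
    """True if some permission grants WRITE on QUERY_CONTEXT resource `param`."""
    for perm in permissions:
        action = perm["resourceAction"]
        if action["resource"]["type"] != "QUERY_CONTEXT" or action["action"] != "WRITE":
            continue  # permissions on other resource types never cover context params
        # Assumption: the pattern is a regex that must match the whole name.
        if re.fullmatch(perm["resourceNamePattern"], param):
            return True
    return False


def denied_params(permissions, user_context, authorize_enabled=True):
    """Return the user-supplied context params this role may not set."""
    if not authorize_enabled:  # druid.auth.authorizeQueryContextParams is off by default
        return []
    return sorted(p for p in user_context if not is_allowed(permissions, p))


def http_status(permissions, user_context, authorize_enabled=True):
    """403 if any user context param is unauthorized, as the PR describes; else 200."""
    return 403 if denied_params(permissions, user_context, authorize_enabled) else 200
```

Only params from the user's query request are passed in; default and system context params are set outside the request and are not part of this check.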
