paul-rogers opened a new issue, #12683: URL: https://github.com/apache/druid/issues/12683
### Affected Version

Latest `master`.

### Description

Druid recently added the ability to apply authorization restrictions to query context keys by turning the keys into security resources. All that works just fine. However, the change had an unintended side effect. When a user cancels the query, we check that the cancelling user has permissions on the resources used in the original query. After the context change, the cancelling user also must have permissions on all the context variables used to run the query.

It is likely that this is a bug: there seems no good reason to prevent an admin, say, from cancelling a query even if they don't have permission on a context variable.

This issue was found during inspection of the code during the process of refactoring.

### Solution

This problem is fixed in the [single-pass through the planner PR](https://github.com/apache/druid/issues/12682).

The workaround is to ensure that anyone that can cancel a query has the same (or greater) context permissions as those who submit queries.
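The following is an added example, not part of the original issue and not Druid code: a simplified Python model of the cancel check described above, plus an audit of the stated workaround. It assumes exact-match grants, and the resource type labels, role names, datasource and context key are constructed for illustration.

```python
# Simplified model of the behaviour described in this issue; not Druid code.
# Resource type labels and role names below are constructed for illustration.
from typing import Dict, FrozenSet, Set, Tuple

Resource = Tuple[str, str]  # (resource type, resource name)


def query_resources(datasources: Set[str], context_keys: Set[str]) -> FrozenSet[Resource]:
    """Resources a query is checked against once context keys are securable."""
    return frozenset(
        {("DATASOURCE", d) for d in datasources}
        | {("QUERY_CONTEXT", k) for k in context_keys}
    )


def missing_for_cancel(grants: Set[Resource], resources: FrozenSet[Resource]) -> Set[Resource]:
    """Cancel re-checks the original query's resources; return what the canceller lacks."""
    return set(resources) - grants


def audit_workaround(roles: Dict[str, Set[Resource]], submitters: Set[str],
                     cancellers: Set[str]) -> Dict[str, Set[str]]:
    """For each cancelling role, list context keys a submitter holds that it does not."""
    submit_ctx = {n for r in submitters for (t, n) in roles[r] if t == "QUERY_CONTEXT"}
    gaps: Dict[str, Set[str]] = {}
    for role in cancellers:
        held = {n for (t, n) in roles[role] if t == "QUERY_CONTEXT"}
        if submit_ctx - held:
            gaps[role] = submit_ctx - held
    return gaps


# Constructed sample roles: the admin can read the datasource but holds no context grants.
ROLES: Dict[str, Set[Resource]] = {
    "analyst": {("DATASOURCE", "wikipedia"), ("QUERY_CONTEXT", "priority")},
    "ops_admin": {("DATASOURCE", "wikipedia")},
}

if __name__ == "__main__":
    q = query_resources({"wikipedia"}, {"priority"})
    print("ops_admin is missing:", missing_for_cancel(ROLES["ops_admin"], q))
    print("workaround gaps:", audit_workaround(ROLES, {"analyst"}, {"ops_admin"}))
```

An empty result from `audit_workaround` means every cancelling role already satisfies the workaround for the modelled grants.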
