paul-rogers commented on PR #13071:
URL: https://github.com/apache/druid/pull/13071#issuecomment-1276570480

   @FrankChen021, thanks for the approval!
   
   So, it turns out that I had to pull the work for [Issue 
#13120](https://github.com/apache/druid/issues/13120) into this PR in order to 
get the security IT to pass. Basically, that IT does context key security 
checks using JDBC. JDBC inserts a key, which fails the security check. This 
worked previously when we separated system and user keys. (In fact, this may be 
the reason that the prior PR did the split.)
   
   This latest PR adds two config values, defined in the "release notes" 
section in the revised description. To make this work:
   
   * The `AuthConfig` is not the one-stop shop to prepare the list of context 
keys to use for authorization checks.
   * Three new set operations are added to `CollectionUtils` because Java, in 
its infinite wisdom, doesn't provide them.
   * Two context keys moved from the SQL package to `QueryContexts` so that 
they are visible to `AuthConfig`.
   * These two keys are "out-of-the-box freebies" for context security: they 
are always allowed because they are set by Druid itself in either the Router 
(query ID) or JDBC path (stringify arrays).
   * The code in the planner to gather the resources is tidied up a bit.
   
   If we're good with the proposed changes, perhaps we can wrap up this PR and 
get it merged.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

