capistrant opened a new issue, #13322: URL: https://github.com/apache/druid/issues/13322
### Affected Version

0.23.X (likely exists in all prior releases, but I haven't validated)

### Description

Nothing stops me from creating a groupMapping with an arbitrary and always invalid groupPattern, such as - `fajfkdjaf`. The `POST` to create the pattern will work just fine. However, the `LDAP` authorizer is now broken at this point. `LDAPRoleProvider#getRoles` will throw a `RuntimeException`. And worse yet, I cannot correct my mistake by executing `DELETE` on the groupMapping. Doing so just says the mapping doesn't exist. This leaves me with the option of doing manual surgery on the metastore entry for the groupMappings, or using a sledgehammer and just deleting the row in the druid_config table and re-building my mappings (both very unfriendly to the operator and cluster users).

### Fix Ideas

#### operator specified groupPattern regex

Allow the operator to specify a regex for the authorizer that restricts what kinds of groupPatterns can be used. This can help prevent us from getting to this point in the first place.

#### less punitive behavior in `LDAPRoleProvider#getRoles`

I think it makes much more sense to log and skip a mapping that results in an `InvalidNameException`. Completely breaking the authorizer over what was likely a mistake by the operator seems like an unnecessary reaction to the problem that will cause the cluster to be degraded or down depending on who is using the authorizer (internal user or just clients, etc.)
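Both fix ideas from the issue, shown together as an added example; this is not Druid's code and not the issue author's. The class `GroupMappingGuard`, the `Mapping` record, the method names, the operator regex and the sample DNs are all hypothetical, and the example assumes a groupPattern is compared as a plain DN parsed with `javax.naming.ldap.LdapName`.

```java
import java.util.*;
import java.util.logging.Logger;
import java.util.regex.Pattern;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class GroupMappingGuard {
  private static final Logger LOG = Logger.getLogger("GroupMappingGuard");

  // Hypothetical stand-in for a stored group mapping.
  record Mapping(String name, String groupPattern, Set<String> roles) {}

  // Fix idea 1: reject a pattern at creation time unless it matches the
  // operator-supplied regex, so a bad entry never reaches the metastore.
  static void validateOnCreate(String groupPattern, Pattern operatorAllowed) {
    if (!operatorAllowed.matcher(groupPattern).matches()) {
      throw new IllegalArgumentException(
          "groupPattern rejected by operator regex: " + groupPattern);
    }
  }

  // Fix idea 2: a mapping whose pattern cannot be parsed is logged and
  // skipped; the remaining mappings still resolve roles.
  static Set<String> resolveRoles(List<Mapping> mappings, List<LdapName> memberOf) {
    Set<String> roles = new HashSet<>();
    for (Mapping m : mappings) {
      LdapName wanted;
      try {
        wanted = new LdapName(m.groupPattern());
      } catch (InvalidNameException e) {
        LOG.warning("Skipping group mapping '" + m.name() + "': " + e.getMessage());
        continue;
      }
      if (memberOf.contains(wanted)) {
        roles.addAll(m.roles());
      }
    }
    return roles;
  }

  public static void main(String[] args) throws InvalidNameException {
    // Constructed sample data: one broken mapping already stored, one valid.
    String dn = "CN=analysts,OU=groups,DC=example,DC=com";
    List<Mapping> stored = List.of(
        new Mapping("broken", "fajfkdjaf", Set.of("admin")),
        new Mapping("analysts", dn, Set.of("readRole")));
    System.out.println(resolveRoles(stored, List.of(new LdapName(dn))));

    Pattern allowed = Pattern.compile("^CN=[^,]+(,OU=[^,]+)*(,DC=[^,]+)+$");
    validateOnCreate(dn, allowed);          // accepted
    validateOnCreate("fajfkdjaf", allowed); // throws IllegalArgumentException
  }
}
```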
