[GitHub] [druid] github-code-scanning[bot] commented on a diff in pull request #14003: Allow for Input source security in native task layer

via GitHub Thu, 30 Mar 2023 15:46:11 -0700


github-code-scanning[bot] commented on code in PR #14003:
URL: https://github.com/apache/druid/pull/14003#discussion_r1153859882



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/PartialHashSegmentGenerateTask.java:
##########
@@ -131,6 +132,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return getIngestionSchema().getIOConfig().getInputSource() != null ?
+           getIngestionSchema().getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return getIngestionSchema().getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4505)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/PartialRangeSegmentGenerateTask.java:
##########
@@ -148,6 +149,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return getIngestionSchema().getIOConfig().getInputSource() != null ?
+           getIngestionSchema().getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return getIngestionSchema().getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4506)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/SinglePhaseSubTask.java:
##########
@@ -190,6 +190,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return ingestionSchema.getIOConfig().getInputSource() != null ?
+           ingestionSchema.getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return ingestionSchema.getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4507)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/LegacySinglePhaseSubTask.java:
##########
@@ -56,4 +57,18 @@
   {
     return SinglePhaseSubTask.OLD_TYPE_NAME;
   }
+
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return getIngestionSchema().getIOConfig().getInputSource() != null ?
+           getIngestionSchema().getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return getIngestionSchema().getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4501)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/PartialDimensionCardinalityTask.java:
##########
@@ -133,6 +134,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return getIngestionSchema().getIOConfig().getInputSource() != null ?
+           getIngestionSchema().getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return getIngestionSchema().getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4503)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/PartialDimensionDistributionTask.java:
##########
@@ -174,6 +175,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return getIngestionSchema().getIOConfig().getInputSource() != null ?
+           getIngestionSchema().getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return getIngestionSchema().getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4504)



##########
indexing-service/src/main/java/org/apache/druid/indexing/common/task/batch/parallel/ParallelIndexSupervisorTask.java:
##########
@@ -270,6 +270,20 @@
     return TYPE;
   }
 
+  @Nullable
+  @Override
+  public Set<String> getInputSourceTypes()
+  {
+    return ingestionSchema.getIOConfig().getInputSource() != null ?
+           ingestionSchema.getIOConfig().getInputSource().getTypes() :
+           null;
+  }
+
+  @Override
+  public boolean usesFirehose() {
+    return ingestionSchema.getIOConfig().getFirehoseFactory() != null;

Review Comment:
   ## Deprecated method or constructor invocation
   
   Invoking [IndexIOConfig.getFirehoseFactory](1) should be avoided because it 
has been deprecated.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4502)



##########
indexing-service/src/main/java/org/apache/druid/indexing/overlord/http/OverlordResource.java:
##########
@@ -188,14 +194,36 @@
   public Response taskPost(final Task task, @Context final HttpServletRequest 
req)
   {
     final String dataSource = task.getDataSource();
-    final ResourceAction resourceAction = new ResourceAction(
-        new Resource(dataSource, ResourceType.DATASOURCE),
-        Action.WRITE
-    );
+    final Set<ResourceAction> resourceActions = new HashSet<>();
+    resourceActions.add(new ResourceAction(new Resource(dataSource, 
ResourceType.DATASOURCE), Action.WRITE));
+    if (authConfig.isEnableInputSourceSecurity()) {
+      if (task.usesFirehose()) {
+        return Response.status(Response.Status.BAD_REQUEST)
+            .entity(
+                ImmutableMap.of(
+                    "error",
+                    StringUtils.format(
+                        "Input source based security cannot be performed for 
Task[%s] because it uses firehose."
+                        + "Change the tasks configuration, or disable 
`isEnableInputSourceSecurity`",

Review Comment:
   ## Missing space in string literal
   
   This string appears to be missing a space after 'firehose.'.
   
   [Show more 
details](https://github.com/apache/druid/security/code-scanning/4500)



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

[GitHub] [druid] github-code-scanning[bot] commented on a diff in pull request #14003: Allow for Input source security in native task layer

Reply via email to