LakshSingla commented on code in PR #14944:
URL: https://github.com/apache/druid/pull/14944#discussion_r1322419232


##########
extensions-core/multi-stage-query/src/main/java/org/apache/druid/msq/sql/resources/SqlStatementResource.java:
##########
@@ -620,15 +653,30 @@ private MSQControllerTask 
getMSQControllerTaskOrThrow(String queryId, String cur
                                                        .getQuery()
                                                        .getContext()
                                                        
.get(MSQTaskQueryMaker.USER_KEY));
-    if (currentUser == null || !currentUser.equals(queryUser)) {
-      throw new ForbiddenException(StringUtils.format(
-          "The current user[%s] cannot view query id[%s] since the query is 
owned by user[%s]",
-          currentUser,
-          queryId,
-          queryUser
-      ));
+
+    String currentUser = authenticationResult.getIdentity();
+
+
+    if (currentUser != null && currentUser.equals(queryUser)) {
+      return msqControllerTask;
+    }
+
+    Access access = AuthorizationUtils.authorizeAllResourceActions(
+        authenticationResult,
+        Collections.singletonList(new ResourceAction(Resource.STATE_RESOURCE, 
forAction)),
+        authorizerMapper
+    );
+
+    if (access.isAllowed()) {
+      return msqControllerTask;
     }
-    return msqControllerTask;
+
+    throw new ForbiddenException(StringUtils.format(
+        "The current user[%s] cannot view query id[%s] since the query is 
owned by user[%s]",
+        currentUser,
+        queryId,
+        queryUser
+    ));
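Review bot: the ForbiddenException at the end of this hunk still hardcodes "cannot view query id[%s]" even though the authorization check just above it is parameterized by `forAction`; a caller that passes a non-read action for STATE_RESOURCE will get a denial message that names the wrong operation. Consider building the message from the action (for example including `forAction` alongside `currentUser`, `queryId` and `queryUser`) so the error matches what was actually checked. Two further points on the same region: the old code rejected a null `currentUser` outright (`if (currentUser == null || ...) throw`), whereas the new flow lets a null identity fall through to `AuthorizationUtils.authorizeAllResourceActions(...)` on STATE_RESOURCE, so this should be the intended behaviour for an identity-less AuthenticationResult rather than an accidental widening; and the two consecutive empty `+` lines after `String currentUser = authenticationResult.getIdentity();` can be collapsed to one.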

Review Comment:
   Good catch 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

