cecemei commented on code in PR #17564:
URL: https://github.com/apache/druid/pull/17564#discussion_r1891027828
##########
server/src/main/java/org/apache/druid/server/security/Access.java:
##########
@@ -21,52 +21,86 @@
import com.google.common.base.Strings;
import org.apache.druid.java.util.common.StringUtils;
+import org.apache.druid.query.filter.DimFilter;
+
+import javax.annotation.Nullable;
+import java.util.Objects;
+import java.util.Optional;
public class Access
{
public static final String DEFAULT_ERROR_MESSAGE = "Unauthorized";
+ public static final String DEFAULT_AUTHORIZED_MESSAGE = "Authorized";
- public static final Access OK = new Access(true);
- public static final Access DENIED = new Access(false);
+ public static final Access OK = Access.allow();
+ public static final Access DENIED = Access.deny("");
private final boolean allowed;
private final String message;
+ // A row-level policy filter on top of table-level read access. It should be
empty if there are no policy restrictions
+ // or if access is requested for an action other than reading the table.
+ private final Optional<DimFilter> rowFilter;
+ /**
+ * @deprecated use {@link #allow()} or {@link #deny(String)} instead
+ */
+ @Deprecated
public Access(boolean allowed)
{
- this(allowed, "");
+ this(allowed, "", Optional.empty());
}
- public Access(boolean allowed, String message)
+ Access(boolean allowed, String message, Optional<DimFilter> rowFilter)
{
this.allowed = allowed;
this.message = message;
+ this.rowFilter = rowFilter;
+ }
+
+ public static Access allow()
+ {
+ return new Access(true, "", Optional.empty());
+ }
+
+ public static Access deny(@Nullable String message)
+ {
+ return new Access(false, Objects.isNull(message) ? "" : message,
Optional.empty());
+ }
+
+ public static Access allowWithRestriction(Optional<DimFilter> rowFilter)
+ {
+ return new Access(true, "", rowFilter);
}
public boolean isAllowed()
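Review bot: `allowWithRestriction(Optional<DimFilter> rowFilter)` fails open. Called with `Optional.empty()` it builds an object in the same state as `Access.allow()`, so a caller that meant to restrict rows but ended up without a filter grants unrestricted read access, and a `null` argument is stored unchecked. Taking the filter directly makes that state unrepresentable: `public static Access allowWithRestriction(DimFilter rowFilter)` returning `new Access(true, "", Optional.of(rowFilter))`. The package-private constructor also accepts `allowed == false` together with a present filter; `Objects.requireNonNull(rowFilter, "rowFilter")` plus a check rejecting that combination would keep the invariant in one place. The class body continues past `isAllowed()` outside the quoted hunk, so a guard further down may already cover part of this.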
Review Comment:
I know we discussed this offline and agreed on an enum class; however, on
second thought, it felt a bit unnecessary. The `Access` class should only be
used for `Authorizer` and `AuthorizationUtils`, and we now use
`AuthorizationResult` for permission checks in the query and HTTP requests.