gianm commented on code in PR #17564:
URL: https://github.com/apache/druid/pull/17564#discussion_r1909581703
##########
server/src/main/java/org/apache/druid/server/QueryResource.java:
##########
@@ -152,14 +152,14 @@ public Response cancelQuery(@PathParam("id") String
queryId, @Context final Http
datasources = new TreeSet<>();
}
- Access authResult = AuthorizationUtils.authorizeAllResourceActions(
+ AuthorizationResult authResult =
AuthorizationUtils.authorizeAllResourceActions(
req,
Iterables.transform(datasources,
AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR),
authorizerMapper
);
- if (!authResult.isAllowed()) {
- throw new ForbiddenException(authResult.toString());
+ if (!authResult.isUserWithNoRestriction()) {
+ throw new ForbiddenException(authResult.getErrorMessage());
Review Comment:
This is weird but I am not sure what we should do about it. Ideally the way
it works is that people are only allowed to cancel their own queries, unless
they have `STATE WRITE`, in which case they should be able to cancel any query.
But that's not how cancellation works today, because we don't retain info about
which user issued a query.
IMO, it'd be good to adjust this in a follow up, so we can change things so
it works like the above ☝️. For the time being I think it is OK to deny
cancellation to people with policies.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
