This is an automated email from the ASF dual-hosted git repository.
yashmayya pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 570d4f11a9b Add authz action checks to missing APIs (#17725)
570d4f11a9b is described below
commit 570d4f11a9ba11d2b5bcfaa63cfa1abbb334162f
Author: Jayesh Choudhary <[email protected]>
AuthorDate: Fri Feb 20 00:49:28 2026 +0530
Add authz action checks to missing APIs (#17725)
---
.../minion/api/resources/PinotMinionAppConfigs.java | 4 ++++
.../minion/api/resources/PinotMinionLogger.java | 8 ++++++++
.../api/resources/PinotMinionMetricsResource.java | 4 ++++
.../api/resources/PinotTaskProgressResource.java | 6 ++++++
.../api/resources/ControllerJobStatusResource.java | 5 +++++
.../pinot/server/api/resources/DebugResource.java | 9 +++++++++
.../server/api/resources/InstanceResource.java | 7 +++++++
.../server/api/resources/MmapDebugResource.java | 5 +++++
.../server/api/resources/PinotServerAppConfigs.java | 4 ++++
.../server/api/resources/PinotServerLogger.java | 8 ++++++++
.../pinot/server/api/resources/QueryResource.java | 5 +++++
.../server/api/resources/ReingestionResource.java | 5 +++++
.../server/api/resources/TableSizeResource.java | 5 +++++
.../server/api/resources/TableTierResource.java | 5 +++++
.../pinot/server/api/resources/TablesResource.java | 21 +++++++++++++++++++++
15 files changed, 101 insertions(+)
diff --git
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionAppConfigs.java
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionAppConfigs.java
index 4c943bcb19a..45f7af5d924 100644
---
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionAppConfigs.java
+++
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionAppConfigs.java
@@ -31,6 +31,9 @@ import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import org.apache.pinot.common.utils.PinotAppConfigs;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.minion.MinionAdminApiApplication;
import org.apache.pinot.spi.env.PinotConfiguration;
@@ -53,6 +56,7 @@ public class PinotMinionAppConfigs {
@GET
@Path("/appconfigs")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_APP_CONFIG)
public String getAppConfigs() {
PinotConfiguration pinotConfiguration =
(PinotConfiguration)
_application.getProperties().get(MinionAdminApiApplication.PINOT_CONFIGURATION);
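Review bot: Nothing in this commit shows that `@Authorize` is enforced on the minion or server admin applications: the diffstat lists only the 15 resource classes, with no filter registration and no test. The annotation on `getAppConfigs()` is metadata, so it protects the endpoint only if a request filter registered on the minion admin application evaluates it. If that is not already covered elsewhere, please add a test asserting that a caller without `Actions.Cluster.GET_APP_CONFIG` is rejected and that an authorised caller still succeeds. The same applies to every annotated endpoint in the other files; `getAppConfigs()` itself continues past the hunk.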
diff --git
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionLogger.java
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionLogger.java
index d6dd815bd27..aa580743a06 100644
---
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionLogger.java
+++
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionLogger.java
@@ -43,6 +43,9 @@ import javax.ws.rs.core.Response;
import org.apache.pinot.common.utils.LoggerUtils;
import org.apache.pinot.common.utils.log.DummyLogFileServer;
import org.apache.pinot.common.utils.log.LogFileServer;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import static
org.apache.pinot.spi.utils.CommonConstants.SWAGGER_AUTHORIZATION_KEY;
@@ -63,6 +66,7 @@ public class PinotMinionLogger {
@GET
@Path("/loggers")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOGGER)
@ApiOperation(value = "Get all the loggers", notes = "Return all the logger
names")
public List<String> getLoggers() {
return LoggerUtils.getAllConfiguredLoggers();
@@ -71,6 +75,7 @@ public class PinotMinionLogger {
@GET
@Path("/loggers/{loggerName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOGGER)
@ApiOperation(value = "Get logger configs", notes = "Return logger info")
public Map<String, String> getLogger(
@ApiParam(value = "Logger name", required = true)
@PathParam("loggerName") String loggerName) {
@@ -84,6 +89,7 @@ public class PinotMinionLogger {
@PUT
@Path("/loggers/{loggerName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.UPDATE_LOGGER)
@ApiOperation(value = "Set logger level", notes = "Set logger level for a
given logger")
public Map<String, String> setLoggerLevel(@ApiParam(value = "Logger name")
@PathParam("loggerName") String loggerName,
@ApiParam(value = "Logger level") @QueryParam("level") String level) {
@@ -93,6 +99,7 @@ public class PinotMinionLogger {
@GET
@Path("/loggers/files")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOG_FILE)
@ApiOperation(value = "Get all local log files")
public Set<String> getLocalLogFiles() {
try {
@@ -108,6 +115,7 @@ public class PinotMinionLogger {
@GET
@Path("/loggers/download")
@Produces(MediaType.APPLICATION_OCTET_STREAM)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOG_FILE)
@ApiOperation(value = "Download a log file")
public Response downloadLogFile(
@ApiParam(value = "Log file path", required = true)
@QueryParam("filePath") String filePath) {
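Review bot: The new check on `downloadLogFile` decides who may call the endpoint, not which file is returned: `filePath` is a caller-supplied query parameter and `GET_LOG_FILE` is a cluster-wide action. The method body is outside the hunk, so it is not visible whether the path is confined to the log directory. If `LogFileServer` does not already do this, resolve the value against the log root, normalize it, and reject anything that falls outside. At minimum I would record the assumption above the method, e.g. `// filePath is caller-controlled; LogFileServer must confine it to the configured log directory`. The identical hunk for `PinotServerLogger.downloadLogFile` needs the same confirmation.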
diff --git
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionMetricsResource.java
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionMetricsResource.java
index 040d6f526b1..090dfdbb8cc 100644
---
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionMetricsResource.java
+++
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotMinionMetricsResource.java
@@ -35,6 +35,9 @@ import javax.ws.rs.Produces;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import org.apache.pinot.common.metrics.MinionMetrics;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.spi.utils.JsonUtils;
import static
org.apache.pinot.spi.utils.CommonConstants.SWAGGER_AUTHORIZATION_KEY;
@@ -52,6 +55,7 @@ public class PinotMinionMetricsResource {
@GET
@Path("/gauge/{gaugeName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_HEALTH)
@ApiOperation("Get gauge value for the provided minion gauge name")
public String getMinionGaugeValue(@ApiParam(value = "Gauge name")
@PathParam("gaugeName") String gaugeName)
throws JsonProcessingException {
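Review bot: `Actions.Cluster.GET_HEALTH` is reused here for a metrics read, so access to gauge values follows whoever holds the health-check permission. Health permissions are often granted to probes and monitoring accounts, which may be broader than intended for an endpoint that returns any gauge the caller names in `gaugeName`. Whether a more specific action exists is not visible from this hunk. If the reuse is deliberate, say so next to the annotation, e.g. `// gauge reads intentionally share the GET_HEALTH permission`. `getMinionGaugeValue` continues past the hunk.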
diff --git
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotTaskProgressResource.java
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotTaskProgressResource.java
index 95a9a8efce8..29e035c2db6 100644
---
a/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotTaskProgressResource.java
+++
b/pinot-minion/src/main/java/org/apache/pinot/minion/api/resources/PinotTaskProgressResource.java
@@ -42,6 +42,9 @@ import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.commons.lang3.StringUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.minion.event.MinionEventObserver;
import org.apache.pinot.minion.event.MinionEventObservers;
import org.apache.pinot.minion.event.MinionTaskState;
@@ -68,6 +71,7 @@ public class PinotTaskProgressResource {
@GET
@Path("/tasks/subtask/progress")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_TASK)
@ApiOperation("Get finer grained task progress tracked in memory for the
given subtasks")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
@@ -95,6 +99,7 @@ public class PinotTaskProgressResource {
@GET
@Path("/tasks/subtask/state/progress")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_TASK)
@ApiOperation("Get finer grained task progress tracked in memory for given
subtasks or given state")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
@@ -148,6 +153,7 @@ public class PinotTaskProgressResource {
@GET
@Path("/tasks/subtask/progressStats")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_TASK)
@ApiOperation("Get task progress stats tracked for the given subtasks")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ControllerJobStatusResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ControllerJobStatusResource.java
index fc1cf1da447..b85c907f254 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ControllerJobStatusResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ControllerJobStatusResource.java
@@ -37,6 +37,9 @@ import javax.ws.rs.core.MediaType;
import org.apache.commons.lang3.StringUtils;
import org.apache.pinot.common.response.server.ServerReloadStatusResponse;
import org.apache.pinot.common.utils.DatabaseUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.segment.local.data.manager.SegmentDataManager;
import org.apache.pinot.segment.local.data.manager.TableDataManager;
import org.apache.pinot.segment.local.utils.ServerReloadJobStatusCache;
@@ -63,6 +66,8 @@ public class ControllerJobStatusResource {
@GET
@Path("/controllerJob/reloadStatus/{tableNameWithType}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
+ action = Actions.Table.GET_CONTROLLER_JOBS)
@ApiOperation(value = "Task status", notes = "Return the status of a given
reload job")
public String reloadJobStatus(@PathParam("tableNameWithType") String
tableNameWithType,
@QueryParam("reloadJobTimestamp") long reloadJobSubmissionTimestamp,
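Review bot: The check is bound to the raw path parameter `tableNameWithType`, while this file imports `DatabaseUtils`, which suggests the handler resolves the table name before using it. If the authorization layer does not apply the same resolution, the permission is evaluated for one name and the handler acts on another. The handler body is outside the hunk, so this needs confirming; a test that sends a database-qualified request as a principal without access to the resolved table would settle it. The same question applies to the `TargetType.TABLE` annotations in `DebugResource`, `MmapDebugResource`, `TableSizeResource` and `TableTierResource`, which also import `DatabaseUtils`.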
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/DebugResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/DebugResource.java
index 9ea7529a4ad..65c9c415b2c 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/DebugResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/DebugResource.java
@@ -52,6 +52,9 @@ import
org.apache.pinot.common.restlet.resources.SegmentConsumerInfo;
import org.apache.pinot.common.restlet.resources.SegmentErrorInfo;
import org.apache.pinot.common.restlet.resources.SegmentServerDebugInfo;
import org.apache.pinot.common.utils.DatabaseUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.offline.ImmutableSegmentDataManager;
import org.apache.pinot.core.data.manager.realtime.RealtimeSegmentDataManager;
import
org.apache.pinot.core.data.manager.realtime.RealtimeSegmentMetadataUtils;
@@ -102,6 +105,7 @@ public class DebugResource {
@GET
@Path("tables/{tableName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_DEBUG_INFO)
@ApiOperation(value = "Get segments debug info for this table",
notes = "This is a debug endpoint, and won't maintain backward
compatibility")
public List<SegmentServerDebugInfo> getSegmentsDebugInfo(
@@ -115,6 +119,7 @@ public class DebugResource {
@GET
@Path("segments/{tableName}/{segmentName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_DEBUG_INFO)
@ApiOperation(value = "Get segment debug info",
notes = "This is a debug endpoint, and won't maintain backward
compatibility")
public SegmentServerDebugInfo getSegmentDebugInfo(
@@ -147,6 +152,7 @@ public class DebugResource {
@GET
@Path("threads/resourceUsage")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.DEBUG_RESOURCE_USAGE)
@ApiOperation(value = "Get current resource usage of threads",
notes = "This is a debug endpoint, and won't maintain backward
compatibility")
public Collection<? extends ThreadResourceTracker> getThreadUsage() {
@@ -156,6 +162,7 @@ public class DebugResource {
@GET
@Path("queries/resourceUsage")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.DEBUG_RESOURCE_USAGE)
@ApiOperation(value = "Get current resource usage of queries in this
service",
notes = "This is a debug endpoint, and won't maintain backward
compatibility")
public Collection<? extends QueryResourceTracker> getQueryUsage() {
@@ -277,6 +284,7 @@ public class DebugResource {
*/
@GET
@Path("queryWorkloadCost/{workloadName}")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.DEBUG_RESOURCE_USAGE)
@ApiOperation(value = "Get instance cost information for a specific
workload")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -340,6 +348,7 @@ public class DebugResource {
*/
@GET
@Path("queryWorkloadCosts")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.DEBUG_RESOURCE_USAGE)
@ApiOperation(value = "Get instance cost information for all workloads")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/InstanceResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/InstanceResource.java
index bfe42c47955..f3d37926dc9 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/InstanceResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/InstanceResource.java
@@ -49,6 +49,9 @@ import
org.apache.pinot.common.restlet.resources.PrimaryKeyCountInfo;
import org.apache.pinot.common.restlet.resources.ResourceUtils;
import org.apache.pinot.common.utils.config.InstanceUtils;
import org.apache.pinot.common.utils.helix.HelixHelper;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.InstanceDataManager;
import org.apache.pinot.server.api.AdminApiApplication;
import org.apache.pinot.server.starter.ServerInstance;
@@ -76,6 +79,7 @@ public class InstanceResource {
@GET
@Path("tags")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_INSTANCE)
@ApiOperation(value = "Tenant tags for current instance")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
@@ -96,6 +100,7 @@ public class InstanceResource {
*/
@GET
@Path("pools")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_INSTANCE)
@ApiOperation(value = "Tenant pools for current instance")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
@@ -113,6 +118,7 @@ public class InstanceResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/diskUtilization")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_INSTANCE)
@ApiOperation(value = "Show disk utilization", notes = "Disk capacity and
usage shown in bytes")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -133,6 +139,7 @@ public class InstanceResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/primaryKeyCount")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_INSTANCE)
@ApiOperation(value = "Show number of primary keys", notes = "Total number
of upsert / dedup primary keys")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"), @ApiResponse(code = 500,
message = "Internal server error")
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/MmapDebugResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/MmapDebugResource.java
index c9f9ef5382c..2b66aded80d 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/MmapDebugResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/MmapDebugResource.java
@@ -41,6 +41,9 @@ import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.apache.pinot.common.restlet.resources.ResourceUtils;
import org.apache.pinot.common.utils.DatabaseUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.InstanceDataManager;
import org.apache.pinot.core.data.manager.realtime.RealtimeTableDataManager;
import org.apache.pinot.segment.spi.memory.PinotDataBuffer;
@@ -73,6 +76,7 @@ public class MmapDebugResource {
@GET
@Path("memory/offheap")
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.DEBUG_RESOURCE_USAGE)
@ApiOperation(value = "View current off-heap allocations", notes = "Lists
all off-heap allocations and their "
+ "associated sizes")
@ApiResponses(value = {@ApiResponse(code = 200, message = "Success")})
@@ -84,6 +88,7 @@ public class MmapDebugResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/memory/offheap/table/{tableName}")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SIZE)
@ApiOperation(value = "Show off heap memory consumed by latest mutable
segment",
notes = "Returns off heap memory consumed by latest consuming segment of
realtime table")
@ApiResponses(value = {
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerAppConfigs.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerAppConfigs.java
index 6f7d97c05de..e413c8a1767 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerAppConfigs.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerAppConfigs.java
@@ -31,6 +31,9 @@ import javax.ws.rs.core.Context;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import org.apache.pinot.common.utils.PinotAppConfigs;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.server.api.AdminApiApplication;
import org.apache.pinot.spi.env.PinotConfiguration;
@@ -54,6 +57,7 @@ public class PinotServerAppConfigs {
@GET
@Path("/appconfigs")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_APP_CONFIG)
public String getAppConfigs() {
PinotConfiguration pinotConfiguration =
(PinotConfiguration)
_application.getProperties().get(AdminApiApplication.PINOT_CONFIGURATION);
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerLogger.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerLogger.java
index 19775f7b86b..e478a5406d0 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerLogger.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/PinotServerLogger.java
@@ -43,6 +43,9 @@ import javax.ws.rs.core.Response;
import org.apache.pinot.common.utils.LoggerUtils;
import org.apache.pinot.common.utils.log.DummyLogFileServer;
import org.apache.pinot.common.utils.log.LogFileServer;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import static
org.apache.pinot.spi.utils.CommonConstants.SWAGGER_AUTHORIZATION_KEY;
@@ -63,6 +66,7 @@ public class PinotServerLogger {
@GET
@Path("/loggers")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOGGER)
@ApiOperation(value = "Get all the loggers", notes = "Return all the logger
names")
public List<String> getLoggers() {
return LoggerUtils.getAllConfiguredLoggers();
@@ -71,6 +75,7 @@ public class PinotServerLogger {
@GET
@Path("/loggers/{loggerName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOGGER)
@ApiOperation(value = "Get logger configs", notes = "Return logger info")
public Map<String, String> getLogger(
@ApiParam(value = "Logger name", required = true)
@PathParam("loggerName") String loggerName) {
@@ -84,6 +89,7 @@ public class PinotServerLogger {
@PUT
@Path("/loggers/{loggerName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.UPDATE_LOGGER)
@ApiOperation(value = "Set logger level", notes = "Set logger level for a
given logger")
public Map<String, String> setLoggerLevel(@ApiParam(value = "Logger name")
@PathParam("loggerName") String loggerName,
@ApiParam(value = "Logger level") @QueryParam("level") String level) {
@@ -93,6 +99,7 @@ public class PinotServerLogger {
@GET
@Path("/loggers/files")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOG_FILE)
@ApiOperation(value = "Get all local log files")
public Set<String> getLocalLogFiles() {
try {
@@ -108,6 +115,7 @@ public class PinotServerLogger {
@GET
@Path("/loggers/download")
@Produces(MediaType.APPLICATION_OCTET_STREAM)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_LOG_FILE)
@ApiOperation(value = "Download a log file")
public Response downloadLogFile(
@ApiParam(value = "Log file path", required = true)
@QueryParam("filePath") String filePath) {
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/QueryResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/QueryResource.java
index 2f88b509d21..1b4ecd12ddf 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/QueryResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/QueryResource.java
@@ -38,6 +38,9 @@ import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.query.utils.QueryIdUtils;
import org.apache.pinot.core.transport.InstanceRequestHandler;
import org.apache.pinot.server.starter.ServerInstance;
@@ -60,6 +63,7 @@ public class QueryResource {
@DELETE
@Path("/query/{queryId}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.CANCEL_QUERY)
@ApiOperation(value = "Cancel a query running on the server as identified by
the queryId", notes = "No effect if "
+ "no query exists for the given queryId. Query may continue to run for
a short while after calling cancel as "
+ "it's done in a non-blocking manner. The cancel API can be called
multiple times.")
@@ -97,6 +101,7 @@ public class QueryResource {
@GET
@Path("/queries/id")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_RUNNING_QUERY)
@ApiOperation(value = "Get queryIds of running queries on the server", notes
= "QueryIds are in the format of "
+ "<brokerId>_<requestId>_(O|R)")
@ApiResponses(value = {
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ReingestionResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ReingestionResource.java
index 6386a85b52c..86f87359b84 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ReingestionResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/ReingestionResource.java
@@ -56,6 +56,9 @@ import
org.apache.pinot.common.metadata.segment.SegmentZKMetadata;
import org.apache.pinot.common.metrics.ServerMeter;
import org.apache.pinot.common.utils.LLCSegmentName;
import org.apache.pinot.common.utils.URIUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.realtime.RealtimeTableDataManager;
import
org.apache.pinot.segment.local.realtime.writer.StatelessRealtimeSegmentWriter;
import org.apache.pinot.segment.local.segment.index.loader.IndexLoadingConfig;
@@ -134,6 +137,7 @@ public class ReingestionResource {
@GET
@Path("/reingestSegment/jobs")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_TASK)
@ApiOperation("Get all running re-ingestion jobs along with job IDs")
public Response getAllRunningReingestionJobs() {
// Filter only the jobs still marked as running
@@ -144,6 +148,7 @@ public class ReingestionResource {
@POST
@Path("/reingestSegment/{segmentName}")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.UPLOAD_SEGMENT)
@ApiOperation(value = "Re-ingest segment asynchronously", notes = "Returns a
jobId immediately; ingestion runs in "
+ "background.")
@ApiResponses(value = {
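Review bot: `POST /reingestSegment/{segmentName}` is authorised at `TargetType.CLUSTER`, so table-level policies do not apply to an operation that acts on a single table's segment. The path carries only `segmentName`, which is presumably why `paramName` could not be used, but it means any principal holding cluster-level `UPLOAD_SEGMENT` can start re-ingestion for any table on this server. Consider checking the table-scoped permission inside the handler once the table name is known (the body is outside the hunk), or document the scope, e.g. `// cluster-scoped: the table name is not a path parameter, so table ACLs are not evaluated here`. The `GET /reingestSegment/jobs` hunk above is cluster-scoped in the same way and returns jobs for all tables.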
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableSizeResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableSizeResource.java
index 489d4a6867e..d6107a9fc3e 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableSizeResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableSizeResource.java
@@ -45,6 +45,9 @@ import
org.apache.pinot.common.restlet.resources.ResourceUtils;
import org.apache.pinot.common.restlet.resources.SegmentSizeInfo;
import org.apache.pinot.common.restlet.resources.TableSizeInfo;
import org.apache.pinot.common.utils.DatabaseUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.InstanceDataManager;
import org.apache.pinot.core.data.manager.offline.ImmutableSegmentDataManager;
import org.apache.pinot.segment.local.data.manager.SegmentDataManager;
@@ -77,6 +80,7 @@ public class TableSizeResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/tables/{tableName}/size")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SIZE)
@ApiOperation(value = "Show table storage size", notes = "Lists size of all
the segments of the table")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -134,6 +138,7 @@ public class TableSizeResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/table/{tableName}/size")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SIZE)
@ApiOperation(value = "Show table storage size", notes = "Lists size of all
the segments of the table")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableTierResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableTierResource.java
index b5b673cf6a5..53bbb975bf5 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableTierResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TableTierResource.java
@@ -47,6 +47,9 @@ import
org.apache.pinot.common.restlet.resources.ResourceUtils;
import org.apache.pinot.common.restlet.resources.TableTierInfo;
import org.apache.pinot.common.utils.DatabaseUtils;
import org.apache.pinot.common.utils.URIUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.Authorize;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.data.manager.InstanceDataManager;
import org.apache.pinot.core.data.manager.offline.ImmutableSegmentDataManager;
import org.apache.pinot.segment.local.data.manager.SegmentDataManager;
@@ -79,6 +82,7 @@ public class TableTierResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/tables/{tableNameWithType}/tiers")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_STORAGE_TIER)
@ApiOperation(value = "Get storage tiers of immutable segments of the given
table", notes = "Get storage tiers of "
+ "immutable segments of the given table")
@ApiResponses(value = {
@@ -121,6 +125,7 @@ public class TableTierResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/segments/{tableNameWithType}/{segmentName}/tiers")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_STORAGE_TIER)
@ApiOperation(value = "Get storage tiers of the immutable segment of the
given table", notes = "Get storage tiers "
+ "of the immutable segment of the given table")
@ApiResponses(value = {
diff --git
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TablesResource.java
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TablesResource.java
index 14ecfa698d8..4d1d33860d0 100644
---
a/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TablesResource.java
+++
b/pinot-server/src/main/java/org/apache/pinot/server/api/resources/TablesResource.java
@@ -153,6 +153,7 @@ public class TablesResource {
@GET
@Path("/tables")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.CLUSTER, action =
Actions.Cluster.GET_TABLE)
//swagger annotations
@ApiOperation(value = "List tables", notes = "List all the tables on this
server")
@ApiResponses(value = {
@@ -168,6 +169,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SEGMENT)
@ApiOperation(value = "List table segments", notes = "List segments of table
hosted on this server")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success", response =
TableSegments.class),
@@ -195,6 +197,7 @@ public class TablesResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/tables/{tableName}/metadata")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_METADATA)
@ApiOperation(value = "List metadata for all segments of a given table",
notes = "List segments metadata of table "
+ "hosted on this server")
@ApiResponses(value = {
@@ -319,6 +322,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/indexes")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_METADATA)
@ApiOperation(value = "Provide index metadata", notes = "Provide index
details for the table")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -364,6 +368,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments/{segmentName}/metadata")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_METADATA)
@ApiOperation(value = "Provide segment metadata", notes = "Provide segments
metadata for the segment on server")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -400,6 +405,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments/metadata")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_METADATA)
@ApiOperation(value = "Provide segments metadata", notes = "Provide segments
metadata for the segments on server")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -446,6 +452,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments/crc")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_METADATA)
@ApiOperation(value = "Provide segment crc information", notes = "Provide
crc information for the segments on server")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -534,6 +541,7 @@ public class TablesResource {
@GET
@Produces(MediaType.APPLICATION_JSON)
@Path("/segments/{tableNameWithType}/{segmentName}/validDocIdsBitmap")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_SEGMENT)
@ApiOperation(value = "Download validDocIds bitmap for an REALTIME immutable
segment", notes =
"Download validDocIds for " + "an immutable segment in bitmap format.")
public ValidDocIdsBitmapResponse downloadValidDocIdsBitmap(
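Review bot: The TABLE-scoped checks in this file hand the authorizer different forms of the table identifier. This hunk and the `validDocIds`, `validDocIdMetadata`, `validDocIdsMetadata` and `allSegmentsLoaded` hunks pass `tableNameWithType`, the upload and `consumingSegmentsInfo` hunks pass a realtime table name, and the remaining hunks pass `tableName`. Whether the access-control implementation normalizes these before matching a policy is not visible here; if it does not, a grant written against one form may not apply to the other. Worth confirming and recording next to the annotation, for example `// authz is evaluated on the typed table name exactly as given in the path`. The method body continues outside the hunk.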
@@ -596,6 +604,7 @@ public class TablesResource {
@GET
@Produces(MediaType.APPLICATION_OCTET_STREAM)
@Path("/segments/{tableNameWithType}/{segmentName}/validDocIds")
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_SEGMENT)
@ApiOperation(value = "Download validDocIds for an REALTIME immutable
segment", notes = "Download validDocIds for "
+ "an immutable segment in bitmap format.")
public Response downloadValidDocIds(
@@ -652,6 +661,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableNameWithType}/validDocIdMetadata")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_METADATA)
@ApiOperation(value = "Provides segment validDocId metadata", notes =
"Provides segment validDocId metadata")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
@@ -672,6 +682,7 @@ public class TablesResource {
@POST
@Path("/tables/{tableNameWithType}/validDocIdsMetadata")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_METADATA)
@ApiOperation(value = "Provides segment validDocIds metadata", notes =
"Provides segment validDocIds metadata")
@ApiResponses(value = {
@ApiResponse(code = 200, message = "Success"),
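Review bot: This `@POST` endpoint is authorized with the read action `Actions.Table.GET_METADATA`, the same as the `@GET` `validDocIdMetadata` endpoint in the previous hunk, and nothing in the hunk says why. If the POST only reads, as its notes ("Provides segment validDocIds metadata") suggest, a comment above the annotation would stop a later reader from treating it as a mismatch: `// Read-only despite POST; authorized like the GET variant`. The method itself is outside the hunk.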
@@ -830,6 +841,7 @@ public class TablesResource {
@POST
@Path("/segments/{realtimeTableName}/{segmentName}/upload")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "realtimeTableName",
action = Actions.Table.UPLOAD_SEGMENT)
@ApiOperation(value = "Upload a low level consumer segment to segment store
and return the segment download url",
notes = "Upload a low level consumer segment to segment store and return
the segment download url")
@ApiResponses(value = {
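Review bot: `Actions.Table.UPLOAD_SEGMENT` is applied here to an endpoint that, per its notes, makes the server push a low level consumer segment to the segment store; the `uploadLLCSegment` and `uploadCommittedSegment` hunks do the same. If that action also guards client-initiated segment uploads elsewhere (not visible in this diff), one grant covers two different operations, which is wider than least privilege suggests. Either a dedicated action or a comment such as `// Reuses UPLOAD_SEGMENT: caller triggers a server-side push to the segment store` would make the choice explicit. The methods are outside the hunks.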
@@ -903,6 +915,8 @@ public class TablesResource {
@POST
@Path("/segments/{realtimeTableNameWithType}/{segmentName}/uploadLLCSegment")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName =
"realtimeTableNameWithType",
+ action = Actions.Table.UPLOAD_SEGMENT)
@ApiOperation(value = "Upload a low level consumer segment to segment store
and return the segment download url,"
+ "crc and other segment metadata",
notes = "Upload a low level consumer segment to segment store and return
the segment download url, crc, data crc "
@@ -980,6 +994,7 @@ public class TablesResource {
@POST
@Path("/segments/{realtimeTableName}/{segmentName}/uploadCommittedSegment")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "realtimeTableName",
action = Actions.Table.UPLOAD_SEGMENT)
@ApiOperation(value = "Upload a real-time committed segment to segment store
and return the segment ZK metadata",
notes = "Upload a real-time committed segment to segment store and
return the segment ZK metadata")
@ApiResponses(value = {
@@ -1088,6 +1103,8 @@ public class TablesResource {
@GET
@Path("tables/{realtimeTableName}/consumingSegmentsInfo")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "realtimeTableName",
+ action = Actions.Table.GET_CONSUMING_SEGMENTS)
@ApiOperation(value = "Get the info for consumers of this REALTIME table",
notes =
"Get consumers info from the table data manager. Note that the
partitionToOffsetMap has been deprecated "
+ "and will be removed in the next release. The info is now embedded
within each partition's state as "
@@ -1148,6 +1165,7 @@ public class TablesResource {
@GET
@Path("tables/{tableNameWithType}/allSegmentsLoaded")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableNameWithType",
action = Actions.Table.GET_SEGMENT_STATUS)
@ApiOperation(value = "Validates if the ideal state matches with the segment
state on this server", notes =
"Validates if the ideal state matches with the segment state on this
server")
public TableSegmentValidationInfo validateTableSegmentState(
@@ -1215,6 +1233,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments/needReload")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SEGMENT)
@ApiOperation(value = "Checks if reload is needed on any segment", notes =
"Returns true if reload is required on"
+ " any segment in this server")
@ApiResponses(value = {
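Review bot: `needReload` is authorized with `Actions.Table.GET_SEGMENT`, while the `allSegmentsLoaded` hunk just above uses `Actions.Table.GET_SEGMENT_STATUS` for a similar status question; the `isStale` hunk that follows makes the same choice. If these are status checks rather than segment reads, `action = Actions.Table.GET_SEGMENT_STATUS` would keep the three endpoints under one permission. If `GET_SEGMENT` is deliberate, a one-line comment saying so would help. The method is outside the hunk.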
@@ -1239,6 +1258,7 @@ public class TablesResource {
@GET
@Path("/tables/{tableName}/segments/isStale")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.GET_SEGMENT)
@ApiOperation(value = "Get the list of segments that are stale or deviated
from table config.",
notes = "Get the list of segments that are stale or deviated from table
config")
@ApiResponses(value = {
@@ -1260,6 +1280,7 @@ public class TablesResource {
@DELETE
@Path("/tables/{tableName}/ingestionMetrics")
@Produces(MediaType.APPLICATION_JSON)
+ @Authorize(targetType = TargetType.TABLE, paramName = "tableName", action =
Actions.Table.DELETE_INGESTION_METRICS)
@ApiOperation(value = "Remove ingestion metrics for partition(s)", notes =
"Removes ingestion-related metrics for "
+ "the given table. If no partitionId is provided, metrics for all
partitions hosted by this server will be "
+ "removed.")