somandal commented on code in PR #10534:
URL: https://github.com/apache/pinot/pull/10534#discussion_r1157514385
##########
pinot-query-planner/src/main/java/org/apache/pinot/query/QueryEnvironment.java:
##########
@@ -132,6 +134,13 @@ public QueryEnvironment(TypeFactory typeFactory,
CalciteSchema rootSchema, Worke
_hepProgram = hepProgramBuilder.build();
}
+ /**
+ * Returns the RelRoot generated after compiling the query.
+ */
+ public RelRoot getRelRoot() {
+ return _relRoot;
+ }
Review Comment:
Isn't `QueryEnvironment` a global object used for all queries going via the
`MultiStageBrokerRequestHandler`? There is a single
`MultiStageBrokerRequestHandler` object. How will this work if there are
multiple queries issues in parallel via the `MultiStageBrokerRequestHandler`?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java:
##########
@@ -79,11 +80,49 @@ public BasicAuthAccessControl(AccessControlUserCache
userCache) {
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity) {
- return hasAccess(requesterIdentity, null);
+ return hasAccess(requesterIdentity, (BrokerRequest) null);
}
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity,
BrokerRequest brokerRequest) {
+ Optional<ZkBasicAuthPrincipal> principalOpt =
getPrincipalAuth(requesterIdentity);
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
+
+ ZkBasicAuthPrincipal principal = principalOpt.get();
+ if (brokerRequest == null || !brokerRequest.isSetQuerySource() ||
!brokerRequest.getQuerySource()
+ .isSetTableName()) {
+ // no table restrictions? accept
+ return true;
+ }
+
+ return
principal.hasTable(brokerRequest.getQuerySource().getTableName());
+ }
+
+ @Override
+ public boolean hasAccess(RequesterIdentity requesterIdentity,
Set<String> tables) {
+ Optional<ZkBasicAuthPrincipal> principalOpt =
getPrincipalAuth(requesterIdentity);
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
+ if (tables == null || tables.size() == 0) {
Review Comment:
nit: Can `CollectionUtils.isEmpty()` be used instead?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java:
##########
@@ -79,11 +80,49 @@ public BasicAuthAccessControl(AccessControlUserCache
userCache) {
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity) {
- return hasAccess(requesterIdentity, null);
+ return hasAccess(requesterIdentity, (BrokerRequest) null);
}
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity,
BrokerRequest brokerRequest) {
+ Optional<ZkBasicAuthPrincipal> principalOpt =
getPrincipalAuth(requesterIdentity);
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
+
+ ZkBasicAuthPrincipal principal = principalOpt.get();
+ if (brokerRequest == null || !brokerRequest.isSetQuerySource() ||
!brokerRequest.getQuerySource()
+ .isSetTableName()) {
+ // no table restrictions? accept
+ return true;
+ }
+
+ return
principal.hasTable(brokerRequest.getQuerySource().getTableName());
+ }
+
+ @Override
+ public boolean hasAccess(RequesterIdentity requesterIdentity,
Set<String> tables) {
+ Optional<ZkBasicAuthPrincipal> principalOpt =
getPrincipalAuth(requesterIdentity);
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
Review Comment:
nit: empty space after this
##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java:
##########
@@ -221,6 +242,11 @@ private BrokerResponse handleRequest(long requestId,
String query,
return brokerResponse;
}
+ private boolean hasTableAccess(RequesterIdentity requesterIdentity, RelNode
relRoot) {
+ Set<String> tableNames = new
HashSet<>(RelOptUtil.findAllTableQualifiedNames(relRoot));
+ return _accessControlFactory.create().hasAccess(requesterIdentity,
tableNames);
+ }
Review Comment:
Is looking at the `RelRoot` actually necessary to get the list of table
names? Later in the code i see that the `QueryPlan` has the list of tables:
```
List<String> tableNames =
queryPlan.getStageMetadataMap().get(entry.getKey()).getScannedTables();
```
Perhaps we can reuse the above rather than trying to expose the `RelRoot`?
Optionally do you think we should push down this validation to the actual
`explainPlan` or `planQuery` methods themselves instead?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -104,5 +99,39 @@ public boolean hasAccess(RequesterIdentity
requesterIdentity, BrokerRequest brok
return principal.hasTable(brokerRequest.getQuerySource().getTableName());
}
+
+ @Override
+ public boolean hasAccess(RequesterIdentity requesterIdentity, Set<String>
tables) {
+ Optional<BasicAuthPrincipal> principalOpt =
getPrincipalOpt(requesterIdentity);
+
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
+
+ if (tables == null || tables.size() == 0) {
+ return true;
+ }
Review Comment:
nit: Can `CollectionUtils.isEmpty()` be used instead?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
