walterddr commented on code in PR #10534:
URL: https://github.com/apache/pinot/pull/10534#discussion_r1159257571
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java:
##########
@@ -79,11 +80,49 @@ public BasicAuthAccessControl(AccessControlUserCache
userCache) {
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity) {
- return hasAccess(requesterIdentity, null);
+ return hasAccess(requesterIdentity, (BrokerRequest) null);
}
@Override
public boolean hasAccess(RequesterIdentity requesterIdentity,
BrokerRequest brokerRequest) {
+ Optional<ZkBasicAuthPrincipal> principalOpt =
getPrincipalAuth(requesterIdentity);
+ if (!principalOpt.isPresent()) {
+ // no matching token? reject
+ return false;
+ }
+
+ ZkBasicAuthPrincipal principal = principalOpt.get();
+ if (brokerRequest == null || !brokerRequest.isSetQuerySource() ||
!brokerRequest.getQuerySource()
+ .isSetTableName()) {
+ // no table restrictions? accept
+ return true;
+ }
+
+ return
principal.hasTable(brokerRequest.getQuerySource().getTableName());
+ }
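Review bot: the early return under `// no table restrictions? accept` in hasAccess(RequesterIdentity, BrokerRequest) accepts any authenticated principal whenever brokerRequest is null or carries no table name, whatever tables that principal is limited to. The comment reads as a statement about the principal, but the condition tests the request; please reword it to say that a request without a table name is only authenticated and not table-checked, or return false there if every caller is expected to supply a table. The one-argument overload now always takes this branch through `(BrokerRequest) null`, so a Javadoc line stating that it verifies the principal only would keep callers from treating it as a table-level check.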
Review Comment:
Seems we can simply call the Set<String> tables API, right?
```suggestion
  public boolean hasAccess(RequesterIdentity requesterIdentity, BrokerRequest brokerRequest) {
    if (brokerRequest == null || !brokerRequest.isSetQuerySource()
        || !brokerRequest.getQuerySource().isSetTableName()) {
      // no table restrictions? accept
      return true;
    }
    return hasAccess(requesterIdentity, Collections.singleton(brokerRequest.getQuerySource().getTableName()));
  }
```
##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java:
##########
@@ -169,6 +185,36 @@ private BrokerResponse handleRequest(long requestId,
String query,
return new
BrokerResponseNative(QueryException.getException(QueryException.SQL_PARSING_ERROR,
e));
}
+ QueryPlan queryPlan = queryPlanResult.getQueryPlan();
+ Set<String> tableNames =
getTableNamesFromRelRoot(queryPlanResult.getRelRoot());
+
+ // Compilation Time. This includes the time taken for parsing, compiling,
create stage plans and assigning workers.
+ long compilationEndTimeNs = System.nanoTime();
+ long compilationTime = (compilationEndTimeNs - compilationStartTimeNs) +
sqlNodeAndOptions.getParseTimeNs();
+ updatePhaseTimingForTables(tableNames,
BrokerQueryPhase.REQUEST_COMPILATION, compilationTime);
+
+ // Validate table access.
+ if (!hasTableAccess(requesterIdentity, tableNames)) {
+
_brokerMetrics.addMeteredGlobalValue(BrokerMeter.REQUEST_DROPPED_DUE_TO_ACCESS_ERROR,
1);
+ LOGGER.info("Access denied for requestId {}", requestId);
+ requestContext.setErrorCode(QueryException.ACCESS_DENIED_ERROR_CODE);
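Review bot: the denial log `LOGGER.info("Access denied for requestId {}", requestId)` records only the request id, which leaves nothing to investigate a denied query with; consider adding tableNames (and the requester, if it can be logged safely) to the message. Separately, updatePhaseTimingForTables(tableNames, ...) runs before the hasTableAccess check, so per-table compilation timing is recorded for tables the requester is then refused; moving the timing update after the check, or noting why it stays first, would make the ordering deliberate.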
Review Comment:
+1 same as the access control code reuse above.