This is an automated email from the ASF dual-hosted git repository.
jackie pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 08a3083b6a Adding RBAC authorization checks for multi-stage query
engine (#11830)
08a3083b6a is described below
commit 08a3083b6a6242abd8e865b81a0ddc2c6dcdb340
Author: soumitra-st <[email protected]>
AuthorDate: Fri Oct 20 17:02:17 2023 -0700
Adding RBAC authorization checks for multi-stage query engine (#11830)
---
.../requesthandler/MultiStageBrokerRequestHandler.java | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
diff --git
a/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java
b/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java
index 5c4e86a7d4..772f021fce 100644
---
a/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java
+++
b/pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java
@@ -30,6 +30,7 @@ import javax.ws.rs.WebApplicationException;
import javax.ws.rs.core.HttpHeaders;
import javax.ws.rs.core.Response;
import org.apache.calcite.jdbc.CalciteSchemaBuilder;
+import org.apache.pinot.broker.api.AccessControl;
import org.apache.pinot.broker.api.RequesterIdentity;
import org.apache.pinot.broker.broker.AccessControlFactory;
import org.apache.pinot.broker.querylog.QueryLogger;
@@ -51,6 +52,8 @@ import org.apache.pinot.common.utils.DataSchema;
import org.apache.pinot.common.utils.ExceptionUtils;
import org.apache.pinot.common.utils.config.QueryOptionsUtils;
import org.apache.pinot.common.utils.request.RequestUtils;
+import org.apache.pinot.core.auth.Actions;
+import org.apache.pinot.core.auth.TargetType;
import org.apache.pinot.core.query.reduce.ExecutionStatsAggregator;
import org.apache.pinot.core.transport.ServerInstance;
import org.apache.pinot.query.QueryEnvironment;
@@ -128,7 +131,7 @@ public class MultiStageBrokerRequestHandler extends
BaseBrokerRequestHandler {
queryPlanResult = _queryEnvironment.explainQuery(query,
sqlNodeAndOptions, requestId);
String plan = queryPlanResult.getExplainPlan();
Set<String> tableNames = queryPlanResult.getTableNames();
- if (!hasTableAccess(requesterIdentity, tableNames, requestContext)) {
+ if (!hasTableAccess(requesterIdentity, tableNames, requestContext,
httpHeaders)) {
throw new WebApplicationException("Permission denied",
Response.Status.FORBIDDEN);
}
@@ -164,7 +167,7 @@ public class MultiStageBrokerRequestHandler extends
BaseBrokerRequestHandler {
updatePhaseTimingForTables(tableNames,
BrokerQueryPhase.REQUEST_COMPILATION, compilationTimeNs);
// Validate table access.
- if (!hasTableAccess(requesterIdentity, tableNames, requestContext)) {
+ if (!hasTableAccess(requesterIdentity, tableNames, requestContext,
httpHeaders)) {
throw new WebApplicationException("Permission denied",
Response.Status.FORBIDDEN);
}
updatePhaseTimingForTables(tableNames, BrokerQueryPhase.AUTHORIZATION,
System.nanoTime() - compilationEndTimeNs);
@@ -251,8 +254,10 @@ public class MultiStageBrokerRequestHandler extends
BaseBrokerRequestHandler {
* Validates whether the requester has access to all the tables.
*/
private boolean hasTableAccess(RequesterIdentity requesterIdentity,
Set<String> tableNames,
- RequestContext requestContext) {
- boolean hasAccess =
_accessControlFactory.create().hasAccess(requesterIdentity, tableNames);
+ RequestContext requestContext, HttpHeaders httpHeaders) {
+ AccessControl accessControl = _accessControlFactory.create();
+ boolean hasAccess = accessControl.hasAccess(requesterIdentity, tableNames)
&& tableNames.stream()
+ .allMatch(table -> accessControl.hasAccess(httpHeaders,
TargetType.TABLE, table, Actions.Table.QUERY));
if (!hasAccess) {
_brokerMetrics.addMeteredGlobalValue(BrokerMeter.REQUEST_DROPPED_DUE_TO_ACCESS_ERROR,
1);
LOGGER.warn("Access denied for requestId {}",
requestContext.getRequestId());
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
