soumitra-st commented on PR #14383: URL: https://github.com/apache/pinot/pull/14383#issuecomment-2481454696
> @soumitra-st Can you help take a look? Which path do we need to allow bypassing the auth check?
>
> I want to make this whitelist very restricted so that only the allowed path can bypass the auth check. This way we can avoid other possible attacks, instead of explicitly handling them one by one.

The current whitelist paths are [HERE](https://github.com/apache/pinot/blob/b06c0613fe76c4c5e9c6989e010642a39b60c1d8/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java#L53):

```java
new HashSet<>(Arrays.asList("", "help", "auth/info", "auth/verify", "health"));
```

In addition to the above whitelisted paths, all top files having at least one '.' are allowed. This is likely done to allow access to top-level resource files. If we need to remove implicit access to all the top-level resources, we must figure out the list and add it to the UNPROTECTED_PATHS.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
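To make the two behaviours discussed in this comment concrete, here is an added example (not Pinot's `AuthenticationFilter` code) that puts the exact allowlist quoted above next to the implicit "top-level name containing a '.'" rule, and beside it the restricted variant the comment proposes, where the static resources are enumerated explicitly. The `STATIC_RESOURCES` contents, the `normalize` helper and the method names are assumptions made for the illustration; Pinot's actual path handling is not shown here.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

// Added example, not Pinot's own AuthenticationFilter.
public class UnprotectedPathCheck {

    // The exact allowlist quoted in the discussion.
    static final Set<String> UNPROTECTED_PATHS =
        new HashSet<>(Arrays.asList("", "help", "auth/info", "auth/verify", "health"));

    // Hypothetical: an explicit list of top-level static resources that would replace
    // the implicit "any top-level name containing a '.'" rule. Constructed for this example.
    static final Set<String> STATIC_RESOURCES =
        new HashSet<>(Arrays.asList("index.html", "favicon.ico"));

    // Behaviour as described in the comment: exact allowlist, plus any top-level
    // path segment (no '/') that contains at least one '.'.
    static boolean isUnprotectedImplicit(String path) {
        String p = normalize(path);
        if (UNPROTECTED_PATHS.contains(p)) {
            return true;
        }
        return !p.contains("/") && p.contains(".");
    }

    // Restricted variant: only exact matches against the two explicit lists,
    // so a name is unprotected only if someone deliberately listed it.
    static boolean isUnprotectedExplicit(String path) {
        String p = normalize(path);
        return UNPROTECTED_PATHS.contains(p) || STATIC_RESOURCES.contains(p);
    }

    // Assumption for this example: strip leading slashes so "/health" and "health"
    // compare equal; the real filter's normalization is not part of this snippet.
    static String normalize(String path) {
        int i = 0;
        while (i < path.length() && path.charAt(i) == '/') {
            i++;
        }
        return path.substring(i);
    }

    public static void main(String[] args) {
        // Constructed sample paths: allowlisted ones, listed resources, an API path,
        // and an arbitrary dotted name that only the implicit rule lets through.
        String[] samples = {
            "health", "/auth/info", "index.html", "favicon.ico", "tables", "arbitrary.name"
        };
        for (String s : samples) {
            System.out.printf("%-16s implicit=%-5b explicit=%b%n",
                s, isUnprotectedImplicit(s), isUnprotectedExplicit(s));
        }
    }
}
```

Running `main` shows the difference the reviewer is after: both variants admit the allowlisted paths and the listed resources, but only the implicit rule also admits `arbitrary.name`, which is exactly the class of unreviewed path a hand-maintained `UNPROTECTED_PATHS` list would close off.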
