NihalJain opened a new issue, #14595: URL: https://github.com/apache/pinot/issues/14595
While trying the [Authentication and Authorisation feature of Pinot](https://docs.pinot.apache.org/operators/tutorials/authentication), I found that for any endpoint which accesses a non-table resource, authorisation does not work as expected using either of the bundled auth options:

1. BasicAuthAccessControlFactory
2. ZkBasicAuthAccessControlFactory

I would consider this a CRITICAL security flaw, as it allows a normal user to do any sort of destructive action in the cluster. Consider a simple example.

Assume we have 3 users in the system:

1. admin
2. test
3. user1

Now we try to DELETE _user1_, who is an admin, by submitting a request as _test_, who is a normal user.

Voila, _user1_ is deleted! :(

But the user _test_ was not authorised to do so!!

This example is just the tip of the iceberg. I plan to work on fixing this once the team confirms this is really broken.
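The report above says only that authorisation is skipped for endpoints touching non-table resources, not why. The following is an added illustration (my own code, not Pinot's, and not a claim about how Pinot's factories are implemented) of the general class of bug that produces this symptom: an access-control check keyed on a table name that implicitly allows any request with no table attached. The class names, the `Principal`/`Request` shapes, the action names and the sample users are all constructed for this example. It shows the fail-open check beside a deny-by-default version, using the users from the report.

```python
"""Fail-open vs deny-by-default authorisation for non-table resources.

Constructed illustration of a generic pattern; it is NOT Pinot's code and
does not describe Pinot's internals. All names here are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Principal:
    name: str
    is_admin: bool
    # table name -> actions this user may perform on that table
    table_permissions: Dict[str, Set[str]] = field(default_factory=dict)


@dataclass
class Request:
    principal: Principal
    action: str
    # None means the endpoint acts on a non-table resource
    # (users, cluster config, ...). That is the case the report is about.
    table: Optional[str] = None


def has_access_fail_open(req: Request) -> bool:
    """Bug pattern: the check only knows how to reason about tables.

    A request with no table never reaches a permission lookup, so it is
    allowed regardless of who sent it. Non-admins can therefore hit
    user-management or cluster-management endpoints unchecked.
    """
    if req.table is None:
        return True  # <- the fail-open branch
    if req.principal.is_admin:
        return True
    return req.action in req.principal.table_permissions.get(req.table, set())


def has_access_deny_by_default(req: Request) -> bool:
    """Hardened version: an unknown or non-table resource is admin-only.

    The decision is made for every request; nothing is allowed merely
    because the check did not know how to classify the resource.
    """
    if req.principal.is_admin:
        return True
    if req.table is None:
        return False  # non-table resources require admin; no silent allow
    return req.action in req.principal.table_permissions.get(req.table, set())


# Constructed users mirroring the report: an admin, a normal user 'test'
# that may only read one table, and a second admin 'user1'.
ADMIN = Principal("admin", is_admin=True)
TEST = Principal("test", is_admin=False, table_permissions={"sales": {"READ"}})
USER1 = Principal("user1", is_admin=True)

# 'test' tries to delete 'user1' through a non-table (user management) endpoint.
DELETE_USER1_AS_TEST = Request(TEST, "DELETE_USER:user1")
# Sanity cases: table access still behaves the same under both checks.
READ_SALES_AS_TEST = Request(TEST, "READ", table="sales")
WRITE_SALES_AS_TEST = Request(TEST, "WRITE", table="sales")
DELETE_USER1_AS_ADMIN = Request(ADMIN, "DELETE_USER:user1")


def compare() -> Dict[str, Dict[str, bool]]:
    """Return each check's decision for the sample requests."""
    cases = {
        "delete_user1_as_test": DELETE_USER1_AS_TEST,
        "read_sales_as_test": READ_SALES_AS_TEST,
        "write_sales_as_test": WRITE_SALES_AS_TEST,
        "delete_user1_as_admin": DELETE_USER1_AS_ADMIN,
    }
    return {
        name: {
            "fail_open": has_access_fail_open(r),
            "deny_by_default": has_access_deny_by_default(r),
        }
        for name, r in cases.items()
    }


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(f"{name:24s} fail_open={verdicts['fail_open']!s:5s} "
              f"deny_by_default={verdicts['deny_by_default']}")
```

The practical check this suggests for any access-control plugin, whatever its internals: enumerate the endpoints that take no table argument and send each one as a non-admin user; every one that succeeds is a fail-open branch like the first function above.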
