This is an automated email from the ASF dual-hosted git repository.

suneet pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 573de3b  clarify security requirements around HTTPInputSource (#10914)
573de3b is described below

commit 573de3bc0da892e4575f72afe46ceab480ca29ce
Author: Charles Smith <38529548+techdocsm...@users.noreply.github.com>
AuthorDate: Fri Feb 26 09:37:47 2021 -0800

    clarify security requirements around HTTPInputSource (#10914)
    
    * clarify security requirements around HTTPInputSource
    
    * explicitly mention write/datasource in best practices. clarify that the 
ingestion task is the risk
    
    * Update docs/operations/security-overview.md
    
    Co-authored-by: Suneet Saldanha <sun...@apache.org>
    
    Co-authored-by: Suneet Saldanha <sun...@apache.org>
---
 docs/ingestion/native-batch.md       | 10 ++++++++--
 docs/operations/security-overview.md |  1 +
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/docs/ingestion/native-batch.md b/docs/ingestion/native-batch.md
index b49f837..cc06475 100644
--- a/docs/ingestion/native-batch.md
+++ b/docs/ingestion/native-batch.md
@@ -1133,8 +1133,14 @@ the [S3 input source](#s3-input-source) or the [Google 
Cloud Storage input sourc
 
 ### HTTP Input Source
 
-The HTTP input source is to support reading files directly
-from remote sites via HTTP.
+The HTTP input source is to support reading files directly from remote sites 
via HTTP.
+
+> **NOTE:** Ingestion tasks run under the operating system account that runs 
the Druid processes, for example the Indexer, Middle Manager, and Peon. This 
means any user who can submit an ingestion task can specify an 
`HTTPInputSource` at any location where the Druid process has permissions. For 
example, using `HTTPInputSource`, a console user has access to internal network 
locations where the they would be denied access otherwise.
+
+> **WARNING:** `HTTPInputSource` is not limited to the HTTP or HTTPS 
protocols. It uses the Java `URI` class that supports HTTP, HTTPS, FTP, file, 
and jar protocols by default. This means you should never run Druid under the 
`root` account, because a user can use the file protocol to access any files on 
the local disk.
+
+For more information about security best practices, see [Security 
overview](../operations/security-overview.md#best-practices).
+
 The HTTP input source is _splittable_ and can be used by the [Parallel 
task](#parallel-task),
 where each worker task of `index_parallel` will read only one file. This input 
source does not support Split Hint Spec.
 
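Review bot: the NOTE block has a doubled article in its last sentence ("where the they would be denied access otherwise"); drop the extra "the". On substance, the WARNING overstates what the non-root mitigation buys: running Druid as an unprivileged account stops a task from reading root-only files, but the `file` and `jar` protocols still reach anything the Druid service account itself can read (its own configuration, for example), so consider wording it as "limits" rather than implying it closes the hole, and tie it back to the other half of this change, that `WRITE` on a `DATASOURCE` should only go to trusted users. The lead sentence "The HTTP input source is to support reading files directly from remote sites via HTTP" is only being reflowed here, but since the line is touched anyway, "The HTTP input source supports reading files directly from remote sites via HTTP" reads better.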
diff --git a/docs/operations/security-overview.md 
b/docs/operations/security-overview.md
index 150d992..d65e9f5 100644
--- a/docs/operations/security-overview.md
+++ b/docs/operations/security-overview.md
@@ -41,6 +41,7 @@ This document gives you an overview of security features in 
Druid and how to con
 ## Best practices
 
 * Do not expose the Druid Console without authentication on untrusted 
networks. Access to the console effectively confers access the file system on 
the installation machine, via file browsers in the UI. You should use an API 
gateway that restricts who can connect from untrusted networks, allow list the 
specific APIs that your users need to access, and implements account lockout 
and throttling features.
+* You should only grant `WRITE` permissions to a `DATASOURCE` to trusted 
users. Druid assumes that these users have the same privileges as the operating 
system user that runs the Druid process. 
 * Grant users the minimum permissions necessary to perform their functions. 
For instance, do not allow users who only need to query data to write to data 
sources or view state.  
 * Disable JavaScript, as noted in the [Security 
section](https://druid.apache.org/docs/latest/development/javascript.html#security)
 of the JavaScript guide.
 * Run Druid as an unprivileged Unix user on the installation machine (not 
root).
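Review bot: the new bullet states the consequence ("same privileges as the operating system user that runs the Druid process") but not why, so a reader of this page alone cannot tell which feature makes that true; add a short clause or a link to the `HTTPInputSource` note in `native-batch.md` that this same commit introduces, since that is where the mechanism (ingestion tasks running under the Druid OS account) is explained. The added line also carries trailing whitespace after "Druid process." which should be stripped to match the surrounding bullets.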

