This is an automated email from the ASF dual-hosted git repository. suneet pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push: new 573de3b clarify security requirements around HTTPInputSource (#10914) 573de3b is described below commit 573de3bc0da892e4575f72afe46ceab480ca29ce Author: Charles Smith <38529548+techdocsm...@users.noreply.github.com> AuthorDate: Fri Feb 26 09:37:47 2021 -0800 clarify security requirements around HTTPInputSource (#10914) * clarify security requirements around HTTPInputSource * explicitly mention write/datasource in best practices. clarify that the ingestion task is the risk * Update docs/operations/security-overview.md Co-authored-by: Suneet Saldanha <sun...@apache.org> Co-authored-by: Suneet Saldanha <sun...@apache.org> --- docs/ingestion/native-batch.md | 10 ++++++++-- docs/operations/security-overview.md | 1 + 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/docs/ingestion/native-batch.md b/docs/ingestion/native-batch.md index b49f837..cc06475 100644 --- a/docs/ingestion/native-batch.md +++ b/docs/ingestion/native-batch.md 
@@ -1133,8 +1133,14 @@ the [S3 input source](#s3-input-source) or the [Google Cloud Storage input sourc ### HTTP Input Source -The HTTP input source is to support reading files directly -from remote sites via HTTP. +The HTTP input source is to support reading files directly from remote sites via HTTP. + +> **NOTE:** Ingestion tasks run under the operating system account that runs the Druid processes, for example the Indexer, Middle Manager, and Peon. This means any user who can submit an ingestion task can specify an `HTTPInputSource` at any location where the Druid process has permissions. For example, using `HTTPInputSource`, a console user has access to internal network locations where the they would be denied access otherwise. + +> **WARNING:** `HTTPInputSource` is not limited to the HTTP or HTTPS protocols. It uses the Java `URI` class that supports HTTP, HTTPS, FTP, file, and jar protocols by default. This means you should never run Druid under the `root` account, because a user can use the file protocol to access any files on the local disk. + +For more information about security best practices, see [Security overview](../operations/security-overview.md#best-practices). + The HTTP input source is _splittable_ and can be used by the [Parallel task](#parallel-task), where each worker task of `index_parallel` will read only one file. This input source does not support Split Hint Spec. diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index 150d992..d65e9f5 100644 --- a/docs/operations/security-overview.md +++ b/docs/operations/security-overview.md 
@@ -41,6 +41,7 @@ This document gives you an overview of security features in Druid and how to con ## Best practices * Do not expose the Druid Console without authentication on untrusted networks. Access to the console effectively confers access the file system on the installation machine, via file browsers in the UI. You should use an API gateway that restricts who can connect from untrusted networks, allow list the specific APIs that your users need to access, and implements account lockout and throttling features. +* You should only grant `WRITE` permissions to a `DATASOURCE` to trusted users. Druid assumes that these users have the same privileges as the operating system user that runs the Druid process. * Grant users the minimum permissions necessary to perform their functions. For instance, do not allow users who only need to query data to write to data sources or view state. * Disable JavaScript, as noted in the [Security section](https://druid.apache.org/docs/latest/development/javascript.html#security) of the JavaScript guide. * Run Druid as an unprivileged Unix user on the installation machine (not root).
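Review bot: The added WARNING in docs/ingestion/native-batch.md ties the file-protocol risk only to running Druid as `root`, which understates it. The NOTE just above says the task runs with the permissions of the Druid process account, so a non-root account still exposes every local file that account can read. Suggest stating that directly, for example "a user can use the file protocol to read any file the Druid process account can read, so never run Druid as `root`". Also in the NOTE, "where the they would be denied access otherwise" has a stray "the".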
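Review bot: The new `WRITE`/`DATASOURCE` bullet in docs/operations/security-overview.md states that Druid assumes these users have the privileges of the operating system user, but gives no reason and no pointer to where this is explained. The commit message says the intent is to "clarify that the ingestion task is the risk", yet the bullet never mentions ingestion tasks. Suggest adding a clause such as "because they can submit ingestion tasks, which run under that account" and linking back to the HTTP input source section, mirroring the link the native-batch.md hunk adds in the other direction.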