Posted to commits@pinot.apache.org by "zhtaoxiang (via GitHub)" <gi...@apache.org> on 2023/07/05 22:42:17 UTC

[GitHub] [pinot] zhtaoxiang commented on a diff in pull request #11016: Rbac impl

zhtaoxiang commented on code in PR #11016:
URL: https://github.com/apache/pinot/pull/11016#discussion_r1253713691


##########
pinot-core/src/main/java/org/apache/pinot/core/auth/RBACAuthUtils.java:
##########
@@ -0,0 +1,38 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.pinot.core.auth;
+
+import javax.ws.rs.core.MultivaluedMap;
+
+public class RBACAuthUtils {
+    public static String getTargetId(String targetIdTemplate,
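
Review bot: `RBACAuthUtils` is declared as a plain `public class`, and its first member at `getTargetId(String targetIdTemplate, ...` is a static helper with no private constructor before it. If the class only holds static helpers, declare it `final` and add a private constructor so it cannot be instantiated or subclassed. The member is also indented four spaces, while the class members added to `AuthenticationFilter.java` in this same PR are indented two.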

Review Comment:
   Can we please add Javadoc here?



##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java:
##########
@@ -81,10 +83,32 @@ public void filter(ContainerRequestContext requestContext)
 
     HttpRequesterIdentity httpRequestIdentity = HttpRequesterIdentity.fromRequest(request);
 
+    // default authorization handling
     if (!accessControl.hasAccess(httpRequestIdentity)) {
       throw new WebApplicationException("Failed access check for " + httpRequestIdentity.getEndpointUrl(),
           Response.Status.FORBIDDEN);
     }
+
+    handleRBACAuthorization(endpointMethod, uriInfo, accessControl, httpRequestIdentity);
+  }
+
+  private void handleRBACAuthorization(Method endpointMethod, UriInfo uriInfo, AccessControl accessControl,
+                                       HttpRequesterIdentity httpRequestIdentity) {
+    if (endpointMethod.isAnnotationPresent(RBACAuthorization.class)) {
+      RBACAuthorization rbacAuthorization = endpointMethod.getAnnotation(RBACAuthorization.class);
+      String targetId = RBACAuthUtils.getTargetId(rbacAuthorization.targetId(), uriInfo.getPathParameters(),
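
Review bot: In `handleRBACAuthorization`, the RBAC check is entered only when `endpointMethod.isAnnotationPresent(RBACAuthorization.class)` is true, so in the lines shown an endpoint method that lacks the annotation is covered only by the default `accessControl.hasAccess(httpRequestIdentity)` check. Please state in a comment or Javadoc that unannotated endpoints are intentionally exempt, and consider a debug log or a test that lists broker endpoints without `@RBACAuthorization`, so that a newly added endpoint does not skip RBAC unnoticed.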

Review Comment:
   I feel that we should use different names for the variable `targetId` and `rbacAuthorization.targetId()`; it is confusing to me now.



##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/BaseBrokerRequestHandler.java:
##########
@@ -381,7 +382,9 @@ private BrokerResponseNative handleRequest(long requestId, String query,
       BrokerRequest brokerRequest = CalciteSqlCompiler.convertToBrokerRequest(pinotQuery);
       BrokerRequest serverBrokerRequest =
           serverPinotQuery == pinotQuery ? brokerRequest : CalciteSqlCompiler.convertToBrokerRequest(serverPinotQuery);
-      boolean hasTableAccess = _accessControlFactory.create().hasAccess(requesterIdentity, serverBrokerRequest);
+      AccessControl accessControl = _accessControlFactory.create();
+      boolean hasTableAccess = accessControl.hasAccess(requesterIdentity, serverBrokerRequest) &&
+              accessControl.hasRBACAccess(requesterIdentity, tableName, "table", "read");
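
Review bot: The two checks behind `hasTableAccess` are keyed on different inputs: `hasAccess` receives `serverBrokerRequest`, while `hasRBACAccess` receives the separate `tableName` variable. Please confirm that `tableName` always names the same table the compiled request will read, or derive the RBAC target from `serverBrokerRequest`, so the two decisions cannot apply to different tables. The trailing `&&` with an eight-space continuation indent also differs from the four-space continuation used on the `serverPinotQuery == pinotQuery ? ...` line just above.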

Review Comment:
   We may need to define some static constant variables to represent the types and permissions.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org

