Posted to commits@pinot.apache.org by GitBox <gi...@apache.org> on 2021/11/05 20:49:50 UTC

[GitHub] [pinot] apucher commented on a change in pull request #7653: Adding config for keystore types, switching tls to native implementation, and adding authorization for server-broker tls channel

apucher commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r743963478



##########
File path: pinot-core/src/main/java/org/apache/pinot/core/transport/QueryServer.java
##########
@@ -56,9 +60,11 @@
    * @param port bind port
    * @param queryScheduler query scheduler
    * @param serverMetrics server metrics
+   * @param accessControlFactory access control factory for netty channel
    */
-  public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics) {
-    this(port, queryScheduler, serverMetrics, null);
+  public QueryServer(int port, QueryScheduler queryScheduler, ServerMetrics serverMetrics,
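
Review bot: The new `@param accessControlFactory` line does not say whether null is accepted or what the channel does without a factory. For an authorization hook, the Javadoc should state whether the default is allow or deny. Separately, the three-argument constructor is replaced rather than kept as an overload, so any caller still using `QueryServer(port, queryScheduler, serverMetrics)` stops compiling. Consider keeping it as a deprecated overload that delegates with an explicit, documented default factory.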

Review comment:
       yes. thanks.

##########
File path: pinot-core/src/main/java/org/apache/pinot/server/access/AllowAllAccessFactory.java
##########
@@ -16,13 +16,19 @@
  * specific language governing permissions and limitations
  * under the License.
  */
-package org.apache.pinot.server.api.access;
+package org.apache.pinot.server.access;
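
Review bot: The package line changes from `org.apache.pinot.server.api.access` to `org.apache.pinot.server.access`, which changes the fully qualified name of this class, so any deployment that names the old class in configuration or scripts will no longer resolve it. Consider leaving a deprecated class in the old package that extends the new one for a release, and confirm that a factory class name that cannot be loaded stops startup with a clear error instead of leaving the server running with some other access policy.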

Review comment:
       At least, I would specifically call this out in the PR's release notes.
   
   I'm aware of at least one installation that explicitly sets AllowAll... as part of startup scripts.

##########
File path: pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java
##########
@@ -27,6 +28,13 @@
 @InterfaceStability.Stable
 public interface AccessControl {
 
+  /**
+   *
+   * @param channelHandlerContext netty tls context
+   * @return Whether the client has access to query server
+   */
+  boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext);
+
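
Review bot: `hasQueryServerAccess` is added as an abstract method on an interface marked `@InterfaceStability.Stable`, so every existing implementation outside this patch fails to compile until it adds the method. A `default` method with an explicit, documented result would keep the interface compatible. The Javadoc also has an empty description line, and `@param channelHandlerContext netty tls context` does not say what an implementation is expected to inspect on the channel or at what point in the connection the check runs. Spell both out so implementers do not base the decision on state that has not been verified yet.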

Review comment:
       If the desire is to achieve additional application-layer authentication, why not use an auth token here, similar to the rest of pinot?




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@pinot.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


