Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/04/28 22:19:34 UTC

[GitHub] [incubator-druid] gianm commented on issue #7563: System tables access requires extraneous permissions

gianm commented on issue #7563: System tables access requires extraneous permissions
URL: https://github.com/apache/incubator-druid/issues/7563#issuecomment-487420310
 
 
   > The permissions needed for system table access could be adjusted to not require additional permissions beyond datasource-specific permissions for non-server related info (segments, tasks) and to require STATE-read permissions for server-related tables (servers, server_segments) to be consistent with the non-SQL APIs.
   
   IMO it makes the most sense to align the permissions for SQL system tables with the permissions for similar metadata APIs as closely as possible. So, doing the above.
   
   > It's worth mentioning here that there is some inconsistency in the non-SQL task APIs themselves. The task APIs in OverlordResource only require datasource permissions, but the running tasks do contain information about where they exist (server-related info). On the other hand, retrieving task info from the middle managers via WorkerResource requires STATE but not datasource permissions.
   
   One major issue here is that nothing really defines what "STATE" and "CONFIG" are supposed to mean (other than access to an enumerated list of endpoints). My general feeling is that if you have "STATE" permissions it's reasonable to be able to see any sort of metadata (including datasources you don't specifically have read access grants for). If you couldn't, then you'd presumably get partial metadata, which would be a misleading view of cluster state. But that isn't written down anywhere that I can see, so it's a missing aspect to the permissions model and the documentation.
   
   In the specific case you brought up, the only change I might make (given the above reasoning) is expanding the permissions such that you can see all tasks, for any datasource, if you have "STATE" permissions.

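The rule discussed in the comment above, modelled as an added example that is not part of the original comment and is not Druid code. The class, function and flag names are hypothetical and the rows are constructed; `state_sees_all` switches on the expansion suggested in the last paragraph of the comment.

```python
from dataclasses import dataclass

# Hypothetical model of the proposed rule; none of these names are Druid APIs.
@dataclass(frozen=True)
class Identity:
    name: str
    datasource_read: frozenset = frozenset()  # datasources with a READ grant
    state_read: bool = False                  # holds STATE-read permission

# Constructed sample rows standing in for system table contents.
TASKS = [
    {"task_id": "index_wiki_1", "datasource": "wiki"},
    {"task_id": "index_clicks_1", "datasource": "clicks"},
    {"task_id": "index_billing_1", "datasource": "billing"},
]
SERVERS = [{"server": "server-a"}, {"server": "server-b"}]

SERVER_TABLES = {"servers", "server_segments"}  # server-related info
DATASOURCE_TABLES = {"segments", "tasks"}       # per-datasource info

def query_system_table(who, table, rows, state_sees_all=False):
    """Return the rows of `table` that `who` is allowed to see."""
    if table in SERVER_TABLES:
        # Server-related tables: STATE-read is required, all or nothing.
        if not who.state_read:
            raise PermissionError(f"{who.name}: STATE read required for {table}")
        return list(rows)
    if table in DATASOURCE_TABLES:
        # Suggested expansion: STATE-read shows rows for every datasource.
        if state_sees_all and who.state_read:
            return list(rows)
        # Otherwise filter row by row on datasource READ grants only.
        return [r for r in rows if r["datasource"] in who.datasource_read]
    raise ValueError(f"unknown system table: {table}")

def is_partial(visible, rows):
    """True when the caller received fewer rows than actually exist."""
    return len(visible) < len(rows)

if __name__ == "__main__":
    operator = Identity("operator", frozenset({"wiki"}), state_read=True)
    narrow = query_system_table(operator, "tasks", TASKS)
    wide = query_system_table(operator, "tasks", TASKS, state_sees_all=True)
    print("datasource-only rule:", [r["task_id"] for r in narrow],
          "partial view:", is_partial(narrow, TASKS))
    print("STATE sees all tasks:", [r["task_id"] for r in wide],
          "partial view:", is_partial(wide, TASKS))
```

Under the datasource-only rule the STATE holder gets a filtered task list with no signal that rows are missing, which is the partial view of cluster state the comment is concerned about.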