Posted to commits@pinot.apache.org by ap...@apache.org on 2023/02/25 03:15:45 UTC

[pinot] branch master updated: enable readonly access to controller UI for users without table restrictions (#10329)

This is an automated email from the ASF dual-hosted git repository.

apucher pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git


The following commit(s) were added to refs/heads/master by this push:
     new 3772b55dc4 enable readonly access to controller UI for users without table restrictions (#10329)
3772b55dc4 is described below

commit 3772b55dc4c35673762a182b2ee650469560aa97
Author: Alexander Pucher <ap...@apache.org>
AuthorDate: Fri Feb 24 19:15:37 2023 -0800

    enable readonly access to controller UI for users without table restrictions (#10329)
---
 .../api/resources/PinotControllerAuthResource.java       |  3 ++-
 .../main/java/org/apache/pinot/tools/AuthQuickstart.java | 16 ++++++++++------
 2 files changed, 12 insertions(+), 7 deletions(-)

diff --git a/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotControllerAuthResource.java b/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotControllerAuthResource.java
index 77b77479ca..52e518cfed 100644
--- a/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotControllerAuthResource.java
+++ b/pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotControllerAuthResource.java
@@ -28,6 +28,7 @@ import io.swagger.annotations.Authorization;
 import io.swagger.annotations.SecurityDefinition;
 import io.swagger.annotations.SwaggerDefinition;
 import javax.inject.Inject;
+import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
 import javax.ws.rs.Path;
 import javax.ws.rs.Produces;
@@ -72,7 +73,7 @@ public class PinotControllerAuthResource {
       @ApiResponse(code = 500, message = "Verification error")
   })
   public boolean verify(@ApiParam(value = "Table name without type") @QueryParam("tableName") String tableName,
-      @ApiParam(value = "API access type") @QueryParam("accessType") AccessType accessType,
+      @ApiParam(value = "API access type") @DefaultValue("READ") @QueryParam("accessType") AccessType accessType,
       @ApiParam(value = "Endpoint URL") @QueryParam("endpointUrl") String endpointUrl) {
     AccessControl accessControl = _accessControlFactory.create();
     return accessControl.hasAccess(tableName, accessType, _httpHeaders, endpointUrl);
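Review bot: The new `@DefaultValue("READ")` on `accessType` in `verify` is not visible in the Swagger metadata, so a consumer cannot tell that a request without `accessType` is now answered as a READ check. A caller that omits the parameter while gating a write action would receive the READ answer, so the default should be documented, for example `@ApiParam(value = "API access type", defaultValue = "READ")`, and UI callers should keep passing `accessType` explicitly for anything other than read. `tableName` and `endpointUrl` still have no default and reach `hasAccess` as null when omitted. How `hasAccess` treats a null table is not shown in this hunk, so it is worth confirming that it does not grant more than the table-less read-only case this commit intends. The class body continues outside the hunk.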
diff --git a/pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java b/pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java
index 2642bbbb19..e4eaa89715 100644
--- a/pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java
+++ b/pinot-tools/src/main/java/org/apache/pinot/tools/AuthQuickstart.java
@@ -47,19 +47,23 @@ public class AuthQuickstart extends Quickstart {
     properties.put("pinot.controller.segment.fetcher.auth.token", "Basic YWRtaW46dmVyeXNlY3JldA==");
     properties.put("controller.admin.access.control.factory.class",
         "org.apache.pinot.controller.api.access.BasicAuthAccessControlFactory");
-    properties.put("controller.admin.access.control.principals", "admin, user");
+    properties.put("controller.admin.access.control.principals", "admin, user, service, tableonly");
     properties.put("controller.admin.access.control.principals.admin.password", "verysecret");
+    properties.put("controller.admin.access.control.principals.service.password", "verysecrettoo");
     properties.put("controller.admin.access.control.principals.user.password", "secret");
-    properties.put("controller.admin.access.control.principals.user.tables", "baseballStats");
-    properties.put("controller.admin.access.control.principals.user.permissions", "read");
+    properties.put("controller.admin.access.control.principals.user.permissions", "READ");
+    properties.put("controller.admin.access.control.principals.tableonly.password", "secrettoo");
+    properties.put("controller.admin.access.control.principals.tableonly.permissions", "READ");
+    properties.put("controller.admin.access.control.principals.tableonly.tables", "baseballStats");
 
     // broker
     properties.put("pinot.broker.access.control.class", "org.apache.pinot.broker.broker.BasicAuthAccessControlFactory");
-    properties.put("pinot.broker.access.control.principals", "admin, user");
+    properties.put("pinot.broker.access.control.principals", "admin, user, service, tableonly");
     properties.put("pinot.broker.access.control.principals.admin.password", "verysecret");
+    properties.put("pinot.broker.access.control.principals.service.password", "verysecrettoo");
     properties.put("pinot.broker.access.control.principals.user.password", "secret");
-    properties.put("pinot.broker.access.control.principals.user.tables", "baseballStats");
-    properties.put("pinot.broker.access.control.principals.user.permissions", "read");
+    properties.put("pinot.broker.access.control.principals.tableonly.password", "secrettoo");
+    properties.put("pinot.broker.access.control.principals.tableonly.tables", "baseballStats");
 
     // server
     properties.put("pinot.server.segment.fetcher.auth.token", "Basic YWRtaW46dmVyeXNlY3JldA==");
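Review bot: The broker block ends up with no `permissions` entry for `user` or `tableonly`, while the controller block sets `READ` for both, and the new `service` principal has neither `tables` nor `permissions` on either side. How the two `BasicAuthAccessControlFactory` classes treat a missing entry is not visible here. If absence means unrestricted, `service` is effectively a second admin and the broker restricts by table only. In that case the asymmetry should be stated next to the config, for example `// service: no tables/permissions set, i.e. unrestricted; broker principals are limited by tables only`. A second comment marking the fixed passwords and the `Basic …` tokens as quickstart-only sample values would keep them from being copied into a real deployment; the enclosing method starts and ends outside the hunk.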

