Posted to commits@pinot.apache.org by "walterddr (via GitHub)" <gi...@apache.org> on 2023/04/06 03:58:58 UTC

[GitHub] [pinot] walterddr commented on a diff in pull request #10534: [multistage] Table level Access Validation, QPS Quota, Phase Metrics for multistage queries

walterddr commented on code in PR #10534:
URL: https://github.com/apache/pinot/pull/10534#discussion_r1159257571


##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java:
##########
@@ -79,11 +80,49 @@ public BasicAuthAccessControl(AccessControlUserCache userCache) {
 
         @Override
         public boolean hasAccess(RequesterIdentity requesterIdentity) {
-            return hasAccess(requesterIdentity, null);
+            return hasAccess(requesterIdentity, (BrokerRequest) null);
         }
 
         @Override
         public boolean hasAccess(RequesterIdentity requesterIdentity, BrokerRequest brokerRequest) {
+            Optional<ZkBasicAuthPrincipal> principalOpt = getPrincipalAuth(requesterIdentity);
+            if (!principalOpt.isPresent()) {
+                // no matching token? reject
+                return false;
+            }
+
+            ZkBasicAuthPrincipal principal = principalOpt.get();
+            if (brokerRequest == null || !brokerRequest.isSetQuerySource() || !brokerRequest.getQuerySource()
+                .isSetTableName()) {
+                // no table restrictions? accept
+                return true;
+            }
+
+            return principal.hasTable(brokerRequest.getQuerySource().getTableName());
+        }
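
Review bot: In hasAccess(RequesterIdentity, BrokerRequest), the branch commented "no table restrictions? accept" returns true whenever brokerRequest is null or carries no query source table name, so it describes the request, not the principal: any principal that passes getPrincipalAuth is accepted without principal.hasTable being consulted. The one-argument hasAccess depends on this by passing (BrokerRequest) null. Suggest rewording the comment to say the request names no table, and documenting on the method that callers which resolve table names outside the BrokerRequest must use a table-aware check, otherwise the per-table restriction is silently skipped.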

Review Comment:
   seems we can simply call the Set<String> tables API right?
   ```suggestion
           public boolean hasAccess(RequesterIdentity requesterIdentity, BrokerRequest brokerRequest) {
               if (brokerRequest == null || !brokerRequest.isSetQuerySource() || !brokerRequest.getQuerySource()
                   .isSetTableName()) {
                   // no table restrictions? accept
                   return true;
               }
               return hasAccess(requesterIdentity, Collections.singleton(brokerRequest.getQuerySource().getTableName()));
           }
   ```



##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java:
##########
@@ -169,6 +185,36 @@ private BrokerResponse handleRequest(long requestId, String query,
       return new BrokerResponseNative(QueryException.getException(QueryException.SQL_PARSING_ERROR, e));
     }
 
+    QueryPlan queryPlan = queryPlanResult.getQueryPlan();
+    Set<String> tableNames = getTableNamesFromRelRoot(queryPlanResult.getRelRoot());
+
+    // Compilation Time. This includes the time taken for parsing, compiling, create stage plans and assigning workers.
+    long compilationEndTimeNs = System.nanoTime();
+    long compilationTime = (compilationEndTimeNs - compilationStartTimeNs) + sqlNodeAndOptions.getParseTimeNs();
+    updatePhaseTimingForTables(tableNames, BrokerQueryPhase.REQUEST_COMPILATION, compilationTime);
+
+    // Validate table access.
+    if (!hasTableAccess(requesterIdentity, tableNames)) {
+      _brokerMetrics.addMeteredGlobalValue(BrokerMeter.REQUEST_DROPPED_DUE_TO_ACCESS_ERROR, 1);
+      LOGGER.info("Access denied for requestId {}", requestId);
+      requestContext.setErrorCode(QueryException.ACCESS_DENIED_ERROR_CODE);
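
Review bot: The denial path logs only the request id (LOGGER.info("Access denied for requestId {}", requestId)) and increments a global meter, so a denied query cannot be tied back to the tables it referenced when someone reviews the logs. Suggest adding tableNames to that log line. Separately, updatePhaseTimingForTables(tableNames, BrokerQueryPhase.REQUEST_COMPILATION, compilationTime) runs before hasTableAccess, so per-table compilation timing is recorded for requests that are then rejected; consider moving it after the access check if denied requests should not contribute to table-level metrics.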

Review Comment:
   +1, same as the access control code reuse above.


