Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/02/20 07:59:20 UTC

[GitHub] [druid] pjain1 opened a new issue #9380: Fine grained config and state resources

pjain1 opened a new issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380
 
 
   ### Motivation
   
   This proposal is to introduce fine grained config and state resources for better access controls. For example, for a user we may want to allow them the permission to view the status of a node but not allow, by default, access to all other state resources like the load queue, list of servers or list of tasks for a worker, etc. Another example: we may want to give a user permission to just query the datasources but not read/change any state or config of the cluster; however, even for showing the datasource list on the console, a read on config is required to fetch the compaction status for the datasource.
   
   ### Proposed changes
   
   The current design has the same resource name for all `STATE` and `CONFIG` resources, which are _state_ and _config_ respectively. To achieve the desired results, different resource names will need to be set for these resources. For example, for `druid/coordinator/v1/config/compaction` the resource name can be _COMPACTION_ and the resource type is _CONFIG_, so a `GET` on this endpoint will be a `READ on COMPACTION CONFIG` instead of `READ on CONFIG CONFIG`. Similarly, appropriate names will be chosen for the other resources. The design always had this provision for future improvement, see [here](https://github.com/apache/druid/blob/master/server/src/main/java/org/apache/druid/server/http/security/ConfigResourceFilter.java#L38) and [here](https://github.com/apache/druid/blob/master/server/src/main/java/org/apache/druid/server/http/security/StateResourceFilter.java).
   
   - `StateResourceFilter` and `ConfigResourceFilter` will be changed to introspect the requested URL and set the resource name accordingly before performing authorization.
   - Endpoints that do authorization in the method itself will be changed to set the resource names appropriately before authorizing.
   
   ### Rationale
   
   Having fine grained access controls. 
   
   ### Operational impact
   
   If the security extension uses _state_ and _config_ as the resource name for the `STATE` and `CONFIG` resource types in its auth checks, then it would need to change the implementation to accept any name as valid and just check the resource type, to preserve the old behaviour.
   
   ### Backwards Compatibility
   
   It's backward compatible as long as an exact resource name match is not done for the `CONFIG` and `STATE` resource types in the security extension.
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] tsmethurst commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
tsmethurst commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-607370644
 
 
   @pjain1 I've gone ahead and implemented most of the changes for STATE on this branch of our Klarrio fork:
   https://github.com/apache/druid/compare/master...Klarrio:granular_permissions?expand=1
   Sharing this in the interest of getting feedback. Is that what you had in mind?



[GitHub] [druid] pjain1 commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
pjain1 commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-606858354
 
 
   @jon-wei @gianm @tsmethurst I have completed the [google docs sheet](https://docs.google.com/spreadsheets/d/1fXD5n9gHIL0RbAoiFnu9s_2So2c2K4W8dtQZVeCaux8/edit#gid=0) with what I think would be the finer permissions, any comments would be useful. I have also added possible improvement in a column. 
   
   From an implementation point of view, as you can see in the sheet there is a column listing new Resource Names, so I am thinking that there would be Resource Filters corresponding to these names and they would be applied to the endpoints. These new filters will extend the existing `ConfigResourceFilter` and `StateResourceFilter` but will pass in the resource name while doing the filter. This way any extension can also extend them and provide their own resource name if needed. Here's a prototype of what I am thinking - https://github.com/apache/druid/compare/master...pjain1:finer_permissions_poc?expand=1
   
   One question from my side: do we need to keep it backwards compatible, or is it OK not to?

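To make the design concrete, here is an added example that is not Druid's code and not taken from either prototype branch linked in this thread. It models three things described above: the URL introspection from the issue's "Proposed changes" (the filter resolves a (type, name) resource from the request path and HTTP method instead of using the fixed _state_/_config_ names), the "Operational impact" caveat (an authorizer that matches `CONFIG`/`STATE` grants by exact name breaks for grants written before the change, while one that honours the legacy catch-all name per type stays compatible), and the idea in the comment above of one filter parameterised by the resolved name rather than one subclass per name. `ResourceType`, `Action`, `Resource`, `Permission`, `Authorizer`, `PathRule` and `FineGrainedFilter` are stand-ins modelled on Druid's security types, not the project's own classes. Only `COMPACTION` is a resource name from the issue; `STATUS`, `LOAD_QUEUE` and `COORDINATOR` are assumed for illustration, and the legacy catch-all names are assumed to be spelt exactly like the type (`STATE`, `CONFIG`), which is what the example's compatibility check keys on.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added example: the types below are stand-ins modelled on Druid's resource/authorizer model,
// not the project's own org.apache.druid.server.security classes.
public class FineGrainedDemo {
  public static void main(String[] args) {
    // Constructed users: one holding a pre-change STATE grant, one holding only the new fine-grained grants.
    List<Permission> legacyOps = Arrays.asList(new Permission(ResourceType.STATE, "STATE", Action.READ));
    List<Permission> viewer = Arrays.asList(
        new Permission(ResourceType.STATE, "STATUS", Action.READ),
        new Permission(ResourceType.CONFIG, "COMPACTION", Action.READ));
    FineGrainedFilter exact = new FineGrainedFilter(new Authorizer(false));
    FineGrainedFilter compat = new FineGrainedFilter(new Authorizer(true));
    String[][] requests = {{"GET", "/status"}, {"GET", "/druid/coordinator/v1/loadqueue"},
        {"GET", "/druid/coordinator/v1/config/compaction"}, {"POST", "/druid/coordinator/v1/config/compaction"},
        {"GET", "/druid/coordinator/v1/config"}, {"GET", "/druid/coordinator/v1/configx"}};
    for (String[] r : requests) {
      System.out.printf("%-4s %-44s -> %-17s legacy(exact)=%-5b legacy(compat)=%-5b viewer=%b%n", r[0], r[1],
          ResourceResolver.resolve(r[1]), exact.allows(legacyOps, r[0], r[1]), compat.allows(legacyOps, r[0], r[1]),
          compat.allows(viewer, r[0], r[1]));
    }
  }
}

enum ResourceType { DATASOURCE, CONFIG, STATE }
enum Action { READ, WRITE }

final class Resource {
  final ResourceType type; final String name;
  Resource(ResourceType type, String name) { this.type = type; this.name = name; }
  @Override public String toString() { return type + "/" + name; }
}

/** A grant: an action on resources of one type whose name matches a regex (as basic-security stores them). */
final class Permission {
  final ResourceType type; final Pattern namePattern; final Action action;
  Permission(ResourceType type, String nameRegex, Action action) {
    this.type = type; this.namePattern = Pattern.compile(nameRegex); this.action = action;
  }
}

/** One URL-introspection rule: a path, kept as segments, mapped to a (type, name) resource. */
final class PathRule {
  final String[] segments; final Resource resource;
  PathRule(String path, ResourceType type, String name) { segments = split(path); resource = new Resource(type, name); }
  static String[] split(String path) {
    return Arrays.stream(path.split("/")).filter(s -> !s.isEmpty()).toArray(String[]::new);
  }
}

final class ResourceResolver {
  // Only COMPACTION is a name from the issue; STATUS, LOAD_QUEUE and COORDINATOR are assumed for illustration.
  static final List<PathRule> RULES = Arrays.asList(
      new PathRule("/status", ResourceType.STATE, "STATUS"),
      new PathRule("/druid/coordinator/v1/loadqueue", ResourceType.STATE, "LOAD_QUEUE"),
      new PathRule("/druid/coordinator/v1/config", ResourceType.CONFIG, "COORDINATOR"),
      new PathRule("/druid/coordinator/v1/config/compaction", ResourceType.CONFIG, "COMPACTION"));

  /** Longest segment-wise prefix wins: /config/compaction is not swallowed by the /config rule, and
   *  /configx cannot match /config the way a plain string prefix would. Null when no rule matches. */
  static Resource resolve(String path) {
    String[] req = PathRule.split(path);
    PathRule best = null;
    for (PathRule r : RULES) {
      boolean prefix = r.segments.length <= req.length
          && Arrays.equals(r.segments, Arrays.copyOf(req, r.segments.length));
      if (prefix && (best == null || r.segments.length > best.segments.length)) best = r;
    }
    return best == null ? null : best.resource;
  }

  /** GET and HEAD are reads; every other method is treated as a write. */
  static Action actionFor(String method) {
    return method.equals("GET") || method.equals("HEAD") ? Action.READ : Action.WRITE;
  }
}

/** Grant matching. With legacyCompatible=false the resolved name must match the grant's pattern, so a grant
 *  written for the old catch-all name stops matching once requests carry names such as LOAD_QUEUE. With
 *  legacyCompatible=true a CONFIG or STATE grant carrying the legacy catch-all name (assumed to be spelt like
 *  the type) is honoured for any name of that type, which is what the issue asks extensions to do. */
final class Authorizer {
  final boolean legacyCompatible;
  Authorizer(boolean legacyCompatible) { this.legacyCompatible = legacyCompatible; }
  boolean authorize(List<Permission> grants, Resource res, Action action) {
    return grants.stream().anyMatch(g -> g.type == res.type && g.action == action
        && ((legacyCompatible && isLegacyCatchAll(g)) || g.namePattern.matcher(res.name).matches()));
  }
  private static boolean isLegacyCatchAll(Permission g) {
    return g.type != ResourceType.DATASOURCE && g.namePattern.pattern().equals(g.type.name());
  }
}

/** Stand-in for the resource filter: one class driven by the resolved name instead of one subclass per
 *  name. Unmapped paths are denied rather than falling back to the coarse STATE/CONFIG resource. */
final class FineGrainedFilter {
  final Authorizer authorizer;
  FineGrainedFilter(Authorizer authorizer) { this.authorizer = authorizer; }
  boolean allows(List<Permission> grants, String method, String path) {
    Resource res = ResourceResolver.resolve(path);
    return res != null && authorizer.authorize(grants, res, ResourceResolver.actionFor(method));
  }
}
```

Run with `java FineGrainedDemo.java` (Java 11 or later), or `javac FineGrainedDemo.java && java FineGrainedDemo`. The `legacy(exact)` column is false on every line, including `GET /status`, because the pre-change grant on the name `STATE` no longer matches any fine-grained name; `legacy(compat)` is true for the two `STATE` endpoints and false for the `CONFIG` ones, and `viewer` is true only for `GET /status` and `GET .../config/compaction`. Two points to check when porting this into a real filter: resolve against the container's normalised path, not the raw request URI, so that `..` segments or encoded slashes cannot steer a request onto a less specific rule; and keep unmapped paths denied rather than falling back to the coarse `STATE`/`CONFIG` resource, since that fallback would silently recreate the all-or-nothing permission. The SQL system schema check mentioned later in the thread, where `STATE` is authorized outside any resource filter, needs the same name-aware treatment.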


[GitHub] [druid] tsmethurst edited a comment on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
tsmethurst edited a comment on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-607370644
 
 
   @pjain1 I've gone ahead and implemented most of the changes for STATE on this branch of our Klarrio fork:
   https://github.com/apache/druid/compare/master...Klarrio:granular_permissions?expand=1
   Sharing this in the interest of getting feedback. Is that what you had in mind?
   
   Note that my preferred way of doing this would not be to create a whole bunch of new ResourceFilter implementations with just the resource name changed. Suggestions on the best way of doing this are very welcome.



[GitHub] [druid] jon-wei commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
jon-wei commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-591081268
 
 
   > StateResourceFilter and ConfigResourceFilter will be changed to introspect the requested url and set the resource name accordingly before performing authorization.
   
   Can you describe the introspection checks in more detail?



[GitHub] [druid] pjain1 commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
pjain1 commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-605506448
 
 
   @jon-wei sorry for the delayed response, I will try to put some basic code out describing the checks soon.
   
   @tsmethurst I have been working on defining resource names for the state and config resources here - https://docs.google.com/spreadsheets/d/1fXD5n9gHIL0RbAoiFnu9s_2So2c2K4W8dtQZVeCaux8/edit?usp=sharing any comments/contribution to it would be welcome and speed things up.



[GitHub] [druid] tsmethurst commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
tsmethurst commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-604893755
 
 
   I'm interested in implementing this for a use case we have at Klarrio, where we want to expose the Druid UI in a multi-tenant environment. Did anyone else start working on this already? What design steps does this need to go through to reach approval? Or should I just start working on it already and make a PR?



[GitHub] [druid] pjain1 commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
pjain1 commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-607388056
 
 
   Thanks @tsmethurst! This looks good; that's what I had in mind. Apart from these, `STATE` permissions are also checked while accessing the system schema through SQL, so a similar fix will have to be applied [here](https://github.com/apache/druid/blob/master/sql/src/main/java/org/apache/druid/sql/calcite/schema/SystemSchema.java#L1009), and we should also check if there are any other places like these (probably not).
   
   However, generally just waiting for feedback from others in the community that this is the right way to go.



[GitHub] [druid] tsmethurst commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
tsmethurst commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-606021105
 
 
   @pjain1 Thanks for sharing. I'm still looking through and familiarising myself with the code, but beginning to see where the necessary changes will have to be made. The google doc is very useful in terms of finding my bearings, but before I can make any really constructive suggestions I still need to work through and compare that against the API and the http part of the server code. Looks promising though, I think this is doable.



[GitHub] [druid] tsmethurst commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
tsmethurst commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-608504273
 
 
   @pjain1 quick update before the weekend: I've added the CONFIG stuff as well, and made a few other changes to avoid code duplication and hardcoded resource name strings. Feel free to have a look and see if you have any thoughts on how I've done it :)
   
   https://github.com/apache/druid/compare/master...Klarrio:granular_permissions?expand=1
   
   Enjoy the weekend!



[GitHub] [druid] pjain1 commented on issue #9380: Fine grained config and state resources

Posted by GitBox <gi...@apache.org>.
pjain1 commented on issue #9380: Fine grained config and state resources
URL: https://github.com/apache/druid/issues/9380#issuecomment-613541780
 
 
   @tsmethurst hey, this looks good. Let's wait for a few days for comments from @jon-wei or any other community members; otherwise let's just raise a PR and get comments there.
