You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2022/09/01 01:41:07 UTC
[GitHub] [druid] vogievetsky commented on a diff in pull request #12983: msq: add multi-stage-query docs
vogievetsky commented on code in PR #12983:
URL: https://github.com/apache/druid/pull/12983#discussion_r960148669
##########
docs/multi-stage-query/msq-security.md:
##########
@@ -0,0 +1,24 @@
+---
+id: security
+title: SQL-based ingestion security
+sidebar_label: Security
+---
+
+> SQL-based ingestion using the multi-stage query task engine is our recommended solution starting in Druid 24.0. Alternative ingestion solutions, such as native batch and Hadoop-based ingestion systems, will still be supported. We recommend you read all [known issues](./msq-known-issues.md) and test the feature in a development environment before rolling it out in production. Using the multi-stage query task engine with `SELECT` statements that do not write to a datasource is experimental.
+
+All authenticated users can use the multi-stage query task engine (MSQ task engine) through the UI and API if the extension is loaded. However, without additional permissions, users are not able to issue queries that read or write Druid datasources or external data. The permission you need depends on what you are trying to do.
+
+The permission required to submit a query depends on the type of query:
+
+ - SELECT from a Druid datasource requires the READ DATASOURCE permission on that
+ datasource.
+ - INSERT or REPLACE into a Druid datasource requires the WRITE DATASOURCE permission on that
+ datasource.
+ - EXTERN references to external data require READ permission on the resource name "EXTERNAL" of the resource type "EXTERNAL". Users without the correct permission encounter a 403 error when trying to run queries that include EXTERN.
+
+Query tasks that you submit to the MSQ task engine are Overlord tasks, so they follow the Overlord's (indexer) model. This means that users with access to the Overlord API can perform some actions even if they didn't submit the query. The actions include retrieving the status or canceling a query. For more information about the Overlord API and the task API, see [APIs for SQL-based ingestion](./msq-api.md).
+
+To interact with a query through the Overlord API, you need the following permissions:
+
+- INSERT or REPLACE queries: You must have READ DATASOURCE permission on the output datasource.
+- SELECT queries: You must have read permissions on the `__query_select` datasource, which is a stub datasource that gets created.
Review Comment:
This should read `... that does not get created.`
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org