Require Datasource WRITE authorization for Supervisor and Task access#11718
Require Datasource WRITE authorization for Supervisor and Task access#11718abhishekagarwal87 merged 20 commits intoapache:masterfrom
Conversation
kfaraz
changed the title
clintropolis
left a comment
clintropolis
left a comment
There was a problem hiding this comment.
makes sense to me that these should be WRITE permissions, but I think we need to tag this design review and release notes (incompatible?) since based on the state of things, it seems like these were all maybe intentionally using READ permissions for the 'reading' ingestion APIs that use HTTP GET, and WRITE to run or otherwise actually control jobs.
| ) | ||
| { | ||
| IndexTaskUtils.datasourceAuthorizationCheck(req, Action.READ, getDataSource(), authorizerMapper); | ||
| IndexTaskUtils.datasourceAuthorizationCheck(req, Action.WRITE, getDataSource(), authorizerMapper); |
There was a problem hiding this comment.
IndexTaskUtils.datasourceAuthorizationCheck should be modified to no longer accept an Action since I think after this PR every caller will be using Action.WRITE, and it can just be hard coded in the method.
I've also noticed that no callers seem to ever be using the return value, so it could probably be changed to void since we seem to mostly be using it to explode if not authorized and otherwise ignore the return value.
| * @return authorization result | ||
| */ | ||
| private Access authorizationCheck(final HttpServletRequest req, Action action) | ||
| private Access datasourceWriteAuthCheck(final HttpServletRequest req) |
There was a problem hiding this comment.
nearly this same method is also in ParallelIndexSupervisorTask, maybe consider moving it to AbstractTask and calling it authorizeRequest, then here can just return task.authorizeRequest(req); (or dropping this wrapper method and calling the new task.authorizeRequest(req); method directly in the http api methods of SeekableStreamIndexTaskRunner)
There was a problem hiding this comment.
Done. Thanks for the suggestion. 👍
suneet-s
left a comment
suneet-s
left a comment
There was a problem hiding this comment.
Code changes LGTM - but can we add some tests to catch any changes in behavior around authorization for these endpoints? At least for the endpoints where the authorization requirements have changed.
It looks like there are some integration tests for things like this in ITBasicAuthConfigurationTest. If you think integration tests are overkill for this, I am open to unit tests being written to cover these cases instead.
|
Thanks for the review, @suneet-s . I will add some UTs/ITs as applicable today. |
…ervisor_api_auth
…ervisor_api_auth
|
I think we also need to update the system table docs here https://github.com/apache/druid/blob/master/docs/operations/security-user-auth.md#sql-permissions to indicate that some of these system tables now require write permissions. I haven't found any other places yet in docs where a |
suneet-s
left a comment
suneet-s
left a comment
There was a problem hiding this comment.
None of my comments are blocking - it would be nice to get a better understanding of what the lockGranularity if statement in IndexTaskTest#testAuthorizeResource does
| public void testAuthorizeRequest() throws Exception | ||
| { | ||
| // Need to run this only once | ||
| if (lockGranularity == LockGranularity.SEGMENT) { |
There was a problem hiding this comment.
I don't understand this part of the test.
There was a problem hiding this comment.
This is a parameterized unit test class. So every test method is run once for SEGMENT granularity and once for TIME_CHUNK. Since this test method does not depend on granularity, figured we should run it only once.
We could explain this part better in the comment or just remove the check.
Please let me know what you think would be better.
| case Datasources.WIKIPEDIA: | ||
| // All users can read wikipedia but only writer can write | ||
| return new Access( | ||
| action == Action.READ || Users.WIKI_WRITER.equals(username) |
There was a problem hiding this comment.
| action == Action.READ || Users.WIKI_WRITER.equals(username) | |
| action == Action.READ || (action == Action.WRITE && Users.WIKI_WRITER.equals(username)) |
I think a similar change is needed on line 132
There was a problem hiding this comment.
Should we include this for readability? Because the logic would remain the same.
There was a problem hiding this comment.
Primarily, yes.
Since there are only 2 actions, I suppose this is equivalent. If a new action was added later, this logic may not match what is described in the comment above.
|
@clintropolis , I have made some modifications to |
techdocsmith
left a comment
techdocsmith
left a comment
There was a problem hiding this comment.
I'm changing the language around those docs in another PR. Otherwise LGTM.
Co-authored-by: Charles Smith <techdocsmith@gmail.com>
* security recommendation * Update docs/operations/security-overview.md Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> * Update security-user-auth.md add newline * Update docs/operations/security-overview.md Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> * Update security-overview.md add suggestion for environment variable dynamic config provider Co-authored-by: Victoria Lim <vtlim@users.noreply.github.com> Co-authored-by: Clint Wylie <cwylie@apache.org>
…k access (apache#11718)" This reverts commit f2d6100.
* Revert "Require Datasource WRITE authorization for Supervisor and Task access (#11718)" This reverts commit f2d6100. * Revert "Require DATASOURCE WRITE access in SupervisorResourceFilter and TaskResourceFilter (#11680)" This reverts commit 6779c46. * Fix docs for the reverted commits * Fix and restore deleted tests * Fix and restore SystemSchemaTest
…k access (apache#11718)" This reverts commit f2d6100.
5 participants
Follow up PR for #11680
Description
Supervisor and Task APIs are related to ingestion and must always require Datasource WRITE
authorization even if they are purely informative.
Changes
SystemSchemafor tables "supervisors" and "tasks"/supervisor/historyand/supervisor/{id}/historyThis PR has: