Skip to content

Input source security sql layer can handle input source with multiple types#14050

Merged
zachjsh merged 6 commits intoapache:masterfrom
zachjsh:input-source-security-sql-fix
Apr 10, 2023
Merged

Input source security sql layer can handle input source with multiple types#14050
zachjsh merged 6 commits intoapache:masterfrom
zachjsh:input-source-security-sql-fix

Conversation

@zachjsh
Copy link
Copy Markdown
Contributor

@zachjsh zachjsh commented Apr 7, 2023
edited
Loading

Description

This change allows for input sources used during MSQ ingestion to be authorized for multiple input source types, instead of just 1. Such an input source that allows for multiple types is the CombiningInputSource.

Also fixed bug that caused some input source specific functions to be authorized against the permissions

[ new ResourceAction(new Resource(ResourceType.EXTERNAL, ResourceType.EXTERNAL), Action.READ), new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ) ]

when the inputSource based authorization feature is enabled, when it should instead be authorized against

[ new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ) ]

Release note

Key changed/added classes in this PR
  • MyFoo
  • OurBar
  • TheirBaz

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@zachjsh zachjsh requested a review from paul-rogers April 7, 2023 18:37
@zachjsh zachjsh marked this pull request as ready for review April 7, 2023 18:40
paul-rogers
paul-rogers approved these changes Apr 7, 2023
View reviewed changes
Copy link
Copy Markdown
Contributor

@paul-rogers paul-rogers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@zachjsh zachjsh merged commit 2e87b5a into apache:master Apr 10, 2023
@zachjsh zachjsh deleted the input-source-security-sql-fix branch April 10, 2023 13:49
@abhishekrb19 abhishekrb19 mentioned this pull request Apr 11, 2023
Merged
10 tasks
zachjsh added a commit to zachjsh/druid that referenced this pull request Apr 11, 2023
@zachjsh
Input source security sql layer can handle input source with multiple…
61ca8aa 
… types (apache#14050)

### Description

This change allows for input sources used during MSQ ingestion to be authorized for multiple input source types, instead of just 1. Such an input source that allows for multiple types is the CombiningInputSource.

Also fixed bug that caused some input source specific functions to be authorized against the permissions

`
[
    new ResourceAction(new Resource(ResourceType.EXTERNAL, ResourceType.EXTERNAL), Action.READ),
    new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ)
]
`

when the inputSource based authorization feature is enabled, when it should instead be authorized against

`
[
    new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ)
]
`
@zachjsh zachjsh mentioned this pull request Apr 11, 2023
Merged
10 tasks
@clintropolis clintropolis added this to the 26.0 milestone Apr 13, 2023
clintropolis pushed a commit that referenced this pull request Apr 13, 2023
@zachjsh
Input source security 26.0.0 backport (#14066)
8b8ce58 
* Input source security sql layer can handle input source with multiple types (#14050)

### Description

This change allows for input sources used during MSQ ingestion to be authorized for multiple input source types, instead of just 1. Such an input source that allows for multiple types is the CombiningInputSource.

Also fixed bug that caused some input source specific functions to be authorized against the permissions

`
[
    new ResourceAction(new Resource(ResourceType.EXTERNAL, ResourceType.EXTERNAL), Action.READ),
    new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ)
]
`

when the inputSource based authorization feature is enabled, when it should instead be authorized against

`
[
    new ResourceAction(new Resource(ResourceType.EXTERNAL, {input_source_type}), Action.READ)
]
`

* Input source security feature should work for MSQ tasks (#14056)

### Description

Previously msq controller and worker tasks did not have implementations for the `getInputSourceResources()` method. This causes the submission of these tasks to fail if the following auth config is enabled:

`druid.auth.enableInputSourceSecurity=true`

Added implementations of this method for these tasks that return an empty set of input sources. This means that for these task types, if `druid.auth.enableInputSourceSecurity=true` config is used, the input source types will be properly computed and authorized in the SQL layer, but not if the equivalent controller / worker tasks are submitted to the task endpoint.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@paul-rogers paul-rogers paul-rogers approved these changes

Assignees

No one assigned

Labels

Release Notes Security

Projects

None yet

Milestone

26.0

Development

Successfully merging this pull request may close these issues.

4 participants

@zachjsh @paul-rogers @abhishekagarwal87 @clintropolis