fix msq compaction to apply security policies#18741
Conversation
github-actions
Bot
added
Area - Batch Ingestion
Area - MSQ
clintropolis
force-pushed
the
fix-msq-compaction-policy-stuff
branch
from
bc82725 to
675c565
Compare
kfaraz
left a comment
kfaraz
left a comment
There was a problem hiding this comment.
Left some minor suggestions.
| } | ||
| } | ||
|
|
||
| @JsonTypeName(AUTH_TYPE) |
There was a problem hiding this comment.
Why is a json type name needed for the module?
There was a problem hiding this comment.
it is not, this was an accidental copy and paste when i was setting it on the other classes
|
|
||
| public class AllowAllWithPolicyAuthResource implements EmbeddedResource | ||
| { | ||
| private static final String AUTH_TYPE = "actually-allow-all"; |
There was a problem hiding this comment.
Nit: any specific reason for the prefix "actually"? 🙂 Should we use some other name like allow-all-with-policy?
There was a problem hiding this comment.
i named it this on discovering that allowAll does not actually allow everything if you have a policy enforcer configured because it does not set policies. I considered just fixing allowAll to be able to set the NoRestrictionPolicy, on the other hand there is probably limited scenario where you would have both allowAll and also a policy enforcer configured, and this has a somewhat ugly side-effect of setting a policy always (and so making a restricted datasource on the query) even if you don't have policy enforcement or policies of any sort, which seems a bit odd for out of the box behavior, so I did this instead.
There was a problem hiding this comment.
Part of the purpose of the enforcer mechanism is to allow people to verify that allowAll is not being used by accident. So, adding a no-restriction policy to allowAll wouldn't be a "fix", it would partially defeat the purpose of the enforcer. It's fine to have an option for tests though that does this.
There was a problem hiding this comment.
i changed things so that allowAll itself can have an optional policy defined, so deleted this stuff since is no longer necessary
| import java.util.List; | ||
| import java.util.Map; | ||
|
|
||
| public class AllowAllWithPolicyAuthResource implements EmbeddedResource |
There was a problem hiding this comment.
Please add a short javadoc.
| final MapBinder<String, Authenticator> authenticatorMapBinder = PolyBind.optionBinder( | ||
| binder, | ||
| Key.get(Authenticator.class) | ||
| ); | ||
| authenticatorMapBinder.addBinding(AUTH_TYPE) |
There was a problem hiding this comment.
Nit: can be chained.
| final MapBinder<String, Authenticator> authenticatorMapBinder = PolyBind.optionBinder( | |
| binder, | |
| Key.get(Authenticator.class) | |
| ); | |
| authenticatorMapBinder.addBinding(AUTH_TYPE) | |
| PolyBind.optionBinder(binder, Key.get(Authenticator.class)) | |
| .addBinding(AUTH_TYPE) |
There was a problem hiding this comment.
guilty, i just copied these from other auth modules 🙃
| return msqControllerTasks; | ||
| } | ||
|
|
||
| private Query<?> maybeApplyPolicy(DataSchema dataSchema, Query<?> query) |
There was a problem hiding this comment.
Nit: Please add a short javadoc too.
| private Query<?> maybeApplyPolicy(DataSchema dataSchema, Query<?> query) | |
| private Query<?> maybeApplyPolicyOnDatasource(DataSchema dataSchema, Query<?> query) |
There was a problem hiding this comment.
i didn't think this was needed since Policy apply to datasources so it seemed redundant, but can rename if you feel like it isn't obvious
There was a problem hiding this comment.
this is changed now to just be getInputDataSource and is used by the 'build' query methods directly to create the DataSource instead of rewriting the query later
| .addCommonProperty("druid.auth.authenticatorChain", "[\"test\"]") | ||
| .addCommonProperty("druid.auth.authenticator.test.type", "actually-allow-all") | ||
| .addCommonProperty("druid.auth.authorizers", "[\"test\"]") | ||
| .addCommonProperty("druid.auth.authorizer.test.type", "actually-allow-all") |
There was a problem hiding this comment.
Instead of writing a new one, can't we use the allowAll authenticaator/authorizer policy itself alongwith enforcer.allowedPolicies config?
There was a problem hiding this comment.
see #18741 (comment), allowAll doesn't work if you have an enforcer defined because it does not set any policy on the auth result (and doing so would have some undesirable side-effects)
| { | ||
| final UpdateResponse updateResponse = cluster.callApi().onLeaderOverlord( | ||
| o -> o.updateClusterCompactionConfig(new ClusterCompactionConfig(1.0, 100, null, true, null)) | ||
| o -> o.updateClusterCompactionConfig(new ClusterCompactionConfig(1.0, 100, null, true, CompactionEngine.MSQ)) |
There was a problem hiding this comment.
Maybe keep both the test cases, native and MSQ.
… only auth stuff since no longer needed
PR apache#18741 flipped an AND to an OR, potentially causing policies from non-table-read authorizations to apply to a resource. This patch fixes the logic and also introduces a defensive check that only a single policy is in play per resource.
PR apache#18741 flipped an AND to an OR, potentially causing policies from non-table-read authorizations to apply to a resource. This patch fixes the logic and also introduces a defensive check that only a single policy is in play per resource.
PR #18741 flipped an AND to an OR, potentially causing policies from non-table-read authorizations to apply to a resource. This patch fixes the logic and also introduces a defensive check that only a single policy is in play per resource.
4 participants
Description
Fixes an issue with MSQ compaction tasks can fail if a policy enforcer is enabled, since compaction generates MSQ tasks directly instead of going through the broker, it would miss out on decorating the
DataSourceas a restricted datasource with the policy set.To fix,
MSQCompactionRunnernow uses an escalator to create an auth result and uses the policy from that to decorate the query it generates.To test, I hijacked
CompactionSupervisorTestand switched it to use MSQ engine and set it up with an auth config and policy enforcer (with a newly addedAllowAllWithPolicyAuthResourcewhich is essentially allow-all but withNoRestrictionPolicypermitted)