diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java index 6b145be07e4a..dcf30a53a015 100644 --- a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java +++ b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java @@ -204,7 +204,8 @@ public Response specGetAll( Set authorizedSupervisorIds = filterAuthorizedSupervisorIds( req, manager, - manager.getSupervisorIds() + manager.getSupervisorIds(), + AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ); final boolean includeFull = full != null; final boolean includeState = state != null && state; @@ -499,7 +500,8 @@ public Response terminateAll(@Context final HttpServletRequest req) Set authorizedSupervisorIds = filterAuthorizedSupervisorIds( req, manager, - manager.getSupervisorIds() + manager.getSupervisorIds(), + AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR ); for (final String supervisorId : authorizedSupervisorIds) { @@ -642,7 +644,8 @@ private Response asLeaderWithSupervisorManager(Function filterAuthorizedSupervisorIds( final HttpServletRequest req, SupervisorManager manager, - Collection supervisorIds + Collection supervisorIds, + Function authorizationFn ) { Function> raGenerator = supervisorId -> { @@ -650,7 +653,7 @@ private Set filterAuthorizedSupervisorIds( if (supervisorSpecOptional.isPresent()) { return Iterables.transform( supervisorSpecOptional.get().getDataSources(), - AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR + authorizationFn ); } else { return null; 
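Review bot: In `specGetAll`, switching the filter to `AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR` appears to widen more than the ID listing, because the `includeFull` and `includeState` flags are computed right after the filtered set and presumably build their payloads from it. If full supervisor specs can carry connection settings or credentials for the ingestion source, confirm these are masked or omitted on serialization before callers with only datasource READ can fetch them. A short comment above the call, such as `// READ is sufficient: this endpoint only lists supervisors and never changes their state`, would record why this call site differs from the WRITE-gated ones. The rest of `specGetAll` lies outside the hunk, so how the full and state responses are built is inferred from those two flag lines.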
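Review bot: `filterAuthorizedSupervisorIds` now lets each caller choose the required permission, but the new `authorizationFn` parameter is undocumented and its name hides that it is a resource-action generator. A future mutating endpoint could pass the READ generator without anything flagging it. Add a Javadoc stating that callers must pass `DATASOURCE_WRITE_RA_GENERATOR` for any operation that changes supervisor state and `DATASOURCE_READ_RA_GENERATOR` only for read-only listings, and consider renaming the parameter to `resourceActionGenerator`. The following hunk keeps the `return null` branch for a supervisor whose spec is absent, so the same Javadoc should say that such IDs are expected to be dropped from the result, which is what keeps the filter failing closed. The method body continues outside both hunks.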
@@ -700,7 +703,8 @@ private Response suspendOrResumeAll(final HttpServletRequest req, final boolean Set authorizedSupervisorIds = filterAuthorizedSupervisorIds( req, manager, - manager.getSupervisorIds() + manager.getSupervisorIds(), + AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR ); for (final String supervisorId : authorizedSupervisorIds) { diff --git a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java index 6c099a53b3a1..fffdb06c8727 100644 --- a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java +++ b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java @@ -341,6 +341,25 @@ public void testSpecGetAll() Assert.assertEquals(503, response.getStatus()); } + @Test + public void testSpecGetAllWithPartialAuthorizationForReadAccess() + { + EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager)); + EasyMock.expect(supervisorManager.getSupervisorIds()).andReturn(SUPERVISOR_IDS).atLeastOnce(); + EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC1.getId())).andReturn(Optional.of(SPEC1)); + EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC2.getId())).andReturn(Optional.of(SPEC2)); + setupMockRequestForUser("notDruid"); + replayAll(); + + Response response = supervisorResource.specGetAll(null, null, null, request); + verifyAll(); + + Assert.assertEquals(200, response.getStatus()); + // Only id1 (datasource1) should be returned since user lacks READ access to datasource2 + Set returnedIds = (Set) response.getEntity(); + Assert.assertEquals(ImmutableSet.of("id1"), returnedIds); + } + @Test public void testSpecGetAllFull() {
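Review bot: `testSpecGetAllWithPartialAuthorizationForReadAccess` covers only the READ side of the change. Nothing in this hunk checks that a user holding READ but not WRITE on a datasource is still excluded by `terminateAll` and `suspendOrResumeAll`, which now depend on each call site passing `DATASOURCE_WRITE_RA_GENERATOR`. Add a companion test that drives those endpoints with a read-only user and asserts that no supervisor is acted on. The new test also calls `specGetAll(null, null, null, request)`, so the `full` and `state` responses are not exercised under partial authorization. A second case with `full` set would pin that specs for unauthorized datasources are absent from the richer payload too.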