From 53900fc070f5df2f17ad33032eb4a467826b7dc3 Mon Sep 17 00:00:00 2001
From: Andrew Ho
Date: Tue, 7 Apr 2026 10:21:12 -0700
Subject: [PATCH 1/3] Change auth from WRITE to READ for specGetAll
---
 .../supervisor/SupervisorResource.java | 18 ++++++++++++++----
 .../supervisor/SupervisorResourceTest.java | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
index 6b145be07e4a..829c0be520ba 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
@@ -201,10 +201,20 @@ public Response specGetAll(
 {
 return asLeaderWithSupervisorManager(
 manager -> {
- Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
- req,
- manager,
- manager.getSupervisorIds()
+ Function> readRaGenerator = supervisorId -> {
+ Optional supervisorSpecOptional = manager.getSupervisorSpec(supervisorId);
+ return supervisorSpecOptional
+ .transform(spec -> SPEC_DATASOURCE_READ_RA_GENERATOR.apply(new VersionedSupervisorSpec(spec, null)))
+ .orNull();
+ };
+
+ Set authorizedSupervisorIds = Sets.newHashSet(
+ AuthorizationUtils.filterAuthorizedResources(
+ req,
+ manager.getSupervisorIds(),
+ readRaGenerator,
+ authorizerMapper
+ )
 );
 final boolean includeFull = full != null;
 final boolean includeState = state != null && state;
diff --git a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
index 6c099a53b3a1..fffdb06c8727 100644
--- a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
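Review bot: In the specGetAll hunk of SupervisorResource.java, relaxing the filter from WRITE to READ also relaxes it for the `full` and `state` variants, since the same `authorizedSupervisorIds` set is what the `includeFull`/`includeState` code after the hunk works from. If a full supervisor spec can carry ingestion connection settings or credentials, a caller holding only READ on the datasource can now retrieve them, so confirm those fields are masked when the spec is serialized, or keep the `full` variant behind WRITE. The lambda's `.orNull()` for an id whose spec is gone presumably makes `filterAuthorizedResources` drop that id; that helper is not visible here, so a comment such as `// null: spec no longer exists, id is filtered out` would record the assumption. The call is rewritten in PATCH 2/3, where the first point still applies; specGetAll's body continues outside the hunk.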
+++ b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
@@ -341,6 +341,25 @@ public void testSpecGetAll()
 Assert.assertEquals(503, response.getStatus());
 }
+ @Test
+ public void testSpecGetAllWithPartialAuthorizationForReadAccess()
+ {
+ EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager));
+ EasyMock.expect(supervisorManager.getSupervisorIds()).andReturn(SUPERVISOR_IDS).atLeastOnce();
+ EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC1.getId())).andReturn(Optional.of(SPEC1));
+ EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC2.getId())).andReturn(Optional.of(SPEC2));
+ setupMockRequestForUser("notDruid");
+ replayAll();
+
+ Response response = supervisorResource.specGetAll(null, null, null, request);
+ verifyAll();
+
+ Assert.assertEquals(200, response.getStatus());
+ // Only id1 (datasource1) should be returned since user lacks READ access to datasource2
+ Set returnedIds = (Set) response.getEntity();
+ Assert.assertEquals(ImmutableSet.of("id1"), returnedIds);
+ }
+
 @Test
 public void testSpecGetAllFull()
 {
From e83c944dfa56dc068745e6f883517b07c1d64119 Mon Sep 17 00:00:00 2001
From: Andrew Ho
Date: Mon, 20 Apr 2026 18:01:24 -0700
Subject: [PATCH 2/3] Add authorizationFn parameter to filterAuthorizedSupervisorIds
---
 .../supervisor/SupervisorResource.java | 26 +++++++-------------
 1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
index 829c0be520ba..b5f89fcc745b 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
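Review bot: testSpecGetAllWithPartialAuthorizationForReadAccess covers only the id-only response (`specGetAll(null, null, null, request)`), so the `full` and `state` branches, which return more than ids, are untested under partial authorization. It also does not pin the change itself: how the authorizer behind `setupMockRequestForUser("notDruid")` treats READ versus WRITE is defined outside the hunk, so the test may pass equally with the old WRITE check. A companion case in which the identity holds READ but not WRITE on datasource1, asserting that specGetAll lists `id1` while terminateAll leaves it alone, would tie the test to the new permission model.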
@@ -201,20 +201,11 @@ public Response specGetAll(
 {
 return asLeaderWithSupervisorManager(
 manager -> {
- Function> readRaGenerator = supervisorId -> {
- Optional supervisorSpecOptional = manager.getSupervisorSpec(supervisorId);
- return supervisorSpecOptional
- .transform(spec -> SPEC_DATASOURCE_READ_RA_GENERATOR.apply(new VersionedSupervisorSpec(spec, null)))
- .orNull();
- };
-
- Set authorizedSupervisorIds = Sets.newHashSet(
- AuthorizationUtils.filterAuthorizedResources(
+ Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
 req,
+ manager,
 manager.getSupervisorIds(),
- readRaGenerator,
- authorizerMapper
- )
+ AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR
 );
 final boolean includeFull = full != null;
 final boolean includeState = state != null && state;
@@ -509,7 +500,8 @@ public Response terminateAll(@Context final HttpServletRequest req)
 Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
 req,
 manager,
- manager.getSupervisorIds()
+ manager.getSupervisorIds(),
+ AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
 );
 for (final String supervisorId : authorizedSupervisorIds) {
@@ -652,7 +644,8 @@ private Response asLeaderWithSupervisorManager(Function
 filterAuthorizedSupervisorIds(
 final HttpServletRequest req,
 SupervisorManager manager,
- Collection supervisorIds
+ Collection supervisorIds,
+ Function authorizationFn
 )
 {
 Function> raGenerator = supervisorId -> {
@@ -660,7 +653,7 @@ private Set filterAuthorizedSupervisorIds(
 if (supervisorSpecOptional.isPresent()) {
 return Iterables.transform(
 supervisorSpecOptional.get().getDataSources(),
- AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
+ authorizationFn
 );
 } else {
 return null;
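Review bot: In the @@ -652 hunk, the new `authorizationFn` parameter lets each caller of filterAuthorizedSupervisorIds choose the permission being checked, and nothing on the method records which generator an endpoint must pass. A Javadoc stating that the function maps each datasource of the spec to the resource action that is checked, that read-only listings pass `AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR` and every state-changing endpoint must pass `AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR`, would make a wrong argument stand out in review. The name also reads as if it performs the authorization; something like `datasourceRaGenerator` would match the neighbouring `raGenerator`. The method body starts in this hunk and continues through the @@ -660 hunk and beyond.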
@@ -710,7 +703,8 @@ private Response suspendOrResumeAll(final HttpServletRequest req, final boolean
 Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
 req,
 manager,
- manager.getSupervisorIds()
+ manager.getSupervisorIds(),
+ AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
 );
 for (final String supervisorId : authorizedSupervisorIds) {
From 60df07d883f6b2c2040ae96f062c7e0d98522a2d Mon Sep 17 00:00:00 2001
From: Andrew Ho
Date: Mon, 20 Apr 2026 18:02:43 -0700
Subject: [PATCH 3/3] Fix indentation
---
 .../indexing/overlord/supervisor/SupervisorResource.java | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
index b5f89fcc745b..dcf30a53a015 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
@@ -202,10 +202,10 @@ public Response specGetAll(
 return asLeaderWithSupervisorManager(
 manager -> {
 Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
- req,
- manager,
- manager.getSupervisorIds(),
- AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR
+ req,
+ manager,
+ manager.getSupervisorIds(),
+ AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR
 );
 final boolean includeFull = full != null;
 final boolean includeState = state != null && state;