Auth v2 Model #10571
Auth v2 Model #10571
Conversation
more docs, minor change standalone page for auth model more docs fix link in doc
compilation
- add auth v2 tests for basic auth ext, system schema - fix doc - fix Lists dependency
|
Checks are green @jon-wei can you have a look, thanks ! |
|
@pjain1 Thanks! I'll take a look this week |
|
@jon-wei can you please take a look |
| authenticationResult, | ||
| AuthorizationUtils.authorizeAllResourceActions( | ||
| authenticationResult, | ||
| baseQuery.getDataSource() instanceof LookupDataSource ? |
There was a problem hiding this comment.
Would this work for lookups specified in DimensionSpecs or extraction functions?
| )); | ||
|
|
||
| // if its a reindex task from druid, make sure the user has read permissions on the source druid datasource | ||
| if (authorizerMapper.getAuthVersion().equals(AuthConfig.AUTH_VERSION_2) && task instanceof IndexTask |
There was a problem hiding this comment.
This wouldn't work for hadoop indexing tasks would it?
| )); | ||
| // We're filtering, so having access to none of the objects isn't an authorization failure (in terms of whether | ||
| // to send an error response or not.) | ||
| request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true); |
There was a problem hiding this comment.
Some level of logging would be useful here in case certain lookups are filtered out here and the cluster operator is unaware as to why it got filtered out.
| |`GET /druid/indexer/v1/tasks`|overlord| | ||
| |`DELETE /druid/indexer/v1/pendingSegments/{dataSource}`|overlord| | ||
| |`GET /druid/indexer/v1/task/{taskid}/log`|overlord| | ||
| |`GET /druid/indexer/v1/task/{taskid}/reports`|overlord| |
There was a problem hiding this comment.
Should we add /druid/indexer/v1/supervisor and /druid/v2/ here?
| @@ -541,6 +629,7 @@ LookupStatus getLookupStatus( | |||
| @GET | |||
| @Produces({MediaType.APPLICATION_JSON}) | |||
| @Path("/nodeStatus") | |||
| @ResourceFilters({ ConfigResourceFilter.class, ServerServerResourceFilter.class }) | |||
There was a problem hiding this comment.
Shouldn't this be under SERVER STATUS ?
|
This pull request has been marked as stale due to 60 days of inactivity. |
|
This pull request/issue has been closed due to lack of activity. If you think that |
Fixes #9380.
Description
This PR changes the auth model to support user personas like admin, viewer etc. in an easy manner. Details about new Resource types, names and the endpoints that they protect can be found on auth-model.md page.
All the changes are backwards compatible and support rolling update, details can be found on auth-model.md page.
This PR has:
Key changed/added classes in this PR
*Resourceclasses*ResourceFilter*classesAuthorizerclass