-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Auth v2 Model #10571
Auth v2 Model #10571
Conversation
more docs, minor change standalone page for auth model more docs fix link in doc
compilation
- add auth v2 tests for basic auth ext, system schema - fix doc - fix Lists dependency
Checks are green @jon-wei can you have a look, thanks ! |
@pjain1 Thanks! I'll take a look this week |
@jon-wei can you please take a look |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the PR! This is super useful and I'm looking forward to integrating this with our internal security extensions as well.
It would be interesting to look at how certain fine grained security setups would work with the web console.
authenticationResult, | ||
AuthorizationUtils.authorizeAllResourceActions( | ||
authenticationResult, | ||
baseQuery.getDataSource() instanceof LookupDataSource ? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Would this work for lookups specified in DimensionSpecs or extraction functions?
)); | ||
|
||
// if its a reindex task from druid, make sure the user has read permissions on the source druid datasource | ||
if (authorizerMapper.getAuthVersion().equals(AuthConfig.AUTH_VERSION_2) && task instanceof IndexTask |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This wouldn't work for hadoop indexing tasks would it?
)); | ||
// We're filtering, so having access to none of the objects isn't an authorization failure (in terms of whether | ||
// to send an error response or not.) | ||
request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some level of logging would be useful here in case certain lookups are filtered out here and the cluster operator is unaware as to why it got filtered out.
|`GET /druid/indexer/v1/tasks`|overlord| | ||
|`DELETE /druid/indexer/v1/pendingSegments/{dataSource}`|overlord| | ||
|`GET /druid/indexer/v1/task/{taskid}/log`|overlord| | ||
|`GET /druid/indexer/v1/task/{taskid}/reports`|overlord| |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we add /druid/indexer/v1/supervisor
and /druid/v2/
here?
@@ -541,6 +629,7 @@ LookupStatus getLookupStatus( | |||
@GET | |||
@Produces({MediaType.APPLICATION_JSON}) | |||
@Path("/nodeStatus") | |||
@ResourceFilters({ ConfigResourceFilter.class, ServerServerResourceFilter.class }) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Shouldn't this be under SERVER STATUS
?
This pull request has been marked as stale due to 60 days of inactivity. |
This pull request/issue has been closed due to lack of activity. If you think that |
Fixes #9380.
Description
This PR changes the auth model to support user personas like admin, viewer etc. in an easy manner. Details about new Resource types, names and the endpoints that they protect can be found on auth-model.md page.
All the changes are backwards compatible and support rolling update, details can be found on auth-model.md page.
This PR has:
Key changed/added classes in this PR
*Resource
classes*ResourceFilter*
classesAuthorizer
class