-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Allow for Input source security in SQL layer #13989
Conversation
* fix checkstyle errors
* fix stuff
sql/src/main/java/org/apache/druid/sql/calcite/external/ExternalTableMacro.java
Outdated
Show resolved
Hide resolved
* Add javadocs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for tackling this task!
.../s3-extensions/src/test/java/org/apache/druid/catalog/model/table/S3InputSourceDefnTest.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/druid/catalog/model/table/BaseInputSourceDefn.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/druid/catalog/model/table/ExternalTableSpec.java
Outdated
Show resolved
Hide resolved
server/src/main/java/org/apache/druid/server/security/AuthConfig.java
Outdated
Show resolved
Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/DruidExternTableMacro.java
Outdated
Show resolved
Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/ExternalTableMacro.java
Outdated
Show resolved
Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/Externals.java
Outdated
Show resolved
Hide resolved
sql/src/test/java/org/apache/druid/sql/calcite/CalciteInsertDmlTest.java
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM.
A couple of nits, and ensure there is a clean build, else +1.
.../s3-extensions/src/test/java/org/apache/druid/catalog/model/table/S3InputSourceDefnTest.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Just a few minor suggestions. Thanks!
} | ||
} | ||
} | ||
// this shouldn't happen, as the sqlCall should have been validated by this point, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: sqlCall
-> call
or if you're referring to the type SqlCall
testIngestionQuery() | ||
.sql("INSERT INTO dst SELECT * FROM %s PARTITIONED BY ALL TIME", externSql(externalDataSource)) | ||
.authentication(CalciteTests.REGULAR_USER_AUTH_RESULT) | ||
.authConfig(AuthConfig.newBuilder().setEnableInputSourceSecurity(true).build()) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All the tests either implicitly disable the input source security (via a default) or explicitly enable it. It'll be nice also to have a test where we explicitly disable it.
Perhaps a unit test similar to this, where setEnableInputSourceSecurity
is set to false
, and we shouldn't get a ForbiddenException
.
|
||
public SqlResourceCollectorShuttle(SqlValidator validator, PlannerContext plannerContext) | ||
{ | ||
this.validator = validator; | ||
this.resourceActions = new HashSet<>(); | ||
this.plannerContext = plannerContext; | ||
inputSourceTypeSecurityEnabled = plannerContext.getPlannerToolbox().getAuthConfig().isEnableInputSourceSecurity(); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This class already holds plannerContext
state, so we could just reference this line inline directly in the visit()
call?
thanks @abhishekrb19 ! I will take care of the minor comments in follow up pr. |
Partially Fixes #13837.
Description
This change introduces the concept of input source type security model, proposed in #13837.. With this change, this feature is only available at the SQL layer, but we will expand to native layer in a follow up PR.
To enable this feature, the user must set the following property to true:
druid.auth.enableInputSourceSecurity=true
The default value for this property is false, which will continue the existing functionality of having the usage all external sources being authorized against the hardcoded resource action
new ResourceAction(new Resource(ResourceType.EXTERNAL, ResourceType.EXTERNAL), Action.READ
When this config is enabled, the users will be required to be authorized for the following resource action
new ResourceAction(new Resource(ResourceType.EXTERNAL, {INPUT_SOURCE_TYPE}, Action.READ
where
{INPUT_SOURCE_TYPE}
is the type of the input source being used;, http, inline, s3, etc..Documentation has not been added for the feature as it is not complete at the moment, as we still need to enable this for the native layer in a follow up pr.
This PR has: