Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow for Input source security in SQL layer #13989

Merged
merged 13 commits into from
Mar 30, 2023
Merged

Allow for Input source security in SQL layer #13989

merged 13 commits into from
Mar 30, 2023

Conversation

zachjsh
Copy link
Contributor

@zachjsh zachjsh commented Mar 28, 2023
edited
Loading

Partially Fixes #13837.

Description

This change introduces the concept of input source type security model, proposed in #13837.. With this change, this feature is only available at the SQL layer, but we will expand to native layer in a follow up PR.

To enable this feature, the user must set the following property to true:

druid.auth.enableInputSourceSecurity=true

The default value for this property is false, which will continue the existing functionality of having the usage all external sources being authorized against the hardcoded resource action

new ResourceAction(new Resource(ResourceType.EXTERNAL, ResourceType.EXTERNAL), Action.READ

When this config is enabled, the users will be required to be authorized for the following resource action

new ResourceAction(new Resource(ResourceType.EXTERNAL, {INPUT_SOURCE_TYPE}, Action.READ

where {INPUT_SOURCE_TYPE} is the type of the input source being used;, http, inline, s3, etc..

Documentation has not been added for the feature as it is not complete at the moment, as we still need to enable this for the native layer in a follow up pr.

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added or updated version, license, or notice information in licenses.yaml
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.
  • been tested in a test Druid cluster.

@zachjsh zachjsh changed the title Input source security Allow for Input source security in SQL layer Mar 28, 2023
@zachjsh zachjsh marked this pull request as ready for review March 28, 2023 18:13
paul-rogers
paul-rogers requested changes Mar 28, 2023
View reviewed changes
Copy link
Contributor

@paul-rogers paul-rogers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for tackling this task!

.../s3-extensions/src/test/java/org/apache/druid/catalog/model/table/S3InputSourceDefnTest.java Outdated Show resolved Hide resolved
server/src/main/java/org/apache/druid/catalog/model/table/BaseInputSourceDefn.java Outdated Show resolved Hide resolved
server/src/main/java/org/apache/druid/catalog/model/table/ExternalTableSpec.java Outdated Show resolved Hide resolved
server/src/main/java/org/apache/druid/server/security/AuthConfig.java Outdated Show resolved Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/DruidExternTableMacro.java Outdated Show resolved Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/ExternalTableMacro.java Outdated Show resolved Hide resolved
sql/src/main/java/org/apache/druid/sql/calcite/external/Externals.java Outdated Show resolved Hide resolved
sql/src/test/java/org/apache/druid/sql/calcite/CalciteInsertDmlTest.java Show resolved Hide resolved
paul-rogers
paul-rogers approved these changes Mar 28, 2023
View reviewed changes
Copy link
Contributor

@paul-rogers paul-rogers left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM.

A couple of nits, and ensure there is a clean build, else +1.

.../s3-extensions/src/test/java/org/apache/druid/catalog/model/table/S3InputSourceDefnTest.java Outdated Show resolved Hide resolved
abhishekrb19
abhishekrb19 reviewed Mar 29, 2023
View reviewed changes
Copy link
Contributor

@abhishekrb19 abhishekrb19 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Just a few minor suggestions. Thanks!

sql/src/main/java/org/apache/druid/sql/calcite/external/DruidExternTableMacro.java
}
}
}
// this shouldn't happen, as the sqlCall should have been validated by this point,
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: sqlCall -> call or if you're referring to the type SqlCall

sql/src/test/java/org/apache/druid/sql/calcite/CalciteInsertDmlTest.java
testIngestionQuery()
.sql("INSERT INTO dst SELECT * FROM %s PARTITIONED BY ALL TIME", externSql(externalDataSource))
.authentication(CalciteTests.REGULAR_USER_AUTH_RESULT)
.authConfig(AuthConfig.newBuilder().setEnableInputSourceSecurity(true).build())
Copy link
Contributor

@abhishekrb19 abhishekrb19 Mar 29, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All the tests either implicitly disable the input source security (via a default) or explicitly enable it. It'll be nice also to have a test where we explicitly disable it.

Perhaps a unit test similar to this, where setEnableInputSourceSecurity is set to false, and we shouldn't get a ForbiddenException.

sql/src/main/java/org/apache/druid/sql/calcite/planner/SqlResourceCollectorShuttle.java

public SqlResourceCollectorShuttle(SqlValidator validator, PlannerContext plannerContext)
{
this.validator = validator;
this.resourceActions = new HashSet<>();
this.plannerContext = plannerContext;
inputSourceTypeSecurityEnabled = plannerContext.getPlannerToolbox().getAuthConfig().isEnableInputSourceSecurity();
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class already holds plannerContext state, so we could just reference this line inline directly in the visit() call?

@zachjsh zachjsh merged commit 3bb6772 into apache:master Mar 30, 2023
@zachjsh zachjsh deleted the input-source-security branch March 30, 2023 02:16
@zachjsh
Copy link
Contributor Author

zachjsh commented Mar 30, 2023

thanks @abhishekrb19 ! I will take care of the minor comments in follow up pr.

@clintropolis clintropolis added this to the 26.0 milestone Apr 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@abhishekrb19 abhishekrb19 abhishekrb19 left review comments

@paul-rogers paul-rogers paul-rogers approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
26.0
Development

Successfully merging this pull request may close these issues.

Input source security model for MSQ table functions and more
4 participants
@zachjsh @paul-rogers @abhishekrb19 @clintropolis