This is an automated email from the ASF dual-hosted git repository.
morningman pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/doris.git
The following commit(s) were added to refs/heads/master by this push:
new 9813406757 [Enhancement](HttpServer) Add http interface authentication
for BE (#17753)
9813406757 is described below
commit 9813406757423290b527e761000f0da4bb70eeb8
Author: xiaojunjie <[email protected]>
AuthorDate: Thu May 4 23:46:49 2023 +0800
[Enhancement](HttpServer) Add http interface authentication for BE (#17753)
---
be/src/common/config.h | 2 +
be/src/http/CMakeLists.txt | 2 +-
be/src/http/action/check_rpc_channel_action.cpp | 4 +-
be/src/http/action/check_rpc_channel_action.h | 9 ++-
be/src/http/action/check_tablet_segment_action.cpp | 4 +-
be/src/http/action/check_tablet_segment_action.h | 14 +++-
be/src/http/action/checksum_action.cpp | 4 +-
be/src/http/action/checksum_action.h | 9 ++-
be/src/http/action/compaction_action.cpp | 3 +
be/src/http/action/compaction_action.h | 9 ++-
be/src/http/action/download_action.cpp | 2 -
be/src/http/action/meta_action.cpp | 2 +
be/src/http/action/meta_action.h | 8 +-
be/src/http/action/metrics_action.h | 11 ++-
be/src/http/action/monitor_action.h | 44 -----------
be/src/http/action/pad_rowset_action.h | 12 ++-
be/src/http/action/reload_tablet_action.cpp | 4 +-
be/src/http/action/reload_tablet_action.h | 9 +--
be/src/http/action/reset_rpc_channel_action.cpp | 4 +-
be/src/http/action/reset_rpc_channel_action.h | 9 ++-
be/src/http/action/restore_tablet_action.cpp | 4 +-
be/src/http/action/restore_tablet_action.h | 8 +-
be/src/http/action/snapshot_action.cpp | 4 +-
be/src/http/action/snapshot_action.h | 9 ++-
be/src/http/action/tablet_migration_action.cpp | 4 -
be/src/http/action/tablet_migration_action.h | 20 ++++-
be/src/http/action/tablets_distribution_action.cpp | 4 +-
be/src/http/action/tablets_distribution_action.h | 14 +++-
be/src/http/action/tablets_info_action.cpp | 9 ++-
be/src/http/action/tablets_info_action.h | 16 ++--
be/src/http/action/version_action.cpp | 4 +-
be/src/http/action/version_action.h | 13 ++--
be/src/http/default_path_handlers.cpp | 3 +-
be/src/http/http_handler_with_auth.cpp | 86 ++++++++++++++++++++
be/src/http/http_handler_with_auth.h | 60 ++++++++++++++
be/src/http/utils.h | 1 +
be/src/service/http_service.cpp | 54 ++++++++-----
be/test/CMakeLists.txt | 1 +
be/test/http/http_auth_test.cpp | 91 ++++++++++++++++++++++
be/test/olap/tablet_test.cpp | 28 ++++---
conf/be.conf | 3 +
.../apache/doris/service/FrontendServiceImpl.java | 3 +
gensrc/thrift/FrontendService.thrift | 1 +
43 files changed, 444 insertions(+), 161 deletions(-)
diff --git a/be/src/common/config.h b/be/src/common/config.h
index fa6a516bc4..9186e5881e 100644
--- a/be/src/common/config.h
+++ b/be/src/common/config.h
@@ -390,6 +390,8 @@ CONF_Bool(enable_https, "false");
CONF_String(ssl_certificate_path, "");
// Path of private key
CONF_String(ssl_private_key_path, "");
+// Whether to check authorization
+CONF_Bool(enable_http_auth, "false");
// Number of webserver workers
CONF_Int32(webserver_num_workers, "48");
// Period to update rate counters and sampling counters in ms.
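Review bot: The comment on `enable_http_auth` does not tell an operator what the default means. With `"false"` the handlers converted in this commit skip the credential check entirely. The check parses Basic credentials, which are only base64-encoded on the wire unless `enable_https` is also turned on. I would spell that out: `// Whether BE HTTP actions check Basic credentials with the FE. Default false = no authentication; enable together with enable_https so credentials are not sent in cleartext.`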
diff --git a/be/src/http/CMakeLists.txt b/be/src/http/CMakeLists.txt
index a2e1c3eb46..93ce59a986 100644
--- a/be/src/http/CMakeLists.txt
+++ b/be/src/http/CMakeLists.txt
@@ -28,13 +28,13 @@ add_library(Webserver STATIC
http_channel.cpp
http_status.cpp
http_parser.cpp
+ http_handler_with_auth.cpp
web_page_handler.cpp
default_path_handlers.cpp
utils.cpp
ev_http_server.cpp
http_client.cpp
action/download_action.cpp
- action/monitor_action.cpp
action/pad_rowset_action.cpp
action/health_action.cpp
action/tablet_migration_action.cpp
diff --git a/be/src/http/action/check_rpc_channel_action.cpp
b/be/src/http/action/check_rpc_channel_action.cpp
index d483fc4fa3..61702dc932 100644
--- a/be/src/http/action/check_rpc_channel_action.cpp
+++ b/be/src/http/action/check_rpc_channel_action.cpp
@@ -36,7 +36,9 @@
#include "util/md5.h"
namespace doris {
-CheckRPCChannelAction::CheckRPCChannelAction(ExecEnv* exec_env) :
_exec_env(exec_env) {}
+CheckRPCChannelAction::CheckRPCChannelAction(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void CheckRPCChannelAction::handle(HttpRequest* req) {
std::string req_ip = req->param("ip");
std::string req_port = req->param("port");
diff --git a/be/src/http/action/check_rpc_channel_action.h
b/be/src/http/action/check_rpc_channel_action.h
index 6847c51b08..883180f02d 100644
--- a/be/src/http/action/check_rpc_channel_action.h
+++ b/be/src/http/action/check_rpc_channel_action.h
@@ -17,17 +17,18 @@
#pragma once
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class ExecEnv;
class HttpRequest;
-class CheckRPCChannelAction : public HttpHandler {
+class CheckRPCChannelAction : public HttpHandlerWithAuth {
public:
- explicit CheckRPCChannelAction(ExecEnv* exec_env);
+ explicit CheckRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type
hier,
+ TPrivilegeType::type type);
- virtual ~CheckRPCChannelAction() {}
+ ~CheckRPCChannelAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/check_tablet_segment_action.cpp
b/be/src/http/action/check_tablet_segment_action.cpp
index 4b5362a587..33c4d13fbb 100644
--- a/be/src/http/action/check_tablet_segment_action.cpp
+++ b/be/src/http/action/check_tablet_segment_action.cpp
@@ -37,7 +37,9 @@ namespace doris {
const static std::string HEADER_JSON = "application/json";
-CheckTabletSegmentAction::CheckTabletSegmentAction() {
+CheckTabletSegmentAction::CheckTabletSegmentAction(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {
_host = BackendOptions::get_localhost();
}
diff --git a/be/src/http/action/check_tablet_segment_action.h
b/be/src/http/action/check_tablet_segment_action.h
index 0cc26e8199..284c89fc21 100644
--- a/be/src/http/action/check_tablet_segment_action.h
+++ b/be/src/http/action/check_tablet_segment_action.h
@@ -19,15 +19,23 @@
#include <string>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "util/easy_json.h"
namespace doris {
class HttpRequest;
-class CheckTabletSegmentAction : public HttpHandler {
+class ExecEnv;
+
+class CheckTabletSegmentAction : public HttpHandlerWithAuth {
public:
- CheckTabletSegmentAction();
+ CheckTabletSegmentAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type);
+
+ ~CheckTabletSegmentAction() override = default;
+
void handle(HttpRequest* req) override;
+
std::string host() { return _host; }
private:
diff --git a/be/src/http/action/checksum_action.cpp
b/be/src/http/action/checksum_action.cpp
index 6ef7215b95..fc216ab785 100644
--- a/be/src/http/action/checksum_action.cpp
+++ b/be/src/http/action/checksum_action.cpp
@@ -37,7 +37,9 @@ const std::string TABLET_ID = "tablet_id";
const std::string TABLET_VERSION = "version";
const std::string SCHEMA_HASH = "schema_hash";
-ChecksumAction::ChecksumAction() {}
+ChecksumAction::ChecksumAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void ChecksumAction::handle(HttpRequest* req) {
LOG(INFO) << "accept one request " << req->debug_string();
diff --git a/be/src/http/action/checksum_action.h
b/be/src/http/action/checksum_action.h
index 4ec478acfc..537bea5c96 100644
--- a/be/src/http/action/checksum_action.h
+++ b/be/src/http/action/checksum_action.h
@@ -19,17 +19,18 @@
#include <cstdint>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class HttpRequest;
-class ChecksumAction : public HttpHandler {
+class ChecksumAction : public HttpHandlerWithAuth {
public:
- explicit ChecksumAction();
+ explicit ChecksumAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type);
- virtual ~ChecksumAction() {}
+ ~ChecksumAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/compaction_action.cpp
b/be/src/http/action/compaction_action.cpp
index 96d450c599..48dbe78ab4 100644
--- a/be/src/http/action/compaction_action.cpp
+++ b/be/src/http/action/compaction_action.cpp
@@ -48,6 +48,9 @@ using namespace ErrorCode;
const static std::string HEADER_JSON = "application/json";
+CompactionAction::CompactionAction(CompactionActionType ctype, ExecEnv*
exec_env,
+ TPrivilegeHier::type hier,
TPrivilegeType::type ptype)
+ : HttpHandlerWithAuth(exec_env, hier, ptype), _type(ctype) {}
Status CompactionAction::_check_param(HttpRequest* req, uint64_t* tablet_id) {
std::string req_tablet_id = req->param(TABLET_ID_KEY);
if (req_tablet_id == "") {
diff --git a/be/src/http/action/compaction_action.h
b/be/src/http/action/compaction_action.h
index 8fc487d4a0..1feb7989e7 100644
--- a/be/src/http/action/compaction_action.h
+++ b/be/src/http/action/compaction_action.h
@@ -22,12 +22,14 @@
#include <string>
#include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
#include "olap/tablet.h"
namespace doris {
class HttpRequest;
+class ExecEnv;
+
enum class CompactionActionType {
SHOW_INFO = 1,
RUN_COMPACTION = 2,
@@ -40,9 +42,10 @@ const std::string PARAM_COMPACTION_CUMULATIVE = "cumulative";
/// This action is used for viewing the compaction status.
/// See compaction-action.md for details.
-class CompactionAction : public HttpHandler {
+class CompactionAction : public HttpHandlerWithAuth {
public:
- CompactionAction(CompactionActionType type) : _type(type) {}
+ CompactionAction(CompactionActionType ctype, ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type ptype);
~CompactionAction() override = default;
diff --git a/be/src/http/action/download_action.cpp
b/be/src/http/action/download_action.cpp
index d258842f65..259bbfc7be 100644
--- a/be/src/http/action/download_action.cpp
+++ b/be/src/http/action/download_action.cpp
@@ -34,8 +34,6 @@
namespace doris {
const std::string FILE_PARAMETER = "file";
-const std::string DB_PARAMETER = "db";
-const std::string LABEL_PARAMETER = "label";
const std::string TOKEN_PARAMETER = "token";
DownloadAction::DownloadAction(ExecEnv* exec_env, const
std::vector<std::string>& allow_dirs)
diff --git a/be/src/http/action/meta_action.cpp
b/be/src/http/action/meta_action.cpp
index ede286e3d9..6344aadbfc 100644
--- a/be/src/http/action/meta_action.cpp
+++ b/be/src/http/action/meta_action.cpp
@@ -46,6 +46,8 @@ const static std::string OP = "op";
const static std::string DATA_SIZE = "data_size";
const static std::string HEADER = "header";
+MetaAction::MetaAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
Status MetaAction::_handle_header(HttpRequest* req, std::string* json_meta) {
req->add_output_header(HttpHeaders::CONTENT_TYPE, HEADER_JSON.c_str());
std::string req_tablet_id = req->param(TABLET_ID_KEY);
diff --git a/be/src/http/action/meta_action.h b/be/src/http/action/meta_action.h
index fe59ed2744..114ec7e388 100644
--- a/be/src/http/action/meta_action.h
+++ b/be/src/http/action/meta_action.h
@@ -20,18 +20,18 @@
#include <string>
#include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class HttpRequest;
// Get Meta Info
-class MetaAction : public HttpHandler {
+class MetaAction : public HttpHandlerWithAuth {
public:
- MetaAction() = default;
+ MetaAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
- virtual ~MetaAction() {}
+ ~MetaAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/metrics_action.h
b/be/src/http/action/metrics_action.h
index 2051aed53a..85db3031b8 100644
--- a/be/src/http/action/metrics_action.h
+++ b/be/src/http/action/metrics_action.h
@@ -17,17 +17,20 @@
#pragma once
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class HttpRequest;
class MetricRegistry;
-class MetricsAction : public HttpHandler {
+class MetricsAction : public HttpHandlerWithAuth {
public:
- MetricsAction(MetricRegistry* metric_registry) :
_metric_registry(metric_registry) {}
- virtual ~MetricsAction() {}
+ MetricsAction(MetricRegistry* metric_registry, ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type),
_metric_registry(metric_registry) {}
+
+ ~MetricsAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/monitor_action.h
b/be/src/http/action/monitor_action.h
deleted file mode 100644
index b4bbe7a09c..0000000000
--- a/be/src/http/action/monitor_action.h
+++ /dev/null
@@ -1,44 +0,0 @@
-// Licensed to the Apache Software Foundation (ASF) under one
-// or more contributor license agreements. See the NOTICE file
-// distributed with this work for additional information
-// regarding copyright ownership. The ASF licenses this file
-// to you under the Apache License, Version 2.0 (the
-// "License"); you may not use this file except in compliance
-// with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing,
-// software distributed under the License is distributed on an
-// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
-// KIND, either express or implied. See the License for the
-// specific language governing permissions and limitations
-// under the License.
-
-#pragma once
-
-#include <map>
-#include <string>
-
-#include "http/http_handler.h"
-
-namespace doris {
-
-class HttpRequest;
-class RestMonitorIface;
-
-class MonitorAction : public HttpHandler {
-public:
- MonitorAction();
-
- virtual ~MonitorAction() {}
-
- void register_module(const std::string& name, RestMonitorIface* module);
-
- void handle(HttpRequest* req) override;
-
-private:
- std::map<std::string, RestMonitorIface*> _module_by_name;
-};
-
-} // namespace doris
diff --git a/be/src/http/action/pad_rowset_action.h
b/be/src/http/action/pad_rowset_action.h
index 26ff6b6854..bf4da66c42 100644
--- a/be/src/http/action/pad_rowset_action.h
+++ b/be/src/http/action/pad_rowset_action.h
@@ -18,16 +18,20 @@
#pragma once
#include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "http/http_request.h"
#include "olap/tablet.h"
namespace doris {
class HttpRequest;
struct Version;
-class PadRowsetAction : public HttpHandler {
+class ExecEnv;
+
+class PadRowsetAction : public HttpHandlerWithAuth {
public:
- PadRowsetAction() = default;
+ PadRowsetAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
~PadRowsetAction() override = default;
@@ -42,4 +46,4 @@ public:
#endif
Status _pad_rowset(TabletSharedPtr tablet, const Version& version);
};
-} // end namespace doris
\ No newline at end of file
+} // end namespace doris
diff --git a/be/src/http/action/reload_tablet_action.cpp
b/be/src/http/action/reload_tablet_action.cpp
index 30f65fccce..de54ad66bb 100644
--- a/be/src/http/action/reload_tablet_action.cpp
+++ b/be/src/http/action/reload_tablet_action.cpp
@@ -38,7 +38,9 @@ const std::string PATH = "path";
const std::string TABLET_ID = "tablet_id";
const std::string SCHEMA_HASH = "schema_hash";
-ReloadTabletAction::ReloadTabletAction(ExecEnv* exec_env) :
_exec_env(exec_env) {}
+ReloadTabletAction::ReloadTabletAction(ExecEnv* exec_env, TPrivilegeHier::type
hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void ReloadTabletAction::handle(HttpRequest* req) {
LOG(INFO) << "accept one request " << req->debug_string();
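Review bot: The new constructor no longer initializes `ReloadTabletAction::_exec_env`. The old `_exec_env(exec_env)` initializer is removed, but the reload_tablet_action.h hunk still shows `ExecEnv* _exec_env;` as a private member, and the base class keeps its own copy private. Any use of `_exec_env` in `handle()` or `reload()` (both outside this hunk) would read an indeterminate pointer. Either keep the initializer, `: HttpHandlerWithAuth(exec_env, hier, type), _exec_env(exec_env) {}`, or delete the derived member and make the base one `protected`. The constructors of CheckRPCChannelAction, ResetRPCChannelAction and RestoreTabletAction drop the same initializer; their private sections are not visible in this diff, so they need the same check.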
diff --git a/be/src/http/action/reload_tablet_action.h
b/be/src/http/action/reload_tablet_action.h
index 8ecc946bb0..6c984fbf27 100644
--- a/be/src/http/action/reload_tablet_action.h
+++ b/be/src/http/action/reload_tablet_action.h
@@ -21,18 +21,18 @@
#include <string>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class ExecEnv;
class HttpRequest;
-class ReloadTabletAction : public HttpHandler {
+class ReloadTabletAction : public HttpHandlerWithAuth {
public:
- ReloadTabletAction(ExecEnv* exec_env);
+ ReloadTabletAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
- virtual ~ReloadTabletAction() {}
+ ~ReloadTabletAction() override = default;
void handle(HttpRequest* req) override;
@@ -40,7 +40,6 @@ private:
void reload(const std::string& path, int64_t tablet_id, int32_t
schema_hash, HttpRequest* req);
ExecEnv* _exec_env;
-
}; // end class ReloadTabletAction
} // end namespace doris
diff --git a/be/src/http/action/reset_rpc_channel_action.cpp
b/be/src/http/action/reset_rpc_channel_action.cpp
index 95f9ba9e7e..e1b180a61d 100644
--- a/be/src/http/action/reset_rpc_channel_action.cpp
+++ b/be/src/http/action/reset_rpc_channel_action.cpp
@@ -32,7 +32,9 @@
#include "util/string_util.h"
namespace doris {
-ResetRPCChannelAction::ResetRPCChannelAction(ExecEnv* exec_env) :
_exec_env(exec_env) {}
+ResetRPCChannelAction::ResetRPCChannelAction(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void ResetRPCChannelAction::handle(HttpRequest* req) {
std::string endpoints = req->param("endpoints");
if (iequal(endpoints, "all")) {
diff --git a/be/src/http/action/reset_rpc_channel_action.h
b/be/src/http/action/reset_rpc_channel_action.h
index 52df0d6817..16efecfee2 100644
--- a/be/src/http/action/reset_rpc_channel_action.h
+++ b/be/src/http/action/reset_rpc_channel_action.h
@@ -17,17 +17,18 @@
#pragma once
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class ExecEnv;
class HttpRequest;
-class ResetRPCChannelAction : public HttpHandler {
+class ResetRPCChannelAction : public HttpHandlerWithAuth {
public:
- explicit ResetRPCChannelAction(ExecEnv* exec_env);
+ explicit ResetRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type
hier,
+ TPrivilegeType::type type);
- virtual ~ResetRPCChannelAction() {}
+ ~ResetRPCChannelAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/restore_tablet_action.cpp
b/be/src/http/action/restore_tablet_action.cpp
index 7ff9aa37f3..363c895788 100644
--- a/be/src/http/action/restore_tablet_action.cpp
+++ b/be/src/http/action/restore_tablet_action.cpp
@@ -51,7 +51,9 @@ namespace doris {
const std::string TABLET_ID = "tablet_id";
const std::string SCHEMA_HASH = "schema_hash";
-RestoreTabletAction::RestoreTabletAction(ExecEnv* exec_env) :
_exec_env(exec_env) {}
+RestoreTabletAction::RestoreTabletAction(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void RestoreTabletAction::handle(HttpRequest* req) {
LOG(INFO) << "accept one request " << req->debug_string();
diff --git a/be/src/http/action/restore_tablet_action.h
b/be/src/http/action/restore_tablet_action.h
index 2eccb22303..845061789f 100644
--- a/be/src/http/action/restore_tablet_action.h
+++ b/be/src/http/action/restore_tablet_action.h
@@ -24,18 +24,18 @@
#include <string>
#include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class ExecEnv;
class HttpRequest;
-class RestoreTabletAction : public HttpHandler {
+class RestoreTabletAction : public HttpHandlerWithAuth {
public:
- RestoreTabletAction(ExecEnv* exec_env);
+ RestoreTabletAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
- virtual ~RestoreTabletAction() {}
+ ~RestoreTabletAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/snapshot_action.cpp
b/be/src/http/action/snapshot_action.cpp
index 19e603fa34..c705d3c9ba 100644
--- a/be/src/http/action/snapshot_action.cpp
+++ b/be/src/http/action/snapshot_action.cpp
@@ -36,7 +36,9 @@ namespace doris {
const std::string TABLET_ID = "tablet_id";
const std::string SCHEMA_HASH = "schema_hash";
-SnapshotAction::SnapshotAction() {}
+SnapshotAction::SnapshotAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void SnapshotAction::handle(HttpRequest* req) {
LOG(INFO) << "accept one request " << req->debug_string();
diff --git a/be/src/http/action/snapshot_action.h
b/be/src/http/action/snapshot_action.h
index b1b58bee10..677d04e125 100644
--- a/be/src/http/action/snapshot_action.h
+++ b/be/src/http/action/snapshot_action.h
@@ -20,7 +20,7 @@
#include <cstdint>
#include <string>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
@@ -28,11 +28,12 @@ class HttpRequest;
// make snapshot
// be_host:be_http_port/api/snapshot?tablet_id=123&schema_hash=456
-class SnapshotAction : public HttpHandler {
+class SnapshotAction : public HttpHandlerWithAuth {
public:
- explicit SnapshotAction();
+ explicit SnapshotAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type);
- virtual ~SnapshotAction() {}
+ ~SnapshotAction() override = default;
void handle(HttpRequest* req) override;
diff --git a/be/src/http/action/tablet_migration_action.cpp
b/be/src/http/action/tablet_migration_action.cpp
index 3f0fbed297..9720b8863d 100644
--- a/be/src/http/action/tablet_migration_action.cpp
+++ b/be/src/http/action/tablet_migration_action.cpp
@@ -36,10 +36,6 @@ namespace doris {
const static std::string HEADER_JSON = "application/json";
-TabletMigrationAction::TabletMigrationAction() {
- _init_migration_action();
-}
-
void TabletMigrationAction::_init_migration_action() {
int32_t max_thread_num = config::max_tablet_migration_threads;
int32_t min_thread_num = config::min_tablet_migration_threads;
diff --git a/be/src/http/action/tablet_migration_action.h
b/be/src/http/action/tablet_migration_action.h
index 11933e7fc7..0401ee8fe2 100644
--- a/be/src/http/action/tablet_migration_action.h
+++ b/be/src/http/action/tablet_migration_action.h
@@ -28,8 +28,11 @@
#include <utility>
#include "common/status.h"
+#include "gutil/stringprintf.h"
+#include "gutil/strings/numbers.h"
#include "gutil/strings/substitute.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "olap/data_dir.h"
#include "olap/tablet.h"
#include "util/threadpool.h"
@@ -37,13 +40,24 @@ namespace doris {
class DataDir;
class HttpRequest;
+class ExecEnv;
+
// Migrate a tablet from a disk to another.
-class TabletMigrationAction : public HttpHandler {
+class TabletMigrationAction : public HttpHandlerWithAuth {
public:
- TabletMigrationAction();
+ TabletMigrationAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {
+ _init_migration_action();
+ }
+
+ ~TabletMigrationAction() override = default;
+
void handle(HttpRequest* req) override;
+
void _init_migration_action();
+
Status _execute_tablet_migration(TabletSharedPtr tablet, DataDir*
dest_store);
+
Status _check_param(HttpRequest* req, int64_t& tablet_id, int32_t&
schema_hash,
string& dest_disk, string& goal);
Status _check_migrate_request(int64_t tablet_id, int32_t schema_hash,
string dest_disk,
diff --git a/be/src/http/action/tablets_distribution_action.cpp
b/be/src/http/action/tablets_distribution_action.cpp
index 605f900b17..95ece915a0 100644
--- a/be/src/http/action/tablets_distribution_action.cpp
+++ b/be/src/http/action/tablets_distribution_action.cpp
@@ -42,7 +42,9 @@ namespace doris {
const static std::string HEADER_JSON = "application/json";
-TabletsDistributionAction::TabletsDistributionAction() {
+TabletsDistributionAction::TabletsDistributionAction(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {
_host = BackendOptions::get_localhost();
}
diff --git a/be/src/http/action/tablets_distribution_action.h
b/be/src/http/action/tablets_distribution_action.h
index 0e400f9feb..b79d5f2c85 100644
--- a/be/src/http/action/tablets_distribution_action.h
+++ b/be/src/http/action/tablets_distribution_action.h
@@ -21,18 +21,26 @@
#include <string>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
#include "util/easy_json.h"
namespace doris {
class HttpRequest;
+class ExecEnv;
+
// Get BE tablets distribution info from http API.
-class TabletsDistributionAction : public HttpHandler {
+class TabletsDistributionAction : public HttpHandlerWithAuth {
public:
- TabletsDistributionAction();
+ TabletsDistributionAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type);
+
+ ~TabletsDistributionAction() override = default;
+
void handle(HttpRequest* req) override;
+
EasyJson get_tablets_distribution_group_by_partition(uint64_t
partition_id);
+
std::string host() { return _host; }
private:
diff --git a/be/src/http/action/tablets_info_action.cpp
b/be/src/http/action/tablets_info_action.cpp
index 374f7b2136..c75baee954 100644
--- a/be/src/http/action/tablets_info_action.cpp
+++ b/be/src/http/action/tablets_info_action.cpp
@@ -40,9 +40,9 @@ namespace doris {
const static std::string HEADER_JSON = "application/json";
-TabletsInfoAction::TabletsInfoAction() {
- _host = BackendOptions::get_localhost();
-}
+TabletsInfoAction::TabletsInfoAction(ExecEnv* exec_env, TPrivilegeHier::type
hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void TabletsInfoAction::handle(HttpRequest* req) {
const std::string& tablet_num_to_return = req->param("limit");
@@ -74,7 +74,7 @@ EasyJson TabletsInfoAction::get_tablets_info(string
tablet_num_to_return) {
tablets_info_ej["msg"] = msg;
tablets_info_ej["code"] = 0;
EasyJson data = tablets_info_ej.Set("data", EasyJson::kObject);
- data["host"] = _host;
+ data["host"] = BackendOptions::get_localhost();
EasyJson tablets = data.Set("tablets", EasyJson::kArray);
for (TabletInfo tablet_info : tablets_info) {
EasyJson tablet = tablets.PushBack(EasyJson::kObject);
@@ -84,4 +84,5 @@ EasyJson TabletsInfoAction::get_tablets_info(string
tablet_num_to_return) {
tablets_info_ej["count"] = tablets_info.size();
return tablets_info_ej;
}
+
} // namespace doris
diff --git a/be/src/http/action/tablets_info_action.h
b/be/src/http/action/tablets_info_action.h
index 22f8634faf..988ab1e4db 100644
--- a/be/src/http/action/tablets_info_action.h
+++ b/be/src/http/action/tablets_info_action.h
@@ -19,21 +19,23 @@
#include <string>
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
#include "util/easy_json.h"
namespace doris {
class HttpRequest;
+class ExecEnv;
+
// Get BE tablets info from http API.
-class TabletsInfoAction : public HttpHandler {
+class TabletsInfoAction : public HttpHandlerWithAuth {
public:
- TabletsInfoAction();
+ TabletsInfoAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
+
+ ~TabletsInfoAction() override = default;
+
void handle(HttpRequest* req) override;
- EasyJson get_tablets_info(std::string tablet_num_to_return);
- std::string host() { return _host; }
-private:
- std::string _host;
+ static EasyJson get_tablets_info(std::string tablet_num_to_return);
};
} // namespace doris
diff --git a/be/src/http/action/version_action.cpp
b/be/src/http/action/version_action.cpp
index 18b05ed3c4..a555dfe1d2 100644
--- a/be/src/http/action/version_action.cpp
+++ b/be/src/http/action/version_action.cpp
@@ -31,7 +31,9 @@ namespace doris {
const static std::string HEADER_JSON = "application/json";
-VersionAction::VersionAction() {}
+VersionAction::VersionAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
void VersionAction::handle(HttpRequest* req) {
EasyJson be_version_info;
diff --git a/be/src/http/action/version_action.h
b/be/src/http/action/version_action.h
index ed9a48ec61..e3273d5c23 100644
--- a/be/src/http/action/version_action.h
+++ b/be/src/http/action/version_action.h
@@ -15,25 +15,22 @@
// specific language governing permissions and limitations
// under the License.
-#ifndef DORIS_BE_SRC_HTTP_ACTION_VERSION_ACTION_H
-#define DORIS_BE_SRC_HTTP_ACTION_VERSION_ACTION_H
+#pragma once
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
namespace doris {
class HttpRequest;
// Get BE version info from http API.
-class VersionAction : public HttpHandler {
+class VersionAction : public HttpHandlerWithAuth {
public:
- VersionAction();
+ VersionAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
~VersionAction() override = default;
void handle(HttpRequest* req) override;
};
-} // end namespace doris
-
-#endif // DORIS_BE_SRC_HTTP_ACTION_VERSION_ACTION_H
+} // end namespace doris
\ No newline at end of file
diff --git a/be/src/http/default_path_handlers.cpp
b/be/src/http/default_path_handlers.cpp
index 539268f693..b997a3466c 100644
--- a/be/src/http/default_path_handlers.cpp
+++ b/be/src/http/default_path_handlers.cpp
@@ -126,7 +126,6 @@ void mem_usage_handler(const WebPageHandler::ArgumentMap&
args, std::stringstrea
}
void display_tablets_callback(const WebPageHandler::ArgumentMap& args,
EasyJson* ej) {
- TabletsInfoAction tablet_info_action;
std::string tablet_num_to_return;
WebPageHandler::ArgumentMap::const_iterator it = args.find("limit");
if (it != args.end()) {
@@ -134,7 +133,7 @@ void display_tablets_callback(const
WebPageHandler::ArgumentMap& args, EasyJson*
} else {
tablet_num_to_return = "1000"; // default
}
- (*ej) = tablet_info_action.get_tablets_info(tablet_num_to_return);
+ (*ej) = TabletsInfoAction::get_tablets_info(tablet_num_to_return);
}
// Registered to handle "/mem_tracker", and prints out memory tracker
information.
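Review bot: `display_tablets_callback` calls the static `TabletsInfoAction::get_tablets_info` directly, so this web-page path returns the tablet listing without going through `HttpHandlerWithAuth::on_header`. If the page handler has no credential check of its own (not visible in this diff), `enable_http_auth` protects the action endpoint but leaves the same data readable anonymously. Either gate the page behind the same check or record the gap above the call: `// NOTE(review): this path does not go through HttpHandlerWithAuth; confirm whether enable_http_auth is meant to cover the web pages.` The function starts in the previous hunk.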
diff --git a/be/src/http/http_handler_with_auth.cpp
b/be/src/http/http_handler_with_auth.cpp
new file mode 100644
index 0000000000..6c69390c36
--- /dev/null
+++ b/be/src/http/http_handler_with_auth.cpp
@@ -0,0 +1,86 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include "http_handler_with_auth.h"
+
+#include <gen_cpp/HeartbeatService_types.h>
+
+#include "http/http_channel.h"
+#include "runtime/client_cache.h"
+#include "util/thrift_rpc_helper.h"
+#include "utils.h"
+
+namespace doris {
+
+class TPrivilegeType;
+class TPrivilegeHier;
+class ThriftRpcHelper;
+
+HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env,
TPrivilegeHier::type hier,
+ TPrivilegeType::type type)
+ : _exec_env(exec_env), _hier(hier), _type(type) {}
+
+int HttpHandlerWithAuth::on_header(HttpRequest* req) {
+ TCheckAuthRequest auth_request;
+ TCheckAuthResult auth_result;
+ AuthInfo auth_info;
+
+ if (!config::enable_http_auth) {
+ return 0;
+ }
+
+ if (!parse_basic_auth(*req, &auth_info)) {
+ LOG(WARNING) << "parse basic authorization failed"
+ << ", request: " << req->debug_string();
+ HttpChannel::send_error(req, HttpStatus::UNAUTHORIZED);
+ return -1;
+ }
+
+ auth_request.user = auth_info.user;
+ auth_request.passwd = auth_info.passwd;
+ auth_request.__set_cluster(auth_info.cluster);
+ auth_request.__set_user_ip(auth_info.user_ip);
+ auth_request.__set_thrift_rpc_timeout_ms(config::thrift_rpc_timeout_ms);
+
+ if (!on_privilege(*req, auth_request)) {
+ LOG(WARNING) << "invalid privilege, request: " << req->debug_string();
+ HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
+ return -1;
+ }
+
+#ifndef BE_TEST
+ TNetworkAddress master_addr = _exec_env->master_info()->network_address;
+ RETURN_WITH_WARN_IF_ERROR(
+ ThriftRpcHelper::rpc<FrontendServiceClient>(
+ master_addr.hostname, master_addr.port,
+ [&auth_result, &auth_request](FrontendServiceConnection&
client) {
+ client->checkAuth(auth_result, auth_request);
+ }),
+ -1, "checkAuth failed");
+#else
+ CHECK(_exec_env == nullptr);
+#endif
+ Status status(auth_result.status);
+ if (!status.ok()) {
+ LOG(WARNING) << "permission verification failed, request: " <<
auth_request;
+ HttpChannel::send_error(req, HttpStatus::FORBIDDEN);
+ return -1;
+ }
+ return 0;
+}
+
+} // namespace doris
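Review bot: The failure log at the end of `on_header` streams the whole `auth_request`, which by then holds `passwd` copied from the Basic header, so a denied request most likely writes the caller's password into the BE warning log (the Thrift-generated printer is not shown here, hence the hedge). Log the identity fields only: `LOG(WARNING) << "permission verification failed, user: " << auth_request.user << ", ip: " << auth_request.user_ip;`. The `req->debug_string()` calls on the earlier failure branches need the same check if that string includes the `Authorization` header. Separately, the `RETURN_WITH_WARN_IF_ERROR` path returns -1 without calling `HttpChannel::send_error`, unlike every other failure branch, so an unreachable FE appears to leave the client without a response.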
diff --git a/be/src/http/http_handler_with_auth.h
b/be/src/http/http_handler_with_auth.h
new file mode 100644
index 0000000000..178971560c
--- /dev/null
+++ b/be/src/http/http_handler_with_auth.h
@@ -0,0 +1,60 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#pragma once
+
+#include <gen_cpp/FrontendService.h>
+
+#include "http_handler.h"
+#include "runtime/exec_env.h"
+
+namespace doris {
+
+class ExecEnv;
+class HttpRequest;
+class RestMonitorIface;
+class TCheckAuthRequest;
+class TPrivilegeCtrl;
+class TPrivilegeHier;
+class TPrivilegeType;
+
+// Handler for on http request with auth
+class HttpHandlerWithAuth : public HttpHandler {
+public:
+ HttpHandlerWithAuth(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type);
+
+ ~HttpHandlerWithAuth() override = default;
+
+ // return 0 if auth pass, otherwise -1.
+ int on_header(HttpRequest* req) override;
+
+ // return true if fill privilege success, otherwise false.
+ virtual bool on_privilege(const HttpRequest& req, TCheckAuthRequest&
auth_request) {
+ TPrivilegeCtrl priv_ctrl;
+ priv_ctrl.priv_hier = _hier;
+ auth_request.__set_priv_ctrl(priv_ctrl);
+ auth_request.__set_priv_type(_type);
+ return true;
+ }
+
+private:
+ ExecEnv* _exec_env;
+ TPrivilegeHier::type _hier;
+ TPrivilegeType::type _type;
+};
+
+} // namespace doris
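Review bot: `on_privilege` receives a `TCheckAuthRequest` that already holds the caller's `user` and `passwd` (`on_header` in http_handler_with_auth.cpp fills them before calling it), and neither comment in this class says so. The same .cpp streams the whole `auth_request` into `LOG(WARNING)` on the permission-failure path; if the Thrift-generated `operator<<` prints every field, as it usually does, the password ends up in the BE log. I would log only the identity, `LOG(WARNING) << "permission verification failed, user: " << auth_request.user << ", ip: " << auth_request.user_ip;`, and change the comment above `on_privilege` to `// Fill priv_ctrl/priv_type only. auth_request already carries user and passwd; do not log it.` The comment on `on_header` should also say that it returns 0 without checking anything when `config::enable_http_auth` is false.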
diff --git a/be/src/http/utils.h b/be/src/http/utils.h
index dd62a9b8a9..5928039c49 100644
--- a/be/src/http/utils.h
+++ b/be/src/http/utils.h
@@ -19,6 +19,7 @@
#include <string>
+#include "common/utils.h"
#include "http/http_request.h"
namespace doris {
diff --git a/be/src/service/http_service.cpp b/be/src/service/http_service.cpp
index 91e2a85044..7e52f5f3cd 100644
--- a/be/src/service/http_service.cpp
+++ b/be/src/service/http_service.cpp
@@ -99,7 +99,8 @@ Status HttpService::start() {
error_log_download_action);
// Register BE version action
- VersionAction* version_action = _pool.add(new VersionAction());
+ VersionAction* version_action =
+ _pool.add(new VersionAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::NONE));
_ev_http_server->register_handler(HttpMethod::GET, "/api/be_version_info",
version_action);
// Register BE health action
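Review bot: `TPrivilegeType::NONE` on `/api/be_version_info` here, and on `/metrics` in the `@@ -129,42 +132,50 @@` hunk, does not make those endpoints anonymous. `HttpHandlerWithAuth::on_header` still answers 401 to any request without a parsable Basic header and then calls `checkAuth` on the FE master before the handler runs. With `enable_http_auth` on, a metrics scraper therefore needs Doris credentials and each scrape costs an RPC to the FE. If that is intended, a comment at both call sites would spare the reader a trip through `on_header`, for example `// NONE: valid credentials are still required when enable_http_auth is on`; how the FE evaluates NONE is not visible here. `HttpService::start()` begins and ends outside this hunk.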
@@ -107,17 +108,19 @@ Status HttpService::start() {
_ev_http_server->register_handler(HttpMethod::GET, "/api/health",
health_action);
// Register Tablets Info action
- TabletsInfoAction* tablets_info_action = _pool.add(new
TabletsInfoAction());
+ TabletsInfoAction* tablets_info_action =
+ _pool.add(new TabletsInfoAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/tablets_json",
tablets_info_action);
// Register Tablets Distribution action
- TabletsDistributionAction* tablets_distribution_action =
- _pool.add(new TabletsDistributionAction());
+ TabletsDistributionAction* tablets_distribution_action = _pool.add(
+ new TabletsDistributionAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET,
"/api/tablets_distribution",
tablets_distribution_action);
// Register tablet migration action
- TabletMigrationAction* tablet_migration_action = _pool.add(new
TabletMigrationAction());
+ TabletMigrationAction* tablet_migration_action = _pool.add(
+ new TabletMigrationAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/api/tablet_migration",
tablet_migration_action);
@@ -129,42 +132,50 @@ Status HttpService::start() {
// register metrics
{
- auto action = _pool.add(new
MetricsAction(DorisMetrics::instance()->metric_registry()));
+ auto action = _pool.add(new
MetricsAction(DorisMetrics::instance()->metric_registry(), _env,
+ TPrivilegeHier::GLOBAL,
TPrivilegeType::NONE));
_ev_http_server->register_handler(HttpMethod::GET, "/metrics", action);
}
- MetaAction* meta_action = _pool.add(new MetaAction());
+ MetaAction* meta_action =
+ _pool.add(new MetaAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET,
"/api/meta/{op}/{tablet_id}", meta_action);
#ifndef BE_TEST
// Register BE checksum action
- ChecksumAction* checksum_action = _pool.add(new ChecksumAction());
+ ChecksumAction* checksum_action =
+ _pool.add(new ChecksumAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/api/checksum",
checksum_action);
// Register BE reload tablet action
- ReloadTabletAction* reload_tablet_action = _pool.add(new
ReloadTabletAction(_env));
+ ReloadTabletAction* reload_tablet_action =
+ _pool.add(new ReloadTabletAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/api/reload_tablet",
reload_tablet_action);
- RestoreTabletAction* restore_tablet_action = _pool.add(new
RestoreTabletAction(_env));
+ RestoreTabletAction* restore_tablet_action =
+ _pool.add(new RestoreTabletAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::POST, "/api/restore_tablet",
restore_tablet_action);
// Register BE snapshot action
- SnapshotAction* snapshot_action = _pool.add(new SnapshotAction());
+ SnapshotAction* snapshot_action =
+ _pool.add(new SnapshotAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/api/snapshot",
snapshot_action);
#endif
// 2 compaction actions
- CompactionAction* show_compaction_action =
- _pool.add(new CompactionAction(CompactionActionType::SHOW_INFO));
+ CompactionAction* show_compaction_action = _pool.add(new CompactionAction(
+ CompactionActionType::SHOW_INFO, _env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET, "/api/compaction/show",
show_compaction_action);
CompactionAction* run_compaction_action =
- _pool.add(new
CompactionAction(CompactionActionType::RUN_COMPACTION));
+ _pool.add(new
CompactionAction(CompactionActionType::RUN_COMPACTION, _env,
+ TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::POST, "/api/compaction/run",
run_compaction_action);
CompactionAction* run_status_compaction_action =
- _pool.add(new
CompactionAction(CompactionActionType::RUN_COMPACTION_STATUS));
+ _pool.add(new
CompactionAction(CompactionActionType::RUN_COMPACTION_STATUS, _env,
+ TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET,
"/api/compaction/run_status",
run_status_compaction_action);
@@ -176,21 +187,24 @@ Status HttpService::start() {
_ev_http_server->register_handler(HttpMethod::GET, "/api/show_config",
show_config_action);
// 3 check action
- CheckRPCChannelAction* check_rpc_channel_action = _pool.add(new
CheckRPCChannelAction(_env));
+ CheckRPCChannelAction* check_rpc_channel_action = _pool.add(
+ new CheckRPCChannelAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET,
"/api/check_rpc_channel/{ip}/{port}/{payload_size}",
check_rpc_channel_action);
- ResetRPCChannelAction* reset_rpc_channel_action = _pool.add(new
ResetRPCChannelAction(_env));
+ ResetRPCChannelAction* reset_rpc_channel_action = _pool.add(
+ new ResetRPCChannelAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::GET,
"/api/reset_rpc_channel/{endpoints}",
reset_rpc_channel_action);
- CheckTabletSegmentAction* check_tablet_segment_action =
- _pool.add(new CheckTabletSegmentAction());
+ CheckTabletSegmentAction* check_tablet_segment_action = _pool.add(
+ new CheckTabletSegmentAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::POST,
"/api/check_tablet_segment_lost",
check_tablet_segment_action);
- PadRowsetAction* pad_rowset_action = _pool.add(new PadRowsetAction());
+ PadRowsetAction* pad_rowset_action =
+ _pool.add(new PadRowsetAction(_env, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN));
_ev_http_server->register_handler(HttpMethod::POST, "api/pad_rowset",
pad_rowset_action);
_ev_http_server->start();
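Review bot: The handlers converted in this hunk all get `TPrivilegeType::ADMIN`, but `/api/show_config` in the first context line is registered from a `show_config_action` that no visible line touches, and its construction is outside the hunk. If that action stays on plain `HttpHandler`, it remains reachable without credentials after `enable_http_auth` is turned on; the same applies to `/api/health` and `error_log_download_action` in the earlier hunks. It is worth confirming which of these are meant to stay open and marking them at the registration, for example `// intentionally unauthenticated: liveness probe`. `HttpService::start()` begins outside this hunk.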
diff --git a/be/test/CMakeLists.txt b/be/test/CMakeLists.txt
index 50cc5ad6c4..051db1a8ef 100644
--- a/be/test/CMakeLists.txt
+++ b/be/test/CMakeLists.txt
@@ -62,6 +62,7 @@ set(HTTP_TEST_FILES
http/message_body_sink_test.cpp
http/http_utils_test.cpp
http/http_client_test.cpp
+ http/http_auth_test.cpp
# TODO this will overide HttpChannel and make other test failed
# http/metrics_action_test.cpp
)
diff --git a/be/test/http/http_auth_test.cpp b/be/test/http/http_auth_test.cpp
new file mode 100644
index 0000000000..d303a0de11
--- /dev/null
+++ b/be/test/http/http_auth_test.cpp
@@ -0,0 +1,91 @@
+// Licensed to the Apache Software Foundation (ASF) under one
+// or more contributor license agreements. See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership. The ASF licenses this file
+// to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+#include <gtest/gtest.h>
+
+#include "common/config.h"
+#include "http/ev_http_server.h"
+#include "http/http_channel.h"
+#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "http/http_headers.h"
+#include "http/http_request.h"
+#include "http/utils.h"
+
+namespace doris {
+
+class HttpAuthTestHandler : public HttpHandlerWithAuth {
+public:
+ HttpAuthTestHandler(ExecEnv* exec_env, TPrivilegeHier::type hier,
TPrivilegeType::type type)
+ : HttpHandlerWithAuth(exec_env, hier, type) {}
+
+ ~HttpAuthTestHandler() override = default;
+
+ void handle(HttpRequest* req) override {}
+
+private:
+ bool on_privilege(const HttpRequest& req, TCheckAuthRequest& auth_request)
override {
+ return !req.param("table").empty();
+ };
+};
+
+static HttpAuthTestHandler s_auth_handler =
+ HttpAuthTestHandler(nullptr, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN);
+
+class HttpAuthTest : public testing::Test {};
+
+TEST_F(HttpAuthTest, disable_auth) {
+ EXPECT_FALSE(config::enable_http_auth);
+
+ auto evhttp_req = evhttp_request_new(nullptr, nullptr);
+ HttpRequest req(evhttp_req);
+ EXPECT_EQ(s_auth_handler.on_header(&req), 0);
+ evhttp_request_free(evhttp_req);
+}
+
+TEST_F(HttpAuthTest, enable_http_auth) {
+ config::enable_http_auth = true;
+
+ // 1. empty auth info
+ {
+ auto evhttp_req = evhttp_request_new(nullptr, nullptr);
+ HttpRequest req1(evhttp_req);
+ EXPECT_EQ(s_auth_handler.on_header(&req1), -1);
+ }
+
+ // 2. empty param
+ {
+ auto evhttp_req = evhttp_request_new(nullptr, nullptr);
+ HttpRequest req2(evhttp_req);
+ auto auth = encode_basic_auth("doris", "passwd");
+ req2._headers.emplace(HttpHeaders::AUTHORIZATION, auth);
+ EXPECT_EQ(s_auth_handler.on_header(&req2), -1);
+ }
+
+ // 3. OK
+ {
+ auto evhttp_req = evhttp_request_new(nullptr, nullptr);
+ HttpRequest req3(evhttp_req);
+ auto auth = encode_basic_auth("doris", "passwd");
+ req3._headers.emplace(HttpHeaders::AUTHORIZATION, auth);
+ req3._params.emplace("table", "T");
+ EXPECT_EQ(s_auth_handler.on_header(&req3), 0);
+ evhttp_request_free(evhttp_req);
+ }
+}
+
+} // namespace doris
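Review bot: The `enable_http_auth` test sets `config::enable_http_auth = true` and never restores it, so every test that runs later in the same binary sees authentication switched on, and `disable_auth` only passes if it runs first. Restoring the flag in the fixture keeps the cases independent: add `void TearDown() override { config::enable_http_auth = false; }` under `protected:` in `HttpAuthTest`. Cases 1 and 2 also never call `evhttp_request_free(evhttp_req)` the way case 3 and `disable_auth` do; if `HttpChannel::send_error` does not take ownership of the request in the test build, those two leak. None of the cases reaches the FORBIDDEN branch, because the `BE_TEST` build skips the `checkAuth` RPC, so a denied user is untested.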
diff --git a/be/test/olap/tablet_test.cpp b/be/test/olap/tablet_test.cpp
index 7f02295209..05480a50f7 100644
--- a/be/test/olap/tablet_test.cpp
+++ b/be/test/olap/tablet_test.cpp
@@ -41,8 +41,6 @@
using namespace std;
namespace doris {
-using namespace ErrorCode;
-
using RowsetMetaSharedContainerPtr =
std::shared_ptr<std::vector<RowsetMetaSharedPtr>>;
static StorageEngine* k_engine = nullptr;
@@ -275,7 +273,7 @@ TEST_F(TestTablet, pad_rowset) {
ASSERT_FALSE(_tablet->capture_rs_readers(version, &readers).ok());
readers.clear();
- PadRowsetAction action;
+ PadRowsetAction action(nullptr, TPrivilegeHier::GLOBAL,
TPrivilegeType::ADMIN);
action._pad_rowset(_tablet, version);
ASSERT_TRUE(_tablet->capture_rs_readers(version, &readers).ok());
}
@@ -418,23 +416,31 @@ TEST_F(TestTablet, rowset_tree_update) {
RowLocation loc;
// Key not in range.
- ASSERT_TRUE(tablet->lookup_row_key("99", true, &rowset_ids, &loc,
7).is<NOT_FOUND>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("99", true, &rowset_ids, &loc,
7).is<ErrorCode::NOT_FOUND>());
// Version too low.
- ASSERT_TRUE(tablet->lookup_row_key("101", true, &rowset_ids, &loc,
3).is<NOT_FOUND>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("101", true, &rowset_ids, &loc,
3).is<ErrorCode::NOT_FOUND>());
// Hit a segment, but since we don't have real data, return an internal
error when loading the
// segment.
LOG(INFO) << tablet->lookup_row_key("101", true, &rowset_ids, &loc,
7).to_string();
- ASSERT_TRUE(tablet->lookup_row_key("101", true, &rowset_ids, &loc,
7).is<IO_ERROR>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("101", true, &rowset_ids, &loc,
7).is<ErrorCode::IO_ERROR>());
// Key not in range.
- ASSERT_TRUE(tablet->lookup_row_key("201", true, &rowset_ids, &loc,
7).is<NOT_FOUND>());
- ASSERT_TRUE(tablet->lookup_row_key("300", true, &rowset_ids, &loc,
7).is<IO_ERROR>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("201", true, &rowset_ids, &loc,
7).is<ErrorCode::NOT_FOUND>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("300", true, &rowset_ids, &loc,
7).is<ErrorCode::IO_ERROR>());
// Key not in range.
- ASSERT_TRUE(tablet->lookup_row_key("499", true, &rowset_ids, &loc,
7).is<NOT_FOUND>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("499", true, &rowset_ids, &loc,
7).is<ErrorCode::NOT_FOUND>());
// Version too low.
- ASSERT_TRUE(tablet->lookup_row_key("500", true, &rowset_ids, &loc,
7).is<NOT_FOUND>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("500", true, &rowset_ids, &loc,
7).is<ErrorCode::NOT_FOUND>());
// Hit a segment, but since we don't have real data, return an internal
error when loading the
// segment.
- ASSERT_TRUE(tablet->lookup_row_key("500", true, &rowset_ids, &loc,
8).is<IO_ERROR>());
+ ASSERT_TRUE(
+ tablet->lookup_row_key("500", true, &rowset_ids, &loc,
8).is<ErrorCode::IO_ERROR>());
}
} // namespace doris
diff --git a/conf/be.conf b/conf/be.conf
index 2b64219f31..2dc228dc07 100644
--- a/conf/be.conf
+++ b/conf/be.conf
@@ -43,6 +43,9 @@ ssl_certificate_path = "$DORIS_HOME/conf/cert.pem"
# path of private key in PEM format.
ssl_private_key_path = "$DORIS_HOME/conf/key.pem"
+# enable auth check
+enable_auth = false
+
# Choose one if there are more than one ip except loopback address.
# Note that there should at most one ip match this list.
# If no ip match this rule, will choose one randomly.
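Review bot: The key added here is `enable_auth`, while the new handler tests `config::enable_http_auth` (http_handler_with_auth.cpp). Unless config.h, which is not shown in this part of the mail, also declares `enable_auth`, an operator who sets this line to `true` gets no authentication on the BE HTTP port. The sample should carry the name the code reads, `enable_http_auth = false`. The comment could also say what is checked, for example `# require HTTP Basic credentials, verified against the FE, on BE http interfaces`.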
diff --git
a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
index e4c3c465d7..4da51345c7 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/service/FrontendServiceImpl.java
@@ -1522,6 +1522,9 @@ public class FrontendServiceImpl implements
FrontendService.Iface {
}
private PrivPredicate getPrivPredicate(TPrivilegeType privType) {
+ if (privType == null) {
+ return null;
+ }
switch (privType) {
case SHOW:
return PrivPredicate.SHOW;
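Review bot: Returning `null` from `getPrivPredicate` when `privType` is null hands the decision to the caller, which is not in this hunk. If the consumer treats a null predicate as "nothing to check", the request is authorised on password alone; if it dereferences it, the BE sees a failed RPC instead of a clean denial. Please state the chosen behaviour in a comment on the new branch, along the lines of `// null: no privilege check requested; caller verifies the password only`, or deny explicitly when the predicate is missing. The same question applies to `NONE = -1` added to `TPrivilegeType` in FrontendService.thrift, since no `case NONE` appears in the part of the switch shown here. The method body continues outside the hunk.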
diff --git a/gensrc/thrift/FrontendService.thrift
b/gensrc/thrift/FrontendService.thrift
index 5a049ef589..d2b13bbb43 100644
--- a/gensrc/thrift/FrontendService.thrift
+++ b/gensrc/thrift/FrontendService.thrift
@@ -800,6 +800,7 @@ struct TPrivilegeCtrl {
}
enum TPrivilegeType {
+ NONE = -1,
SHOW = 0,
SHOW_RESOURCES = 1,
GRANT = 2,