github-actions[bot] commented on code in PR #64935:
URL: https://github.com/apache/doris/pull/64935#discussion_r3490117473
##########
be/src/service/http/action/stream_load_forward_handler.h:
##########
@@ -98,9 +99,9 @@ class StreamLoadForwardContext {
// Stream Load request forward handler
// Forwards Stream Load requests to other BE nodes
// Supports streaming forward, maintains original request path format:
/api/{db}/{table}/_stream_load_forward
-class StreamLoadForwardHandler : public HttpHandler {
+class StreamLoadForwardHandler : public HttpHandlerWithAuth {
public:
- StreamLoadForwardHandler() = default;
+ explicit StreamLoadForwardHandler(ExecEnv* exec_env) :
HttpHandlerWithAuth(exec_env) {}
Review Comment:
`StreamLoadForwardHandler` now uses the one-argument
`HttpHandlerWithAuth(exec_env)` constructor, which leaves `_type` at the class
default of `TPrivilegeType::ADMIN`. Normal stream load registers as
`TPrivilegeType::LOAD`, and FE redirects ordinary group-commit stream-load
clients to this `_stream_load_forward` endpoint. When
`enable_all_http_auth=true`, a user with valid LOAD privilege but no ADMIN
privilege can pass the original `/api/.../_stream_load` request, follow the
307, and then be rejected by the forwarding BE before the request reaches the
final `StreamLoadAction`. Please initialize this handler with the same LOAD
privilege as `StreamLoadAction`, for example `HttpHandlerWithAuth(exec_env,
TPrivilegeHier::GLOBAL, TPrivilegeType::LOAD)`.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]