Re: [PR] SegmentMetadataQuery should allow NoRestrictionPolicy (druid)

Wed, 02 Apr 2025 21:31:38 -0700 


cryptoe commented on code in PR #17864:
URL: https://github.com/apache/druid/pull/17864#discussion_r2026146163


##########
processing/src/main/java/org/apache/druid/query/metadata/metadata/SegmentMetadataQuery.java:
##########
@@ -107,7 +110,13 @@ public SegmentMetadataQuery(
     this.toInclude = toInclude == null ? new AllColumnIncluderator() : 
toInclude;
     this.merge = merge == null ? false : merge;
     this.analysisTypes = analysisTypes;
-    if (!(dataSource instanceof TableDataSource || dataSource instanceof 
UnionDataSource)) {
+    if (dataSource instanceof RestrictedDataSource) {
+      Policy policy = ((RestrictedDataSource) dataSource).getPolicy();
+      // Only no-restriction policy is allowed for segment metadata queries.
+      if (!(policy instanceof NoRestrictionPolicy)) {
+        throw InvalidInput.exception("DataSource[%s] is restricted with 
policy[%s].", dataSource, policy);

Review Comment:
   ```suggestion
           throw InvalidInput.exception("Segment metadata queries for 
dataSource[%s] should have NoRestrictionPolicy. Found policy[%s].", dataSource, 
policy);
   ```



##########
processing/src/main/java/org/apache/druid/query/metadata/metadata/SegmentMetadataQuery.java:
##########
@@ -107,7 +110,13 @@ public SegmentMetadataQuery(
     this.toInclude = toInclude == null ? new AllColumnIncluderator() : 
toInclude;
     this.merge = merge == null ? false : merge;
     this.analysisTypes = analysisTypes;
-    if (!(dataSource instanceof TableDataSource || dataSource instanceof 
UnionDataSource)) {
+    if (dataSource instanceof RestrictedDataSource) {

Review Comment:
   Is the following case possible?
   The user has certain row permissions on the data source. In that case, the 
user will never be able to issue a segment metadata query since the authorizee 
would always work on resource, action and has no way of knowing if the calling 
code is for a segment metadata query so the authorizer will attach the 
rowFilterPolicy and then stuff would break at line 113. 
   I might be missing some context or maybe completely off. Just wanted to 
check . 



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to