gianm commented on code in PR #17864:
URL: https://github.com/apache/druid/pull/17864#discussion_r2027846342
##########
processing/src/main/java/org/apache/druid/query/metadata/metadata/SegmentMetadataQuery.java:
##########
@@ -107,7 +110,17 @@ public SegmentMetadataQuery(
this.toInclude = toInclude == null ? new AllColumnIncluderator() :
toInclude;
this.merge = merge == null ? false : merge;
this.analysisTypes = analysisTypes;
- if (!(dataSource instanceof TableDataSource || dataSource instanceof
UnionDataSource)) {
+ if (dataSource instanceof RestrictedDataSource) {
+ Policy policy = ((RestrictedDataSource) dataSource).getPolicy();
+ // Only no-restriction policy is allowed for segment metadata queries.
+ if (!(policy instanceof NoRestrictionPolicy)) {
+ throw InvalidInput.exception(
+ "Only NoRestrictionPolicy is allowed for SegmentMetadataQuery on
dataSource[%s], found policy[%s].",
+ ((RestrictedDataSource) dataSource).getBase(),
+ policy
+ );
+ }
+ } else if (!(dataSource instanceof TableDataSource || dataSource
instanceof UnionDataSource)) {
Review Comment:
Seeing `union` here makes me wonder what happens if a `segmentMetadata`
query is done on a `union` of two `restricted` datasources. I think ideally
what should happen is that if the restrictions are both `NoRestrictionPolicy`,
the `segmentMetadata` query should proceed, and if either one has some other
policy, the query should fail.
Is it possible to add a test case for this?
##########
server/src/main/java/org/apache/druid/server/QueryLifecycle.java:
##########
@@ -321,12 +320,8 @@ private AuthorizationResult doAuthorize(
transition(State.AUTHORIZING, State.UNAUTHORIZED);
} else {
transition(State.AUTHORIZING, State.AUTHORIZED);
- if (this.baseQuery instanceof SegmentMetadataQuery &&
authorizationResult.allowAccessWithNoRestriction()) {
- // skip restrictions mapping for SegmentMetadataQuery from user with
no restriction
- } else {
- this.baseQuery =
this.baseQuery.withDataSource(this.baseQuery.getDataSource()
-
.withPolicies(authorizationResult.getPolicyMap()));
- }
+ this.baseQuery =
this.baseQuery.withDataSource(this.baseQuery.getDataSource()
Review Comment:
Nice to see the special case here go away.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
