vrajat commented on code in PR #16043:
URL: https://github.com/apache/pinot/pull/16043#discussion_r2135513783
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -129,12 +132,43 @@ public TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity, S
failedTables.add(table);
}
}
- if (failedTables.isEmpty()) {
- return TableAuthorizationResult.success();
- }
+// if (failedTables.isEmpty()) {
+// return TableAuthorizationResult.success();
+// }
return new TableAuthorizationResult(failedTables);
}
+ @Override
+ public TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ Optional<BasicAuthPrincipal> principalOpt =
getPrincipalOpt(requesterIdentity);
+
+ if (principalOpt.isEmpty()) {
+ throw new NotAuthorizedException("Basic");
+ }
+
+ if (table == null) {
+ return TableRowColAuthResultImpl.unrestricted();
+ }
+
+ TableRowColAuthResult tableRowColAuthResult = new
TableRowColAuthResultImpl();
+
+ BasicAuthPrincipal principal = principalOpt.get();
+
+ //precondition: The principal should have the table.
+ Preconditions.checkArgument(principal.hasTable(table),
+ "Principal: " + principal.getName() + " does not have access to
table: " + table);
+
+ Optional<Map<String, List<String>>> rlsFiltersMaybe =
principal.getRLSFilters(table);
+ Optional<Map<String, List<String>>> visibleColsMaybe =
principal.getVisibleCols(table);
Review Comment:
These are out of scope ?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -129,12 +132,43 @@ public TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity, S
failedTables.add(table);
}
}
- if (failedTables.isEmpty()) {
- return TableAuthorizationResult.success();
- }
+// if (failedTables.isEmpty()) {
+// return TableAuthorizationResult.success();
+// }
return new TableAuthorizationResult(failedTables);
}
+ @Override
+ public TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ Optional<BasicAuthPrincipal> principalOpt =
getPrincipalOpt(requesterIdentity);
+
+ if (principalOpt.isEmpty()) {
Review Comment:
This should return an empty list ?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity,
return hasAccess(requesterIdentity, tables) ?
TableAuthorizationResult.success()
: new TableAuthorizationResult(tables);
}
+
+
+ /**
+ * Returns RLS/CLS filters for a particular table. By default, there are no
RLS/CLS filters on any table.
+ * @param requesterIdentity requested identity
+ * @param table Table used in the query. Table name can be with or without
tableType.
+ * @return {@link TableRowColAuthResult} with the result of the access
control check
+ */
+ default TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ if (table.equals("upsertMeetupRsvp")) {
+ return new TableRowColAuthResultImpl(Map.of("policyID1",
List.of("event_id > 60", "event_id < 70")), Map.of(),
+ Map.of());
+ } else if (table.equals("upsertPartialMeetupRsvp")) {
+ return new TableRowColAuthResultImpl(Map.of("policyID1",
List.of("event_id > 60", "event_id < 70")), Map.of(),
+ Map.of());
+ }
+ return TableRowColAuthResultImpl.unrestricted();
+ }
+
+ /**
+ * Convenience method to get RLS/CLS filters for a set of tables. By
default, we iterate through each table and do
+ * the check using {@link AccessControl#getRowColFilters(RequesterIdentity,
String)} and construct the final
+ * response by returning an instance of {@link MultiTableRowColAuthResult}
+ * @param requesterIdentity requester identity
+ * @param tables Set of pinot tables used in the query. Table name can be
with or without tableType.
+ * @return {@link MultiTableRowColAuthResult} with the result of the access
control check.
+ */
+ default MultiTableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, Set<String> tables) {
Review Comment:
This was an ongoing discussion. Its not clear to me why
`MultiTableRowColAuthResult` is required. I suggest you remove it and see if it
is still usable by MSE.
##########
pinot-broker/src/main/java/org/apache/pinot/broker/api/AccessControl.java:
##########
@@ -120,4 +128,39 @@ default TableAuthorizationResult
authorize(RequesterIdentity requesterIdentity,
return hasAccess(requesterIdentity, tables) ?
TableAuthorizationResult.success()
: new TableAuthorizationResult(tables);
}
+
+
+ /**
+ * Returns RLS/CLS filters for a particular table. By default, there are no
RLS/CLS filters on any table.
+ * @param requesterIdentity requested identity
+ * @param table Table used in the query. Table name can be with or without
tableType.
+ * @return {@link TableRowColAuthResult} with the result of the access
control check
+ */
+ default TableRowColAuthResult getRowColFilters(RequesterIdentity
requesterIdentity, String table) {
+ if (table.equals("upsertMeetupRsvp")) {
+ return new TableRowColAuthResultImpl(Map.of("policyID1",
List.of("event_id > 60", "event_id < 70")), Map.of(),
Review Comment:
IMO, the results should be a list. I dont think the concept of policy is
required.
##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java:
##########
@@ -105,9 +108,9 @@ public AuthorizationResult authorize(RequesterIdentity
requesterIdentity, Broker
if (!principal.hasTable(brokerRequest.getQuerySource().getTableName())) {
failedTables.add(brokerRequest.getQuerySource().getTableName());
}
- if (failedTables.isEmpty()) {
- return TableAuthorizationResult.success();
- }
+// if (failedTables.isEmpty()) {
Review Comment:
Is this change based on some other yet to be merged PR ?
##########
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/MultiStageBrokerRequestHandler.java:
##########
@@ -304,6 +306,27 @@ private void checkAuthorization(RequesterIdentity
requesterIdentity, RequestCont
if (!tableAuthorizationResult.hasAccess()) {
throwTableAccessError(tableAuthorizationResult);
}
+ AccessControl accessControl = _accessControlFactory.create();
+ MultiTableRowColAuthResult rowColFilters =
accessControl.getRowColFilters(requesterIdentity, tables);
Review Comment:
Can you check if TableRowColAuthResult can be used instead ?
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
