xiangfu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/pinot.git
The following commit(s) were added to refs/heads/master by this push:
new 7ff7270210 Support GrpcRequesterIdentity in
ZkBasicAuthAccessControlFactory (#16194)
7ff7270210 is described below
commit 7ff72702103b7152fcb7c8a13094169b25bea5c3
Author: Xiang Fu <[email protected]>
AuthorDate: Wed Jun 25 16:35:13 2025 +0800
Support GrpcRequesterIdentity in ZkBasicAuthAccessControlFactory (#16194)
---
.../pinot/broker/broker/AccessControlFactory.java | 33 ++++++++++++++++++++--
.../broker/BasicAuthAccessControlFactory.java | 26 ++---------------
.../broker/ZkBasicAuthAccessControlFactory.java | 14 ++++-----
3 files changed, 38 insertions(+), 35 deletions(-)
diff --git
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AccessControlFactory.java
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AccessControlFactory.java
index 46204fcf9c..40bbc862ca 100644
---
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AccessControlFactory.java
+++
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AccessControlFactory.java
@@ -18,9 +18,15 @@
*/
package org.apache.pinot.broker.broker;
+import com.google.common.base.Preconditions;
+import java.util.Collection;
+import java.util.List;
import org.apache.helix.store.zk.ZkHelixPropertyStore;
import org.apache.helix.zookeeper.datamodel.ZNRecord;
import org.apache.pinot.broker.api.AccessControl;
+import org.apache.pinot.broker.api.HttpRequesterIdentity;
+import org.apache.pinot.broker.grpc.GrpcRequesterIdentity;
+import org.apache.pinot.spi.auth.broker.RequesterIdentity;
import org.apache.pinot.spi.env.PinotConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -29,9 +35,10 @@ import org.slf4j.LoggerFactory;
public abstract class AccessControlFactory {
public static final Logger LOGGER =
LoggerFactory.getLogger(AccessControlFactory.class);
public static final String ACCESS_CONTROL_CLASS_CONFIG = "class";
+ public static final String HEADER_AUTHORIZATION = "authorization";
public void init(PinotConfiguration configuration) {
- };
+ }
/**
* Extend original init method inorder to support Zookeeper
BasicAuthAccessControlFactory
@@ -41,7 +48,7 @@ public abstract class AccessControlFactory {
* @param propertyStore Helix PropertyStore
*/
public void init(PinotConfiguration configuration,
ZkHelixPropertyStore<ZNRecord> propertyStore) {
- init(configuration);
+ init(configuration);
}
public abstract AccessControl create();
@@ -63,4 +70,26 @@ public abstract class AccessControlFactory {
throw new RuntimeException(e);
}
}
+
+ public static Collection<String>
extractAuthorizationTokens(RequesterIdentity requesterIdentity) {
+ Preconditions.checkArgument(requesterIdentity instanceof
HttpRequesterIdentity
+ || requesterIdentity instanceof GrpcRequesterIdentity,
+ "HttpRequesterIdentity or GrpcRequesterIdentity required");
+
+ if (requesterIdentity instanceof HttpRequesterIdentity) {
+ HttpRequesterIdentity identity = (HttpRequesterIdentity)
requesterIdentity;
+ return identity.getHttpHeaders().get(HEADER_AUTHORIZATION);
+ }
+
+ if (requesterIdentity instanceof GrpcRequesterIdentity) {
+ GrpcRequesterIdentity identity = (GrpcRequesterIdentity)
requesterIdentity;
+ for (String key : identity.getMetadata().keySet()) {
+ if (HEADER_AUTHORIZATION.equalsIgnoreCase(key)) {
+ return identity.getMetadata().get(key);
+ }
+ }
+ }
+
+ return List.of();
+ }
}
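Review bot: `extractAuthorizationTokens` returns the result of `identity.getHttpHeaders().get(HEADER_AUTHORIZATION)` and `identity.getMetadata().get(key)` unchecked, while the callers in BasicAuthAccessControlFactory.getPrincipalOpt and ZkBasicAuthAccessControlFactory.getPrincipalAuth now call `tokens.isEmpty()` with the old `tokens == null` guard removed. The container types are not visible in this diff; if either `get` can return null for a missing header, a request without credentials would raise a NullPointerException in the auth path instead of yielding an empty principal. Normalising in the helper keeps the contract in one place, e.g. `Collection<String> tokens = identity.getHttpHeaders().get(HEADER_AUTHORIZATION);` followed by `return tokens != null ? tokens : List.of();`, with a Javadoc line stating that the method never returns null. The precondition message also dropped the offending class name that the BasicAuth version reported (`got %s`), which made a wrongly wired identity type easier to diagnose.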
diff --git
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java
index 64a43517a0..129ac75f29 100644
---
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java
+++
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/BasicAuthAccessControlFactory.java
@@ -18,7 +18,6 @@
*/
package org.apache.pinot.broker.broker;
-import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.HashSet;
import java.util.Map;
@@ -28,8 +27,6 @@ import java.util.Set;
import java.util.stream.Collectors;
import javax.ws.rs.NotAuthorizedException;
import org.apache.pinot.broker.api.AccessControl;
-import org.apache.pinot.broker.api.HttpRequesterIdentity;
-import org.apache.pinot.broker.grpc.GrpcRequesterIdentity;
import org.apache.pinot.common.request.BrokerRequest;
import org.apache.pinot.core.auth.BasicAuthPrincipal;
import org.apache.pinot.core.auth.BasicAuthUtils;
@@ -53,8 +50,6 @@ import org.apache.pinot.spi.env.PinotConfiguration;
public class BasicAuthAccessControlFactory extends AccessControlFactory {
private static final String PREFIX = "principals";
- private static final String HEADER_AUTHORIZATION = "authorization";
-
private AccessControl _accessControl;
public BasicAuthAccessControlFactory() {
@@ -137,25 +132,8 @@ public class BasicAuthAccessControlFactory extends
AccessControlFactory {
}
private Optional<BasicAuthPrincipal> getPrincipalOpt(RequesterIdentity
requesterIdentity) {
- Preconditions.checkArgument(
- requesterIdentity instanceof HttpRequesterIdentity ||
requesterIdentity instanceof GrpcRequesterIdentity,
- "BasicAuthAccessControl only supports HttpRequesterIdentity or
GrpcRequesterIdentity, got %s",
- requesterIdentity == null ? "null" :
requesterIdentity.getClass().getName());
- Collection<String> tokens = null;
- if (requesterIdentity instanceof HttpRequesterIdentity) {
- HttpRequesterIdentity identity = (HttpRequesterIdentity)
requesterIdentity;
- tokens = identity.getHttpHeaders().get(HEADER_AUTHORIZATION);
- }
- if (requesterIdentity instanceof GrpcRequesterIdentity) {
- GrpcRequesterIdentity identity = (GrpcRequesterIdentity)
requesterIdentity;
- for (String key : identity.getMetadata().keySet()) {
- if (HEADER_AUTHORIZATION.equalsIgnoreCase(key)) {
- tokens = identity.getMetadata().get(key);
- break;
- }
- }
- }
- if (tokens == null || tokens.isEmpty()) {
+ Collection<String> tokens =
extractAuthorizationTokens(requesterIdentity);
+ if (tokens.isEmpty()) {
return Optional.empty();
}
return
tokens.stream().map(org.apache.pinot.common.auth.BasicAuthUtils::normalizeBase64Token)
diff --git
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java
index 645591386b..940760a590 100644
---
a/pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java
+++
b/pinot-broker/src/main/java/org/apache/pinot/broker/broker/ZkBasicAuthAccessControlFactory.java
@@ -18,7 +18,6 @@
*/
package org.apache.pinot.broker.broker;
-import com.google.common.base.Preconditions;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
@@ -31,7 +30,6 @@ import javax.ws.rs.NotAuthorizedException;
import org.apache.helix.store.zk.ZkHelixPropertyStore;
import org.apache.helix.zookeeper.datamodel.ZNRecord;
import org.apache.pinot.broker.api.AccessControl;
-import org.apache.pinot.broker.api.HttpRequesterIdentity;
import org.apache.pinot.common.config.provider.AccessControlUserCache;
import org.apache.pinot.common.request.BrokerRequest;
import org.apache.pinot.common.utils.BcryptUtils;
@@ -55,7 +53,6 @@ import org.apache.pinot.spi.utils.builder.TableNameBuilder;
*
*/
public class ZkBasicAuthAccessControlFactory extends AccessControlFactory {
- private static final String HEADER_AUTHORIZATION = "authorization";
private AccessControl _accessControl;
@@ -124,10 +121,10 @@ public class ZkBasicAuthAccessControlFactory extends
AccessControlFactory {
}
private Optional<ZkBasicAuthPrincipal> getPrincipalAuth(RequesterIdentity
requesterIdentity) {
- Preconditions.checkArgument(requesterIdentity instanceof
HttpRequesterIdentity, "HttpRequesterIdentity required");
- HttpRequesterIdentity identity = (HttpRequesterIdentity)
requesterIdentity;
-
- Collection<String> tokens =
identity.getHttpHeaders().get(HEADER_AUTHORIZATION);
+ Collection<String> tokens =
extractAuthorizationTokens(requesterIdentity);
+ if (tokens.isEmpty()) {
+ return Optional.empty();
+ }
_name2principal =
BasicAuthUtils.extractBasicAuthPrincipals(_userCache.getAllBrokerUserConfig()).stream()
.collect(Collectors.toMap(BasicAuthPrincipal::getName, p -> p));
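Review bot: `_name2principal` is assigned on every call to getPrincipalAuth and read again a few lines later (`_name2principal::get` in the next hunk), so per-request state is kept in what appears to be an instance field; its declaration is outside the hunk. If this access-control object is shared across request threads, which with this change include gRPC callers, two requests can interleave between the write and the read and one can look names up in the other's snapshot. Collecting into a local, e.g. `name2principal`, and using `name2principal::get` below would remove the shared write. The function body starts and ends outside this hunk.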
@@ -138,10 +135,9 @@ public class ZkBasicAuthAccessControlFactory extends
AccessControlFactory {
Map<String, ZkBasicAuthPrincipal> password2principal =
name2password.keySet().stream().collect(Collectors.toMap(name2password::get,
_name2principal::get));
- Optional<ZkBasicAuthPrincipal> principalOpt =
password2principal.entrySet().stream().filter(
+ return password2principal.entrySet().stream().filter(
entry -> BcryptUtils.checkpwWithCache(entry.getKey(),
entry.getValue().getPassword(),
_userCache.getUserPasswordAuthCache())).map(u ->
u.getValue()).filter(Objects::nonNull).findFirst();
- return principalOpt;
}
}
}
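Review bot: The `Collectors.toMap(name2password::get, _name2principal::get)` call just above the changed return throws rather than skipping when a name has no principal, because `toMap` rejects null values; the trailing `.filter(Objects::nonNull)` therefore never sees a null, and `entry.getValue().getPassword()` is dereferenced before it anyway. How `name2password` is built is outside the hunk, but if its names come from the request tokens, an unknown user name would surface as an exception from the auth check rather than an empty Optional. `toMap` without a merge function also throws IllegalStateException when two names carry the same password. Filtering first, e.g. `name2password.keySet().stream().filter(_name2principal::containsKey)`, before collecting would keep the unknown-user case on the normal deny path.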