cypherean opened a new pull request, #17552:
URL: https://github.com/apache/pinot/pull/17552
Previously these endpoints had only the @Authorize annotation. The
AuthenticationFilter skips authentication for endpoints without @Authenticate
when protectAnnotatedOnly=true, leaving them unprotected. This change fixes the
security vulnerability.
Affected endpoints:
- POST /tables/{tableName}/pauseConsumption
- POST /tables/{tableName}/pauseTopicConsumption
- POST /tables/{tableName}/resumeConsumption
- POST /tables/{tableName}/resumeTopicConsumption
- POST /tables/{tableName}/forceCommit
- DELETE /tables/{tableName}/timeBoundary
- DELETE /tasks/{taskType}/{tableNameWithType}/metadata
- POST /tenants/{tenantName}
BREAKING CHANGE: 8 controller endpoints now require authentication when
protectAnnotatedOnly=true with real authentication configured.
Who is affected:
Deployments with protectAnnotatedOnly=true and real authentication
configured, where clients call these endpoints without auth headers.
Who is NOT affected:
- Deployments using AllowAllAccessFactory (default)
- Deployments with protectAnnotatedOnly=false
- Clients already sending authentication headers
Migration:
Update clients to send authentication headers for these endpoints.
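An added example, not Pinot's own code, that models the gating behaviour the PR describes: with protectAnnotatedOnly=true the filter never checks credentials on a handler that carries only @Authorize, and an audit helper lists such handlers so the gap can be caught before deployment. The decorator names, handler names and token value are constructed for the model.

```python
"""Model of annotation-gated authentication (constructed; not Pinot's AuthenticationFilter)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed stand-ins for the @Authenticate / @Authorize Java annotations.
def authenticate(fn: Callable) -> Callable:
    fn.authenticate = True  # type: ignore[attr-defined]
    return fn

def authorize(fn: Callable) -> Callable:
    fn.authorize = True  # type: ignore[attr-defined]
    return fn

@dataclass
class Request:
    verb: str
    path: str
    auth_header: Optional[str] = None

VALID_TOKEN = "Bearer constructed-test-token"  # constructed credential for the model

def filter_decision(handler: Callable, request: Request, protect_annotated_only: bool) -> str:
    """Return 'skipped', 'allowed' or 'rejected' as the modeled filter would decide."""
    if protect_annotated_only and not getattr(handler, "authenticate", False):
        # The gap: no credential check at all, even though @Authorize is present.
        return "skipped"
    return "allowed" if request.auth_header == VALID_TOKEN else "rejected"

def find_unprotected(handlers: Dict[str, Callable]) -> List[str]:
    """Audit: handlers that have @Authorize but lack @Authenticate (the bug class fixed here)."""
    return sorted(name for name, h in handlers.items()
                  if getattr(h, "authorize", False) and not getattr(h, "authenticate", False))

# "Before" handler: only @Authorize, as the PR describes the affected endpoints.
@authorize
def pause_consumption_before(request: Request) -> str:
    return "paused"

# "After" handler: both annotations, as the PR adds.
@authenticate
@authorize
def pause_consumption_after(request: Request) -> str:
    return "paused"

HANDLERS = {"pauseConsumption_before": pause_consumption_before,
            "pauseConsumption_after": pause_consumption_after}

if __name__ == "__main__":
    req = Request("POST", "/tables/t1/pauseConsumption")
    print(filter_decision(pause_consumption_before, req, True))   # skipped
    print(filter_decision(pause_consumption_after, req, True))    # rejected
    print(find_unprotected(HANDLERS))                             # ['pauseConsumption_before']
```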
--
This is an automated message from the Apache Git Service.