sajjad-moradi opened a new pull request #6507:
URL: https://github.com/apache/incubator-pinot/pull/6507
## Description
- This PR adds access control capability for REST endpoints of Controller.
- If an endpoint requires authentication, it can be simply annotated with
`@Authenticate` annotation with `AccessType` parameter. This will trigger
automatic authentication.
- Authentication happens in a container filter - `AuthFilter` - which
automatically gets called before execution of each endpoint.
- `AuthFilter` checks if `@Authenticate` annotation is available on the
requested endpoint. If available, then it calls `AccessControl` object to
perform actual authentication.
- The described approach works just fine for the endpoints that are not
table level. In other words, they don't require table name for authentication.
- For table level endpoints which require table name as an input to
authentication, there are two ways:
1. _Table name can be provided as a path (or query) parameter on the
endpoint._ In this case, `AuthFilter` can extract it and pass it to
AccessControl object. For backward compatibility, `AuthFilter` looks for
`tableName`, `tableNameWithType`, or `schemaName` in path (or query) parameters.
2. _Table name cannot be provided as a path (or query) param._ For example
in case of uploading a table or schema, tableName is deep inside the json body
of the post request and extracting table name needs to happen within the
endpoint. In this case, automatic authentication via AuthFilter is not
possible. Therefore, `@Authenticate` annotation will not be placed on these
endpoints and authentication needs to be explicitly invoked within the endpoint.
## Testing Done
Deployed locally and verified that the authentication gets called
automatically for annotated endpoints.
Also verified the expected behavior on the endpoints with no annotation and
the explicit (manual) authentication, for example POST method of `/schemas` and
`/tables`.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
