jasperjiaguo commented on a change in pull request #7653:
URL: https://github.com/apache/pinot/pull/7653#discussion_r743986425
##########
File path:
pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java
##########
@@ -27,6 +28,13 @@
@InterfaceStability.Stable
public interface AccessControl {
+ /**
+ *
+ * @param channelHandlerContext netty tls context
+ * @return Whether the client has access to query server
+ */
+ boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext);
+
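Review bot: `hasQueryServerAccess` is added without a `default` body to an interface annotated `@InterfaceStability.Stable`, so every existing `AccessControl` implementation will fail to compile until it adds the method. Consider declaring it as a `default` method so current implementations keep working. The Javadoc description line is empty, and `@param channelHandlerContext netty tls context` does not say at what point the method is called or what happens to the connection when it returns false. Please document both, and say that the argument is the channel's Netty `ChannelHandlerContext`, from which the TLS session has to be looked up.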
Review comment:
Yes. Both token and cert are used in Pinot to do authorization. For
admin/query/segment download requests we check the tokens to ensure they're from
authorized users. But in this case we only want the server to accept TLS connections
from pinot-broker (the query requester's access is already checked); therefore,
inspecting the host id on the trusted certificate is sufficient. And it also incurs
minimum overhead to check only upon handshake.
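The certificate check described in the review comment could look like the following. This is an added example, not code from the pull request or from Pinot. It assumes the server's `SslHandler` requires client certificates validated against its trust store, that the method is called after the handshake completes, and that broker identities are DNS names in the certificate's subject alternative names. `BrokerCertCheck` and `allowedBrokerHosts` are hypothetical names.

```java
import io.netty.channel.ChannelHandlerContext;
import io.netty.handler.ssl.SslHandler;
import java.security.cert.Certificate;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.SSLPeerUnverifiedException;

/** Hypothetical helper, not Pinot code: admit only peers whose certificate names a known broker. */
public final class BrokerCertCheck {
  private static final int SAN_DNS_NAME = 2; // GeneralName tag for dNSName (RFC 5280)
  private final Set<String> allowedBrokerHosts; // assumed lower-case, loaded from server config

  public BrokerCertCheck(Set<String> allowedBrokerHosts) {
    this.allowedBrokerHosts = Set.copyOf(allowedBrokerHosts);
  }

  /** Same signature as the method in the hunk; every failure path denies access. */
  public boolean hasQueryServerAccess(ChannelHandlerContext ctx) {
    SslHandler ssl = ctx.pipeline().get(SslHandler.class);
    if (ssl == null) {
      return false; // plaintext channel: there is no certificate to inspect
    }
    try {
      // Throws if the handshake is incomplete or the peer presented no certificate.
      Certificate[] chain = ssl.engine().getSession().getPeerCertificates();
      return chain.length > 0 && chain[0] instanceof X509Certificate
          && namesAllowedHost((X509Certificate) chain[0]);
    } catch (SSLPeerUnverifiedException | CertificateParsingException e) {
      return false;
    }
  }

  private boolean namesAllowedHost(X509Certificate leaf) throws CertificateParsingException {
    Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
    if (sans == null) {
      return false; // no SAN extension; the subject CN is deliberately not consulted
    }
    for (List<?> san : sans) {
      if (((Integer) san.get(0)) == SAN_DNS_NAME
          && allowedBrokerHosts.contains(((String) san.get(1)).toLowerCase(Locale.ROOT))) {
        return true;
      }
    }
    return false;
  }
}
```

The name check only carries weight because the TLS layer has already validated the chain; on a handler that does not require client authentication, `getPeerCertificates()` throws and the method denies access.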