-
Notifications
You must be signed in to change notification settings - Fork 3.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
set DRUID_AUTHORIZATION_CHECKED attribute for router endpoints #8026
Conversation
I would think the How about adding that check to that endpoint, instead of skipping authorization for all router endpoints? (And also adding appropriate checks to any other router endpoints that might be missing them) |
Changed the code and PR description as per your recommendation. Thanks |
@pjain1 I wonder if that can be unit-tested easily? |
@egor-ryashin added |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM - thx!
…e#8026) * add state resource filter to router endpoints * add RouterResource to ResourceFilter test framework
* add state resource filter to router endpoints * add RouterResource to ResourceFilter test framework
Fixes #6786
Description
Router does not perform any authorization checks and depends on requests forwarded to other nodes to perform authorization and set
DRUID_AUTHORIZATION_CHECKED
header. It works fine in most cases, however for requests that are not forwarded to other nodes and are not in unsecured path list, this header is not set, thusPreResponseAuthorizationCheckFilter
throws exception. Example of this would be/druid/router/v1/brokers
end point on router.To fix this added appropriate resource filter to router endpoint.