"Authorization Failed" for BROKER users created via API having rights for "ALL" tables

[johannesploetner]

In Pinot 1.2.0, user creation via REST API seems broken when "ZkBasicAuthAccessControlFactory" is activated.

How to reproduce:

• start pinot 1.2.0 (i.e. using docker-compose) and with "ZkBasicAuthAccessControlFactory" enabled.
• create a schema and a table (can be empty in terms of: no data required)
• create a "BROKER" User via the API:

  curl -X 'POST' \
   'http://localhost:9000/users' \
   -H 'accept: application/json' \
   -H 'Authorization: YWRtaW46YWRtaW4=' \
   -H 'Content-Type: application/json' \
   -d '{
   "username": "test",
   "password": "test",
   "component": "BROKER",
   "role": "USER",
   "permissions": [
     "READ"
   ],
   "tables": [
     "ALL"
   ]
  }
  '
  

• you can check the "User Console" in the Controller UI now if you want. It looks like the user has been created correctly. "READ" Rights have been assigned for "ALL" tables for this broker user.
• try to make a query using this user via the API:

  export AUTH_HEADER=`echo -n 'test:test' | base64`
  curl -H "Content-Type: application/json" -H "Authorization: $AUTH_HEADER" -X POST \
   -d '{"sql":"select * from offline_table_example_OFFLINE limit 10"}' \
   http://localhost:8099/query/sql
   {"code":403,"error":"Permission denied.Reason: Authorization Failed for tables: [offline_table_example_OFFLINE]"}%
  

  That looks already wrong, as the user should have access to "ALL" tabes.
• Now buckle up, as we're going to fix this: Go to the "User Console" in the Controller UI, "edit" the user. In the "tables" section, remove the activated checkbox for "ALL" - and check it again. Submit your changes. (There weren't really any changes, but still.)
• Now try the exact same "curl" again:

  curl -H "Content-Type: application/json" -H "Authorization: $AUTH_HEADER" -X POST \
   -d '{"sql":"select * from offline_table_example_OFFLINE limit 10"}' \
   http://localhost:8099/query/sql
  {"numRowsResultSet":0,"partialResult":false,"exceptions":[],"numGroupsLimitReached":false,"timeUsedMs":1,"requestId":"1429030164000000006","brokerId":"Broker_67d510247f83_8099","numDocsScanned":0,"totalDocs":0,"numEntriesScannedInFilter":0,"numEntriesScannedPostFilter":0,"numServersQueried":0,"numServersResponded":0,"numSegmentsQueried":0,"numSegmentsProcessed":0,"numSegmentsMatched":0,"numConsumingSegmentsQueried":0,"numConsumingSegmentsProcessed":0,"numConsumingSegmentsMatched":0,"minConsumingFreshnessTimeMs":0,"numSegmentsPrunedByBroker":0,"numSegmentsPrunedByServer":0,"numSegmentsPrunedInvalid":0,"numSegmentsPrunedByLimit":0,"numSegmentsPrunedByValue":0,"brokerReduceTimeMs":0,"offlineThreadCpuTimeNs":0,"realtimeThreadCpuTimeNs":0,"offlineSystemActivitiesCpuTimeNs":0,"realtimeSystemActivitiesCpuTimeNs":0,"offlineResponseSerializationCpuTimeNs":0,"realtimeResponseSerializationCpuTimeNs":0,"offlineTotalCpuTimeNs":0,"realtimeTotalCpuTimeNs":0,"explainPlanNumEmptyFilterSegments":0,"explainPlanNumMatchAllFilterSegments":0,"traceInfo":{}}%
  

  Now we got a response...

Unfortunately, this breaks our automation for user creation via the API. Can we get a fix?

[yashmayya]

@johannesploetner if you want the user to have access to all the tables, the list of tables should be omitted rather than setting "tables": ["ALL"] (which actually has the semantic of granting the user access to a single table with the name of ALL). So your user creation request would look like the following instead:

curl -X 'POST' \
 'http://localhost:9000/users' \
 -H 'accept: application/json' \
 -H 'Authorization: YWRtaW46YWRtaW4=' \
 -H 'Content-Type: application/json' \
 -d '{
 "username": "test",
 "password": "test",
 "component": "BROKER",
 "role": "USER",
 "permissions": [
   "READ"
 ]
}
'

There's a small section relevant to this in the docs here - https://docs.pinot.apache.org/operators/tutorials/authentication/basic-auth-access-control#broker-authentication-and-authorization.

[johannesploetner]

Thanks a lot! I would still advise to make it more clear in the docs.