Improve permission checks in File connector [HZ-2991] #25348
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actual permission check.
EE PR #... (adds security tests)
hazelcast-sql/src/main/java/com/hazelcast/jet/sql/impl/connector/jdbc/JdbcSqlConnector.java
hazelcast-sql/src/main/java/com/hazelcast/jet/sql/impl/connector/SqlConnector.java
You need to merge current master but that will unfortunately make backporting the change harder due to changes for GET_DDL security.
hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java
LGTM, however it might be better to move ReadFileP supplier to SecuredFunctions
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actual permission check. EE PR #... (adds security tests) Backport of hazelcast#25348
@@ -174,8 +175,9 @@ private MetaSupplier( | |||
@Nonnull | |||
@Override | |||
public Function<? super Address, ? extends ProcessorSupplier> get(@Nonnull List<Address> addresses) { | |||
return address -> ProcessorSupplier.of(() -> new ReadFilesP<>(directory, glob, sharedFileSystem, | |||
ignoreFileNotFound, readFileFn)); | |||
return address -> ProcessorSupplier.of(SecuredFunctions.readFilesProcessorFn( |
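Review bot: the new `SecuredFunctions.readFilesProcessorFn(` call in `get` has no comment explaining why the inline `() -> new ReadFilesP<>(...)` supplier must not be used, so a later cleanup could quietly restore the plain lambda; add a one-line comment there saying the supplier has to carry the permission. The call is cut off in this view, so also confirm that `directory`, `glob`, `sharedFileSystem`, `ignoreFileNotFound` and `readFileFn` are all forwarded to it.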
When backported this might be a breaking change for an upgrade - old lambda will not be present in the code
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actual permission check.
Added permission to ProcessorSupplier returned by ReadFilesP.MetaSupplier (previously this allowed constructing unsecured DAG): https://github.com/hazelcast/hazelcast/blob/ee7e96933748283a01428e306e1b886b06b8a5ba/hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java#L179-L191
EE PR hazelcast/hazelcast-enterprise#6421 (adds security tests)
Backport of #25348 to 5.3.z EE PR hazelcast/hazelcast-enterprise#6621 --------- Co-authored-by: František Hartman <frant.hartm@gmail.com>
Backport port of: #25674 and https://github.com/hazelcast/hazelcast-enterprise/pull/6631 Original PRs in master: #25348 and https://github.com/hazelcast/hazelcast-enterprise/pull/6421 --------- Co-authored-by: František Hartman <frant.hartm@gmail.com> GitOrigin-RevId: 836979eec9b74102f67e9f2a44f49c1544dad014
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check.
Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actual permission check.
Added permission to ProcessorSupplier returned by ReadFilesP.MetaSupplier (previously this allowed constructing unsecured DAG):
hazelcast/hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java, Lines 179 to 191 in ee7e969
EE PR https://github.com/hazelcast/hazelcast-enterprise/pull/6421 (adds security tests)
Checklist:
- `Team:`, `Type:`, `Source:`, `Module:` and Milestone set
- `Add to Release Notes` or `Not Release Notes content` set
- Backports will be sent to valid branches (need to figure out - all 5.x branches?).
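The check-before-resolve pattern the description refers to, as an added example that is not code from this PR or from Hazelcast: `SecurityContext`, `Connector`, `FileConnector` and the `path` option are simplified stand-ins, and `java.io.FilePermission` is used in place of Hazelcast's own permission classes.

```java
import java.io.FilePermission;
import java.security.Permission;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Simplified stand-ins for the types named in the PR; not Hazelcast's real signatures.
public class ResolvePermissionDemo {
    interface SecurityContext {              // stand-in for SqlSecurityContext
        void checkPermission(Permission p);  // throws SecurityException on denial
    }
    interface Connector {                    // stand-in for SqlConnector
        // Permissions that must hold before field resolution touches the external system.
        List<Permission> permissionsForResolve(Map<String, String> options);
        // May open the source and read a sample to infer field names.
        List<String> resolveAndValidateFields(Map<String, String> options);
    }
    static class FileConnector implements Connector {
        public List<Permission> permissionsForResolve(Map<String, String> options) {
            return List.of(new FilePermission(options.get("path") + "/-", "read"));
        }
        public List<String> resolveAndValidateFields(Map<String, String> options) {
            return List.of("id", "name");    // constructed result; a real connector samples a file here
        }
    }
    // The caller checks every declared permission first, so resolution never
    // samples a directory the submitting principal is not allowed to read.
    static List<String> resolve(Connector c, Map<String, String> options, SecurityContext ctx) {
        for (Permission p : c.permissionsForResolve(options)) {
            ctx.checkPermission(p);
        }
        return c.resolveAndValidateFields(options);
    }

    public static void main(String[] args) {
        Set<Permission> granted = Set.of(new FilePermission("/data/public/-", "read"));
        SecurityContext ctx = p -> {
            if (granted.stream().noneMatch(g -> g.implies(p))) {
                throw new SecurityException("denied: " + p);
            }
        };
        FileConnector c = new FileConnector();
        System.out.println(resolve(c, Map.of("path", "/data/public"), ctx));
        try {
            resolve(c, Map.of("path", "/etc"), ctx);   // not covered by the grant
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```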