Improve permission checks in File connector [HZ-2991] #25348
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actuall permission check. EE PR #... (adds security tests)
frant-hartm
added
Type: Defect
Source: Internal
k-jamroz
reviewed
Sep 1, 2023
hazelcast-sql/src/main/java/com/hazelcast/jet/sql/impl/connector/jdbc/JdbcSqlConnector.java
Outdated
Show resolved
Hide resolved
k-jamroz
reviewed
Sep 1, 2023
hazelcast-sql/src/main/java/com/hazelcast/jet/sql/impl/connector/SqlConnector.java
Show resolved
Hide resolved
kwart
approved these changes
Sep 6, 2023
|
you need to merge current master but that will unfortunately make backporting the change harder due to changes for GET_DDL security. |
frant-hartm
changed the title
k-jamroz
reviewed
Oct 2, 2023
hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java
Outdated
Show resolved
Hide resolved
k-jamroz
approved these changes
Oct 2, 2023
kwart
approved these changes
Oct 2, 2023
frant-hartm
added a commit
to frant-hartm/hazelcast
that referenced
this pull request
Oct 2, 2023
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actuall permission check. EE PR #... (adds security tests) Backport of hazelcast#25348
k-jamroz
reviewed
Oct 2, 2023
| @@ -174,8 +175,9 @@ private MetaSupplier( | |||
| @Nonnull | |||
| @Override | |||
| public Function<? super Address, ? extends ProcessorSupplier> get(@Nonnull List<Address> addresses) { | |||
| return address -> ProcessorSupplier.of(() -> new ReadFilesP<>(directory, glob, sharedFileSystem, | |||
| ignoreFileNotFound, readFileFn)); | |||
| return address -> ProcessorSupplier.of(SecuredFunctions.readFilesProcessorFn( | |||
There was a problem hiding this comment.
when backported this might be a breaking change for an upgrade - old lambda will be not present in the code
kwart
pushed a commit
to kwart/hazelcast
that referenced
this pull request
Oct 4, 2023
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actuall permission check. Added permission to ProcessorSupplier returned by ReadFilesP.MetaSupplier (previously this allowed constructing unsecured DAG): https://github.com/hazelcast/hazelcast/blob/ee7e96933748283a01428e306e1b886b06b8a5ba/hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java#L179-L191 EE PR hazelcast/hazelcast-enterprise#6421 (adds security tests)
frant-hartm
added a commit
to frant-hartm/hazelcast
that referenced
this pull request
Oct 10, 2023
`SqlConnector#resolveAndValidateFields` may try to resolve field names from metadata and a sample. This is not covered by any permission check. Added `SqlConnector#permissionsForResolve` that returns permissions required to run the `resolveAndValidateFields`. Propagation of SqlSecurityContext was required for the actuall permission check. Added permission to ProcessorSupplier returned by ReadFilesP.MetaSupplier (previously this allowed constructing unsecured DAG): https://github.com/hazelcast/hazelcast/blob/ee7e96933748283a01428e306e1b886b06b8a5ba/hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java#L179-L191 EE PR hazelcast/hazelcast-enterprise#6421 (adds security tests)
4 tasks
frant-hartm
added a commit
that referenced
this pull request
Oct 10, 2023
Backport of #25348 to 5.3.z EE PR hazelcast/hazelcast-enterprise#6621 --------- Co-authored-by: František Hartman <frant.hartm@gmail.com>
frant-hartm
added a commit
that referenced
this pull request
Oct 10, 2023
frant-hartm
added a commit
to frant-hartm/hazelcast
that referenced
this pull request
Oct 11, 2023
4 tasks
frant-hartm
added a commit
to frant-hartm/hazelcast
that referenced
this pull request
Oct 11, 2023
4 tasks
frant-hartm
added a commit
that referenced
this pull request
Oct 13, 2023
frant-hartm
added a commit
that referenced
this pull request
Oct 13, 2023
devOpsHazelcast
pushed a commit
that referenced
this pull request
Feb 26, 2024
Backport port of: #25674 and https://github.com/hazelcast/hazelcast-enterprise/pull/6631 Original PRs in master: #25348 and https://github.com/hazelcast/hazelcast-enterprise/pull/6421 --------- Co-authored-by: František Hartman <frant.hartm@gmail.com> GitOrigin-RevId: 836979eec9b74102f67e9f2a44f49c1544dad014
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
SqlConnector#resolveAndValidateFieldsmay try to resolve field names from metadata and a sample. This is not covered by any permission check.Added
SqlConnector#permissionsForResolvethat returns permissions required to run theresolveAndValidateFields. Propagation of SqlSecurityContext was required for the actuall permission check.Added permission to ProcessorSupplier returned by ReadFilesP.MetaSupplier (previously this allowed constructing unsecured DAG):
hazelcast/hazelcast/src/main/java/com/hazelcast/jet/impl/connector/ReadFilesP.java
Lines 179 to 191 in ee7e969
EE PR https://github.com/hazelcast/hazelcast-enterprise/pull/6421 (adds security tests)
Checklist:
Team:,Type:,Source:,Module:) and Milestone setAdd to Release NotesorNot Release Notes contentsetBackports will be sent to valid branches (need to figure out - all 5.x branches?).