dinoocch opened a new pull request, #16475: URL: https://github.com/apache/pinot/pull/16475
Similar in intention to https://github.com/apache/pinot/pull/7653 but for the MSE grpc channels. In particular as we roll out the MSE engine support internally we need to enforce proper authorization for all requests.

The addition of tls support in https://github.com/apache/pinot/pull/14387 and https://github.com/apache/pinot/pull/14476 *does* enable a basic version of this via mutual tls auth, but requires that the instance carefully control its trust store to only broker/server instances. Another option is to restrict traffic at the network level, but we found this adds operational complexity.

Initially a simple auth interceptor and interface on `(Attributes, Metadata)` is proposed since this covers a few styles of authorization a user might want to support, for example:

* Validation on PeerCertificate subject/etc from `Attributes`:

```java
public boolean hasAccess(Attributes attributes, Metadata metadata) {
  SSLSession sslSession = attributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
  if (sslSession == null) {
    return false;
  }
  Certificate[] peerCerts = sslSession.getPeerCertificates();
  ...
}
```

* From Metadata headers:

```java
public boolean hasAccess(Attributes attributes, Metadata metadata) {
  String authorization = metadata.get(AUTH_METADATA_KEY);
  return SECRET.equals(authorization);
}
```

This is added as a new interface shared between both QueryServer and GrpcMailboxServer. The default implementation is to approve all requests, similar to the current state.

Another option might be to implement some `ServerTransportFilter` instead (so the auth overhead would only exist on channel creation, similar to the single-stage implementation). But I chose the `ServerInterceptor` instead since (a) per-request overhead is likely low, (b) the pattern is much more obvious, and (c) it means that request headers are available for implementing some "standard" authorization within pinot ~ for example a shared key/jwt/etc vs certificates which are often deployment specific.
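As an added illustration (not code from the PR or from Pinot), the following shows how a grpc-java `ServerInterceptor` could delegate to an `(Attributes, Metadata)` check of the kind described above, with one authorizer that accepts either an allow-listed peer-certificate subject or a shared-secret header. The interface name `GrpcRequestAuthorizer`, the class names, the `authorization` header name and the subject strings are assumptions.

```java
import io.grpc.*;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
// Assumed shape of the shared (Attributes, Metadata) interface the PR proposes.
interface GrpcRequestAuthorizer {
  boolean hasAccess(Attributes attributes, Metadata metadata);
}
// Closes the call with UNAUTHENTICATED before the handler runs when the authorizer says no.
final class AuthServerInterceptor implements ServerInterceptor {
  private final GrpcRequestAuthorizer _authorizer;
  AuthServerInterceptor(GrpcRequestAuthorizer authorizer) { _authorizer = authorizer; }

  public <ReqT, RespT> ServerCall.Listener<ReqT> interceptCall(ServerCall<ReqT, RespT> call,
      Metadata headers, ServerCallHandler<ReqT, RespT> next) {
    if (!_authorizer.hasAccess(call.getAttributes(), headers)) {
      call.close(Status.UNAUTHENTICATED.withDescription("request not authorized"), new Metadata());
      return new ServerCall.Listener<ReqT>() { };  // no-op listener: the request is dropped
    }
    return next.startCall(call, headers);
  }
}
// Accepts an allow-listed peer cert subject, else a matching shared-secret header (constant-time compare).
final class CertOrSharedSecretAuthorizer implements GrpcRequestAuthorizer {
  static final Metadata.Key<String> AUTH_KEY =
      Metadata.Key.of("authorization", Metadata.ASCII_STRING_MARSHALLER);  // header name assumed
  private final Set<String> _allowedSubjects;  // RFC 2253 names, e.g. "CN=pinot-server,O=example"
  private final byte[] _secret;
  CertOrSharedSecretAuthorizer(Set<String> allowedSubjects, String secret) {
    _allowedSubjects = allowedSubjects; _secret = secret.getBytes(StandardCharsets.UTF_8);
  }

  public boolean hasAccess(Attributes attributes, Metadata metadata) {
    SSLSession session = attributes.get(Grpc.TRANSPORT_ATTR_SSL_SESSION);
    if (session != null) {  // null on a plaintext channel: only the header path applies
      try {
        Certificate[] peer = session.getPeerCertificates();
        if (peer.length > 0 && peer[0] instanceof X509Certificate
            && _allowedSubjects.contains(((X509Certificate) peer[0]).getSubjectX500Principal().getName())) return true;
      } catch (SSLPeerUnverifiedException e) { /* no client cert presented: fall through */ }
    }
    String header = metadata.get(AUTH_KEY);
    return header != null && MessageDigest.isEqual(_secret, header.getBytes(StandardCharsets.UTF_8));
  }
}
```

The interceptor is registered on each gRPC server with `ServerBuilder.intercept(...)`, so the same authorizer instance can serve both servers the PR mentions.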
