mcvsubbu commented on a change in pull request #6613: URL: https://github.com/apache/incubator-pinot/pull/6613#discussion_r594721563
########## File path: pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/BaseBrokerRequestHandler.java ########## @@ -180,6 +180,16 @@ public BrokerResponse handleRequest(JsonNode request, @Nullable RequesterIdentit requestStatistics.setRequestId(requestId); requestStatistics.setRequestArrivalTimeMillis(System.currentTimeMillis()); + // first-stage access control to prevent unauthenticated requests from using up resources + // secondary table-level check comes later + boolean hasAccess = _accessControlFactory.create().hasAccess(requesterIdentity); + if (!hasAccess) { + _brokerMetrics.addMeteredTableValue(null, BrokerMeter.REQUEST_DROPPED_DUE_TO_ACCESS_ERROR, 1); Review comment: You may want to consider a different metric here than in line 261 ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## @@ -139,25 +140,41 @@ private static URI getURI(String protocol, String host, int port, String path) return new URI(protocol, null, host, port, path, null, null); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled Review comment: Can you provide a pointer to the method to be used instead? Do we need to introduce a method that takes authToken as an additional argument ? Perhaps it should specify "null" (the string) in the calling sequence? ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## 
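Review bot: In BaseBrokerRequestHandler, `requesterIdentity` is declared `@Nullable` in the `handleRequest` signature shown in the hunk header, and the new first-stage check passes it straight to `hasAccess(requesterIdentity)`. Whether an anonymous request is rejected therefore depends on how each access-control implementation treats a null identity. I would state that contract next to the call, for example `// requesterIdentity may be null; implementations must deny a null identity when authentication is required`, and repeat it on the interface method. The rejection branch continues past the end of the quoted hunk, so the response returned to the caller is not visible here.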
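Review bot: In FileUploadDownloadClient, the new Javadoc on `getRetrieveTableConfigHttpURI` says the helper may break with TLS enabled, but not that it always builds a plain-HTTP URI via `getURI(HTTP, host, port, ...)`. That matters more now that this pull request adds an auth token: a caller that attaches the token to a request built from one of these URIs would presumably send it unencrypted. I would say so in the deprecation text using the Javadoc tag, e.g. `@deprecated always builds a plain-HTTP URI; a token sent to it is not protected in transit`. The same applies to `getDeleteSegmentHttpUri` and `getRetrieveAllSegmentWithTableTypeHttpUri` in the later quoted copies of this hunk, and to the hunk at `@@ -168,11 +185,19 @@`. Each copy is quoted only up to the line its review comment is attached to.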
@@ -139,25 +140,41 @@ private static URI getURI(String protocol, String host, int port, String path) return new URI(protocol, null, host, port, path, null, null); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getRetrieveTableConfigHttpURI(String host, int port, String rawTableName) throws URISyntaxException { return getURI(HTTP, host, port, TABLES_PATH + "/" + rawTableName); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled Review comment: same. need an alternative so the user can migrate and stop using the deprecated methods. We can remove the deprecated ones in a subsequent release. ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/fetcher/BaseSegmentFetcher.java ########## @@ -36,6 +35,7 @@ public static final String RETRY_COUNT_CONFIG_KEY = "retry.count"; public static final String RETRY_WAIT_MS_CONFIG_KEY = "retry.wait.ms"; public static final String RETRY_DELAY_SCALE_FACTOR_CONFIG_KEY = "retry.delay.scale.factor"; + public static final String AUTH_TOKEN = "auth.token"; Review comment: +1 As long as it has the same semantics as the auth token defined there, we should be able to re-use that. ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/CommonConstants.java ########## @@ -305,6 +312,12 @@ public static final String CONFIG_OF_CONTROLLER_HTTPS_PORT = "controller.port"; public static final String CONFIG_OF_SEGMENT_UPLOAD_REQUEST_TIMEOUT_MS = "upload.request.timeout.ms"; + /** + * Service token for accessing protected controller APIs. Review comment: Hmmm what is the difference between this config and the config in line 243 (and then in 371)? The comments all say the same thing :) ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## 
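Review bot: In BaseSegmentFetcher, `AUTH_TOKEN` breaks the naming of the neighbouring keys, which all end in `_CONFIG_KEY` (`RETRY_COUNT_CONFIG_KEY`, `RETRY_WAIT_MS_CONFIG_KEY`, `RETRY_DELAY_SCALE_FACTOR_CONFIG_KEY`). `public static final String AUTH_TOKEN_CONFIG_KEY = "auth.token";` would read as a key name rather than as a token value. Unlike the retry settings, the value stored under this key is a credential, so I would add a comment such as `// value is a secret: never log it or include it in a dumped fetcher config`. Whether the fetcher configuration is logged anywhere is not visible in this hunk, so that part needs checking against the code that reads it.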
@@ -168,11 +185,19 @@ public static URI getRetrieveSchemaURI(String protocol, String host, int port, S return getURI(protocol, host, port, SCHEMA_PATH + "/" + schemaName); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled Review comment: same ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## @@ -139,25 +140,41 @@ private static URI getURI(String protocol, String host, int port, String path) return new URI(protocol, null, host, port, path, null, null); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getRetrieveTableConfigHttpURI(String host, int port, String rawTableName) throws URISyntaxException { return getURI(HTTP, host, port, TABLES_PATH + "/" + rawTableName); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getDeleteSegmentHttpUri(String host, int port, String rawTableName, String segmentName, String tableType) throws URISyntaxException { return new URI(StringUtil.join("/", StringUtils.chomp(HTTP + "://" + host + ":" + port, "/"), OLD_SEGMENT_PATH, rawTableName + "/" + URIUtils.encode(segmentName) + TYPE_DELIMITER + tableType)); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled Review comment: same ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## 
@@ -139,25 +140,41 @@ private static URI getURI(String protocol, String host, int port, String path) return new URI(protocol, null, host, port, path, null, null); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getRetrieveTableConfigHttpURI(String host, int port, String rawTableName) throws URISyntaxException { return getURI(HTTP, host, port, TABLES_PATH + "/" + rawTableName); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated Review comment: same ########## File path: pinot-common/src/main/java/org/apache/pinot/common/utils/FileUploadDownloadClient.java ########## 
@@ -139,25 +140,41 @@ private static URI getURI(String protocol, String host, int port, String path) return new URI(protocol, null, host, port, path, null, null); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getRetrieveTableConfigHttpURI(String host, int port, String rawTableName) throws URISyntaxException { return getURI(HTTP, host, port, TABLES_PATH + "/" + rawTableName); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getDeleteSegmentHttpUri(String host, int port, String rawTableName, String segmentName, String tableType) throws URISyntaxException { return new URI(StringUtil.join("/", StringUtils.chomp(HTTP + "://" + host + ":" + port, "/"), OLD_SEGMENT_PATH, rawTableName + "/" + URIUtils.encode(segmentName) + TYPE_DELIMITER + tableType)); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled + */ + @Deprecated public static URI getRetrieveAllSegmentWithTableTypeHttpUri(String host, int port, String rawTableName, String tableType) throws URISyntaxException { return new URI(StringUtil.join("/", StringUtils.chomp(HTTP + "://" + host + ":" + port, "/"), OLD_SEGMENT_PATH, rawTableName + TYPE_DELIMITER + tableType)); } + /** + * Deprecated due to lack of protocol/scheme support. May break for deployments with TLS/SSL enabled Review comment: same ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. 