apucher commented on a change in pull request #6613:
URL: https://github.com/apache/incubator-pinot/pull/6613#discussion_r594751564
##########
File path:
pinot-broker/src/main/java/org/apache/pinot/broker/requesthandler/BaseBrokerRequestHandler.java
##########
@@ -180,6 +180,16 @@ public BrokerResponse handleRequest(JsonNode request,
@Nullable RequesterIdentit
requestStatistics.setRequestId(requestId);
requestStatistics.setRequestArrivalTimeMillis(System.currentTimeMillis());
+ // first-stage access control to prevent unauthenticated requests from
using up resources
+ // secondary table-level check comes later
+ boolean hasAccess =
_accessControlFactory.create().hasAccess(requesterIdentity);
+ if (!hasAccess) {
+ _brokerMetrics.addMeteredTableValue(null,
BrokerMeter.REQUEST_DROPPED_DUE_TO_ACCESS_ERROR, 1);
Review comment:
imo this is the same concern. first-stage access control simply limits
resource consumption (i.e. denial of service, leakage of non-table data) for
unauthenticated requests. second-stage performs in-depth authorization per
table. any rejections are are ACL-related.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org
