sajjad-moradi commented on a change in pull request #6613:
URL: https://github.com/apache/incubator-pinot/pull/6613#discussion_r595654824
##########
File path:
pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AccessControl.java
##########
@@ -64,4 +67,36 @@ default boolean hasAccess(String tableName, AccessType
accessType, HttpHeaders h
default boolean hasAccess(AccessType accessType, HttpHeaders httpHeaders,
String endpointUrl) {
return true;
}
+
+ /**
+ * Return workflow info for authenticating users. Not all workflows may be
supported by the pinot UI implementation.
+ *
+ * @return workflow info for user authentication
+ */
+ default AuthWorkflowInfo getAuthWorkflowInfo() {
+ return new AuthWorkflowInfo(WORKFLOW_NONE);
+ }
+
+ /**
+ * Container for authentication workflow info for the Pinot UI. May be
extended by implementations.
+ *
+ * Auth workflow info hold any configuration necessary to execute a UI
workflow. We currently foresee supporting NONE
+ * (auth disabled), BASIC (basic auth with username and password), and
OAUTH2 (token-based workflow via external
+ * issuer)
+ */
+ class AuthWorkflowInfo {
Review comment:
At LinkedIn, we're using both token-based & certificate-based
authentication. We don't have a UI for the endpoints and I'm not sure what kind
of information is needed to be returned to UI other than the type of
authentication. What do you have in mind?
##########
File path:
pinot-integration-tests/src/test/java/org/apache/pinot/integration/tests/BasicAuthBatchIntegrationTest.java
##########
@@ -0,0 +1,177 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.integration.tests;
+
+import com.fasterxml.jackson.databind.JsonNode;
+import com.google.common.base.Preconditions;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileOutputStream;
+import java.util.Collections;
+import java.util.Map;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.IOUtils;
+import
org.apache.pinot.controller.helix.core.minion.generator.PinotTaskGenerator;
+import org.apache.pinot.minion.executor.PinotTaskExecutor;
+import org.apache.pinot.spi.env.PinotConfiguration;
+import org.apache.pinot.spi.utils.JsonUtils;
+import org.apache.pinot.tools.BootstrapTableTool;
+import org.testng.Assert;
+import org.testng.annotations.AfterClass;
+import org.testng.annotations.BeforeClass;
+import org.testng.annotations.Test;
+
+import static
org.apache.pinot.integration.tests.BasicAuthTestUtils.AUTH_HEADER;
+import static
org.apache.pinot.integration.tests.BasicAuthTestUtils.AUTH_HEADER_USER;
+import static org.apache.pinot.integration.tests.BasicAuthTestUtils.AUTH_TOKEN;
+
+
+/**
+ * Integration test that provides example of {@link PinotTaskGenerator} and
{@link PinotTaskExecutor} and tests simple
+ * minion functionality.
+ */
+public class BasicAuthBatchIntegrationTest extends ClusterTest {
+ private static final String BOOTSTRAP_DATA_DIR =
"/examples/batch/baseballStats";
+ private static final String SCHEMA_FILE = "baseballStats_schema.json";
+ private static final String CONFIG_FILE =
"baseballStats_offline_table_config.json";
+ private static final String DATA_FILE = "baseballStats_data.csv";
+ private static final String JOB_FILE = "ingestionJobSpec.yaml";
+
+ @BeforeClass
+ public void setUp()
+ throws Exception {
+ startZk();
+ startController();
+ startBroker();
+ startServer();
+ startMinion(Collections.emptyList(), Collections.emptyList());
+ }
+
+ @AfterClass(alwaysRun = true)
+ public void tearDown()
+ throws Exception {
+ stopMinion();
+ stopServer();
+ stopBroker();
+ stopController();
+ stopZk();
+ }
+
+ @Override
+ public Map<String, Object> getDefaultControllerConfiguration() {
+ return
BasicAuthTestUtils.addControllerConfiguration(super.getDefaultControllerConfiguration());
+ }
+
+ @Override
+ protected PinotConfiguration getDefaultBrokerConfiguration() {
+ return
BasicAuthTestUtils.addBrokerConfiguration(super.getDefaultBrokerConfiguration().toMap());
+ }
+
+ @Override
+ protected PinotConfiguration getDefaultServerConfiguration() {
+ return
BasicAuthTestUtils.addServerConfiguration(super.getDefaultServerConfiguration().toMap());
+ }
+
+ @Override
+ protected PinotConfiguration getDefaultMinionConfiguration() {
+ return
BasicAuthTestUtils.addMinionConfiguration(super.getDefaultMinionConfiguration().toMap());
+ }
+
+ @Test
+ public void testBrokerNoAuth()
+ throws Exception {
+ JsonNode response =
+
JsonUtils.stringToJsonNode(sendPostRequest("http://localhost:18099/query/sql";,
"{\"sql\":\"SELECT now()\"}"));
+ Assert.assertFalse(response.has("resultTable"), "must not return result
table");
+
Assert.assertTrue(response.get("exceptions").get(0).get("errorCode").asInt() !=
0, "must return error code");
+ }
+
+ @Test
+ public void testBroker()
+ throws Exception {
+ JsonNode response = JsonUtils.stringToJsonNode(
+ sendPostRequest("http://localhost:18099/query/sql";, "{\"sql\":\"SELECT
now()\"}", AUTH_HEADER));
+
Assert.assertEquals(response.get("resultTable").get("dataSchema").get("columnDataTypes").get(0).asText(),
"LONG",
+ "must return result with LONG value");
+ Assert.assertTrue(response.get("exceptions").isEmpty(), "must not return
exception");
+ }
+
+ @Test
+ public void testControllerGetTables()
+ throws Exception {
+ JsonNode response =
JsonUtils.stringToJsonNode(sendGetRequest("http://localhost:18998/tables";,
AUTH_HEADER));
+ Assert.assertTrue(response.get("tables").isArray(), "must return table
array");
+ }
+
+ @Test
+ public void testIngestionBatch()
+ throws Exception {
+ File quickstartTmpDir = new File(FileUtils.getTempDirectory(),
String.valueOf(System.currentTimeMillis()));
+ FileUtils.forceDeleteOnExit(quickstartTmpDir);
+
+ File baseDir = new File(quickstartTmpDir, "baseballStats");
+ File dataDir = new File(baseDir, "rawdata");
+ File schemaFile = new File(baseDir, SCHEMA_FILE);
+ File configFile = new File(baseDir, CONFIG_FILE);
+ File dataFile = new File(dataDir, DATA_FILE);
+ File jobFile = new File(baseDir, JOB_FILE);
+ Preconditions.checkState(dataDir.mkdirs());
+
+ FileUtils.copyURLToFile(getClass().getResource(BOOTSTRAP_DATA_DIR + "/" +
SCHEMA_FILE), schemaFile);
+ FileUtils.copyURLToFile(getClass().getResource(BOOTSTRAP_DATA_DIR + "/" +
CONFIG_FILE), configFile);
+ FileUtils.copyURLToFile(getClass().getResource(BOOTSTRAP_DATA_DIR +
"/rawdata/" + DATA_FILE), dataFile);
+ FileUtils.copyURLToFile(getClass().getResource(BOOTSTRAP_DATA_DIR + "/" +
JOB_FILE), jobFile);
+
+ // patch ingestion job
+ String jobFileContents = IOUtils.toString(new FileInputStream(jobFile));
+ IOUtils.write(jobFileContents.replaceAll("9000",
String.valueOf(DEFAULT_CONTROLLER_PORT)),
+ new FileOutputStream(jobFile));
+
+ new BootstrapTableTool("http", "localhost", DEFAULT_CONTROLLER_PORT,
baseDir.getAbsolutePath(), AUTH_TOKEN)
+ .execute();
+
+ Thread.sleep(5000);
+
+ // admin with full access
+ JsonNode response = JsonUtils.stringToJsonNode(
+ sendPostRequest("http://localhost:18099/query/sql";, "{\"sql\":\"SELECT
count(*) FROM baseballStats\"}",
+ AUTH_HEADER));
+
Assert.assertEquals(response.get("resultTable").get("dataSchema").get("columnDataTypes").get(0).asText(),
"LONG",
+ "must return result with LONG value");
+
Assert.assertEquals(response.get("resultTable").get("dataSchema").get("columnNames").get(0).asText(),
"count(*)",
+ "must return column name 'count(*)");
+
Assert.assertEquals(response.get("resultTable").get("rows").get(0).get(0).asInt(),
97889,
+ "must return row count 97889");
+ Assert.assertTrue(response.get("exceptions").isEmpty(), "must not return
exception");
+
+ // user with valid auth but no table access
+ JsonNode responseUser = JsonUtils.stringToJsonNode(
+ sendPostRequest("http://localhost:18099/query/sql";, "{\"sql\":\"SELECT
count(*) FROM baseballStats\"}",
+ AUTH_HEADER_USER));
+ Assert.assertFalse(responseUser.has("resultTable"), "must not return
result table");
+
Assert.assertTrue(responseUser.get("exceptions").get(0).get("errorCode").asInt()
!= 0, "must return error code");
+ }
+
+// // TODO this endpoint should be protected once UI supports auth
+// @Test
+// public void testControllerGetTablesNoAuth()
+// throws Exception {
+// System.out.println(sendGetRequest("http://localhost:18998/tables";));
+// }
Review comment:
I don't understand the TODO here!
##########
File path:
pinot-core/src/main/java/org/apache/pinot/core/auth/BasicAuthPrincipal.java
##########
@@ -0,0 +1,55 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.core.auth;
+
+import java.util.Set;
+
+
+/**
+ * Container object for basic auth principal
+ */
+public class BasicAuthPrincipal {
+ private final String _name;
+ private final String _token;
+ private final Set<String> _tables;
+ private final Set<String> _permissions;
Review comment:
I think it should be "AccessType" because AccessControl.hasAccess()
takes an AccessType object as its argument. Implementations of AccessControl
can't change AccessType.
##########
File path:
pinot-controller/src/main/java/org/apache/pinot/controller/api/resources/PinotControllerAuthResource.java
##########
@@ -0,0 +1,90 @@
+/**
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.pinot.controller.api.resources;
+
+import io.swagger.annotations.Api;
+import io.swagger.annotations.ApiOperation;
+import io.swagger.annotations.ApiParam;
+import io.swagger.annotations.ApiResponse;
+import io.swagger.annotations.ApiResponses;
+import javax.inject.Inject;
+import javax.ws.rs.GET;
+import javax.ws.rs.Path;
+import javax.ws.rs.Produces;
+import javax.ws.rs.QueryParam;
+import javax.ws.rs.core.Context;
+import javax.ws.rs.core.HttpHeaders;
+import javax.ws.rs.core.MediaType;
+import org.apache.commons.lang3.StringUtils;
+import org.apache.pinot.controller.api.access.AccessControl;
+import org.apache.pinot.controller.api.access.AccessControlFactory;
+import org.apache.pinot.controller.api.access.AccessType;
+
+
+@Api(tags = "Auth")
+@Path("/")
+public class PinotControllerAuthResource {
+
+ @Inject
+ private AccessControlFactory _accessControlFactory;
+
+ @Context
+ HttpHeaders _httpHeaders;
+
+ /**
+ * Verify a token is both authenticated and authorized to perform an
operation.
+ *
+ * @param tableName table name (optional)
+ * @param accessType access type (optional)
+ * @param endpointUrl endpoint url (optional)
+ *
+ * @return {@code true} if authenticated and authorized, {@code false}
otherwise
+ */
+ @GET
+ @Path("auth/verify")
+ @Produces(MediaType.APPLICATION_JSON)
+ @ApiOperation(value = "Check whether authentication is enabled")
+ @ApiResponses(value = {@ApiResponse(code = 200, message = "Verification
result provided"), @ApiResponse(code = 500, message = "Verification error")})
+ public boolean verify(@ApiParam(value = "Table name without type")
@QueryParam("tableName") String tableName,
+ @ApiParam(value = "API access type") @QueryParam("accessType")
AccessType accessType,
+ @ApiParam(value = "Endpoint URL") @QueryParam("endpointUrl") String
endpointUrl) {
+ AccessControl accessControl = _accessControlFactory.create();
+
+ if (StringUtils.isBlank(tableName)) {
+ return accessControl.hasAccess(accessType, _httpHeaders, endpointUrl);
+ }
+
+ return accessControl.hasAccess(tableName, accessType, _httpHeaders,
endpointUrl);
+ }
+
+ /**
+ * Provide the auth workflow configuration for the Pinot UI to perform user
authentication. Currently supports NONE
+ * (no auth), BASIC (basic auth with username and password), and OAUTH2
(token-based via external issuer)
Review comment:
AFAIK currently there's no OAuth2 support. If that's correct, please
update the comment.
##########
File path:
pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AccessControl.java
##########
@@ -26,6 +26,9 @@
@InterfaceAudience.Public
@InterfaceStability.Stable
public interface AccessControl {
+ String WORKFLOW_NONE = "NONE";
+ String WORKFLOW_BASIC = "BASIC";
+ String WORKFLOW_OAUTH2 = "OAUTH2";
Review comment:
I guess we should stick to the ones that are already available in the
code - ie none and basic. Whenever we add new implementation, we can add them
here.
Also enum is a better choice than string.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org
