jasperjiaguo commented on a change in pull request #7653: URL: https://github.com/apache/pinot/pull/7653#discussion_r745140386
########## File path: pinot-core/src/main/java/org/apache/pinot/server/access/AccessControl.java ##########
@@ -27,6 +28,13 @@ @InterfaceStability.Stable public interface AccessControl { + /** + * + * @param channelHandlerContext netty tls context + * @return Whether the client has access to query server + */ + boolean hasQueryServerAccess(ChannelHandlerContext channelHandlerContext); +

Review comment:
I'm not clear about the necessity to pass the token in the request given the potential overhead... For the other modules with token-based authorization, requests are all initiated by external services/users through exposed APIs, where we do need to check client tokens for access control. In this case the broker-server channel is private and we've already performed the token check on the broker side; servers can trust the broker's identity based on cert. Can you also give more details on why certificate-based check is not enough? Do we want to expose the servers' query endpoint?

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
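
Review bot: in the `AccessControl` hunk, `hasQueryServerAccess(ChannelHandlerContext channelHandlerContext)` is added as an abstract method to an interface marked `@InterfaceStability.Stable`, so every existing implementation of `AccessControl` stops compiling until it adds the method. Consider declaring it as a `default` method, and state in the Javadoc whether that default allows or denies, since that choice decides whether existing deployments fail open or fail closed. The Javadoc also has an empty description line and describes the parameter only as "netty tls context"; it should say what an implementation is expected to read from the context to reach its decision and what the caller does when the method returns false.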