apucher opened a new pull request, #9252: URL: https://github.com/apache/pinot/pull/9252
Several endpoints in pinot aren't served well by the AuthFilter's heuristics for extracting table names. In particular, this includes `/tableConfigs` and `/schema` endpoints that accept opaque payloads without a table or schema name in the parameters. This causes problems with fine-grained access control, such as non-admin users creating new tables via self-serve. This PR adds a new annotation `@ManualAuthorization` for REST endpoints, which allows developers to skip the default authorization and deserialize payloads before manually invoking authorization, e.g. via `AccessControlUtils.validatePermissions()`. This annotation comes with obvious risks and should be used sparingly, as it enables requests to bypass most of the AuthFilter.
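A self-contained model of the pattern this PR describes, added here as an illustration and not taken from the PR or from Pinot: the filter skips annotated endpoints, so the endpoint has to parse the payload and authorize before any side effect. Only the annotation name and `validatePermissions` come from the description; the class, the method signatures, the ACL map and the regex stand-in for JSON deserialization are assumptions.

```java
import java.lang.annotation.*;
import java.lang.reflect.Method;
import java.util.*;
import java.util.regex.*;

// Illustrative model only, not Pinot code. Signatures, ACL and parsing are assumptions.
public class ManualAuthDemo {
  @Retention(RetentionPolicy.RUNTIME) @Target(ElementType.METHOD)
  @interface ManualAuthorization {}
  // Constructed ACL: user -> tables that user may create or modify.
  static final Map<String, Set<String>> ACL = Map.of("alice", Set.of("clicks"));

  // Fails closed: a missing table name is denied, never treated as "no restriction".
  static void validatePermissions(String user, String table) {
    if (table == null || !ACL.getOrDefault(user, Set.of()).contains(table)) {
      throw new SecurityException(user + " denied on " + table);
    }
  }

  // Model of the default filter: it can only see a table name in the request parameters.
  static void filter(Method endpoint, String user, Map<String, String> params) {
    // Annotated endpoints are skipped, so they alone are responsible for authorization.
    if (endpoint.isAnnotationPresent(ManualAuthorization.class)) return;
    validatePermissions(user, params.get("tableName"));
  }

  // Regex stand-in for real JSON deserialization of the opaque payload.
  static final Pattern TABLE = Pattern.compile("\"tableName\"\\s*:\\s*\"([^\"]+)\"");

  @ManualAuthorization
  public static String addTableConfigs(String user, String payload) {
    Matcher m = TABLE.matcher(payload);
    String table = m.find() ? m.group(1) : null;
    validatePermissions(user, table); // authorize before any side effect
    return "created " + table;
  }

  static String handle(String user, String payload) throws Exception {
    Method ep = ManualAuthDemo.class.getMethod("addTableConfigs", String.class, String.class);
    filter(ep, user, Map.of()); // this endpoint carries no tableName parameter
    return addTableConfigs(user, payload);
  }

  public static void main(String[] args) throws Exception {
    System.out.println(handle("alice", "{\"tableName\": \"clicks\"}"));
    try { handle("alice", "{\"tableName\": \"payments\"}"); }
    catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
  }
}
```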