[GitHub] [pinot] soumitra-st commented on a diff in pull request #11016: Rbac impl

Sun, 23 Jul 2023 21:24:22 -0700 


soumitra-st commented on code in PR #11016:
URL: https://github.com/apache/pinot/pull/11016#discussion_r1271726836


##########
pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java:
##########
@@ -81,10 +85,71 @@ public void filter(ContainerRequestContext requestContext)
 
     HttpRequesterIdentity httpRequestIdentity = 
HttpRequesterIdentity.fromRequest(request);
 
+    // default authorization handling
     if (!accessControl.hasAccess(httpRequestIdentity)) {
       throw new WebApplicationException("Failed access check for " + 
httpRequestIdentity.getEndpointUrl(),
           Response.Status.FORBIDDEN);
     }
+
+    handleFinerGrainAuth(endpointMethod, uriInfo, accessControl, 
httpRequestIdentity);
+  }
+
+  /**
+   * Check for finer grain authorization of APIs.
+   * There are 2 possible cases:
+   * 1. {@link Authorize} annotation is present on the method. In this case, 
do the finer grain authorization using the
+   *    fields of the annotation. There are 2 possibilities depending on the 
targetType ({@link TargetType}):
+   *    a. The targetType is {@link TargetType#CLUSTER}. In this case, the 
paramName field
+   *       ({@link Authorize#paramName()}) is not used, since the target is 
the Pinot cluster.
+   *    b. The targetType is {@link TargetType#TABLE}. In this case, the 
paramName field
+   *       ({@link Authorize#paramName()}) is mandatory, and it must be found 
in either the path parameters or the
+   *       query parameters.
+   * 2. {@link Authorize} annotation is not present on the method. In this use 
the default authorization.
+   *
+   * @param endpointMethod of the API
+   * @param uriInfo of the API
+   * @param accessControl to check the access
+   * @param httpRequestIdentity of the requester
+   */
+  private void handleFinerGrainAuth(Method endpointMethod, UriInfo uriInfo, 
AccessControl accessControl,

Review Comment:
   Added an interface for fine-grained access control to avoid code duplication 
in controller and broker request filters.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@pinot.apache.org
For additional commands, e-mail: commits-h...@pinot.apache.org

Reply via email to