soumitra-st commented on PR #11501: URL: https://github.com/apache/pinot/pull/11501#issuecomment-1714295784
@Jackie-Jiang Pinot has [Broker](https://github.com/apache/pinot/blob/61dcea6b71a99746805bc7f322daed67f9bce265/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java#L48) and [Controller](https://github.com/apache/pinot/blob/61dcea6b71a99746805bc7f322daed67f9bce265/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java#L50) request filters for validating permission, i.e. authorization. Arguably, the return type is 403 for them. However, within the implementation of various hasAccess methods, we first check authentication, then authorization, and authN failures should be returned as 401, and authZ failures as 403. This requires a cleanup in Pinot interfaces and implementation. As a short term fix, this PR looks ok, but we need to resolve it cleanly to return 401 and 403 appropriately.
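The authN-then-authZ ordering the comment describes, as an added illustration that is not Pinot's code: a single-boolean `hasAccess` collapses every failure into 403, while a split check short-circuits with 401 before any permission lookup. The token table and per-table permissions are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (not Pinot's): bearer token -> principal, and
# principal -> set of tables that principal may query.
TOKENS = {"tok-alice": "alice", "tok-bob": "bob"}
PERMISSIONS = {"alice": {"orders", "users"}, "bob": {"orders"}}


@dataclass
class Decision:
    status: int                      # HTTP status the filter would return: 200, 401 or 403
    principal: Optional[str] = None  # resolved identity, when authentication succeeded


def authenticate(authorization_header: Optional[str]) -> Optional[str]:
    """Stage 1 (authN): map a bearer token to a principal; None when it fails."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    return TOKENS.get(authorization_header[len("Bearer "):])


def authorize(principal: str, table: str) -> bool:
    """Stage 2 (authZ): may this already-authenticated principal read the table?"""
    return table in PERMISSIONS.get(principal, set())


def has_access_collapsed(authorization_header: Optional[str], table: str) -> Decision:
    """The shape the comment argues against: the filter only sees one boolean,
    so a missing token and a missing permission both surface as 403."""
    principal = authenticate(authorization_header)
    ok = principal is not None and authorize(principal, table)
    return Decision(200 if ok else 403, principal)


def has_access_split(authorization_header: Optional[str], table: str) -> Decision:
    """The cleaned-up shape: authentication is checked first and fails with 401;
    only an authenticated principal reaches the permission check, which fails with 403."""
    principal = authenticate(authorization_header)
    if principal is None:
        return Decision(401)
    if not authorize(principal, table):
        return Decision(403, principal)
    return Decision(200, principal)
```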