abhioncbr commented on PR #11501: URL: https://github.com/apache/pinot/pull/11501#issuecomment-1714629766
> @Jackie-Jiang, Pinot has [Broker](https://github.com/apache/pinot/blob/61dcea6b71a99746805bc7f322daed67f9bce265/pinot-broker/src/main/java/org/apache/pinot/broker/broker/AuthenticationFilter.java#L48) and [Controller](https://github.com/apache/pinot/blob/61dcea6b71a99746805bc7f322daed67f9bce265/pinot-controller/src/main/java/org/apache/pinot/controller/api/access/AuthenticationFilter.java#L50) request filters for validating permission, i.e. authorization. Arguably, the return type is 403 for them. However, within the implementation of various hasAccess methods, we first check authentication, then authorization, and authN failures should be returned as 401, and authZ failures as 403.
>
> This requires a cleanup in Pinot interfaces and implementation. As a short-term fix, this PR looks ok, but we need to resolve it cleanly to return 401 and 403 appropriately.

Thanks @soumitra-st. Do we have any issues/documents related to the long-term fix? Also, can we hardcode `Basic` for the 401 Authorization challenge for the short-term fix?
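The ordering the thread describes (authenticate first, answer 401 with a `Basic` challenge; only then authorize, answer 403), modelled as a plain-Python request filter. This is an added illustration, not Pinot's Java filter code; the user table, grants and the `pinot` realm name are constructed sample values.

```python
import base64
import hmac

# Constructed sample data (not Pinot's configuration): user -> password, user -> permissions.
USERS = {"admin": "admin-secret", "reader": "reader-secret"}
GRANTS = {"admin": {"READ", "WRITE"}, "reader": {"READ"}}
REALM = "pinot"  # assumed realm name for the challenge

# The 401 response carries the Basic challenge so clients know how to authenticate.
CHALLENGE = {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authenticate(headers):
    """Return the principal for a valid Basic Authorization header, else None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        user, _, password = base64.b64decode(token, validate=True).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):  # malformed base64 or bytes
        return None
    expected = USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def authorize(user, permission):
    """Authorization is only meaningful once the principal is known."""
    return permission in GRANTS.get(user, set())


def filter_request(headers, required_permission):
    """authN failure -> 401 plus challenge; authZ failure -> 403; otherwise 200."""
    user = authenticate(headers)
    if user is None:
        return 401, dict(CHALLENGE)
    if not authorize(user, required_permission):
        return 403, {}
    return 200, {}


def basic_auth_header(user, password):
    """Build the request header a Basic-auth client would send (test helper)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    print(filter_request({}, "READ"))                                          # (401, challenge)
    print(filter_request(basic_auth_header("reader", "reader-secret"), "WRITE"))  # (403, {})
```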