johannesploetner opened a new issue, #14266:
URL: https://github.com/apache/pinot/issues/14266

   In Pinot 1.2.0, user creation via REST API seems broken when 
"ZkBasicAuthAccessControlFactory" is activated.
   
   How to reproduce:
   
   - start pinot 1.2.0 (i.e. using docker-compose) and with 
"ZkBasicAuthAccessControlFactory" enabled.
   - create a schema and a table (can be empty in terms of: no data required)
   - create a "BROKER" User via the API: 
      ```
      curl -X 'POST' \
       'http://localhost:9000/users' \
       -H 'accept: application/json' \
       -H 'Authorization: YWRtaW46YWRtaW4=' \
       -H 'Content-Type: application/json' \
       -d '{
       "username": "test",
       "password": "test",
       "component": "BROKER",
       "role": "USER",
       "permissions": [
         "READ"
       ],
       "tables": [
         "ALL"
       ]
     }
     '
     ```
   - you can check the "User Console" in the Controller UI now if you want. It 
looks like the user has been created correctly. "READ" Rights have been 
assigned for "ALL" tables for this broker user.
   - try to make a query using this user via the API:
     ```
     export AUTH_HEADER=`echo -n 'test:test' | base64`
     curl -H "Content-Type: application/json" -H "Authorization: $AUTH_HEADER" -X POST \
      -d '{"sql":"select * from offline_table_example_OFFLINE limit 10"}' \
      http://localhost:8099/query/sql
      {"code":403,"error":"Permission denied.Reason: Authorization Failed for tables: [offline_table_example_OFFLINE]"}%
     ```
     That looks already wrong, as the user should have access to "ALL" tables.
   - Now buckle up, as we're going to fix this: Go to the "User Console" in the 
Controller UI, "edit" the user. In the "tables" section, remove the activated 
checkbox for "ALL" - and check it again. Submit your changes. (There weren't 
really any changes, but still.)
   - Now try the exact same "curl" again:
     ```
     curl -H "Content-Type: application/json" -H "Authorization: $AUTH_HEADER" -X POST \
      -d '{"sql":"select * from offline_table_example_OFFLINE limit 10"}' \
      http://localhost:8099/query/sql

     {"numRowsResultSet":0,"partialResult":false,"exceptions":[],"numGroupsLimitReached":false,"timeUsedMs":1,"requestId":"1429030164000000006","brokerId":"Broker_67d510247f83_8099","numDocsScanned":0,"totalDocs":0,"numEntriesScannedInFilter":0,"numEntriesScannedPostFilter":0,"numServersQueried":0,"numServersResponded":0,"numSegmentsQueried":0,"numSegmentsProcessed":0,"numSegmentsMatched":0,"numConsumingSegmentsQueried":0,"numConsumingSegmentsProcessed":0,"numConsumingSegmentsMatched":0,"minConsumingFreshnessTimeMs":0,"numSegmentsPrunedByBroker":0,"numSegmentsPrunedByServer":0,"numSegmentsPrunedInvalid":0,"numSegmentsPrunedByLimit":0,"numSegmentsPrunedByValue":0,"brokerReduceTimeMs":0,"offlineThreadCpuTimeNs":0,"realtimeThreadCpuTimeNs":0,"offlineSystemActivitiesCpuTimeNs":0,"realtimeSystemActivitiesCpuTimeNs":0,"offlineResponseSerializationCpuTimeNs":0,"realtimeResponseSerializationCpuTimeNs":0,"offlineTotalCpuTimeNs":0,"realtimeTotalCpuTimeNs":0,"explainPlanNumEmptyFilterSegments":0,"explainPlanNumMatchAllFilterSegments":0,"traceInfo":{}}%
     ```
     Now we got a response...
   
   Unfortunately, this breaks our automation for user creation via the API. Can 
we get a fix?

