maytasm opened a new pull request, #19247:
URL: https://github.com/apache/druid/pull/19247
Add additional context about the authorization request that can be passed to
Authorizer
### Description
Currently, the `Authorizer#authorize` interface only accepts
`AuthenticationResult`, `Resource`, and `Action`, which provides no context
about where an authorization request originated. As a result, authorization
requests for the same resource from different code paths look identical. For
example, an authorization request for a resource initiated by a user query is
indistinguishable from one initiated by a `SystemSchema` request triggered by
the UI.
This becomes a problem when analyzing authorization denials. If a user wants
to investigate denials for their datasource, those denials are aggregated with
denials from `SystemSchema`/`InformationSchema`, making it difficult to
distinguish genuine unauthorized access attempts from routine internal checks.
When a user refreshes the UI, it iterates over all datasources and issues an
internal authorization check for each one; this happens in many places, such as
the Supervisors tab, Query tab, and others. As a result, metrics emitted by the
`Authorizer` (such as authorization outcomes) become noisy, since denials from
internal UI-driven checks are mixed together with denials from actual user
queries.
This change adds an optional `Map<String, Object>` `context` parameter to
`Authorizer#authorize`. Callers such as `InformationSchema` and `SystemSchema`
populate this context map with a `callerPath` key to indicate the source of the
authorization request. This context can then be included in the metrics emitted
by `Authorizer#authorize`, allowing users to filter out internal authorization
checks from user-initiated ones.
##### Key changed/added classes in this PR
* `server/src/main/java/org/apache/druid/server/security/Authorizer.java`
*
`server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java`
*
`sql/src/main/java/org/apache/druid/sql/calcite/schema/InformationSchema.java`
* `sql/src/main/java/org/apache/druid/sql/calcite/schema/SystemSchema.java`
This PR has:
- [x] been self-reviewed.
- [ ] using the [concurrency
checklist](https://github.com/apache/druid/blob/master/dev/code-review/concurrency.md)
(Remove this item if the PR doesn't have any relation to concurrency.)
- [x] added documentation for new or modified features or behaviors.
- [ ] a release note entry in the PR description.
- [x] added Javadocs for most classes and all non-trivial methods. Linked
related entities via Javadoc links.
- [ ] added or updated version, license, or notice information in
[licenses.yaml](https://github.com/apache/druid/blob/master/dev/license.md)
- [x] added comments explaining the "why" and the intent of the code
wherever would not be obvious for an unfamiliar reader.
- [x] added unit tests or modified existing tests to cover new code paths,
ensuring the threshold for [code
coverage](https://github.com/apache/druid/blob/master/dev/code-review/code-coverage.md)
is met.
- [ ] added integration tests.
- [x] been tested in a test Druid cluster.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
