Re: [PR] Add remote address tracking for JDBC/Avatica SQL queries (druid)

Fri, 24 Apr 2026 22:13:57 -0700 


FrankChen021 commented on code in PR #19231:
URL: https://github.com/apache/druid/pull/19231#discussion_r3141492685


##########
sql/src/main/java/org/apache/druid/sql/avatica/DruidMeta.java:
##########
@@ -804,6 +816,11 @@ private DruidConnection openDruidConnection(
       final Map<String, Object> context
   )
   {
+    String remoteAddress = THREAD_LOCAL_REMOTE_ADDRESS.get();
+    if (remoteAddress != null) {
+      context.put("remoteAddress", remoteAddress);

Review Comment:
   [P2] Internal remoteAddress is treated as a user context key
   
   This adds remoteAddress to the JDBC session context before 
SqlQueryPlus.withContext(..., sessionContext) derives authContextKeys from 
sessionContext.keySet(). In clusters with query context authorization enabled, 
remoteAddress is not in AuthConfig.ALLOWED_CONTEXT_KEYS, so ordinary Avatica 
queries can now require WRITE permission on QUERY_CONTEXT remoteAddress even 
though the server, not the user, injected it. Pass this value outside the user 
context or mark it as an allowed internal key.



##########
sql/src/main/java/org/apache/druid/sql/avatica/DruidAvaticaJsonHandler.java:
##########
@@ -66,6 +66,9 @@ public DruidAvaticaJsonHandler(
   public boolean handle(Request request, Response response, Callback callback) 
throws Exception
   {
     String requestURI = request.getHttpURI().getPath();
+    String remoteAddr = Request.getRemoteAddr(request);

Review Comment:
   [P2] Remote address is still missing for protobuf Avatica clients
   
   This only captures the remote address in the JSON handler, but Druid also 
exposes the protobuf Avatica endpoint and DruidAvaticaProtobufHandlerTest runs 
the same JDBC coverage with serialization=protobuf. Protobuf requests never set 
THREAD_LOCAL_REMOTE_ADDRESS, so openDruidConnection leaves remoteAddress absent 
and JDBC/protobuf queries still emit null remoteAddress, leaving half of the 
Avatica API unfixed.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to