FrankChen021 commented on code in PR #19552:
URL: https://github.com/apache/druid/pull/19552#discussion_r3369496081


##########
server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java:
##########
@@ -90,6 +96,13 @@ public static void verifyUnrestrictedAccessToDatasource(
     ResourceAction resourceAction = createDatasourceResourceAction(datasource, 
req);
     AuthorizationResult authResult = authorizeResourceAction(req, 
resourceAction, authorizerMapper);
     if (!authResult.allowAccessWithNoRestriction()) {
+      emitAuthMetric(
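
Review bot: it is unclear which layer owns metric emission on this path. The emitAuthMetric( call at the top of the if (!authResult.allowAccessWithNoRestriction()) branch runs after authorizeResourceAction has already returned, so anything that call emits for the same request would be counted again here. Document the intended owner in a comment above the call, and add a test asserting that one rejected request produces exactly one event.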

Review Comment:
   [P2] Avoid double-counting datasource denial metrics
   
   When a datasource request is denied, verifyUnrestrictedAccessToDatasource 
first calls authorizeResourceAction, which now emits auth/accessDenied from 
authorizeAllResourceActions when the authorizer returns a denial. The new emit 
here then records the same denial again before throwing ForbiddenException, so 
endpoints using this helper double-count access-denied metrics whenever 
druid.auth.emitAuthMetrics=true. Emit here only for the allowed-but-restricted 
case, or keep access-denied emission in one layer.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
