Open rodolphogarrido opened 1 year ago
Thanks for reporting the issue!
This framework is controller by the Authenticate
annotation, and I do see it added for these ZK APIs (In ZookeeperResource
introduced in #6507), so I don't know why the check is bypassed.
@sajjad-moradi Does it work properly in your environment?
It should, but we're using a custom AccessControl in our environment (auth token is not used)!
I just debugged and stepped through AuthenticationFilter
for PUT /zk/putChildren
endpoint, and it hits the right method for authentication:
Maybe something has changed for token based authentication 🤷
I was testing the ACL feature based on this doc, and everything is working fine regarding table/schema operations (CREATE, READ, UPDATE, DELETE), but I found that if I call any other endpoint that is not related to a table operation using an user that should only have READ access to tables, such as a PUT, DELETE, GET and POST in endpoints like
/zk
,/instances/
, this user is allowed to perform the operation.Is this the intended behavior or only for table access control? I feel it could lead to a potential problem for our cluster if users decides to call these endpoints without the knowledge of what they are doing (I was even able to delete the cluster path in Zk). In our use case we'll be managing Pinot and having it as a service for other teams and thus we don't intend to let users update any config that isn't related to their own table.
Cluster ACL configs:
Controller ACL conf:
Server ACL conf:
Broker ACL conf:
Minion ACL conf:
Example of working endpoint calls (which I expected not to be allowed):
for instance in ${instances[@]}; do curl -X PUT \ "http://localhost:9000/instances/${instance}/updateTags?tags=server_untagged&updateBrokerResource=false" \ -H "accept: application/json" \ -u user:secret done
This obviously destroyed the cluster.
General cluster info
Apache Pinot version: 0.12.1
Thank you very much!