Add additional context about the authorization request that can be passed to Authorizer #19247
Open
maytasm wants to merge 1 commit into apache:master from
…itted with metrics
Add additional context about the authorization request that can be passed to Authorizer
Description
Currently, the Authorizer#authorize interface only accepts AuthenticationResult, Resource, and Action, which provides no context about where an authorization request originated. As a result, authorization requests for the same resource from different code paths look identical. For example, an authorization request for a resource initiated by a user query is indistinguishable from one initiated by a SystemSchema request triggered by the UI.

This becomes a problem when analyzing authorization denials. If a user wants to investigate denials for their datasource, those denials are aggregated with denials from SystemSchema/InformationSchema, making it difficult to distinguish genuine unauthorized access attempts from routine internal checks. When a user refreshes the UI, it iterates over all datasources and issues an internal authorization check for each one; this happens in many places, such as the Supervisors tab, Query tab, and others. As a result, metrics emitted by the Authorizer (such as authorization outcomes) become noisy, since denials from internal UI-driven checks are mixed together with denials from actual user queries.

This change adds an optional Map<String, Object> context parameter to Authorizer#authorize. Callers such as InformationSchema and SystemSchema populate this context map with a callerPath key to indicate the source of the authorization request. This context can then be included in the metrics emitted by Authorizer#authorize, allowing users to filter out internal authorization checks from user-initiated ones.

Key changed/added classes in this PR
server/src/main/java/org/apache/druid/server/security/Authorizer.java
server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java
sql/src/main/java/org/apache/druid/sql/calcite/schema/InformationSchema.java
sql/src/main/java/org/apache/druid/sql/calcite/schema/SystemSchema.java

This PR has:
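
The pattern described above, sketched as an added example that is not code from this PR or from Druid: every type here is a hypothetical stand-in, and the `callerPath` values and policy are constructed. It shows a context-aware overload that stays backward compatible, a metric event tagged with `callerPath`, and the denial count with and without schema-driven checks.

```java
import java.util.*;

// Added illustration; hypothetical stand-in types, not Druid's classes.
public class CallerPathAuthzDemo {
  record Access(boolean allowed) {}

  interface Authorizer {
    // Original shape: identity, resource, action.
    Access authorize(String identity, String resource, String action);

    // Context-aware overload; delegating by default keeps existing implementations working.
    default Access authorize(String identity, String resource, String action, Map<String, Object> context) {
      return authorize(identity, resource, action);
    }
  }

  // Wraps an Authorizer and records one metric event per decision, tagged with callerPath.
  static class MeteredAuthorizer implements Authorizer {
    final Authorizer delegate;
    final List<Map<String, Object>> events = new ArrayList<>();
    MeteredAuthorizer(Authorizer delegate) { this.delegate = delegate; }

    @Override
    public Access authorize(String identity, String resource, String action) {
      return authorize(identity, resource, action, Map.of());
    }

    @Override
    public Access authorize(String identity, String resource, String action, Map<String, Object> context) {
      Access access = delegate.authorize(identity, resource, action, context);
      // Callers that supply no callerPath are recorded as "unspecified".
      String callerPath = String.valueOf(context.getOrDefault("callerPath", "unspecified"));
      events.add(Map.of("resource", resource, "allowed", access.allowed(), "callerPath", callerPath));
      return access;
    }
  }

  public static void main(String[] args) {
    // Constructed policy: alice may read only "wikipedia".
    Authorizer policy = (id, res, act) -> new Access(id.equals("alice") && res.equals("wikipedia"));
    MeteredAuthorizer authz = new MeteredAuthorizer(policy);
    // A UI refresh checks every datasource through the schema path (constructed callerPath value).
    for (String ds : List.of("wikipedia", "billing", "audit")) {
      authz.authorize("alice", ds, "READ", Map.of("callerPath", "SystemSchema"));
    }
    // A direct user query against a datasource alice cannot read; no callerPath supplied.
    authz.authorize("alice", "billing", "READ");

    Set<String> internal = Set.of("SystemSchema", "InformationSchema");
    long allDenials = authz.events.stream().filter(e -> Boolean.FALSE.equals(e.get("allowed"))).count();
    long userDenials = authz.events.stream().filter(e -> Boolean.FALSE.equals(e.get("allowed"))
        && !internal.contains(e.get("callerPath"))).count();
    System.out.println("all denials=" + allDenials + ", excluding schema checks=" + userDenials);
  }
}
```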