Add policy config to allow sanity-check on policy in data nodes #17774
Conversation
cecemei
changed the title
| @JsonProperty("0") APPLY_WHEN_APPLICABLE(0f), | ||
| @JsonProperty("2.0f") POLICY_CHECKED_ON_ALL_TABLES_POLICY_MUST_EXIST(2.0f); |
There was a problem hiding this comment.
why is securityLevel a float?
what does 2.0f mean?
|
|
||
| public boolean allowPolicy(@Nonnull Policy policy) | ||
| { | ||
| return allowedPolicies.isEmpty() || allowedPolicies.contains(policy.getClass().getSimpleName()); |
There was a problem hiding this comment.
I was not expecting SimpleName trick here...
it seems to me that this kinda sets it in stone that a Policy may not have any state
can you please add a validation that when the PolicyConfig is created its ensured that allowedPolicies are possibly exisitng Policy-s
| * | ||
| * @see TablePolicySecurityLevel | ||
| */ | ||
| @JsonProperty |
There was a problem hiding this comment.
its odd to see that both the field and the corresponding method has @JsonProperty
| @@ -37,6 +37,7 @@ | |||
| import org.apache.druid.segment.loading.StorageLocationConfig; | |||
| import org.apache.druid.server.SegmentManager; | |||
| import org.apache.druid.server.metrics.DataSourceTaskIdHolder; | |||
| import org.apache.druid.test.utils.TestSegmentCacheManager; | |||
There was a problem hiding this comment.
nit: are there any relevant changes in this file beyond this import?
do we need all those indentation changes?
| serverConfig = new ServerConfig(); | ||
| authConfig = new AuthConfig(); | ||
|
|
||
| Guice.createInjector(BoundFieldModule.of(this)).injectMembers(this); |
There was a problem hiding this comment.
instead of BoundFieldModule - would it be possible to create the injector and populate the necessary fields from that?
| if (!(theQuery instanceof SegmentMetadataQuery) | ||
| && !dataSourceFromQuery.validate(authConfig.getTableSecurityPolicyConfig())) { | ||
| throw new ISE("Failed security validation with dataSource [%s]", dataSourceFromQuery); | ||
| } |
There was a problem hiding this comment.
I think instead of an insteanceof there could be a Query#validate which would dispatch it correctly - but for SegmentMetadataQuery that's overriden.
| /** | ||
| * Defines how strict we want to enforce the policy on tables during query execution process. | ||
| * <ol> | ||
| * <li>{@code APPLY_WHEN_APPLICABLE}, the most basic level, restriction is applied whenever seen fit. |
There was a problem hiding this comment.
I think this line should be an apidoc on the enum value
| */ | ||
| public enum TablePolicySecurityLevel | ||
| { | ||
| @JsonProperty("0") APPLY_WHEN_APPLICABLE(0f), |
There was a problem hiding this comment.
I believe this name is a bit unfortunate; I feel like this wants to be something like "allow all when not blocked"
if yes then it could be: ALLOW_MISSING_POLICY
| * Defines how strict we want to enforce the policy on tables during query execution process. | ||
| * <ol> | ||
| * <li>{@code APPLY_WHEN_APPLICABLE}, the most basic level, restriction is applied whenever seen fit. | ||
| * <li>{@code POLICY_CHECKED_ON_ALL_TABLES_POLICY_MUST_EXIST}, every table must have a policy when requests come from external users. |
There was a problem hiding this comment.
I think a shorter one would be: MANDATORY ; or ENFORCED
| * Returns true if the security level requires that, every table must have a policy during query execution stage, | ||
| * this means the table must have a non-empty value in the policy map. | ||
| */ | ||
| public boolean policyMustBeCheckedAndExistOnAllTables() |
There was a problem hiding this comment.
I was wondering about an alternate way of implementing this:
PolicyConfigis a dispatcher- it has a list of
PolicyValidator-s ; maybe those classes are instantiated with the default constructor? - the
allowPolicyand other methods are dispatched to the ones below PolicyConfigcould also implement thePolicyValidatoryinterface
I was also wondering if the whole PolicyConfig is a too much - wouldn't it be enough to enable the users to just bind a PolicyValidator they want to use; by specifying its classname somehow - and leave the dispatch or not / etc problems alone :)
|
left a few comments; happy to talk about it further! |
Description
Added
PolicyConfigclass, and data server can reject query based on the config. E.x. if config set toPOLICY_CHECKED_ON_ALL_TABLES_POLICY_MUST_EXIST, querying onTableDataSourcedirectly would be rejected.Also refactored
ServerManagerTestto use Guice bindings (new test dependency), andTestSegmentCacheManagerfor loading segments.Key changed/added classes in this PR
PolicyConfigServerManagerTestThis PR has: