Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Return forbidden when authorization fails for sql query canceling (#11710) 

Switching http response code for authorization failures for sql query canceling to match to sql query posting.
This commit is contained in:
Jihoon Son 2021-09-15 03:32:19 -07:00 committed by GitHub
parent 7220d0466b
commit 0cbd71ebda
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 45 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
sql/src/main/java/org/apache/druid/sql/http/SqlResource.java
View File

@ -268,8 +268,7 @@ public class SqlResource
lifecycles.forEach(SqlLifecycle::cancel); lifecycles.forEach(SqlLifecycle::cancel);
return Response.status(Status.ACCEPTED).build(); return Response.status(Status.ACCEPTED).build();
} else { } else {
// Return 404 for authorization failures as well return Response.status(Status.FORBIDDEN).build();
return Response.status(Status.NOT_FOUND).build();
} }
} }
} }

52
sql/src/test/java/org/apache/druid/sql/http/SqlResourceTest.java
View File

@ -61,6 +61,7 @@ import org.apache.druid.server.metrics.NoopServiceEmitter;
import org.apache.druid.server.scheduling.HiLoQueryLaningStrategy; import org.apache.druid.server.scheduling.HiLoQueryLaningStrategy;
import org.apache.druid.server.scheduling.ManualQueryPrioritizationStrategy; import org.apache.druid.server.scheduling.ManualQueryPrioritizationStrategy;
import org.apache.druid.server.security.AuthConfig; import org.apache.druid.server.security.AuthConfig;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.ForbiddenException; import org.apache.druid.server.security.ForbiddenException;
import org.apache.druid.sql.SqlLifecycle; import org.apache.druid.sql.SqlLifecycle;
import org.apache.druid.sql.SqlLifecycleFactory; import org.apache.druid.sql.SqlLifecycleFactory;
@ -986,7 +987,7 @@ public class SqlResourceTest extends CalciteTestBase
ImmutableMap.of("priority", -5, "sqlQueryId", sqlQueryId), ImmutableMap.of("priority", -5, "sqlQueryId", sqlQueryId),
null null
), ),
makeExpectedReq() makeRegularUserReq()
); );
} }
catch (Exception e) { catch (Exception e) {
@ -1053,7 +1054,7 @@ public class SqlResourceTest extends CalciteTestBase
Future<Response> future = executorService.submit( Future<Response> future = executorService.submit(
() -> resource.doPost( () -> resource.doPost(
createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"), createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"),
makeExpectedReq() makeRegularUserReq()
) )
); );
Assert.assertTrue(validateAndAuthorizeLatch.await(1, TimeUnit.SECONDS)); Assert.assertTrue(validateAndAuthorizeLatch.await(1, TimeUnit.SECONDS));
@ -1084,7 +1085,7 @@ public class SqlResourceTest extends CalciteTestBase
Future<Response> future = executorService.submit( Future<Response> future = executorService.submit(
() -> resource.doPost( () -> resource.doPost(
createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"), createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"),
makeExpectedReq() makeRegularUserReq()
) )
); );
Assert.assertTrue(planLatch.await(1, TimeUnit.SECONDS)); Assert.assertTrue(planLatch.await(1, TimeUnit.SECONDS));
@ -1114,7 +1115,7 @@ public class SqlResourceTest extends CalciteTestBase
Future<Response> future = executorService.submit( Future<Response> future = executorService.submit(
() -> resource.doPost( () -> resource.doPost(
createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"), createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM foo"),
makeExpectedReq() makeRegularUserReq()
) )
); );
Assert.assertTrue(planLatch.await(1, TimeUnit.SECONDS)); Assert.assertTrue(planLatch.await(1, TimeUnit.SECONDS));
@ -1128,6 +1129,31 @@ public class SqlResourceTest extends CalciteTestBase
Assert.assertEquals(Status.OK.getStatusCode(), response.getStatus()); Assert.assertEquals(Status.OK.getStatusCode(), response.getStatus());
} }
@Test
public void testCancelForbidden() throws Exception
{
final String sqlQueryId = "toCancel";
CountDownLatch planLatch = new CountDownLatch(1);
planLatchSupplier.set(new NonnullPair<>(planLatch, true));
CountDownLatch execLatch = new CountDownLatch(1);
executeLatchSupplier.set(new NonnullPair<>(execLatch, false));
Future<Response> future = executorService.submit(
() -> resource.doPost(
createSimpleQueryWithId(sqlQueryId, "SELECT DISTINCT dim1 FROM forbiddenDatasource"),
makeSuperUserReq()
)
);
Assert.assertTrue(planLatch.await(1, TimeUnit.SECONDS));
Response response = resource.cancelQuery(sqlQueryId, mockRequestForCancel());
Assert.assertEquals(Status.FORBIDDEN.getStatusCode(), response.getStatus());
Assert.assertFalse(lifecycleManager.getAll(sqlQueryId).isEmpty());
execLatch.countDown();
response = future.get();
Assert.assertEquals(Status.OK.getStatusCode(), response.getStatus());
}
@SuppressWarnings("unchecked") @SuppressWarnings("unchecked")
private void checkSqlRequestLog(boolean success) private void checkSqlRequestLog(boolean success)
{ {
@ -1222,24 +1248,34 @@ public class SqlResourceTest extends CalciteTestBase
} }
} }
private HttpServletRequest makeExpectedReq() private HttpServletRequest makeSuperUserReq()
{
return makeExpectedReq(CalciteTests.SUPER_USER_AUTH_RESULT);
}
private HttpServletRequest makeRegularUserReq()
{
return makeExpectedReq(CalciteTests.REGULAR_USER_AUTH_RESULT);
}
private HttpServletRequest makeExpectedReq(AuthenticationResult authenticationResult)
{ {
HttpServletRequest req = EasyMock.createStrictMock(HttpServletRequest.class); HttpServletRequest req = EasyMock.createStrictMock(HttpServletRequest.class);
EasyMock.expect(req.getRemoteAddr()).andReturn(null).once(); EasyMock.expect(req.getRemoteAddr()).andReturn(null).once();
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)) EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
.andReturn(CalciteTests.REGULAR_USER_AUTH_RESULT) .andReturn(authenticationResult)
.anyTimes(); .anyTimes();
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes(); EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)) EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
.andReturn(null) .andReturn(null)
.anyTimes(); .anyTimes();
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)) EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
.andReturn(CalciteTests.REGULAR_USER_AUTH_RESULT) .andReturn(authenticationResult)
.anyTimes(); .anyTimes();
req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true); req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().anyTimes(); EasyMock.expectLastCall().anyTimes();
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)) EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
.andReturn(CalciteTests.REGULAR_USER_AUTH_RESULT) .andReturn(authenticationResult)
.anyTimes(); .anyTimes();
EasyMock.replay(req); EasyMock.replay(req);
return req; return req;