mirror of https://github.com/apache/druid.git
Enforce allow list for JDBC properties by default (#11063)
* Enforce allow list for JDBC properties by default * fix tests
parent
053af6815d
commit
cc12a57034
|
@ -537,7 +537,7 @@ the [HTTP input source](../ingestion/native-batch.md#http-input-source) and the
|
||||||
|`druid.ingestion.http.allowedProtocols`|List of protocols|Allowed protocols for the HTTP input source and HTTP firehose.|["http", "https"]|
|
|`druid.ingestion.http.allowedProtocols`|List of protocols|Allowed protocols for the HTTP input source and HTTP firehose.|["http", "https"]|
|
||||||
|
|
||||||
|
|
||||||
### Ingestion Security Configuration
|
### External Data Access Security Configuration
|
||||||
|
|
||||||
#### JDBC Connections to External Databases
|
#### JDBC Connections to External Databases
|
||||||
|
|
||||||
|
@ -551,7 +551,7 @@ These properties do not apply to metadata storage connections.
|
||||||
|
|
||||||
|Property|Possible Values|Description|Default|
|
|Property|Possible Values|Description|Default|
|
||||||
|--------|---------------|-----------|-------|
|
|--------|---------------|-----------|-------|
|
||||||
|`druid.access.jdbc.enforceAllowedProperties`|Boolean|When true, Druid applies `druid.access.jdbc.allowedProperties` to JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:`. When false, Druid allows any kind of JDBC connections without JDBC property validation. This config is deprecated and will be removed in a future release.|false|
|
|`druid.access.jdbc.enforceAllowedProperties`|Boolean|When true, Druid applies `druid.access.jdbc.allowedProperties` to JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:`. When false, Druid allows any kind of JDBC connections without JDBC property validation. This config is for backward compatibility especially during upgrades since enforcing allow list can break existing ingestion jobs or lookups based on JDBC. This config is deprecated and will be removed in a future release.|true|
|
||||||
|`druid.access.jdbc.allowedProperties`|List of JDBC properties|Defines a list of allowed JDBC properties. Druid always enforces the list for all JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:` if `druid.access.jdbc.enforceAllowedProperties` is set to true.<br/><br/>This option is tested against MySQL connector 5.1.48 and PostgreSQL connector 42.2.14. Other connector versions might not work.|["useSSL", "requireSSL", "ssl", "sslmode"]|
|
|`druid.access.jdbc.allowedProperties`|List of JDBC properties|Defines a list of allowed JDBC properties. Druid always enforces the list for all JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:` if `druid.access.jdbc.enforceAllowedProperties` is set to true.<br/><br/>This option is tested against MySQL connector 5.1.48 and PostgreSQL connector 42.2.14. Other connector versions might not work.|["useSSL", "requireSSL", "ssl", "sslmode"]|
|
||||||
|`druid.access.jdbc.allowUnknownJdbcUrlFormat`|Boolean|When false, Druid only accepts JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:`. When true, Druid allows JDBC connections to any kind of database, but only enforces `druid.access.jdbc.allowedProperties` for PostgreSQL and MySQL.|true|
|
|`druid.access.jdbc.allowUnknownJdbcUrlFormat`|Boolean|When false, Druid only accepts JDBC connections starting with `jdbc:postgresql:` or `jdbc:mysql:`. When true, Druid allows JDBC connections to any kind of database, but only enforces `druid.access.jdbc.allowedProperties` for PostgreSQL and MySQL.|true|
|
||||||
|
|
||||||
|
|
|
@ -184,6 +184,12 @@ public class MySQLFirehoseDatabaseConnectorTest
|
||||||
{
|
{
|
||||||
return ImmutableSet.of("user", "nonenone");
|
return ImmutableSet.of("user", "nonenone");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isEnforceAllowedProperties()
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
new MySQLFirehoseDatabaseConnector(
|
new MySQLFirehoseDatabaseConnector(
|
||||||
|
@ -205,13 +211,12 @@ public class MySQLFirehoseDatabaseConnectorTest
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
MySQLFirehoseDatabaseConnector connector = new MySQLFirehoseDatabaseConnector(
|
expectedException.expect(IllegalArgumentException.class);
|
||||||
|
expectedException.expectMessage(StringUtils.format("Invalid URL format for MySQL: [%s]", url));
|
||||||
|
new MySQLFirehoseDatabaseConnector(
|
||||||
connectorConfig,
|
connectorConfig,
|
||||||
new JdbcAccessSecurityConfig()
|
new JdbcAccessSecurityConfig()
|
||||||
);
|
);
|
||||||
expectedException.expect(IllegalArgumentException.class);
|
|
||||||
expectedException.expectMessage(StringUtils.format("Invalid URL format for MySQL: [%s]", url));
|
|
||||||
connector.findPropertyKeysFromConnectURL(url);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
private static JdbcAccessSecurityConfig newSecurityConfigEnforcingAllowList(Set<String> allowedProperties)
|
private static JdbcAccessSecurityConfig newSecurityConfigEnforcingAllowList(Set<String> allowedProperties)
|
||||||
|
|
|
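Review bot: The new `isEnforceAllowedProperties()` override returning `false` in the first hunk turns the allow-list check off for that test without saying why. Now that the production default is `true`, a reader can easily mistake it for a leftover rather than a deliberate choice. A one-line comment above the override would make the intent explicit, for example `// Enforcement is disabled on purpose: this case covers the deprecated non-enforcing path.` That is presumably what the test checks; its name and opening lines are outside the hunk. The same override is added to PostgresqlFirehoseDatabaseConnectorTest and deserves the same comment.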
@ -183,6 +183,12 @@ public class PostgresqlFirehoseDatabaseConnectorTest
|
||||||
{
|
{
|
||||||
return ImmutableSet.of("user", "nonenone");
|
return ImmutableSet.of("user", "nonenone");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@Override
|
||||||
|
public boolean isEnforceAllowedProperties()
|
||||||
|
{
|
||||||
|
return false;
|
||||||
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
new PostgresqlFirehoseDatabaseConnector(
|
new PostgresqlFirehoseDatabaseConnector(
|
||||||
|
|
|
@ -69,13 +69,12 @@ public class JdbcAccessSecurityConfig
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private boolean allowUnknownJdbcUrlFormat = true;
|
private boolean allowUnknownJdbcUrlFormat = true;
|
||||||
|
|
||||||
// Enforcing allow list check can break rolling upgrade. This is not good for patch releases
|
// This config is for compatibility as enforcing allow list can break existing ingestion jobs or lookups.
|
||||||
// and is why this config is added. However, from the security point of view, this config
|
// However, from the security point of view, this config should be always enabled in production to secure
|
||||||
// should be always enabled in production to secure your cluster. As a result, this config
|
// your cluster. As a result, this config is deprecated and will be removed in a future release.
|
||||||
// is deprecated and will be removed in the near future.
|
|
||||||
@Deprecated
|
@Deprecated
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private boolean enforceAllowedProperties = false;
|
private boolean enforceAllowedProperties = true;
|
||||||
|
|
||||||
@JsonIgnore
|
@JsonIgnore
|
||||||
public Set<String> getSystemPropertyPrefixes()
|
public Set<String> getSystemPropertyPrefixes()
|
||||||
|
|
|
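Review bot: Flipping `enforceAllowedProperties` to `true` still leaves every JDBC URL that does not start with `jdbc:mysql:` or `jdbc:postgresql:` unvalidated. `allowUnknownJdbcUrlFormat` stays `true` on the field just above, and the documented behaviour is that the allow list is enforced only for those two prefixes. The rewritten comment says this config should always be enabled to secure the cluster, which reads as if enabling it were sufficient. It would help to state the limit on the field, e.g. `// Only applies to jdbc:mysql: and jdbc:postgresql: URLs; other URL formats are not checked while allowUnknownJdbcUrlFormat is true.` Whether that second default should change too is a compatibility decision this commit does not take up; the class body continues outside the hunk.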
@ -47,7 +47,7 @@ public class ExternalStorageAccessSecurityModuleTest
|
||||||
securityConfig.getAllowedProperties()
|
securityConfig.getAllowedProperties()
|
||||||
);
|
);
|
||||||
Assert.assertTrue(securityConfig.isAllowUnknownJdbcUrlFormat());
|
Assert.assertTrue(securityConfig.isAllowUnknownJdbcUrlFormat());
|
||||||
Assert.assertFalse(securityConfig.isEnforceAllowedProperties());
|
Assert.assertTrue(securityConfig.isEnforceAllowedProperties());
|
||||||
}
|
}
|
||||||
|
|
||||||
@Test
|
@Test
|
||||||
|
|