[fix](auth) add auth check for manager node and query qerror REST APIs#65042
Open
CalvinKirs wants to merge 2 commits into
Conversation
… query qerror REST APIs
The node management endpoints (POST /rest/v2/manager/node/{action}/{fe,be,broker})
allowed adding or dropping cluster nodes without any authentication or
authorization. Add executeCheckPassword + checkAdminAuth so they require an
authenticated ADMIN user, consistent with set_config/fe and set_config/be.
GET /rest/v2/manager/query/qerror/{id} (getStats) had neither authentication
nor authorization: its signature took no request/response and the global
AuthInterceptor only covers /rest/v1/**, so it was reachable anonymously even
with enable_all_http_auth=true. Add executeCheckPassword and
checkAuthByUserAndQueryId, matching the /profile and /trace_id endpoints, so a
non-admin can only read their own query stats.
Add a p0 regression test covering both gaps.
Contributor: Thank you for your contribution to Apache Doris. Please clearly describe your PR:
Member (Author): run buildall
Member (Author): Centralize auth into one interceptor — having every v2 endpoint roll its own is a footgun.
The admin-positive assertions used ADD with 127.0.0.1 addresses, which on a real (distributed) cluster would not match an existing node and would actually register a phantom FE observer / BE into the editlog with no cleanup, polluting cluster state and risking later tests. Switch the positive path to DROP on RFC 5737 TEST-NET addresses (192.0.2.x), which can never match a real node: it reaches the operation, returns a harmless 'does not exist' error, proves the ADMIN check passed, and mutates nothing. The negative (non-admin) cases keep ADD since the auth check rejects them before the node operation runs.
Member (Author): run buildall
Contributor: FE UT Coverage Report: increment line coverage
Contributor: TPC-H: Total hot run time: 29592 ms
Contributor: TPC-H: Total hot run time: 29946 ms
Contributor: TPC-DS: Total hot run time: 175487 ms
Contributor: TPC-DS: Total hot run time: 174181 ms
Contributor: ClickBench: Total hot run time: 25.5 s
Contributor: ClickBench: Total hot run time: 25.44 s
Contributor: FE Regression Coverage Report: increment line coverage
Proposed changes
Several manager REST APIs under /rest/v2/manager were missing authentication and/or authorization. This PR closes those gaps.

1. Node management endpoints — missing auth + authz
POST /rest/v2/manager/node/{action}/fe, /{action}/be, /{action}/broker (operateFrontends / operateBackend / operateBroker) could add or drop FE / BE / Broker nodes without any authentication or authorization. Any caller able to reach the FE HTTP port could change cluster topology. Added, consistent with the sibling set_config/fe and set_config/be endpoints:

2. GET /rest/v2/manager/query/qerror/{id} (getStats) — fully unauthenticated
This endpoint had neither authentication nor authorization: its method signature didn't even take HttpServletRequest / HttpServletResponse, so it could not call executeCheckPassword, and the global AuthInterceptor only covers /rest/v1/**. As a result it was reachable anonymously even with enable_all_http_auth=true, leaking per-query stats-error information. Aligned it with the /profile and /trace_id endpoints — authenticate, then restrict non-admin users to their own queries:

Test
Added regression-test/suites/auth_p0/test_http_node_action_auth.groovy (p0, auth, nonConcurrent):
- ADD /fe and ADD /be is rejected;
- grant 'admin', the request passes the auth check;
- /qerror/{id} is rejected.

FE compiles cleanly (build.sh --fe).
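To make the two gaps and the fix concrete, here is an added Python model of the authorization decisions the PR description lays out: the global interceptor only gating /rest/v1/**, the per-handler ADMIN check on the node endpoints, and the owner-or-admin check on qerror. This is example code, not Doris's own; Request, authorize_before, authorize_after and the QUERY_OWNERS table are assumed illustration names, and the pre-fix model reflects only what the description states.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed lookup: which user submitted which query id (stands in for the FE's query lookup).
QUERY_OWNERS = {"q-1001": "alice", "q-2002": "bob"}


@dataclass
class Request:
    path: str
    user: Optional[str]        # None: no credentials presented
    is_admin: bool = False


def global_interceptor_covers(path: str) -> bool:
    """Models the AuthInterceptor mapping from the PR: only /rest/v1/** is intercepted."""
    return path.startswith("/rest/v1/")


def authorize_before(req: Request) -> Tuple[int, str]:
    """Pre-fix behaviour: nothing but the global interceptor gates a request, so /rest/v2 handlers run."""
    if global_interceptor_covers(req.path) and req.user is None:
        return 401, "authentication required"
    return 200, "handler executed"


def authorize_after(req: Request) -> Tuple[int, str]:
    """Post-fix behaviour: per-handler checks for the two endpoint families named in the PR."""
    if req.path.startswith("/rest/v2/manager/node/"):
        if req.user is None:
            return 401, "authentication required"      # executeCheckPassword
        if not req.is_admin:
            return 403, "ADMIN privilege required"     # checkAdminAuth
        return 200, "node operation executed"
    if req.path.startswith("/rest/v2/manager/query/qerror/"):
        if req.user is None:
            return 401, "authentication required"      # executeCheckPassword
        owner = QUERY_OWNERS.get(req.path.rsplit("/", 1)[-1])
        if owner is None:
            return 404, "unknown query id"
        if req.is_admin or owner == req.user:          # checkAuthByUserAndQueryId
            return 200, "query stats returned"
        return 403, "query belongs to another user"
    return authorize_before(req)                       # all other paths are unchanged by the PR


if __name__ == "__main__":
    anon_add = Request("/rest/v2/manager/node/ADD/fe", user=None)
    print("before:", authorize_before(anon_add), "after:", authorize_after(anon_add))
```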