Enforce namespace authorization on pipeline draft read endpoints#16163
Enforce namespace authorization on pipeline draft read endpoints#16163adilburaksen wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
Code Review
This pull request adds authorization checks to the listDrafts and getDraft endpoints in DraftHandler by enforcing StandardPermission.LIST and StandardPermission.GET respectively. Feedback indicates that enforcing StandardPermission.LIST will cause the existing testDraftAuthorization test in DraftServiceTest.java to fail, and suggests updating the test to grant the required permission.
| @QueryParam("sortOrder") @DefaultValue("ASC") String sortOrder, | ||
| @QueryParam("filter") @Nullable String filter) { | ||
|
|
||
| contextAccessEnforcer.enforce(new NamespaceId(namespaceName), StandardPermission.LIST); |
There was a problem hiding this comment.
Enforcing StandardPermission.LIST here is correct and aligns with ConnectionHandler. However, this change will cause the existing test testDraftAuthorization in DraftServiceTest.java to fail.
In DraftServiceTest.java (lines 180-183), the test only grants StandardPermission.GET to ALICE_PRINCIPAL before calling listDrafts and expecting HTTP_OK:
getPermissionManager().grant(namespaceAuthorizable,
ALICE_PRINCIPAL,
EnumSet.of(StandardPermission.GET));Since listDrafts now enforces StandardPermission.LIST, this call will return HTTP_FORBIDDEN (403) and fail the test. Please update DraftServiceTest.java to also grant StandardPermission.LIST to Alice:
getPermissionManager().grant(namespaceAuthorizable,
ALICE_PRINCIPAL,
EnumSet.of(StandardPermission.GET, StandardPermission.LIST));
Summary
The pipeline-studio
DraftHandlerread endpoints do not authorize the requested namespace, while the write endpoints on the same resource do:GET listDraftsandGET getDraftcalldraftServicedirectly with nocontextAccessEnforcer.enforce(...).PUT putDraftandDELETE deleteDraftenforcenew NamespaceId(namespaceName), StandardPermission.UPDATE.Because the namespace comes from the
{context}path parameter andDraftService.listDrafts/getDraftperform no internal authorization, a user with access to one namespace can read the pipeline drafts of any other namespace — disclosing that namespace's source/sink configuration (connection hosts, JDBC URLs, database names, usernames, and any inlined credentials).getDraftreturns the fullETLConfigandlistDrafts?includeConfig=trueincludes configs as well.The sibling handler in the same
StudioService,ConnectionHandler, already enforces on every read (listConnections→enforceOnParent(..., StandardPermission.LIST),getConnection→enforce(..., StandardPermission.GET)), so this is an omission rather than an intended difference. PRs #13436 and #13463 added enforcement to the draft write path only.Change
Mirror the write path and
ConnectionHandler: enforce namespace authorization before serving draft reads.listDrafts→contextAccessEnforcer.enforce(new NamespaceId(namespaceName), StandardPermission.LIST)getDraft→contextAccessEnforcer.enforce(new NamespaceId(namespaceName), StandardPermission.GET)No behavior change for callers already authorized on the namespace.