Reorder filters and let RealmContextResolver throw UnresolvableRealmContextException #848
Conversation
adutra
force-pushed
the
filter-order
branch
2 times, most recently
from
e542f5c to
9c45494
Compare
adutra
changed the title
adutra
requested review from
RussellSpitzer,
ashvina,
collado-mike,
dennishuo,
dimas-b,
ebyhr,
eric-maynard,
flyrain,
jackye1995,
jbonofre,
snazy,
takidau and
vvcephei
as code owners
|
This is now ready for review. |
There was a problem hiding this comment.
Would you mind moving this to a (new) method on PolarisServerManager or Server so that it is possible to customize?
There was a problem hiding this comment.
nit: maybe make internalCatalogName a parameter to this test?
There was a problem hiding this comment.
I'm not sure about 401 in this context. I believe it generally means your credentials are not valid, which is not applicable to failures in realm resolution.
I'm thinking that a 404 may fit better. For example, GH gives 404 on accessing repositories (i.e. realms) to which the user has no access.
There was a problem hiding this comment.
Makes sense, i will update the PR title and description accordingly.
quarkus/service/src/main/java/org/apache/polaris/service/quarkus/config/QuarkusProducers.java
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
I think it could be valuable to cover this with an explicit config flag. If realms are used in a particular deployment, it is probably not wise to allow potentially malicious clients to try sending requests at the default realm without knowing its ID.
There was a problem hiding this comment.
I completely agree, I think that having a default realm is a potential security issue.
adutra
changed the title
There was a problem hiding this comment.
Maybe rename to realmHeaderName() + realmId() (latter for consistency w/ Server)?
There was a problem hiding this comment.
| default String realmHeader() { | |
| default String realmHeaderName() { |
There was a problem hiding this comment.
| * <p>Note: this is actually only enforced when using {@link DefaultRealmIdResolver}. When using | |
| * {@link TestRealmIdResolver}, this setting is ignored. | |
| * <p>Note: this setting is only enforced in production setups. |
There was a problem hiding this comment.
Defaulting to true would be a behaviour change at the REST/HTTP level. I'd prefer to keep old behaviour in this PR and change defaults later.
There was a problem hiding this comment.
Yeah changing this to true would break downstreams. But we can mention this in the "Configuring for production" docs.
There was a problem hiding this comment.
Wonder if it makes more sense to change RealmIdResolver to expect a Function<String, String> rather than a "full blown map" (and use request::getHeader here).
|
@collado-mike : any concerns from your POV? |
adutra
changed the title
|
PR Rebased. @dimas-b @snazy @collado-mike can I get another review please? |
dimas-b
left a comment
dimas-b
left a comment
There was a problem hiding this comment.
LGTM 👍 I found a fresh, but tangential issue, however I think we can address it later (if people agree with my proposal below).
There was a problem hiding this comment.
tangential: When OTel is disabled, it's still ok to operate on Span.current(), we'd simply get a "no-op" Span. However, IMHO it is preferable to exercise the code that produces span values even when tracing is disabled. This is to avoid bugs that only pop up when tracing is on.
There was a problem hiding this comment.
I get the sentiment, but at the same time, it's nice to be able to turn off the functionality entirely, including any bugs that may be present that could impact the running service even though you don't want/care about tracing.
|
This has been in review for 2 weeks. Is it OK to merge now? @collado-mike |
There was a problem hiding this comment.
I get the sentiment, but at the same time, it's nice to be able to turn off the functionality entirely, including any bugs that may be present that could impact the running service even though you don't want/care about tracing.
| if (!configuration.realms().contains(realm)) { | ||
| throw new IllegalArgumentException("Unknown realm: " + realm); | ||
| throw new UnresolvableRealmContextException("Unknown realm: " + realm); | ||
| } |
There was a problem hiding this comment.
Personally, i would push the check down into the RealmContextConfiguration rather than exposing a set of valid realms and doing the check here. But for this change, I think the UnresolvableRealmContextExcpetion is the right change to make
4 participants
Fixes #819.
Summary of changes:
ContainerRequestFilterRealmIdFilterintroducedRealmIdResolvernow can throwUnresolvableRealmException=> maps to HTTP 404PolarisApplicationIntegrationTestRealmIdFilterQuarkusLoggingMDCFilterQuarkusTracingFilterPolarisPrincipalAuthenticatorFilterPolarisPrincipalRolesProviderFilterRateLimiterFilter