Skip to content

Add query integrity check in AccessControlManager#13632

Closed
hellium01 wants to merge 1 commit intoprestodb:masterfrom
hellium01:AddQueryIntegratyCheck
Closed

Add query integrity check in AccessControlManager#13632
hellium01 wants to merge 1 commit intoprestodb:masterfrom
hellium01:AddQueryIntegratyCheck

Conversation

@hellium01
Copy link
Contributor

@hellium01 hellium01 commented Oct 31, 2019
edited
Loading

This PR adds support to validate query integrity before we execute it. Client will provide certain token in Identity (most likely in extraCredentials).

== RELEASE NOTES ==

General Changes
*  Added support in `AccessControlManager` to check query integrity.

@hellium01 hellium01 force-pushed the AddQueryIntegratyCheck branch 2 times, most recently from f065d91 to 2c229ab Compare October 31, 2019 18:29
highker
highker reviewed Oct 31, 2019
View reviewed changes
Copy link

@highker highker left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

some comments

@hellium01 hellium01 force-pushed the AddQueryIntegratyCheck branch 2 times, most recently from 5ad1dcd to afdc6fa Compare October 31, 2019 22:28
@hellium01 hellium01 force-pushed the AddQueryIntegratyCheck branch from afdc6fa to 93d35e3 Compare November 14, 2019 23:23
@mayankgarg1990
Copy link

mayankgarg1990 commented Nov 18, 2019

The change overall looks good to me. My only concern is with the naming. checkQueryIntegrity does not seem to belong to AccessControl class, since it is not really gating the access, rather ensuring the integrity of the query.

Lets get some other opinion on this - @highker , @rschlussel - what are your thoughts on this?

@hellium01
Copy link
Contributor Author

hellium01 commented Nov 18, 2019

Right, checkQueryIntegrity is technically not part of authorization or AccessControl ( similar to checkCanSetUser) but moving it out to a separate class seems like an overkill.

@hellium01 hellium01 force-pushed the AddQueryIntegratyCheck branch from 93d35e3 to 47a1daf Compare November 18, 2019 23:22
@hellium01 hellium01 requested a review from rschlussel November 18, 2019 23:31
@hellium01 hellium01 force-pushed the AddQueryIntegratyCheck branch from 47a1daf to ce459ec Compare November 26, 2019 06:30
@rschlussel
Copy link
Contributor

rschlussel commented Dec 3, 2019

yeah, it's not a perfect fit, but I think it's okay. We are basically saying we won't run your query because you don't have a valid token that we're expecting, so it's a form of an access check.

@mayankgarg1990
Copy link

mayankgarg1990 commented Dec 18, 2019

@highker - can you accept or request changes. I will take over this PR and get it landed

@mayankgarg1990 mayankgarg1990 mentioned this pull request Dec 18, 2019
Merged
@mayankgarg1990
Copy link

mayankgarg1990 commented Dec 18, 2019

Rebased and opened #13878 so that I can work with the committers to land this

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@highker highker highker left review comments

@rschlussel rschlussel rschlussel approved these changes

@mayankgarg1990 mayankgarg1990 Awaiting requested review from mayankgarg1990

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@hellium01 @mayankgarg1990 @rschlussel @highker @facebook-github-bot