-
Notifications
You must be signed in to change notification settings - Fork 84
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[controller] Manual store deletion only can be done by specific user group. #1199
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -150,6 +150,23 @@ protected boolean isAllowListUser(Request request) { | |
return accessController.get().isAllowlistUsers(certificate, storeName, HTTP_GET); | ||
} | ||
|
||
/** | ||
* Check whether the user is within the admin users allowlist for store deletion. | ||
*/ | ||
protected boolean isAllowListUserForStoreDeletion(Request request) { | ||
if (!isAclEnabled()) { | ||
/** | ||
* Grant access if it's not required to check ACL. | ||
* {@link accessController} will be empty if ACL is not enabled. | ||
*/ | ||
return true; | ||
Comment on lines
+158
to
+162
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We want to do the opposite thing, right? If ACL is not enabled, do not allow the store deletion at all. Besides, it's cleaner to check whether ACL is enabled in AdminSparkServer - do not register this API if ACL is not enabled: |
||
} | ||
X509Certificate certificate = getCertificate(request); | ||
|
||
String storeName = request.queryParamOrDefault(NAME, STORE_UNKNOWN); | ||
return accessController.get().isAllowlistUsersForStoreDeletion(certificate, storeName, HTTP_GET); | ||
} | ||
|
||
/** | ||
* @return whether SSL is enabled | ||
*/ | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -506,6 +506,12 @@ public Route deleteStore(Admin admin) { | |
return new VeniceRouteHandler<TrackableControllerResponse>(TrackableControllerResponse.class) { | ||
@Override | ||
public void internalHandle(Request request, TrackableControllerResponse veniceResponse) { | ||
// This is to limit the manual store deletion from admin tool without https to a specific allow list users. | ||
if (!isSslEnabled() | ||
&& !checkIsAllowListUser(request, veniceResponse, () -> isAllowListUserForStoreDeletion(request))) { | ||
return; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. We should fail the request and send bad request error code to user. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The
|
||
} | ||
|
||
// Only allow allowlist users to run this command | ||
if (!checkIsAllowListUser(request, veniceResponse, () -> isAllowListUser(request))) { | ||
return; | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we rename to
hasAccessToDelete
?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sure, we could do that, but wondering why this naming is better?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It feels more concise to me, while conveying the same information