While trying the Authentication and Authorisation feature of Pinot, I found that for the controller, on any endpoint which accesses a non-table resource, authorisation does not work as expected using either of the bundled auth options:
BasicAuthAccessControlFactory
ZkBasicAuthAccessControlFactory
I would consider this a CRITICAL security flaw as it gives a normal user the power to do any sort of destructive action in the cluster.
Consider a simple example.
Assume we have 3 users in the system:
admin
test
user1
Now we try to DELETE user1, who is an admin, by submitting a request as test, who is a normal user.
Voila user1 is deleted! :(
But the user test was not authorised to do so!
This example is just the tip of the iceberg. I plan to work to fix this once the team confirms this is really broken.
NihalJain changed the title from "Authorization is broken for endpoints which access any resource other than a table" to "[Bug] Authorization is broken for endpoints which access any resource other than a table" on Dec 4, 2024
Thanks for reporting this! @soumitra-st Can you help take a look?
I already have a patch which disallows any user not having appropriate access on ALL tables from doing any similar action on a cluster-level endpoint, which will fix the above issue.
I need some guidance on what the expected behaviour around the cluster-level APIs is, because as per the current logic just providing correct auth is enough to do any action at cluster level.
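To make the difference between the current check and the rule described in the comment above concrete, here is an added example in Python. It is not Pinot's code and not the reporter's patch; it uses a constructed, simplified principal model, and the names Principal, authorize_vulnerable, authorize_patched and find_escalations are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Constructed model: a principal carries the set of table names it may act on;
# tables=None models an unrestricted (admin-like) principal.
@dataclass(frozen=True)
class Principal:
    name: str
    tables: Optional[FrozenSet[str]]

def _has_table_access(p: Principal, table: str) -> bool:
    return p.tables is None or table in p.tables

def authorize_vulnerable(p: Optional[Principal], table: Optional[str]) -> bool:
    """Decision as described in the issue: a non-table endpoint has no table
    to check, so any authenticated principal is allowed through."""
    if p is None:
        return False
    if table is None:          # cluster-level (non-table) endpoint
        return True            # <- the flaw: authentication alone suffices
    return _has_table_access(p, table)

def authorize_patched(p: Optional[Principal], table: Optional[str],
                      all_tables: FrozenSet[str]) -> bool:
    """Rule from the reporter's comment: a cluster-level action requires
    access on ALL tables in the cluster. Edge case handled conservatively
    here (this example's choice): with zero tables, only an unrestricted
    principal passes, so an empty cluster does not grant everyone access."""
    if p is None:
        return False
    if table is None:
        if p.tables is None:
            return True
        return bool(all_tables) and all_tables <= p.tables
    return _has_table_access(p, table)

def find_escalations(principals: List[Principal], endpoints: List[Optional[str]],
                     all_tables: FrozenSet[str]) -> List[Tuple[str, Optional[str]]]:
    """Audit helper: (principal, endpoint-table) pairs the vulnerable check
    allows but the patched rule denies, i.e. the privilege escalations."""
    return [(p.name, t) for p in principals for t in endpoints
            if authorize_vulnerable(p, t) and not authorize_patched(p, t, all_tables)]

if __name__ == "__main__":
    # Constructed sample data mirroring the issue: admin, test and user1.
    cluster = frozenset({"orders", "events"})
    users = [Principal("admin", None), Principal("test", frozenset({"orders"})),
             Principal("user1", None)]
    print(find_escalations(users, [None, "orders", "events"], cluster))
```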
@NihalJain, thanks for reporting the issue and highlighting the weakness in BasicAuthAccessControlFactory and ZkBasicAuthAccessControlFactory. Any change in the behavior of these classes will be a backward-incompatible change. We added FineGrainedAccessControl to control AUTHZ at cluster and table levels. Some of our users have implemented role-based access control using this interface.