Influxdata
/
influxdb
mirror of https://github.com/influxdata/influxdb.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/main' into dom/req-mode-parsing

pull/24376/head
Dom Dwyer 2023-04-11 13:34:52 +02:00
parent 78f2b3a36a d2585002fe
commit 73d44ec9a1
No known key found for this signature in database
GPG Key ID: E4C40DBD9157879A
9 changed files with 27 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
authz/src/permission.rs
View File

@ -115,8 +115,8 @@ impl TryFrom<Permission> for proto::Permission {
/// A resource is the object that a request is trying to access.
#[derive(Clone, Debug, PartialEq)]
pub enum Resource {
/// A namespace is a named IOx namespace.
Namespace(String),
/// A database is a named IOx database.
Database(String),
}
impl Resource {
@ -125,8 +125,8 @@ impl Resource {
ri: Option<String>,
) -> Result<Self, IncompatiblePermissionError> {
match (rt, ri) {
(proto::resource_action_permission::ResourceType::Namespace, Some(s)) => {
Ok(Self::Namespace(s))
(proto::resource_action_permission::ResourceType::Database, Some(s)) => {
Ok(Self::Database(s))
}
_ => Err(IncompatiblePermissionError {}),
}
@ -142,8 +142,8 @@ impl Resource {
IncompatiblePermissionError,
> {
match self {
Self::Namespace(s) => Ok((
proto::resource_action_permission::ResourceType::Namespace,
Self::Database(s) => Ok((
proto::resource_action_permission::ResourceType::Database,
Some(s),
)),
}
@ -209,9 +209,9 @@ mod tests {
#[test]
fn resource_try_from_proto() {
assert_eq!(
Resource::Namespace("ns1".into()),
Resource::Database("ns1".into()),
Resource::try_from_proto(
proto::resource_action_permission::ResourceType::Namespace,
proto::resource_action_permission::ResourceType::Database,
Some("ns1".into())
)
.unwrap()
@ -219,7 +219,7 @@ mod tests {
assert_eq!(
IncompatiblePermissionError {},
Resource::try_from_proto(
proto::resource_action_permission::ResourceType::Namespace,
proto::resource_action_permission::ResourceType::Database,
None
)
.unwrap_err()
@ -238,17 +238,17 @@ mod tests {
fn resource_try_into_proto() {
assert_eq!(
(
proto::resource_action_permission::ResourceType::Namespace,
proto::resource_action_permission::ResourceType::Database,
Some("ns1".into())
),
Resource::Namespace("ns1".into()).try_into_proto().unwrap(),
Resource::Database("ns1".into()).try_into_proto().unwrap(),
);
}
#[test]
fn permission_try_from_proto() {
assert_eq!(
Permission::ResourceAction(Resource::Namespace("ns2".into()), Action::Create),
Permission::ResourceAction(Resource::Database("ns2".into()), Action::Create),
Permission::try_from(proto::Permission {
permission_one_of: Some(proto::permission::PermissionOneOf::ResourceAction(
proto::ResourceActionPermission {
@ -301,7 +301,7 @@ mod tests {
))
},
proto::Permission::try_from(Permission::ResourceAction(
Resource::Namespace("ns3".into()),
Resource::Database("ns3".into()),
Action::Create
))
.unwrap()

4
generated_types/protos/influxdata/iox/authz/v1/authz.proto
View File

@ -70,9 +70,9 @@ message ResourceActionPermission {
RESOURCE_TYPE_UNSPECIFIED = 0;
/*
* Permission to access a namespace.
* Permission to access a database.
*/
RESOURCE_TYPE_NAMESPACE = 1;
RESOURCE_TYPE_DATABASE = 1;
}
enum Action {

15
iox_query/src/exec.rs
View File

@ -15,7 +15,6 @@ use datafusion_util::config::register_iox_object_store;
use executor::DedicatedExecutor;
use object_store::DynObjectStore;
use parquet_file::storage::StorageId;
use trace::span::{SpanExt, SpanRecorder};
mod cross_rt_stream;
use std::{collections::HashMap, fmt::Display, num::NonZeroUsize, sync::Arc};
@ -23,13 +22,11 @@ use std::{collections::HashMap, fmt::Display, num::NonZeroUsize, sync::Arc};
use datafusion::{
self,
execution::{
context::SessionState,
disk_manager::DiskManagerConfig,
runtime_env::{RuntimeConfig, RuntimeEnv},
},
logical_expr::{expr_rewriter::normalize_col, Extension},
logical_expr::{Expr, LogicalPlan},
prelude::SessionContext,
};
pub use context::{IOxSessionConfig, IOxSessionContext, SessionContextIOxExt};
@ -203,18 +200,6 @@ impl Executor {
.with_target_partitions(self.config.target_query_partitions)
}
/// Get IOx context from DataFusion state.
pub fn new_context_from_df(
&self,
executor_type: ExecutorType,
state: &SessionState,
) -> IOxSessionContext {
let inner = SessionContext::with_state(state.clone());
let exec = self.executor(executor_type).clone();
let recorder = SpanRecorder::new(state.span_ctx().child_span("Query Execution"));
IOxSessionContext::new(inner, exec, recorder)
}
/// Create a new execution context, suitable for executing a new query or system task
///
/// Note that this context (and all its clones) will be shut down once `Executor` is dropped.

5
iox_query/src/exec/context.rs
View File

@ -678,6 +678,11 @@ impl IOxSessionContext {
self.recorder.span()
}
/// Returns a new child span of the current context
pub fn child_span(&self, name: &'static str) -> Option<Span> {
self.recorder.child_span(name)
}
/// Number of currently active tasks.
pub fn tasks(&self) -> usize {
self.exec.tasks()

4
querier/src/namespace/query_access.rs
View File

@ -59,7 +59,7 @@ impl QueryNamespace for QuerierNamespace {
let mut chunks = table
.chunks(
predicate,
ctx.span().map(|span| span.child("querier table chunks")),
ctx.child_span("QuerierNamespace chunks"),
projection,
)
.await?;
@ -360,7 +360,7 @@ mod tests {
let span = traces
.spans()
.into_iter()
.find(|s| s.name == "querier table chunks")
.find(|s| s.name == "QuerierTable chunks")
.expect("tracing span not found");
assert_eq!(span.status, SpanStatus::Ok);

2
querier/src/table/query_access/mod.rs
View File

@ -62,7 +62,7 @@ impl TableProvider for QuerierTable {
let chunks = self
.chunks(
&pruning_predicate,
ctx.child_span("querier table chunks"),
ctx.child_span("QuerierTable chunks"),
projection,
)
.await?;

2
router/src/server/http.rs
View File

@ -381,7 +381,7 @@ where
}
});
let perms = [Permission::ResourceAction(
Resource::Namespace(write_info.namespace.to_string()),
Resource::Database(write_info.namespace.to_string()),
Action::Write,
)];
self.authz.require_any_permission(token, &perms).await?;

4
service_grpc_flight/src/lib.rs
View File

@ -472,7 +472,7 @@ where
let perms = match query {
RunQuery::FlightSQL(cmd) => flightsql_permissions(namespace_name, cmd),
RunQuery::Sql(_) | RunQuery::InfluxQL(_) => vec![authz::Permission::ResourceAction(
authz::Resource::Namespace(namespace_name.to_string()),
authz::Resource::Database(namespace_name.to_string()),
authz::Action::Read,
)],
};
@ -733,7 +733,7 @@ fn get_flight_authz(metadata: &MetadataMap) -> Option<Vec<u8>> {
}
fn flightsql_permissions(namespace_name: &str, cmd: &FlightSQLCommand) -> Vec<authz::Permission> {
let resource = authz::Resource::Namespace(namespace_name.to_string());
let resource = authz::Resource::Database(namespace_name.to_string());
let action = match cmd {
FlightSQLCommand::CommandStatementQuery(_) => authz::Action::Read,
FlightSQLCommand::CommandPreparedStatementQuery(_) => authz::Action::Read,

2
test_helpers_end_to_end/src/authz.rs
View File

@ -81,7 +81,7 @@ impl Authorizer {
.map(|a| Permission {
permission_one_of: Some(PermissionOneOf::ResourceAction(
ResourceActionPermission {
resource_type: ResourceType::Namespace.into(),
resource_type: ResourceType::Database.into(),
resource_id: Some(namespace_name.to_string()),
action: a.into(),
},