[Enhancement](HttpServer) Add http interface authentication for BE (a…

…pache#17753)
jackwener · May 4, 2023 · 9813406 · 9813406
1 parent 4b85c27
commit 9813406
Show file tree

Hide file tree

Showing 43 changed files with 444 additions and 161 deletions.
diff --git a/be/src/common/config.h b/be/src/common/config.h
@@ -390,6 +390,8 @@ CONF_Bool(enable_https, "false");
 CONF_String(ssl_certificate_path, "");
 // Path of private key
 CONF_String(ssl_private_key_path, "");
+// Whether to check authorization
+CONF_Bool(enable_http_auth, "false");
 // Number of webserver workers
 CONF_Int32(webserver_num_workers, "48");
 // Period to update rate counters and sampling counters in ms.

diff --git a/be/src/http/CMakeLists.txt b/be/src/http/CMakeLists.txt
@@ -28,13 +28,13 @@ add_library(Webserver STATIC
   http_channel.cpp
   http_status.cpp
   http_parser.cpp
+  http_handler_with_auth.cpp
   web_page_handler.cpp
   default_path_handlers.cpp
   utils.cpp
   ev_http_server.cpp
   http_client.cpp
   action/download_action.cpp
-  action/monitor_action.cpp
   action/pad_rowset_action.cpp
   action/health_action.cpp
   action/tablet_migration_action.cpp

diff --git a/be/src/http/action/check_rpc_channel_action.cpp b/be/src/http/action/check_rpc_channel_action.cpp
@@ -36,7 +36,9 @@
 #include "util/md5.h"
 
 namespace doris {
-CheckRPCChannelAction::CheckRPCChannelAction(ExecEnv* exec_env) : _exec_env(exec_env) {}
+CheckRPCChannelAction::CheckRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                             TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 void CheckRPCChannelAction::handle(HttpRequest* req) {
     std::string req_ip = req->param("ip");
     std::string req_port = req->param("port");

diff --git a/be/src/http/action/check_rpc_channel_action.h b/be/src/http/action/check_rpc_channel_action.h
@@ -17,17 +17,18 @@
 
 #pragma once
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 class ExecEnv;
 class HttpRequest;
 
-class CheckRPCChannelAction : public HttpHandler {
+class CheckRPCChannelAction : public HttpHandlerWithAuth {
 public:
-    explicit CheckRPCChannelAction(ExecEnv* exec_env);
+    explicit CheckRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                   TPrivilegeType::type type);
 
-    virtual ~CheckRPCChannelAction() {}
+    ~CheckRPCChannelAction() override = default;
 
     void handle(HttpRequest* req) override;
 

diff --git a/be/src/http/action/check_tablet_segment_action.cpp b/be/src/http/action/check_tablet_segment_action.cpp
@@ -37,7 +37,9 @@ namespace doris {
 
 const static std::string HEADER_JSON = "application/json";
 
-CheckTabletSegmentAction::CheckTabletSegmentAction() {
+CheckTabletSegmentAction::CheckTabletSegmentAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                                   TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {
     _host = BackendOptions::get_localhost();
 }
 

diff --git a/be/src/http/action/check_tablet_segment_action.h b/be/src/http/action/check_tablet_segment_action.h
@@ -19,15 +19,23 @@
 
 #include <string>
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "util/easy_json.h"
 
 namespace doris {
 class HttpRequest;
 
-class CheckTabletSegmentAction : public HttpHandler {
+class ExecEnv;
+
+class CheckTabletSegmentAction : public HttpHandlerWithAuth {
 public:
-    CheckTabletSegmentAction();
+    CheckTabletSegmentAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                             TPrivilegeType::type type);
+
+    ~CheckTabletSegmentAction() override = default;
+
     void handle(HttpRequest* req) override;
+
     std::string host() { return _host; }
 
 private:

diff --git a/be/src/http/action/checksum_action.cpp b/be/src/http/action/checksum_action.cpp
@@ -37,7 +37,9 @@ const std::string TABLET_ID = "tablet_id";
 const std::string TABLET_VERSION = "version";
 const std::string SCHEMA_HASH = "schema_hash";
 
-ChecksumAction::ChecksumAction() {}
+ChecksumAction::ChecksumAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                               TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 
 void ChecksumAction::handle(HttpRequest* req) {
     LOG(INFO) << "accept one request " << req->debug_string();

diff --git a/be/src/http/action/checksum_action.h b/be/src/http/action/checksum_action.h
@@ -19,17 +19,18 @@
 
 #include <cstdint>
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 
 class HttpRequest;
 
-class ChecksumAction : public HttpHandler {
+class ChecksumAction : public HttpHandlerWithAuth {
 public:
-    explicit ChecksumAction();
+    explicit ChecksumAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                            TPrivilegeType::type type);
 
-    virtual ~ChecksumAction() {}
+    ~ChecksumAction() override = default;
 
     void handle(HttpRequest* req) override;
 

diff --git a/be/src/http/action/compaction_action.cpp b/be/src/http/action/compaction_action.cpp
@@ -48,6 +48,9 @@ using namespace ErrorCode;
 
 const static std::string HEADER_JSON = "application/json";
 
+CompactionAction::CompactionAction(CompactionActionType ctype, ExecEnv* exec_env,
+                                   TPrivilegeHier::type hier, TPrivilegeType::type ptype)
+        : HttpHandlerWithAuth(exec_env, hier, ptype), _type(ctype) {}
 Status CompactionAction::_check_param(HttpRequest* req, uint64_t* tablet_id) {
     std::string req_tablet_id = req->param(TABLET_ID_KEY);
     if (req_tablet_id == "") {

diff --git a/be/src/http/action/compaction_action.h b/be/src/http/action/compaction_action.h
@@ -22,12 +22,14 @@
 #include <string>
 
 #include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 #include "olap/tablet.h"
 
 namespace doris {
 class HttpRequest;
 
+class ExecEnv;
+
 enum class CompactionActionType {
     SHOW_INFO = 1,
     RUN_COMPACTION = 2,
@@ -40,9 +42,10 @@ const std::string PARAM_COMPACTION_CUMULATIVE = "cumulative";
 
 /// This action is used for viewing the compaction status.
 /// See compaction-action.md for details.
-class CompactionAction : public HttpHandler {
+class CompactionAction : public HttpHandlerWithAuth {
 public:
-    CompactionAction(CompactionActionType type) : _type(type) {}
+    CompactionAction(CompactionActionType ctype, ExecEnv* exec_env, TPrivilegeHier::type hier,
+                     TPrivilegeType::type ptype);
 
     ~CompactionAction() override = default;
 

diff --git a/be/src/http/action/download_action.cpp b/be/src/http/action/download_action.cpp
@@ -34,8 +34,6 @@
 namespace doris {
 
 const std::string FILE_PARAMETER = "file";
-const std::string DB_PARAMETER = "db";
-const std::string LABEL_PARAMETER = "label";
 const std::string TOKEN_PARAMETER = "token";
 
 DownloadAction::DownloadAction(ExecEnv* exec_env, const std::vector<std::string>& allow_dirs)

diff --git a/be/src/http/action/meta_action.cpp b/be/src/http/action/meta_action.cpp
@@ -46,6 +46,8 @@ const static std::string OP = "op";
 const static std::string DATA_SIZE = "data_size";
 const static std::string HEADER = "header";
 
+MetaAction::MetaAction(ExecEnv* exec_env, TPrivilegeHier::type hier, TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 Status MetaAction::_handle_header(HttpRequest* req, std::string* json_meta) {
     req->add_output_header(HttpHeaders::CONTENT_TYPE, HEADER_JSON.c_str());
     std::string req_tablet_id = req->param(TABLET_ID_KEY);

diff --git a/be/src/http/action/meta_action.h b/be/src/http/action/meta_action.h
@@ -20,18 +20,18 @@
 #include <string>
 
 #include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 
 class HttpRequest;
 
 // Get Meta Info
-class MetaAction : public HttpHandler {
+class MetaAction : public HttpHandlerWithAuth {
 public:
-    MetaAction() = default;
+    MetaAction(ExecEnv* exec_env, TPrivilegeHier::type hier, TPrivilegeType::type type);
 
-    virtual ~MetaAction() {}
+    ~MetaAction() override = default;
 
     void handle(HttpRequest* req) override;
 

diff --git a/be/src/http/action/metrics_action.h b/be/src/http/action/metrics_action.h
@@ -17,17 +17,20 @@
 
 #pragma once
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 
 class HttpRequest;
 class MetricRegistry;
 
-class MetricsAction : public HttpHandler {
+class MetricsAction : public HttpHandlerWithAuth {
 public:
-    MetricsAction(MetricRegistry* metric_registry) : _metric_registry(metric_registry) {}
-    virtual ~MetricsAction() {}
+    MetricsAction(MetricRegistry* metric_registry, ExecEnv* exec_env, TPrivilegeHier::type hier,
+                  TPrivilegeType::type type)
+            : HttpHandlerWithAuth(exec_env, hier, type), _metric_registry(metric_registry) {}
+
+    ~MetricsAction() override = default;
 
     void handle(HttpRequest* req) override;
 

diff --git a/be/src/http/action/monitor_action.h b/be/src/http/action/monitor_action.h
diff --git a/be/src/http/action/pad_rowset_action.h b/be/src/http/action/pad_rowset_action.h
@@ -18,16 +18,20 @@
 #pragma once
 
 #include "common/status.h"
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
+#include "http/http_request.h"
 #include "olap/tablet.h"
 
 namespace doris {
 class HttpRequest;
 struct Version;
 
-class PadRowsetAction : public HttpHandler {
+class ExecEnv;
+
+class PadRowsetAction : public HttpHandlerWithAuth {
 public:
-    PadRowsetAction() = default;
+    PadRowsetAction(ExecEnv* exec_env, TPrivilegeHier::type hier, TPrivilegeType::type type)
+            : HttpHandlerWithAuth(exec_env, hier, type) {}
 
     ~PadRowsetAction() override = default;
 
@@ -42,4 +46,4 @@ class PadRowsetAction : public HttpHandler {
 #endif
     Status _pad_rowset(TabletSharedPtr tablet, const Version& version);
 };
-} // end namespace doris
+} // end namespace doris
diff --git a/be/src/http/action/reload_tablet_action.cpp b/be/src/http/action/reload_tablet_action.cpp
@@ -38,7 +38,9 @@ const std::string PATH = "path";
 const std::string TABLET_ID = "tablet_id";
 const std::string SCHEMA_HASH = "schema_hash";
 
-ReloadTabletAction::ReloadTabletAction(ExecEnv* exec_env) : _exec_env(exec_env) {}
+ReloadTabletAction::ReloadTabletAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                       TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 
 void ReloadTabletAction::handle(HttpRequest* req) {
     LOG(INFO) << "accept one request " << req->debug_string();

diff --git a/be/src/http/action/reload_tablet_action.h b/be/src/http/action/reload_tablet_action.h
@@ -21,26 +21,25 @@
 
 #include <string>
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 
 class ExecEnv;
 class HttpRequest;
 
-class ReloadTabletAction : public HttpHandler {
+class ReloadTabletAction : public HttpHandlerWithAuth {
 public:
-    ReloadTabletAction(ExecEnv* exec_env);
+    ReloadTabletAction(ExecEnv* exec_env, TPrivilegeHier::type hier, TPrivilegeType::type type);
 
-    virtual ~ReloadTabletAction() {}
+    ~ReloadTabletAction() override = default;
 
     void handle(HttpRequest* req) override;
 
 private:
     void reload(const std::string& path, int64_t tablet_id, int32_t schema_hash, HttpRequest* req);
 
     ExecEnv* _exec_env;
-
 }; // end class ReloadTabletAction
 
 } // end namespace doris
diff --git a/be/src/http/action/reset_rpc_channel_action.cpp b/be/src/http/action/reset_rpc_channel_action.cpp
@@ -32,7 +32,9 @@
 #include "util/string_util.h"
 
 namespace doris {
-ResetRPCChannelAction::ResetRPCChannelAction(ExecEnv* exec_env) : _exec_env(exec_env) {}
+ResetRPCChannelAction::ResetRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                             TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 void ResetRPCChannelAction::handle(HttpRequest* req) {
     std::string endpoints = req->param("endpoints");
     if (iequal(endpoints, "all")) {

diff --git a/be/src/http/action/reset_rpc_channel_action.h b/be/src/http/action/reset_rpc_channel_action.h
@@ -17,17 +17,18 @@
 
 #pragma once
 
-#include "http/http_handler.h"
+#include "http/http_handler_with_auth.h"
 
 namespace doris {
 class ExecEnv;
 class HttpRequest;
 
-class ResetRPCChannelAction : public HttpHandler {
+class ResetRPCChannelAction : public HttpHandlerWithAuth {
 public:
-    explicit ResetRPCChannelAction(ExecEnv* exec_env);
+    explicit ResetRPCChannelAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                   TPrivilegeType::type type);
 
-    virtual ~ResetRPCChannelAction() {}
+    ~ResetRPCChannelAction() override = default;
 
     void handle(HttpRequest* req) override;
 

diff --git a/be/src/http/action/restore_tablet_action.cpp b/be/src/http/action/restore_tablet_action.cpp
@@ -51,7 +51,9 @@ namespace doris {
 const std::string TABLET_ID = "tablet_id";
 const std::string SCHEMA_HASH = "schema_hash";
 
-RestoreTabletAction::RestoreTabletAction(ExecEnv* exec_env) : _exec_env(exec_env) {}
+RestoreTabletAction::RestoreTabletAction(ExecEnv* exec_env, TPrivilegeHier::type hier,
+                                         TPrivilegeType::type type)
+        : HttpHandlerWithAuth(exec_env, hier, type) {}
 
 void RestoreTabletAction::handle(HttpRequest* req) {
     LOG(INFO) << "accept one request " << req->debug_string();