be/src/service/http/http_handler_with_auth.cpp

Source
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

#include "service/http/http_handler_with_auth.h"

#include <gen_cpp/HeartbeatService_types.h>

#include "service/http/http_channel.h"
#include "service/http/utils.h"
#include "util/client_cache.h"
#include "util/thrift_rpc_helper.h"

namespace doris {

class TPrivilegeType;
class TPrivilegeHier;
class ThriftRpcHelper;

HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, TPrivilegeHier::type hier,
                                         TPrivilegeType::type type)
        : _exec_env(exec_env), _hier(hier), _type(type) {}

int HttpHandlerWithAuth::on_header(HttpRequest* req) {
    //if u return value isn't 0,u should `send_reply`,Avoid requesting links that never return.
    TCheckAuthRequest auth_request;
    TCheckAuthResult auth_result;
    AuthInfo auth_info;

    if (!config::enable_all_http_auth) {
        return 0;
    }

    // When enable_all_http_auth is true, even NONE type APIs require authentication
    // (enable_all_http_auth means "enable authentication for ALL HTTP APIs")
    // Note: This overrides the default behavior where NONE type APIs bypass auth

    if (!parse_basic_auth(*req, &auth_info)) {
        LOG(WARNING) << "parse basic authorization failed"
                     << ", request: " << req->debug_string();
        evhttp_add_header(evhttp_request_get_output_headers(req->get_evhttp_request()),
                          "WWW-Authenticate", "Basic realm=\"Restricted\"");
        HttpChannel::send_reply(req, HttpStatus::UNAUTHORIZED);
        return -1;
    }

    // check auth by token
    if (auth_info.token != "") {
#ifdef BE_TEST
        if (auth_info.token == "valid_token") {
            return 0;
#else
        if (_exec_env->check_auth_token(auth_info.token)) {
            return 0;
#endif
        } else {
            LOG(WARNING) << "invalid auth token, request: " << req->debug_string();
            HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
            return -1;
        }
    }

    // check auth by user/password
    auth_request.user = auth_info.user;
    auth_request.passwd = auth_info.passwd;
    auth_request.__set_cluster(auth_info.cluster);
    auth_request.__set_user_ip(auth_info.user_ip);
    auth_request.__set_thrift_rpc_timeout_ms(config::thrift_rpc_timeout_ms);

    if (!on_privilege(*req, auth_request)) {
        LOG(WARNING) << "invalid privilege, request: " << req->debug_string();
        HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
        return -1;
    }

#ifndef BE_TEST
    TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
    if (master_addr.hostname.empty() || master_addr.port == 0) {
        LOG(WARNING) << "Not found master fe, Can't auth API request: " << req->debug_string();
        HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
        return -1;
    }
    {
        auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
                master_addr.hostname, master_addr.port,
                [&auth_result, &auth_request](FrontendServiceConnection& client) {
                    client->checkAuth(auth_result, auth_request);
                });
        if (!status) {
            LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
                         << ", Fe port:" << master_addr.port << ".Status:" << status.to_string()
                         << ".Request: " << req->debug_string();
            HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
            return -1;
        }
    }
#else
    if (auth_request.user == "root" && auth_request.passwd.empty()) {
        auth_result.status.status_code = TStatusCode::type::OK;
        auth_result.status.error_msgs.clear();
    } else {
        HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
        return -1;
    }
#endif
    Status status(Status::create(auth_result.status));
    if (!status.ok()) {
        LOG(WARNING) << "permission verification failed, request: " << auth_request;
        HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
        return -1;
    }
    return 0;
}

} // namespace doris

Line	Count	Source
1		// Licensed to the Apache Software Foundation (ASF) under one
2		// or more contributor license agreements. See the NOTICE file
3		// distributed with this work for additional information
4		// regarding copyright ownership. The ASF licenses this file
5		// to you under the Apache License, Version 2.0 (the
6		// "License"); you may not use this file except in compliance
7		// with the License. You may obtain a copy of the License at
8		//
9		// http://www.apache.org/licenses/LICENSE-2.0
10		//
11		// Unless required by applicable law or agreed to in writing,
12		// software distributed under the License is distributed on an
13		// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14		// KIND, either express or implied. See the License for the
15		// specific language governing permissions and limitations
16		// under the License.
17
18		#include "service/http/http_handler_with_auth.h"
19
20		#include <gen_cpp/HeartbeatService_types.h>
21
22		#include "service/http/http_channel.h"
23		#include "service/http/utils.h"
24		#include "util/client_cache.h"
25		#include "util/thrift_rpc_helper.h"
26
27		namespace doris {
28
29		class TPrivilegeType;
30		class TPrivilegeHier;
31		class ThriftRpcHelper;
32
33		HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, TPrivilegeHier::type hier,
34		TPrivilegeType::type type)
35	20	: _exec_env(exec_env), _hier(hier), _type(type) {}
36
37	46	int HttpHandlerWithAuth::on_header(HttpRequest* req) {
38		//if u return value isn't 0,u should `send_reply`,Avoid requesting links that never return.
39	46	TCheckAuthRequest auth_request;
40	46	TCheckAuthResult auth_result;
41	46	AuthInfo auth_info;
42
43	46	if (!config::enable_all_http_auth) {
44	12	return 0;
45	12	}
46
47		// When enable_all_http_auth is true, even NONE type APIs require authentication
48		// (enable_all_http_auth means "enable authentication for ALL HTTP APIs")
49		// Note: This overrides the default behavior where NONE type APIs bypass auth
50
51	34	if (!parse_basic_auth(*req, &auth_info)) {
52	15	LOG(WARNING) << "parse basic authorization failed"
53	15	<< ", request: " << req->debug_string();
54	15	evhttp_add_header(evhttp_request_get_output_headers(req->get_evhttp_request()),
55	15	"WWW-Authenticate", "Basic realm=\"Restricted\"");
56	15	HttpChannel::send_reply(req, HttpStatus::UNAUTHORIZED);
57	15	return -1;
58	15	}
59
60		// check auth by token
61	19	if (auth_info.token != "") {
62	2	#ifdef BE_TEST
63	2	if (auth_info.token == "valid_token") {
64	1	return 0;
65		#else
66		if (_exec_env->check_auth_token(auth_info.token)) {
67		return 0;
68		#endif
69	1	} else {
70	1	LOG(WARNING) << "invalid auth token, request: " << req->debug_string();
71	1	HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
72	1	return -1;
73	1	}
74	2	}
75
76		// check auth by user/password
77	17	auth_request.user = auth_info.user;
78	17	auth_request.passwd = auth_info.passwd;
79	17	auth_request.__set_cluster(auth_info.cluster);
80	17	auth_request.__set_user_ip(auth_info.user_ip);
81	17	auth_request.__set_thrift_rpc_timeout_ms(config::thrift_rpc_timeout_ms);
82
83	17	if (!on_privilege(*req, auth_request)) {
84	1	LOG(WARNING) << "invalid privilege, request: " << req->debug_string();
85	1	HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
86	1	return -1;
87	1	}
88
89		#ifndef BE_TEST
90		TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
91		if (master_addr.hostname.empty() \|\| master_addr.port == 0) {
92		LOG(WARNING) << "Not found master fe, Can't auth API request: " << req->debug_string();
93		HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
94		return -1;
95		}
96		{
97		auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
98		master_addr.hostname, master_addr.port,
99		[&auth_result, &auth_request](FrontendServiceConnection& client) {
100		client->checkAuth(auth_result, auth_request);
101		});
102		if (!status) {
103		LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
104		<< ", Fe port:" << master_addr.port << ".Status:" << status.to_string()
105		<< ".Request: " << req->debug_string();
106		HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
107		return -1;
108		}
109		}
110		#else
111	16	if (auth_request.user == "root" && auth_request.passwd.empty()) {
112	5	auth_result.status.status_code = TStatusCode::type::OK;
113	5	auth_result.status.error_msgs.clear();
114	11	} else {
115	11	HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
116	11	return -1;
117	11	}
118	5	#endif
119	5	Status status(Status::create(auth_result.status));
120	5	if (!status.ok()) {
121	0	LOG(WARNING) << "permission verification failed, request: " << auth_request;
122	0	HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
123	0	return -1;
124	0	}
125	5	return 0;
126	5	}
127
128		} // namespace doris

Coverage Report

Created: 2026-04-09 19:46