be/src/service/http/http_handler_with_auth.cpp

Source
// Licensed to the Apache Software Foundation (ASF) under one
// or more contributor license agreements.  See the NOTICE file
// distributed with this work for additional information
// regarding copyright ownership.  The ASF licenses this file
// to you under the Apache License, Version 2.0 (the
// "License"); you may not use this file except in compliance
// with the License.  You may obtain a copy of the License at
//
//   http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing,
// software distributed under the License is distributed on an
// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
// KIND, either express or implied.  See the License for the
// specific language governing permissions and limitations
// under the License.

#include "service/http/http_handler_with_auth.h"

#include <gen_cpp/HeartbeatService_types.h>

#include "service/http/http_channel.h"
#include "service/http/utils.h"
#include "util/client_cache.h"
#include "util/thrift_rpc_helper.h"

namespace doris {

class TPrivilegeType;
class TPrivilegeHier;
class ThriftRpcHelper;

HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, TPrivilegeHier::type hier,
                                         TPrivilegeType::type type)
        : _exec_env(exec_env), _hier(hier), _type(type) {}

int HttpHandlerWithAuth::on_header(HttpRequest* req) {
    //if u return value isn't 0,u should `send_reply`,Avoid requesting links that never return.
    TCheckAuthRequest auth_request;
    TCheckAuthResult auth_result;
    AuthInfo auth_info;

    if (!config::enable_all_http_auth) {
        return 0;
    }

    if (!parse_basic_auth(*req, &auth_info)) {
        LOG(WARNING) << "parse basic authorization failed"
                     << ", request: " << req->debug_string();
        evhttp_add_header(evhttp_request_get_output_headers(req->get_evhttp_request()),
                          "WWW-Authenticate", "Basic realm=\"Restricted\"");
        HttpChannel::send_reply(req, HttpStatus::UNAUTHORIZED);
        return -1;
    }

    // check auth by token
    if (auth_info.token != "") {
#ifdef BE_TEST
        if (auth_info.token == "valid_token") {
            return 0;
#else
        if (_exec_env->check_auth_token(auth_info.token)) {
            return 0;
#endif
        } else {
            LOG(WARNING) << "invalid auth token, request: " << req->debug_string();
            HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
            return -1;
        }
    }

    // check auth by user/password
    auth_request.user = auth_info.user;
    auth_request.passwd = auth_info.passwd;
    auth_request.__set_cluster(auth_info.cluster);
    auth_request.__set_user_ip(auth_info.user_ip);
    auth_request.__set_thrift_rpc_timeout_ms(config::thrift_rpc_timeout_ms);

    if (!on_privilege(*req, auth_request)) {
        LOG(WARNING) << "invalid privilege, request: " << req->debug_string();
        HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
        return -1;
    }

#ifndef BE_TEST
    TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
    if (master_addr.hostname.empty() || master_addr.port == 0) {
        LOG(WARNING) << "Not found master fe, Can't auth API request: " << req->debug_string();
        HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
        return -1;
    }
    {
        auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
                master_addr.hostname, master_addr.port,
                [&auth_result, &auth_request](FrontendServiceConnection& client) {
                    client->checkAuth(auth_result, auth_request);
                });
        if (!status) {
            LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
                         << ", Fe port:" << master_addr.port << ".Status:" << status.to_string()
                         << ".Request: " << req->debug_string();
            HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
            return -1;
        }
    }
#else
    if (auth_request.user == "root" && auth_request.passwd.empty()) {
        auth_result.status.status_code = TStatusCode::type::OK;
        auth_result.status.error_msgs.clear();
    } else {
        HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
        return -1;
    }
#endif
    Status status(Status::create(auth_result.status));
    if (!status.ok()) {
        LOG(WARNING) << "permission verification failed, request: " << auth_request;
        HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
        return -1;
    }
    return 0;
}

} // namespace doris

Line	Count	Source
1		// Licensed to the Apache Software Foundation (ASF) under one
2		// or more contributor license agreements. See the NOTICE file
3		// distributed with this work for additional information
4		// regarding copyright ownership. The ASF licenses this file
5		// to you under the Apache License, Version 2.0 (the
6		// "License"); you may not use this file except in compliance
7		// with the License. You may obtain a copy of the License at
8		//
9		// http://www.apache.org/licenses/LICENSE-2.0
10		//
11		// Unless required by applicable law or agreed to in writing,
12		// software distributed under the License is distributed on an
13		// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
14		// KIND, either express or implied. See the License for the
15		// specific language governing permissions and limitations
16		// under the License.
17
18		#include "service/http/http_handler_with_auth.h"
19
20		#include <gen_cpp/HeartbeatService_types.h>
21
22		#include "service/http/http_channel.h"
23		#include "service/http/utils.h"
24		#include "util/client_cache.h"
25		#include "util/thrift_rpc_helper.h"
26
27		namespace doris {
28
29		class TPrivilegeType;
30		class TPrivilegeHier;
31		class ThriftRpcHelper;
32
33		HttpHandlerWithAuth::HttpHandlerWithAuth(ExecEnv* exec_env, TPrivilegeHier::type hier,
34		TPrivilegeType::type type)
35	11	: _exec_env(exec_env), _hier(hier), _type(type) {}
36
37	39	int HttpHandlerWithAuth::on_header(HttpRequest* req) {
38		//if u return value isn't 0,u should `send_reply`,Avoid requesting links that never return.
39	39	TCheckAuthRequest auth_request;
40	39	TCheckAuthResult auth_result;
41	39	AuthInfo auth_info;
42
43	39	if (!config::enable_all_http_auth) {
44	11	return 0;
45	11	}
46
47	28	if (!parse_basic_auth(*req, &auth_info)) {
48	11	LOG(WARNING) << "parse basic authorization failed"
49	11	<< ", request: " << req->debug_string();
50	11	evhttp_add_header(evhttp_request_get_output_headers(req->get_evhttp_request()),
51	11	"WWW-Authenticate", "Basic realm=\"Restricted\"");
52	11	HttpChannel::send_reply(req, HttpStatus::UNAUTHORIZED);
53	11	return -1;
54	11	}
55
56		// check auth by token
57	17	if (auth_info.token != "") {
58	2	#ifdef BE_TEST
59	2	if (auth_info.token == "valid_token") {
60	1	return 0;
61		#else
62		if (_exec_env->check_auth_token(auth_info.token)) {
63		return 0;
64		#endif
65	1	} else {
66	1	LOG(WARNING) << "invalid auth token, request: " << req->debug_string();
67	1	HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
68	1	return -1;
69	1	}
70	2	}
71
72		// check auth by user/password
73	15	auth_request.user = auth_info.user;
74	15	auth_request.passwd = auth_info.passwd;
75	15	auth_request.__set_cluster(auth_info.cluster);
76	15	auth_request.__set_user_ip(auth_info.user_ip);
77	15	auth_request.__set_thrift_rpc_timeout_ms(config::thrift_rpc_timeout_ms);
78
79	15	if (!on_privilege(*req, auth_request)) {
80	1	LOG(WARNING) << "invalid privilege, request: " << req->debug_string();
81	1	HttpChannel::send_error(req, HttpStatus::BAD_REQUEST);
82	1	return -1;
83	1	}
84
85		#ifndef BE_TEST
86		TNetworkAddress master_addr = _exec_env->cluster_info()->master_fe_addr;
87		if (master_addr.hostname.empty() \|\| master_addr.port == 0) {
88		LOG(WARNING) << "Not found master fe, Can't auth API request: " << req->debug_string();
89		HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
90		return -1;
91		}
92		{
93		auto status = ThriftRpcHelper::rpc<FrontendServiceClient>(
94		master_addr.hostname, master_addr.port,
95		[&auth_result, &auth_request](FrontendServiceConnection& client) {
96		client->checkAuth(auth_result, auth_request);
97		});
98		if (!status) {
99		LOG(WARNING) << "CheckAuth Rpc Fail.Fe Ip:" << master_addr.hostname
100		<< ", Fe port:" << master_addr.port << ".Status:" << status.to_string()
101		<< ".Request: " << req->debug_string();
102		HttpChannel::send_error(req, HttpStatus::SERVICE_UNAVAILABLE);
103		return -1;
104		}
105		}
106		#else
107	14	if (auth_request.user == "root" && auth_request.passwd.empty()) {
108	3	auth_result.status.status_code = TStatusCode::type::OK;
109	3	auth_result.status.error_msgs.clear();
110	11	} else {
111	11	HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
112	11	return -1;
113	11	}
114	3	#endif
115	3	Status status(Status::create(auth_result.status));
116	3	if (!status.ok()) {
117	0	LOG(WARNING) << "permission verification failed, request: " << auth_request;
118	0	HttpChannel::send_reply(req, HttpStatus::FORBIDDEN);
119	0	return -1;
120	0	}
121	3	return 0;
122	3	}
123
124		} // namespace doris

Coverage Report

Created: 2026-03-15 22:14