Skip to content

Adding controller config for disabling Groovy in ingestionConfig #8169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
Jackie-Jiang merged 2 commits into from
Feb 10, 2022
Merged

Adding controller config for disabling Groovy in ingestionConfig #8169

Jackie-Jiang merged 2 commits into from
Feb 10, 2022

Conversation

@timsants
Copy link
Contributor

@timsants timsants commented Feb 8, 2022
edited by Jackie-Jiang
Loading

Description

This change adds a broker config for disabling Groovy transform and filter functions in the table ingestion config as it is a security risk. See Github issue #7966. By default, Groovy is allowed for backwards compatibility to not break existing use cases which currently use Groovy.

This PR is a follow up to #8159 which adds the broker config for disabling groovy in Pinot queries.

Testing

Added unit tests and tested config with quick-start config override.

Upgrade Notes

Does this PR prevent a zero down-time upgrade? (Assume upgrade order: Controller, Broker, Server, Minion)

  • Yes (Please label as backward-incompat, and complete the section below on Release Notes)

Does this PR fix a zero-downtime upgrade introduced earlier?

  • Yes (Please label this as backward-incompat, and complete the section below on Release Notes)

Does this PR otherwise need attention when creating release notes? Things to consider:

  • Yes (Please label this PR as release-notes and complete the section on Release Notes)

Release Notes

Introduced new config for disabling Groovy in ingestionConfig: controller.disable.ingestion.groovy. If not defined, defaults to false.

Jackie-Jiang
Jackie-Jiang reviewed Feb 8, 2022
View reviewed changes
...nt-local/src/main/java/org/apache/pinot/segment/local/function/FunctionEvaluatorFactory.java Outdated
Copy link
Contributor

@Jackie-Jiang Jackie-Jiang Feb 8, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add a method isGroovyExpression() instead of passing disableGroovy to the getter

Copy link
Contributor Author

@timsants timsants Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So are you saying that we first call isGroovyExpression(String transformExpression, boolean disableGroovy) and pass the return value to the getter? i.e.

public static FunctionEvaluator getExpressionEvaluator(String transformExpression, boolean isGroovyExpression).

Copy link
Contributor

@Jackie-Jiang Jackie-Jiang Feb 9, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Basically adding a method public static boolean isGroovyExpression(String transformExpression). The table config validator can call this method, and throw exception if it returns true

Copy link
Contributor Author

@timsants timsants Feb 10, 2022

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Updated. Let me know if this was what you were thinking.

@codecov-commenter
Copy link

codecov-commenter commented Feb 10, 2022
edited
Loading

Codecov Report

Merging #8169 (38e0d00) into master (6844cb3) will increase coverage by 0.00%.
The diff coverage is 18.75%.

Impacted file tree graph

@@           Coverage Diff           @@
##           master    #8169   +/-   ##
=======================================
  Coverage   30.67%   30.68%           
=======================================
  Files        1612     1612           
  Lines       83962    83970    +8     
  Branches    12602    12604    +2     
=======================================
+ Hits        25754    25764   +10     
+ Misses      55919    55917    -2     
  Partials     2289     2289
Flag Coverage Δ
integration1 28.85% <18.75%> (-0.07%) ⬇️
integration2 27.69% <18.75%> (+0.14%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files Coverage Δ
...ler/api/resources/TableConfigsRestletResource.java 0.00% <0.00%> (ø)
...gment/local/function/FunctionEvaluatorFactory.java 0.00% <0.00%> (ø)
...he/pinot/segment/local/utils/TableConfigUtils.java 0.00% <0.00%> (ø)
...oller/api/resources/PinotTableRestletResource.java 26.98% <66.66%> (ø)
...va/org/apache/pinot/controller/ControllerConf.java 51.82% <100.00%> (-0.22%) ⬇️
...nction/DistinctCountBitmapAggregationFunction.java 45.59% <0.00%> (-6.74%) ⬇️
.../common/request/context/predicate/EqPredicate.java 53.33% <0.00%> (-6.67%) ⬇️
...e/pinot/controller/helix/SegmentStatusChecker.java 66.90% <0.00%> (-4.93%) ⬇️
...core/query/pruner/SelectionQuerySegmentPruner.java 82.95% <0.00%> (-2.28%) ⬇️
...ava/org/apache/pinot/core/plan/FilterPlanNode.java 57.84% <0.00%> (-1.97%) ⬇️
... and 24 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 6844cb3...38e0d00. Read the comment docs.

@timsants timsants marked this pull request as ready for review February 10, 2022 19:00
@Jackie-Jiang Jackie-Jiang merged commit b12b7bb into apache:master Feb 10, 2022
@Jackie-Jiang Jackie-Jiang deleted the groovy_config_pt2 branch February 10, 2022 21:09
@Jackie-Jiang Jackie-Jiang added the release-notes Referenced by PRs that need attention when compiling the next release notes label Feb 10, 2022
@timsants timsants mentioned this pull request Feb 12, 2022
Merged
2 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Jackie-Jiang Jackie-Jiang Jackie-Jiang approved these changes

Assignees

No one assigned

Labels

release-notes Referenced by PRs that need attention when compiling the next release notes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@timsants @codecov-commenter @Jackie-Jiang