Controller AccessControl interface accepts Request parameter

[ilamhs]

Labels:

• feature
• release-notes (backward compatible, note the deprecation, later on major semver remove the deprecation)

Context

• Accessing Peer certificates in Access Control #13556
• Supersedes this draft solution at Accept Request in controller AccessControl #13637

This allows for using properties of the Request object in the AccessControl to achieve things like using the peer TLS certificates to assign roles ( tested and running in Production with this PR on our cluster using Request)

Notes

• Backward compatible - Existing users of AccessControl interface who only define the deprecated methods have the exact same behavior as well (ignoring the Request essentially)
• Updated the usage of AccessControl across Pinot source with the new methods only ( the deprecated methods are not used in the Pinot source anymore - comes in very handy at dropping the deprecation)
• Not quite sure on how to sequence dropping the deprecation in a next major version release, would a Github issue or a release tracker note be the right way?

[ilamhs]

@Jackie-Jiang , @mcvsubbu Adding in previous reviewers of the similar draft PR.

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 27.77778% with 39 lines in your changes missing coverage. Please review.

Project coverage is 63.83%. Comparing base (59551e4) to head (3839bac).
Report is 1325 commits behind head on master.

Files with missing lines	Patch %	Lines
...ces/PinotSegmentUploadDownloadRestletResource.java	17.64%	27 Missing and 1 partial ⚠️
...t/controller/api/resources/PinotQueryResource.java	33.33%	4 Missing ⚠️
...ller/api/access/BasicAuthAccessControlFactory.java	0.00%	3 Missing ⚠️
...er/api/access/ZkBasicAuthAccessControlFactory.java	0.00%	2 Missing ⚠️
...inot/controller/api/access/AccessControlUtils.java	50.00%	0 Missing and 1 partial ⚠️
...ler/api/resources/PinotControllerAuthResource.java	0.00%	1 Missing ⚠️

Additional details and impacted files

@@             Coverage Diff              @@
##             master   #14414      +/-   ##
============================================
+ Coverage     61.75%   63.83%   +2.08%     
- Complexity      207     1555    +1348     
============================================
  Files          2436     2660     +224     
  Lines        133233   146017   +12784     
  Branches      20636    22359    +1723     
============================================
+ Hits          82274    93206   +10932     
- Misses        44911    45909     +998     
- Partials       6048     6902     +854     

Flag	Coverage Δ
custom-integration1	100.00% <ø> (+99.99%)	⬆️
integration	100.00% <ø> (+99.99%)	⬆️
integration1	100.00% <ø> (+99.99%)	⬆️
integration2	0.00% <ø> (ø)
java-11	63.72% <27.77%> (+2.01%)	⬆️
java-21	63.73% <27.77%> (+2.10%)	⬆️
skip-bytebuffers-false	63.81% <27.77%> (+2.07%)	⬆️
skip-bytebuffers-true	63.63% <27.77%> (+35.90%)	⬆️
temurin	63.83% <27.77%> (+2.08%)	⬆️
unittests	63.82% <27.77%> (+2.08%)	⬆️
unittests1	55.43% <ø> (+8.54%)	⬆️
unittests2	34.22% <27.77%> (+6.49%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ilamhs]

The failing Integration Tests seem to be unrelated to the code in the PR above.

[shounakmk219]

Can you create a new method with the request param and deprecate the existing one, instead of changing the existing method?

[ilamhs]

I see, just for my understanding, is the concern that validatePermission function is used outside this codebase and a deprecation path will be better?

[shounakmk219]

That's correct.

[shounakmk219]

Just for my info, how is the injection handled across different requests on various endpoints?

[shounakmk219]

There are lot of formatting changes and it seems off at lot of places. Can you please revert them?