From 53900fc070f5df2f17ad33032eb4a467826b7dc3 Mon Sep 17 00:00:00 2001
From: Andrew Ho
Date: Tue, 7 Apr 2026 10:21:12 -0700
Subject: [PATCH] Change auth from WRITE to READ for specGetAll
---
 .../supervisor/SupervisorResource.java | 18 ++++++++++++++----
 .../supervisor/SupervisorResourceTest.java | 19 +++++++++++++++++++
 2 files changed, 33 insertions(+), 4 deletions(-)
diff --git a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
index 6b145be07e4a..829c0be520ba 100644
--- a/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
+++ b/indexing-service/src/main/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResource.java
@@ -201,10 +201,20 @@ public Response specGetAll(
 {
 return asLeaderWithSupervisorManager(
 manager -> {
- Set authorizedSupervisorIds = filterAuthorizedSupervisorIds(
- req,
- manager,
- manager.getSupervisorIds()
+ Function> readRaGenerator = supervisorId -> {
+ Optional supervisorSpecOptional = manager.getSupervisorSpec(supervisorId);
+ return supervisorSpecOptional
+ .transform(spec -> SPEC_DATASOURCE_READ_RA_GENERATOR.apply(new VersionedSupervisorSpec(spec, null)))
+ .orNull();
+ };
+
+ Set authorizedSupervisorIds = Sets.newHashSet(
+ AuthorizationUtils.filterAuthorizedResources(
+ req,
+ manager.getSupervisorIds(),
+ readRaGenerator,
+ authorizerMapper
+ )
 );
 final boolean includeFull = full != null;
 final boolean includeState = state != null && state;
diff --git a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
index 6c099a53b3a1..fffdb06c8727 100644
--- a/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
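Review bot: The READ-level filter built here gates every output mode of specGetAll, including the `full` branch that starts right after the hunk (`includeFull`), so a caller holding only READ on a datasource would now receive whole supervisor specs rather than just ids. If specs can embed ingestion connection settings or credentials, this widens who can see them; confirm that spec serialization redacts such fields, or keep the WRITE generator when `full` is requested. Separately, `readRaGenerator` returns null through `.orNull()` when a spec disappears between `getSupervisorIds()` and `getSupervisorSpec()`, which is only safe if `filterAuthorizedResources` treats a null result as deny; a comment such as `// null => spec no longer present; id is filtered out (fail closed)` would document that reliance. The lambda body of specGetAll continues outside the hunk.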
+++ b/indexing-service/src/test/java/org/apache/druid/indexing/overlord/supervisor/SupervisorResourceTest.java
@@ -341,6 +341,25 @@ public void testSpecGetAll()
 Assert.assertEquals(503, response.getStatus());
 }
 
+ @Test
+ public void testSpecGetAllWithPartialAuthorizationForReadAccess()
+ {
+ EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager));
+ EasyMock.expect(supervisorManager.getSupervisorIds()).andReturn(SUPERVISOR_IDS).atLeastOnce();
+ EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC1.getId())).andReturn(Optional.of(SPEC1));
+ EasyMock.expect(supervisorManager.getSupervisorSpec(SPEC2.getId())).andReturn(Optional.of(SPEC2));
+ setupMockRequestForUser("notDruid");
+ replayAll();
+
+ Response response = supervisorResource.specGetAll(null, null, null, request);
+ verifyAll();
+
+ Assert.assertEquals(200, response.getStatus());
+ // Only id1 (datasource1) should be returned since user lacks READ access to datasource2
+ Set returnedIds = (Set) response.getEntity();
+ Assert.assertEquals(ImmutableSet.of("id1"), returnedIds);
+ }
+
 @Test
 public void testSpecGetAllFull()
 {
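Review bot: This test only calls `specGetAll(null, null, null, request)`, so the new READ filter is never exercised with `full` or `state` set, which is where a read-only caller gains the most data. Whether the mock authorizer behind `setupMockRequestForUser("notDruid")` distinguishes READ from WRITE is not visible in the hunk; if it decides on datasource name alone, the assertion would also have passed under the old WRITE check and does not pin the permission change. Consider adding a case where `getSupervisorSpec` returns `Optional.absent()` for one id and asserting that the id is omitted, which covers the null path of the generator.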