Fix coordinator->overlord proxy auth failure (#5039)

* Fix coordinator->overlord proxy auth failure * PR comment
2017-11-03 13:54:41 -07:00 · 2017-11-03 13:54:41 -07:00 · 13c0d88ffc
parent 7c8b14f18c
commit 13c0d88ffc
3 changed files with 83 additions and 0 deletions
--- a/integration-tests/src/main/java/io/druid/testing/clients/CoordinatorResourceTestClient.java
+++ b/integration-tests/src/main/java/io/druid/testing/clients/CoordinatorResourceTestClient.java
@ -29,6 +29,7 @@ import com.metamx.http.client.Request;
 import com.metamx.http.client.response.StatusResponseHandler;
 import com.metamx.http.client.response.StatusResponseHolder;
 import io.druid.java.util.common.ISE;
+import io.druid.java.util.common.RE;
 import io.druid.java.util.common.StringUtils;
 import io.druid.testing.IntegrationTestingConfig;
 import io.druid.testing.guice.TestClient;
@ -155,6 +156,23 @@ public class CoordinatorResourceTestClient
    }
  }

+  public HttpResponseStatus getProxiedOverlordScalingResponseStatus()
+  {
+    try {
+      StatusResponseHolder response = makeRequest(
+          HttpMethod.GET,
+          StringUtils.format(
+              "%s/druid/indexer/v1/scaling",
+              coordinator
+          )
+      );
+      return response.getStatus();
+    }
+    catch (Exception e) {
+      throw new RE(e, "Unable to get scaling status from [%s]", coordinator);
+    }
+  }
+
  private StatusResponseHolder makeRequest(HttpMethod method, String url)
  {
    try {
--- a/integration-tests/src/test/java/io/druid/tests/security/ITCoordinatorOverlordProxyAuthTest.java
+++ b/integration-tests/src/test/java/io/druid/tests/security/ITCoordinatorOverlordProxyAuthTest.java
@ -0,0 +1,42 @@
+/*
+ * Licensed to Metamarkets Group Inc. (Metamarkets) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. Metamarkets licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package io.druid.tests.security;
+
+import com.google.inject.Inject;
+import io.druid.testing.clients.CoordinatorResourceTestClient;
+import io.druid.testing.guice.DruidTestModuleFactory;
+import org.jboss.netty.handler.codec.http.HttpResponseStatus;
+import org.testng.Assert;
+import org.testng.annotations.Guice;
+import org.testng.annotations.Test;
+
+@Guice(moduleFactory = DruidTestModuleFactory.class)
+public class ITCoordinatorOverlordProxyAuthTest
+{
+  @Inject
+  CoordinatorResourceTestClient coordinatorClient;
+  
+  @Test
+  public void testProxyAuth() throws Exception
+  {
+    HttpResponseStatus responseStatus = coordinatorClient.getProxiedOverlordScalingResponseStatus();
+    Assert.assertEquals(HttpResponseStatus.OK, responseStatus);
+  }
+}
--- a/server/src/main/java/io/druid/server/http/OverlordProxyServlet.java
+++ b/server/src/main/java/io/druid/server/http/OverlordProxyServlet.java
@ -24,9 +24,12 @@ import com.google.inject.Inject;
 import io.druid.client.indexing.IndexingService;
 import io.druid.discovery.DruidLeaderClient;
 import io.druid.java.util.common.ISE;
+import io.druid.server.security.AuthConfig;
+import org.eclipse.jetty.client.api.Request;
 import org.eclipse.jetty.proxy.ProxyServlet;

 import javax.servlet.http.HttpServletRequest;
+import javax.servlet.http.HttpServletResponse;
 import java.net.URI;
 import java.net.URISyntaxException;

@ -66,4 +69,24 @@ public class OverlordProxyServlet extends ProxyServlet
      throw Throwables.propagate(e);
    }
  }
+
+  @Override
+  protected void sendProxyRequest(
+      HttpServletRequest clientRequest,
+      HttpServletResponse proxyResponse,
+      Request proxyRequest
+  )
+  {
+    // Since we can't see the request object on the remote side, we can't check whether the remote side actually
+    // performed an authorization check here, so always set this to true for the proxy servlet.
+    // If the remote node failed to perform an authorization check, PreResponseAuthorizationCheckFilter
+    // will log that on the remote node.
+    clientRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
+
+    super.sendProxyRequest(
+        clientRequest,
+        proxyResponse,
+        proxyRequest
+    );
+  }
 }