Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support LDAP authentication/authorization (#6972) 

* Support LDAP authentication/authorization

* fixed integration-tests

* fixed Travis CI build errors related to druid-security module

* fixed failing test

* fixed failing test header

* added comments, force build

* fixes for strict compilation spotbugs checks

* removed authenticator rolling credential update feature

* removed escalator rolling credential update feature

* fixed teamcity inspection deprecated API usage error

* fixed checkstyle execution error, removed unused import

* removed cached config as part of removing authenticator rolling credential update feature

* removed config bundle entity as part of removing authenticator rolling credential update feature

* refactored ldao configuration

* added support for SSLContext configuration and TLSCertificateChecker

* removed check to return authentication failure when user has no group assigned, will be checked and handled by the authorizer

* Separate out authorizer checks between metadata-backed store user and LDAP user/groups

* refactored BasicSecuritySSLSocketFactory usage to fix strict compilation spotbugs checks

* fixes build issue

* final review comments updates

* final review comments updates

* fixed LGTM and spellcheck alerts

* Fixed Avatica auth failure error message check

* Updated metadata credentials validator exception message string, replaced DB with metadata store
This commit is contained in:
Mohammad J. Khan 2019-10-08 19:08:27 -05:00 committed by Jonathan Wei
parent 46ddaf3aa1
commit 18758f5228
62 changed files with 4671 additions and 461 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
docs/development/extensions-core/druid-basic-security.md
View File

@ -25,8 +25,8 @@ title: "Basic Security"
This Apache Druid (incubating) extension adds:
- an Authenticator which supports [HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication)
- an Authorizer which implements basic role-based access control
- an Authenticator which supports [HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) using the Druid metadata store or LDAP as its credentials store
- an Authorizer which implements basic role-based access control for Druid metadata store or LDAP users and groups
Make sure to [include](../../development/extensions.md#loading-extensions) `druid-basic-security` as an extension.
@ -34,7 +34,7 @@ Please see [Authentication and Authorization](../../design/auth.md) for more inf
## Configuration
The examples in the section will use "MyBasicAuthenticator" and "MyBasicAuthorizer" as names for the Authenticator and Authorizer.
The examples in the section will use "MyBasicMetadataAuthenticator", "MyBasicLDAPAuthenticator", "MyBasicMetadataAuthorizer", and "MyBasicLDAPAuthorizer" as names for the Authenticators and Authorizer.
These properties are not tied to specific Authenticator or Authorizer instances.
@ -43,23 +43,27 @@ These configuration properties should be added to the common runtime properties
### Properties
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current authenticator/authorizer database state.|60000|No|
|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.|60000|No|
|`druid.auth.basic.common.maxRandomDelay`|Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.|6000|No|
|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization database state sync with the Coordinator fails.|10|No|
|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer database caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No|
|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.|10|No|
|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No|
### Creating an Authenticator
### Creating an Authenticator that uses the Druid metadata store to lookup and validate credentials
```
druid.auth.authenticatorChain=["MyBasicAuthenticator"]
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicAuthenticator.type=basic
druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword=password1
druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword=password2
druid.auth.authenticator.MyBasicAuthenticator.authorizerName=MyBasicAuthorizer
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer
```
To use the Basic authenticator, add an authenticator with type `basic` to the authenticatorChain.
The authenticator needs to also define a credentialsValidator with type 'metadata' or 'ldap'.
If credentialsValidator is not specified, type 'metadata' will be used as default.
Configuration of the named authenticator is assigned through properties with the form:
@ -67,18 +71,41 @@ Configuration of the named authenticator is assigned through properties with the
druid.auth.authenticator.<authenticatorName>.<authenticatorProperty>
```
The configuration examples in the rest of this document will use "MyBasicAuthenticator" as the name of the authenticator being configured.
The authenticator configuration examples in the rest of this document will use "MyBasicMetadataAuthenticator" or "MyBasicLDAPAuthenticator" as the name of the authenticators being configured.
#### Properties
#### Properties for Druid metadata store user authentication
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authenticator.MyBasicAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authenticator.MyBasicAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No|
|`druid.auth.authenticator.MyBasicAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`|The type of credentials store (metadata) to validate requests credentials.|metadata|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes|
#### Properties for LDAP user authentication
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`|The type of credentials store (ldap) to validate requests credentials.|metadata|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`|URL of the LDAP server.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`|LDAP bind user username.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`|[Password Provider](../../operations/password-provider.md) LDAP bind user password.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`|The point from where the LDAP server will search for users.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`|The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`|The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName. |null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`|The duration in seconds for how long valid credentials are verifiable within the cache when not requested.|600|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`|The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.|3600|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`|The valid credentials cache size. The cache uses a LRU policy.|100|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`|Authorizer that requests should be directed to.|N/A|Yes|
### Creating an Escalator
@ -87,7 +114,7 @@ The configuration examples in the rest of this document will use "MyBasicAuthent
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=password2
druid.escalator.authorizerName=MyBasicAuthorizer
druid.escalator.authorizerName=MyBasicMetadataAuthorizer
```
#### Properties
@ -100,24 +127,40 @@ druid.escalator.authorizerName=MyBasicAuthorizer
### Creating an Authorizer
```
druid.auth.authorizers=["MyBasicAuthorizer"]
druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
druid.auth.authorizer.MyBasicAuthorizer.type=basic
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
```
To use the Basic authorizer, add an authenticator with type `basic` to the authorizers list.
To use the Basic authorizer, add an authorizer with type `basic` to the authorizers list.
Configuration of the named authenticator is assigned through properties with the form:
Configuration of the named authorizer is assigned through properties with the form:
```
druid.auth.authorizer.<authorizerName>.<authorizerProperty>
```
#### Properties
The authorizer configuration examples in the rest of this document will use "MyBasicMetadataAuthorizer" or "MyBasicLDAPAuthorizer" as the name of the authenticators being configured.
#### Properties for Druid metadata store user authorization
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authorizer.MyBasicAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authorizer.MyBasicAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type of role provider to authorize requests credentials.|metadata|No
#### Properties for LDAP user authorization
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping|null|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of role provider (ldap) to authorize requests credentials.|metadata|No
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.|null|No|
## Usage
@ -157,7 +200,7 @@ Example request body:
##### Cache Load Status
`GET(/druid-ext/basic-security/authentication/loadStatus)`
Return the current load status of the local caches of the authentication database.
Return the current load status of the local caches of the authentication Druid metadata store.
#### Authorization API
@ -262,6 +305,30 @@ Create a new user with name {userName}
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
Delete the user with name {userName}
##### Group mapping Creation/Deletion
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings)`
Return a list of all group mappings.
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})`
Return the group mapping and role information of the group mapping with name {groupMappingName}
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})`
Create a new group mapping with name {groupMappingName}
Content: JSON group mapping object
Example request body:
```
{
"name": "user",
"groupPattern": "CN=aaa,OU=aaa,OU=Groupings,DC=corp,DC=company,DC=com",
"roles": [
"user"
]
}
```
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})`
Delete the group mapping with name {groupMappingName}
#### Role Creation/Deletion
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`
@ -297,7 +364,7 @@ This API supports the following flags:
- `?full`: The output will contain an extra `users` list, containing the users that currently have this role.
```json
"users":["druid"]
{"users":["druid"]}
```
- `?simplifyPermissions`: The permissions in the output will contain only a list of `resourceAction` objects, without the extraneous `resourceNamePattern` field. The `users` field will be null when `?full` is not specified.
@ -336,6 +403,12 @@ Assign role {roleName} to user {userName}.
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
Unassign role {roleName} from user {userName}
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName}/roles/{roleName})`
Assign role {roleName} to group mapping {groupMappingName}.
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName}/roles/{roleName})`
Unassign role {roleName} from group mapping {groupMappingName}
#### Permissions
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`
@ -368,7 +441,7 @@ Please see [Defining permissions](#defining-permissions) for more details.
##### Cache Load Status
`GET(/druid-ext/basic-security/authorization/loadStatus)`
Return the current load status of the local caches of the authorization database.
Return the current load status of the local caches of the authorization Druid metadata store.
## Default user accounts
@ -462,10 +535,10 @@ Queries on the [system schema tables](../../querying/sql.html#system-schema) req
## Configuration Propagation
To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role database state is cached on each Druid process.
To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role Druid metadata store state is cached on each Druid process.
Each process will periodically poll the Coordinator for the latest database state, controlled by the `druid.auth.basic.common.pollingPeriod` and `druid.auth.basic.common.maxRandomDelay` properties.
Each process will periodically poll the Coordinator for the latest Druid metadata store state, controlled by the `druid.auth.basic.common.pollingPeriod` and `druid.auth.basic.common.maxRandomDelay` properties.
When a configuration update occurs, the Coordinator can optionally notify each process with the updated database state. This behavior is controlled by the `enableCacheNotifications` and `cacheNotificationTimeout` properties on Authenticators and Authorizers.
When a configuration update occurs, the Coordinator can optionally notify each process with the updated Druid metadata store state. This behavior is controlled by the `enableCacheNotifications` and `cacheNotificationTimeout` properties on Authenticators and Authorizers.
Note that because of the caching, changes made to the user/role database may not be immediately reflected at each Druid process.
Note that because of the caching, changes made to the user/role Druid metadata store may not be immediately reflected at each Druid process.

38
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java
View File

@ -27,23 +27,32 @@ public class BasicAuthDBConfig
private final PasswordProvider initialAdminPassword;
private final PasswordProvider initialInternalClientPassword;
private final String initialAdminUser;
private final String initialAdminRole;
private final String initialAdminGroupMapping;
private final boolean enableCacheNotifications;
private final long cacheNotificationTimeout;
private final int iterations;
private final int credentialIterations;
public BasicAuthDBConfig(
final PasswordProvider initialAdminPassword,
final PasswordProvider initialInternalClientPassword,
final Boolean enableCacheNotifications,
final Long cacheNotificationTimeout,
final int iterations
final String initialAdminUser,
final String initialAdminRole,
final String initialAdminGroupMapping,
final boolean enableCacheNotifications,
final long cacheNotificationTimeout,
final int credentialIterations
)
{
this.initialAdminPassword = initialAdminPassword;
this.initialInternalClientPassword = initialInternalClientPassword;
this.initialAdminUser = initialAdminUser;
this.initialAdminRole = initialAdminRole;
this.initialAdminGroupMapping = initialAdminGroupMapping;
this.enableCacheNotifications = enableCacheNotifications;
this.cacheNotificationTimeout = cacheNotificationTimeout;
this.iterations = iterations;
this.credentialIterations = credentialIterations;
}
public PasswordProvider getInitialAdminPassword()
@ -56,6 +65,21 @@ public class BasicAuthDBConfig
return initialInternalClientPassword;
}
public String getInitialAdminUser()
{
return initialAdminUser;
}
public String getInitialAdminRole()
{
return initialAdminRole;
}
public String getInitialAdminGroupMapping()
{
return initialAdminGroupMapping;
}
public boolean isEnableCacheNotifications()
{
return enableCacheNotifications;
@ -66,8 +90,8 @@ public class BasicAuthDBConfig
return cacheNotificationTimeout;
}
public int getIterations()
public int getCredentialIterations()
{
return iterations;
return credentialIterations;
}
}

111
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthLDAPConfig.java Normal file
View File

@ -0,0 +1,111 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic;
import org.apache.druid.metadata.PasswordProvider;
public class BasicAuthLDAPConfig
{
private final String url;
private final String bindUser;
private final PasswordProvider bindPassword;
private final String baseDn;
private final String userSearch;
private final String userAttribute;
private final int credentialIterations;
private final Integer credentialVerifyDuration;
private final Integer credentialMaxDuration;
private final Integer credentialCacheSize;
public BasicAuthLDAPConfig(
final String url,
final String bindUser,
final PasswordProvider bindPassword,
final String baseDn,
final String userSearch,
final String userAttribute,
final int credentialIterations,
final Integer credentialVerifyDuration,
final Integer credentialMaxDuration,
final Integer credentialCacheSize
)
{
this.url = url;
this.bindUser = bindUser;
this.bindPassword = bindPassword;
this.baseDn = baseDn;
this.userSearch = userSearch;
this.userAttribute = userAttribute;
this.credentialIterations = credentialIterations;
this.credentialVerifyDuration = credentialVerifyDuration;
this.credentialMaxDuration = credentialMaxDuration;
this.credentialCacheSize = credentialCacheSize;
}
public String getUrl()
{
return url;
}
public String getBindUser()
{
return bindUser;
}
public PasswordProvider getBindPassword()
{
return bindPassword;
}
public String getBaseDn()
{
return baseDn;
}
public String getUserSearch()
{
return userSearch;
}
public String getUserAttribute()
{
return userAttribute;
}
public int getCredentialIterations()
{
return credentialIterations;
}
public Integer getCredentialVerifyDuration()
{
return credentialVerifyDuration;
}
public Integer getCredentialMaxDuration()
{
return credentialMaxDuration;
}
public Integer getCredentialCacheSize()
{
return credentialCacheSize;
}
}

181
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthSSLConfig.java Normal file
View File

@ -0,0 +1,181 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import org.apache.druid.metadata.PasswordProvider;
public class BasicAuthSSLConfig
{
@JsonProperty
private String protocol;
@JsonProperty
private String trustStoreType;
@JsonProperty
private String trustStorePath;
@JsonProperty
private String trustStoreAlgorithm;
@JsonProperty("trustStorePassword")
private PasswordProvider trustStorePasswordProvider;
@JsonProperty
private String keyStorePath;
@JsonProperty
private String keyStoreType;
@JsonProperty
private String certAlias;
@JsonProperty("keyStorePassword")
private PasswordProvider keyStorePasswordProvider;
@JsonProperty("keyManagerPassword")
private PasswordProvider keyManagerPasswordProvider;
@JsonProperty
private String keyManagerFactoryAlgorithm;
@JsonProperty
private Boolean validateHostnames;
@JsonCreator
public BasicAuthSSLConfig(
@JsonProperty("protocol") String protocol,
@JsonProperty("trustStoreType") String trustStoreType,
@JsonProperty("trustStorePath") String trustStorePath,
@JsonProperty("trustStoreAlgorithm") String trustStoreAlgorithm,
@JsonProperty("trustStorePassword") PasswordProvider trustStorePasswordProvider,
@JsonProperty("keyStorePath") String keyStorePath,
@JsonProperty("keyStoreType") String keyStoreType,
@JsonProperty("certAlias") String certAlias,
@JsonProperty("keyStorePassword") PasswordProvider keyStorePasswordProvider,
@JsonProperty("keyManagerPassword") PasswordProvider keyManagerPasswordProvider,
@JsonProperty("keyManagerFactoryAlgorithm") String keyManagerFactoryAlgorithm,
@JsonProperty("validateHostnames") Boolean validateHostnames
)
{
this.protocol = protocol;
this.trustStoreType = trustStoreType;
this.trustStorePath = trustStorePath;
this.trustStoreAlgorithm = trustStoreAlgorithm;
this.trustStorePasswordProvider = trustStorePasswordProvider;
this.keyStorePath = keyStorePath;
this.keyStoreType = keyStoreType;
this.certAlias = certAlias;
this.keyStorePasswordProvider = keyStorePasswordProvider;
this.keyManagerPasswordProvider = keyManagerPasswordProvider;
this.keyManagerFactoryAlgorithm = keyManagerFactoryAlgorithm;
this.validateHostnames = validateHostnames;
}
@JsonProperty
public String getProtocol()
{
return protocol;
}
@JsonProperty
public String getTrustStoreType()
{
return trustStoreType;
}
@JsonProperty
public String getTrustStorePath()
{
return trustStorePath;
}
@JsonProperty
public String getTrustStoreAlgorithm()
{
return trustStoreAlgorithm;
}
@JsonProperty("trustStorePassword")
public PasswordProvider getTrustStorePasswordProvider()
{
return trustStorePasswordProvider;
}
@JsonProperty
public String getKeyStorePath()
{
return keyStorePath;
}
@JsonProperty
public String getKeyStoreType()
{
return keyStoreType;
}
@JsonProperty
public String getCertAlias()
{
return certAlias;
}
@JsonProperty("keyStorePassword")
public PasswordProvider getKeyStorePasswordProvider()
{
return keyStorePasswordProvider;
}
@JsonProperty("keyManagerPassword")
public PasswordProvider getKeyManagerPasswordProvider()
{
return keyManagerPasswordProvider;
}
@JsonProperty
public String getKeyManagerFactoryAlgorithm()
{
return keyManagerFactoryAlgorithm;
}
@JsonProperty
public Boolean getValidateHostnames()
{
return validateHostnames;
}
@Override
public String toString()
{
return "SSLClientConfig{" +
"protocol='" + protocol + '\'' +
", trustStoreType='" + trustStoreType + '\'' +
", trustStorePath='" + trustStorePath + '\'' +
", trustStoreAlgorithm='" + trustStoreAlgorithm + '\'' +
", keyStorePath='" + keyStorePath + '\'' +
", keyStoreType='" + keyStoreType + '\'' +
", certAlias='" + certAlias + '\'' +
", keyManagerFactoryAlgorithm='" + keyManagerFactoryAlgorithm + '\'' +
", validateHostnames='" + validateHostnames + '\'' +
'}';
}
}

58
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java
View File

@ -26,8 +26,10 @@ import org.apache.druid.java.util.common.RE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import javax.annotation.Nullable;
@ -48,7 +50,9 @@ public class BasicAuthUtils
private static final Logger log = new Logger(BasicAuthUtils.class);
private static final SecureRandom SECURE_RANDOM = new SecureRandom();
public static final String ADMIN_NAME = "admin";
public static final String ADMIN_GROUP_MAPPING_NAME = "adminGroupMapping";
public static final String INTERNAL_USER_NAME = "druid_system";
public static final String SEARCH_RESULT_CONTEXT_KEY = "searchResult";
// PBKDF2WithHmacSHA512 is chosen since it has built-in support in Java8.
// Argon2 (https://github.com/p-h-c/phc-winner-argon2) is newer but the only presently
@ -57,6 +61,9 @@ public class BasicAuthUtils
// 256-bit salt should be more than sufficient for uniqueness, expected user count is on the order of thousands.
public static final int SALT_LENGTH = 32;
public static final int DEFAULT_KEY_ITERATIONS = 10000;
public static final int DEFAULT_CREDENTIAL_VERIFY_DURATION_SECONDS = 600;
public static final int DEFAULT_CREDENTIAL_MAX_DURATION_SECONDS = 3600;
public static final int DEFAULT_CREDENTIAL_CACHE_SIZE = 100;
public static final int KEY_LENGTH = 512;
public static final String ALGORITHM = "PBKDF2WithHmacSHA512";
@ -70,6 +77,11 @@ public class BasicAuthUtils
{
};
public static final TypeReference AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthorizerGroupMapping>>()
{
};
public static final TypeReference AUTHORIZER_ROLE_MAP_TYPE_REFERENCE =
new TypeReference<Map<String, BasicAuthorizerRole>>()
{
@ -80,6 +92,11 @@ public class BasicAuthUtils
{
};
public static final TypeReference AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE =
new TypeReference<GroupMappingAndRoleMap>()
{
};
public static byte[] hashPassword(final char[] password, final byte[] salt, final int iterations)
{
try {
@ -155,7 +172,7 @@ public class BasicAuthUtils
userMap = objectMapper.readValue(userMapBytes, AUTHENTICATOR_USER_MAP_TYPE_REFERENCE);
}
catch (IOException ioe) {
throw new RuntimeException(ioe);
throw new RuntimeException("Couldn't deserialize authenticator userMap!", ioe);
}
}
return userMap;
@ -170,7 +187,7 @@ public class BasicAuthUtils
return objectMapper.writeValueAsBytes(userMap);
}
catch (IOException ioe) {
throw new ISE(ioe, "WTF? Couldn't serialize userMap!");
throw new ISE(ioe, "Couldn't serialize authenticator userMap!");
}
}
@ -187,7 +204,7 @@ public class BasicAuthUtils
userMap = objectMapper.readValue(userMapBytes, BasicAuthUtils.AUTHORIZER_USER_MAP_TYPE_REFERENCE);
}
catch (IOException ioe) {
throw new RuntimeException(ioe);
throw new RuntimeException("Couldn't deserialize authorizer userMap!", ioe);
}
}
return userMap;
@ -199,7 +216,36 @@ public class BasicAuthUtils
return objectMapper.writeValueAsBytes(userMap);
}
catch (IOException ioe) {
throw new ISE(ioe, "WTF? Couldn't serialize userMap!");
throw new ISE(ioe, "Couldn't serialize authorizer userMap!");
}
}
public static Map<String, BasicAuthorizerGroupMapping> deserializeAuthorizerGroupMappingMap(
ObjectMapper objectMapper,
byte[] groupMappingMapBytes
)
{
Map<String, BasicAuthorizerGroupMapping> groupMappingMap;
if (groupMappingMapBytes == null) {
groupMappingMap = new HashMap<>();
} else {
try {
groupMappingMap = objectMapper.readValue(groupMappingMapBytes, BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE);
}
catch (IOException ioe) {
throw new RuntimeException("Couldn't deserialize authorizer groupMappingMap!", ioe);
}
}
return groupMappingMap;
}
public static byte[] serializeAuthorizerGroupMappingMap(ObjectMapper objectMapper, Map<String, BasicAuthorizerGroupMapping> groupMappingMap)
{
try {
return objectMapper.writeValueAsBytes(groupMappingMap);
}
catch (IOException ioe) {
throw new ISE(ioe, "Couldn't serialize authorizer groupMappingMap!");
}
}
@ -216,7 +262,7 @@ public class BasicAuthUtils
roleMap = objectMapper.readValue(roleMapBytes, BasicAuthUtils.AUTHORIZER_ROLE_MAP_TYPE_REFERENCE);
}
catch (IOException ioe) {
throw new RuntimeException(ioe);
throw new RuntimeException("Couldn't deserialize authorizer roleMap!", ioe);
}
}
return roleMap;
@ -228,7 +274,7 @@ public class BasicAuthUtils
return objectMapper.writeValueAsBytes(roleMap);
}
catch (IOException ioe) {
throw new ISE(ioe, "WTF? Couldn't serialize roleMap!");
throw new ISE(ioe, "Couldn't serialize authorizer roleMap!");
}
}
}

38
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecurityAuthenticationException.java Normal file
View File

@ -0,0 +1,38 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic;
import org.apache.druid.java.util.common.StringUtils;
/**
* Throw this when a request is unauthorized and we want to send a 401 response back.
*/
public class BasicSecurityAuthenticationException extends IllegalArgumentException
{
public BasicSecurityAuthenticationException(String formatText, Object... arguments)
{
super(StringUtils.nonStrictFormat(formatText, arguments));
}
public BasicSecurityAuthenticationException(Throwable t, String formatText, Object... arguments)
{
super(StringUtils.nonStrictFormat(formatText, arguments), t);
}
}

11
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecurityDruidModule.java
View File

@ -32,6 +32,7 @@ import org.apache.druid.guice.JsonConfigProvider;
import org.apache.druid.guice.LazySingleton;
import org.apache.druid.guice.LifecycleModule;
import org.apache.druid.initialization.DruidModule;
import org.apache.druid.java.util.http.client.NettyHttpClient;
import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator;
import org.apache.druid.security.basic.authentication.BasicHTTPEscalator;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
@ -72,14 +73,19 @@ public class BasicSecurityDruidModule implements DruidModule
{
JsonConfigProvider.bind(binder, "druid.auth.basic.common", BasicAuthCommonCacheConfig.class);
JsonConfigProvider.bind(binder, "druid.auth.basic.composition", BasicAuthClassCompositionConfig.class);
JsonConfigProvider.bind(binder, "druid.auth.basic.ssl", BasicAuthSSLConfig.class);
LifecycleModule.register(binder, BasicAuthenticatorMetadataStorageUpdater.class);
LifecycleModule.register(binder, BasicAuthorizerMetadataStorageUpdater.class);
LifecycleModule.register(binder, BasicAuthenticatorCacheManager.class);
LifecycleModule.register(binder, BasicAuthorizerCacheManager.class);
LifecycleModule.register(binder, BasicAuthenticatorCacheNotifier.class);
LifecycleModule.register(binder, BasicAuthorizerCacheNotifier.class);
Jerseys.addResource(binder, BasicAuthenticatorResource.class);
Jerseys.addResource(binder, BasicAuthorizerResource.class);
binder.requestStaticInjection(BasicSecuritySSLSocketFactory.class);
}
@Provides
@ -201,7 +207,7 @@ public class BasicSecurityDruidModule implements DruidModule
NoopBasicAuthorizerCacheNotifier.class
);
}
@Override
public List<? extends Module> getJacksonModules()
{
@ -209,7 +215,8 @@ public class BasicSecurityDruidModule implements DruidModule
new SimpleModule("BasicDruidSecurity").registerSubtypes(
BasicHTTPAuthenticator.class,
BasicHTTPEscalator.class,
BasicRoleBasedAuthorizer.class
BasicRoleBasedAuthorizer.class,
NettyHttpClient.class
)
);
}

123
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecuritySSLSocketFactory.java Normal file
View File

@ -0,0 +1,123 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic;
import com.google.inject.Inject;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.server.security.TLSCertificateChecker;
import org.apache.druid.server.security.TLSUtils;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
public class BasicSecuritySSLSocketFactory extends SSLSocketFactory
{
private static final Logger LOG = new Logger(BasicSecuritySSLSocketFactory.class);
private SSLSocketFactory sf;
@Inject
private static BasicAuthSSLConfig basicAuthSSLConfig;
@Inject
private static TLSCertificateChecker certificateChecker;
public BasicSecuritySSLSocketFactory()
{
SSLContext ctx = new TLSUtils.ClientSSLContextBuilder()
.setProtocol(basicAuthSSLConfig.getProtocol())
.setTrustStoreType(basicAuthSSLConfig.getTrustStoreType())
.setTrustStorePath(basicAuthSSLConfig.getTrustStorePath())
.setTrustStoreAlgorithm(basicAuthSSLConfig.getTrustStoreAlgorithm())
.setTrustStorePasswordProvider(basicAuthSSLConfig.getTrustStorePasswordProvider())
.setKeyStoreType(basicAuthSSLConfig.getKeyStoreType())
.setKeyStorePath(basicAuthSSLConfig.getKeyStorePath())
.setKeyStoreAlgorithm(basicAuthSSLConfig.getKeyManagerFactoryAlgorithm())
.setCertAlias(basicAuthSSLConfig.getCertAlias())
.setKeyStorePasswordProvider(basicAuthSSLConfig.getKeyStorePasswordProvider())
.setKeyManagerFactoryPasswordProvider(basicAuthSSLConfig.getKeyManagerPasswordProvider())
.setValidateHostnames(basicAuthSSLConfig.getValidateHostnames())
.setCertificateChecker(certificateChecker)
.build();
sf = ctx.getSocketFactory();
}
public static SocketFactory getDefault()
{
return new BasicSecuritySSLSocketFactory();
}
@Override
public String[] getDefaultCipherSuites()
{
return sf.getDefaultCipherSuites();
}
@Override
public String[] getSupportedCipherSuites()
{
return sf.getSupportedCipherSuites();
}
@Override
public Socket createSocket(
Socket s,
String host,
int port,
boolean autoClose) throws IOException
{
return sf.createSocket(s, host, port, autoClose);
}
@Override
public Socket createSocket(String host, int port) throws IOException
{
return sf.createSocket(host, port);
}
@Override
public Socket createSocket(
String host,
int port,
InetAddress localHost,
int localPort) throws IOException
{
return sf.createSocket(host, port, localHost, localPort);
}
@Override
public Socket createSocket(InetAddress host, int port) throws IOException
{
return sf.createSocket(host, port);
}
@Override
public Socket createSocket(
InetAddress address,
int port,
InetAddress localAddress,
int localPort) throws IOException
{
return sf.createSocket(address, port, localAddress, localPort);
}
}

19
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/CommonCacheNotifier.java
View File

@ -107,6 +107,7 @@ public class CommonCacheNotifier
Pair<String, byte[]> update = updateQueue.take();
String authorizer = update.lhs;
byte[] serializedMap = update.rhs;
BasicAuthDBConfig authorizerConfig = itemConfigMap.get(update.lhs);
if (!authorizerConfig.isEnableCacheNotifications()) {
continue;
@ -157,20 +158,23 @@ public class CommonCacheNotifier
);
}
private List<ListenableFuture<StatusResponseHolder>> sendUpdate(String updatedAuthorizerPrefix, byte[] serializedUserMap)
private List<ListenableFuture<StatusResponseHolder>> sendUpdate(String updatedAuthenticatorPrefix, byte[] serializedEntity)
{
List<ListenableFuture<StatusResponseHolder>> futures = new ArrayList<>();
for (NodeType nodeType : NODE_TYPES) {
DruidNodeDiscovery nodeDiscovery = discoveryProvider.getForNodeType(nodeType);
Collection<DiscoveryDruidNode> nodes = nodeDiscovery.getAllNodes();
for (DiscoveryDruidNode node : nodes) {
URL listenerURL = getListenerURL(node.getDruidNode(), baseUrl, updatedAuthorizerPrefix);
URL listenerURL = getListenerURL(
node.getDruidNode(),
StringUtils.format(baseUrl, StringUtils.urlEncode(updatedAuthenticatorPrefix))
);
// best effort, if this fails, remote node will poll and pick up the update eventually
Request req = new Request(HttpMethod.POST, listenerURL);
req.setContent(MediaType.APPLICATION_JSON, serializedUserMap);
req.setContent(MediaType.APPLICATION_JSON, serializedEntity);
BasicAuthDBConfig itemConfig = itemConfigMap.get(updatedAuthorizerPrefix);
BasicAuthDBConfig itemConfig = itemConfigMap.get(updatedAuthenticatorPrefix);
ListenableFuture<StatusResponseHolder> future = httpClient.go(
req,
@ -183,18 +187,19 @@ public class CommonCacheNotifier
return futures;
}
private URL getListenerURL(DruidNode druidNode, String baseUrl, String itemName)
private URL getListenerURL(DruidNode druidNode, String baseUrl)
{
try {
return new URL(
druidNode.getServiceScheme(),
druidNode.getHost(),
druidNode.getPortToUse(),
StringUtils.format(baseUrl, StringUtils.urlEncode(itemName))
baseUrl
);
}
catch (MalformedURLException mue) {
LOG.error(callerName + ":WTF? Malformed url for DruidNode[%s] and itemName[%s]", druidNode, itemName);
LOG.error(callerName + ":WTF? Malformed url for DruidNode[%s] and baseUrl[%s]", druidNode, baseUrl);
throw new RuntimeException(mue);
}
}

97
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java
View File

@ -24,13 +24,14 @@ import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.inject.Provider;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.metadata.PasswordProvider;
import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.security.basic.authentication.validator.CredentialsValidator;
import org.apache.druid.security.basic.authentication.validator.MetadataStoreCredentialsValidator;
import org.apache.druid.server.security.AuthConfig;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authenticator;
@ -46,17 +47,20 @@ import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
@JsonTypeName("basic")
public class BasicHTTPAuthenticator implements Authenticator
{
private final Provider<BasicAuthenticatorCacheManager> cacheManager;
private static final Logger LOG = new Logger(BasicHTTPAuthenticator.class);
private final String name;
private final String authorizerName;
private final BasicAuthDBConfig dbConfig;
private final CredentialsValidator credentialsValidator;
private final boolean skipOnFailure;
@JsonCreator
public BasicHTTPAuthenticator(
@ -67,7 +71,9 @@ public class BasicHTTPAuthenticator implements Authenticator
@JsonProperty("initialInternalClientPassword") PasswordProvider initialInternalClientPassword,
@JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications,
@JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout,
@JsonProperty("credentialIterations") Integer credentialIterations
@JsonProperty("credentialIterations") Integer credentialIterations,
@JsonProperty("skipOnFailure") Boolean skipOnFailure,
@JsonProperty("credentialsValidator") CredentialsValidator credentialsValidator
)
{
this.name = name;
@ -75,11 +81,19 @@ public class BasicHTTPAuthenticator implements Authenticator
this.dbConfig = new BasicAuthDBConfig(
initialAdminPassword,
initialInternalClientPassword,
null,
null,
null,
enableCacheNotifications == null ? true : enableCacheNotifications,
cacheNotificationTimeout == null ? BasicAuthDBConfig.DEFAULT_CACHE_NOTIFY_TIMEOUT_MS : cacheNotificationTimeout,
credentialIterations == null ? BasicAuthUtils.DEFAULT_KEY_ITERATIONS : credentialIterations
);
this.cacheManager = cacheManager;
if (credentialsValidator == null) {
this.credentialsValidator = new MetadataStoreCredentialsValidator(cacheManager);
} else {
this.credentialsValidator = credentialsValidator;
}
this.skipOnFailure = skipOnFailure == null ? false : skipOnFailure;
}
@Override
@ -105,11 +119,7 @@ public class BasicHTTPAuthenticator implements Authenticator
return null;
}
if (checkCredentials(user, password.toCharArray())) {
return new AuthenticationResult(user, authorizerName, name, null);
} else {
return null;
}
return credentialsValidator.validateCredentials(name, authorizerName, user, password.toCharArray());
}
@ -165,8 +175,7 @@ public class BasicHTTPAuthenticator implements Authenticator
}
// At this point, encodedUserSecret is not null, indicating that the request intends to perform
// Basic HTTP authentication. If any errors occur with the authentication, we send a 401 response immediately
// and do not proceed further down the filter chain.
// Basic HTTP authentication.
String decodedUserSecret = BasicAuthUtils.decodeUserSecret(encodedUserSecret);
if (decodedUserSecret == null) {
// We recognized a Basic auth header, but could not decode the user secret.
@ -176,6 +185,7 @@ public class BasicHTTPAuthenticator implements Authenticator
String[] splits = decodedUserSecret.split(":");
if (splits.length != 2) {
// The decoded user secret is not of the right format
httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
return;
}
@ -183,12 +193,34 @@ public class BasicHTTPAuthenticator implements Authenticator
String user = splits[0];
char[] password = splits[1].toCharArray();
if (checkCredentials(user, password)) {
AuthenticationResult authenticationResult = new AuthenticationResult(user, authorizerName, name, null);
servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
filterChain.doFilter(servletRequest, servletResponse);
} else {
httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
// If any authentication error occurs we send a 401 response immediately and do not proceed further down the filter chain.
// If the authentication result is null and skipOnFailure property is false, we send a 401 response and do not proceed
// further down the filter chain. If the authentication result is null and skipOnFailure is true then move on to the next filter.
// Authentication results, for instance, can be null if a user doesn't exists within a user store
try {
AuthenticationResult authenticationResult = credentialsValidator.validateCredentials(
name,
authorizerName,
user,
password
);
if (authenticationResult != null) {
servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
filterChain.doFilter(servletRequest, servletResponse);
} else {
if (skipOnFailure) {
LOG.info("Skipping failed authenticator %s ", name);
filterChain.doFilter(servletRequest, servletResponse);
} else {
httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
}
}
}
catch (BasicSecurityAuthenticationException ex) {
LOG.info("Exception authenticating user %s - %s", user, ex.getMessage());
httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
String.format(Locale.getDefault(),
"User authentication failed username[%s].", user));
}
}
@ -198,29 +230,4 @@ public class BasicHTTPAuthenticator implements Authenticator
}
}
private boolean checkCredentials(String username, char[] password)
{
Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(name);
if (userMap == null) {
throw new IAE("No userMap is available for authenticator: [%s]", name);
}
BasicAuthenticatorUser user = userMap.get(username);
if (user == null) {
return false;
}
BasicAuthenticatorCredentials credentials = user.getCredentials();
if (credentials == null) {
return false;
}
byte[] recalculatedHash = BasicAuthUtils.hashPassword(
password,
credentials.getSalt(),
credentials.getIterations()
);
return Arrays.equals(recalculatedHash, credentials.getHash());
}
}

5
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPEscalator.java
View File

@ -22,6 +22,7 @@ package org.apache.druid.security.basic.authentication;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.java.util.http.client.CredentialedHttpClient;
import org.apache.druid.java.util.http.client.HttpClient;
import org.apache.druid.java.util.http.client.auth.BasicCredentials;
@ -32,6 +33,8 @@ import org.apache.druid.server.security.Escalator;
@JsonTypeName("basic")
public class BasicHTTPEscalator implements Escalator
{
private static final Logger LOG = new Logger(BasicHTTPEscalator.class);
private final String internalClientUsername;
private final PasswordProvider internalClientPassword;
private final String authorizerName;
@ -51,6 +54,7 @@ public class BasicHTTPEscalator implements Escalator
@Override
public HttpClient createEscalatedClient(HttpClient baseClient)
{
LOG.debug("----------- Creating escalated client");
return new CredentialedHttpClient(
new BasicCredentials(internalClientUsername, internalClientPassword.getPassword()),
baseClient
@ -60,6 +64,7 @@ public class BasicHTTPEscalator implements Escalator
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{
LOG.debug("----------- Creating escalated authentication result. username: %s", this.internalClientUsername);
// if you found your self asking why the authenticatedBy field is set to null please read this:
// https://github.com/apache/incubator-druid/pull/5706#discussion_r185940889
return new AuthenticationResult(internalClientUsername, authorizerName, null, null);

136
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java Normal file
View File

@ -0,0 +1,136 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authentication;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import javax.naming.directory.SearchResult;
import java.security.Principal;
import java.time.Instant;
import java.util.Arrays;
import java.util.Objects;
import java.util.concurrent.atomic.AtomicReference;
public class LdapUserPrincipal implements Principal
{
private static final Logger LOG = new Logger(LdapUserPrincipal.class);
private final String name;
private final BasicAuthenticatorCredentials credentials;
private final SearchResult searchResult;
private final Instant createdAt;
private final AtomicReference<Instant> lastVerified = new AtomicReference<>();
public LdapUserPrincipal(
String name,
BasicAuthenticatorCredentials credentials,
SearchResult searchResult
)
{
this(name, credentials, searchResult, Instant.now());
}
private LdapUserPrincipal(
String name,
BasicAuthenticatorCredentials credentials,
SearchResult searchResult,
Instant createdAt
)
{
Objects.requireNonNull(name, "name is required");
Objects.requireNonNull(credentials, "credentials is required");
Objects.requireNonNull(searchResult, "searchResult is required");
Objects.requireNonNull(createdAt, "createdAt is required");
this.name = name;
this.credentials = credentials;
this.searchResult = searchResult;
this.createdAt = createdAt;
this.lastVerified.set(createdAt);
}
@Override
public String getName()
{
return this.name;
}
public SearchResult getSearchResult()
{
return searchResult;
}
public Instant getCreatedAt()
{
return createdAt;
}
public Instant getLastVerified()
{
return lastVerified.get();
}
public boolean hasSameCredentials(char[] password)
{
byte[] recalculatedHash = BasicAuthUtils.hashPassword(
password,
this.credentials.getSalt(),
this.credentials.getIterations()
);
if (Arrays.equals(recalculatedHash, credentials.getHash())) {
this.lastVerified.set(Instant.now());
LOG.debug("Refereshing lastVerified principal user '%s'", this.name);
return true;
} else {
return false;
}
}
public boolean isExpired(int duration, int maxDuration)
{
long now = System.currentTimeMillis();
long maxCutoff = now - (maxDuration * 1000L);
if (this.createdAt.toEpochMilli() < maxCutoff) {
long cutoff = now - (duration * 1000L);
if (this.lastVerified.get().toEpochMilli() < cutoff) {
return true;
} else {
return false;
}
} else {
return false;
}
}
@Override
public String toString()
{
return StringUtils.format(
"LdapUserPrincipal[name=%s, searchResult=%s, createdAt=%s, lastVerified=%s]",
name,
searchResult,
createdAt,
lastVerified);
}
}

5
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheManager.java vendored
View File

@ -30,12 +30,11 @@ import java.util.Map;
public interface BasicAuthenticatorCacheManager
{
/**
* Update this cache manager's local state with fresh information pushed by the coordinator.
*
* Update this cache manager's local state of user map with fresh information pushed by the coordinator.
* @param authenticatorPrefix The name of the authenticator this update applies to.
* @param serializedUserMap The updated, serialized user map
*/
void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap);
void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap);
/**
* Return the cache manager's local view of the user map for the authenticator named `authenticatorPrefix`.

2
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheNotifier.java vendored
View File

@ -30,5 +30,5 @@ public interface BasicAuthenticatorCacheNotifier
* @param updatedAuthenticatorPrefix Name of authenticator being updated
* @param updatedUserMap User map state
*/
void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap);
void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap);
}

15
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorBasicAuthenticatorCacheNotifier.java vendored
View File

@ -42,9 +42,8 @@ import java.util.concurrent.TimeUnit;
@ManageLifecycle
public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier
{
private final LifecycleLock lifecycleLock = new LifecycleLock();
private CommonCacheNotifier cacheNotifier;
private final CommonCacheNotifier userCacheNotifier;
@Inject
public CoordinatorBasicAuthenticatorCacheNotifier(
@ -53,7 +52,7 @@ public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenti
@EscalatedClient HttpClient httpClient
)
{
cacheNotifier = new CommonCacheNotifier(
userCacheNotifier = new CommonCacheNotifier(
initAuthenticatorConfigMap(authenticatorMapper),
discoveryProvider,
httpClient,
@ -66,11 +65,11 @@ public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenti
public void start()
{
if (!lifecycleLock.canStart()) {
throw new ISE("can't start.");
throw new ISE("Can't start.");
}
try {
cacheNotifier.start();
userCacheNotifier.start();
lifecycleLock.started();
}
finally {
@ -85,7 +84,7 @@ public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenti
return;
}
try {
cacheNotifier.stop();
userCacheNotifier.stop();
}
finally {
lifecycleLock.exitStop();
@ -93,10 +92,10 @@ public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenti
}
@Override
public void addUpdate(String updatedAuthorizerPrefix, byte[] updatedUserMap)
public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
cacheNotifier.addUpdate(updatedAuthorizerPrefix, updatedUserMap);
userCacheNotifier.addUpdate(updatedAuthenticatorPrefix, updatedUserMap);
}
private Map<String, BasicAuthDBConfig> initAuthenticatorConfigMap(AuthenticatorMapper mapper)

21
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorPollingBasicAuthenticatorCacheManager.java vendored
View File

@ -101,7 +101,7 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
throw new ISE("can't start.");
}
LOG.info("Starting DefaultBasicAuthenticatorCacheManager.");
LOG.info("Starting CoordinatorPollingBasicAuthenticatorCacheManager.");
try {
initUserMaps();
@ -113,17 +113,17 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
() -> {
try {
long randomDelay = ThreadLocalRandom.current().nextLong(0, commonCacheConfig.getMaxRandomDelay());
LOG.debug("Inserting random polling delay of [%s] ms", randomDelay);
LOG.debug("Inserting cachedUserMaps random polling delay of [%s] ms", randomDelay);
Thread.sleep(randomDelay);
LOG.debug("Scheduled cache poll is running");
LOG.debug("Scheduled user cache poll is running");
for (String authenticatorPrefix : authenticatorPrefixes) {
Map<String, BasicAuthenticatorUser> userMap = fetchUserMapFromCoordinator(authenticatorPrefix, false);
if (userMap != null) {
cachedUserMaps.put(authenticatorPrefix, userMap);
}
}
LOG.debug("Scheduled cache poll is done");
LOG.debug("Scheduled user cache poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
@ -132,7 +132,7 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
);
lifecycleLock.started();
LOG.info("Started DefaultBasicAuthenticatorCacheManager.");
LOG.info("Started CoordinatorPollingBasicAuthenticatorCacheManager.");
}
finally {
lifecycleLock.exitStart();
@ -146,15 +146,15 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
throw new ISE("can't stop.");
}
LOG.info("DefaultBasicAuthenticatorCacheManager is stopping.");
LOG.info("CoordinatorPollingBasicAuthenticatorCacheManager is stopping.");
exec.shutdown();
LOG.info("DefaultBasicAuthenticatorCacheManager is stopped.");
LOG.info("CoordinatorPollingBasicAuthenticatorCacheManager is stopped.");
}
@Override
public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap)
public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap)
{
LOG.debug("Received cache update for authenticator [%s].", authenticatorPrefix);
LOG.debug("Received user cache update for authenticator [%s].", authenticatorPrefix);
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
try {
cachedUserMaps.put(
@ -170,7 +170,7 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
}
}
catch (Exception e) {
LOG.makeAlert(e, "WTF? Could not deserialize user map received from coordinator.").emit();
LOG.makeAlert(e, "Could not deserialize user map received from coordinator.").emit();
}
}
@ -279,6 +279,7 @@ public class CoordinatorPollingBasicAuthenticatorCacheManager implements BasicAu
if (authenticator instanceof BasicHTTPAuthenticator) {
String authenticatorName = entry.getKey();
authenticatorPrefixes.add(authenticatorName);
Map<String, BasicAuthenticatorUser> userMap = fetchUserMapFromCoordinator(authenticatorName, true);
if (userMap != null) {
cachedUserMaps.put(authenticatorName, userMap);

2
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/MetadataStoragePollingBasicAuthenticatorCacheManager.java vendored
View File

@ -47,7 +47,7 @@ public class MetadataStoragePollingBasicAuthenticatorCacheManager implements Bas
}
@Override
public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap)
public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap)
{
}

8
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/NoopBasicAuthenticatorCacheNotifier.java vendored
View File

@ -26,8 +26,14 @@ package org.apache.druid.security.basic.authentication.db.cache;
*/
public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier
{
/**
* Send the user map state contained in updatedUserMap to all non-coordinator Druid services
*
* @param updatedAuthenticatorPrefix Name of authenticator being updated
* @param updatedUserMap User map state
*/
@Override
public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
{
// Do nothing as this is a noop implementation
}

100
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java
View File

@ -173,7 +173,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
return ScheduledExecutors.Signal.STOP;
}
try {
LOG.debug("Scheduled db poll is running");
LOG.debug("Scheduled db userMap poll is running");
for (String authenticatorPrefix : authenticatorPrefixes) {
byte[] userMapBytes = getCurrentUserMapBytes(authenticatorPrefix);
@ -185,7 +185,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
cachedUserMaps.put(authenticatorPrefix, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
}
}
LOG.debug("Scheduled db poll is done");
LOG.debug("Scheduled db userMap poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
@ -277,7 +277,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
{
cachedUserMaps.forEach(
(authenticatorName, userMapBundle) -> {
cacheNotifier.addUpdate(authenticatorName, userMapBundle.getSerializedUserMap());
cacheNotifier.addUserUpdate(authenticatorName, userMapBundle.getSerializedUserMap());
}
);
}
@ -287,40 +287,6 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
return StringUtils.format("basic_authentication_%s_%s", keyPrefix, keyName);
}
private boolean tryUpdateUserMap(
String prefix,
Map<String, BasicAuthenticatorUser> userMap,
byte[] oldValue,
byte[] newValue
)
{
try {
MetadataCASUpdate update = new MetadataCASUpdate(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, USERS),
oldValue,
newValue
);
boolean succeeded = connector.compareAndSwap(
Collections.singletonList(update)
);
if (succeeded) {
cachedUserMaps.put(prefix, new BasicAuthenticatorUserMapBundle(userMap, newValue));
cacheNotifier.addUpdate(prefix, newValue);
return true;
} else {
return false;
}
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
private void createUserInternal(String prefix, String userName)
{
int attempts = 0;
@ -330,12 +296,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
updateRetryDelay();
}
throw new ISE("Could not create user[%s] due to concurrent update contention.", userName);
}
@ -349,16 +310,21 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
updateRetryDelay();
}
throw new ISE("Could not delete user[%s] due to concurrent update contention.", userName);
}
private void updateRetryDelay()
{
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
private void setUserCredentialsInternal(String prefix, String userName, BasicAuthenticatorCredentialUpdate update)
{
BasicAuthenticatorCredentials credentials;
@ -371,7 +337,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
credentials = new BasicAuthenticatorCredentials(
new BasicAuthenticatorCredentialUpdate(
update.getPassword(),
authenticator.getDbConfig().getIterations()
authenticator.getDbConfig().getCredentialIterations()
)
);
} else {
@ -442,4 +408,38 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
byte[] newValue = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, userMap);
return tryUpdateUserMap(prefix, userMap, oldValue, newValue);
}
private boolean tryUpdateUserMap(
String prefix,
Map<String, BasicAuthenticatorUser> userMap,
byte[] oldValue,
byte[] newValue
)
{
try {
MetadataCASUpdate update = new MetadataCASUpdate(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, USERS),
oldValue,
newValue
);
boolean succeeded = connector.compareAndSwap(
Collections.singletonList(update)
);
if (succeeded) {
cachedUserMaps.put(prefix, new BasicAuthenticatorUserMapBundle(userMap, newValue));
cacheNotifier.addUserUpdate(prefix, newValue);
return true;
} else {
return false;
}
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
}

4
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java
View File

@ -211,7 +211,7 @@ public class BasicAuthenticatorResource
}
/**
* Listen for update notifications for the auth storage
* Listen for users update notifications for the auth storage
*/
@POST
@Path("/listen/{authenticatorName}")
@ -224,6 +224,6 @@ public class BasicAuthenticatorResource
byte[] serializedUserMap
)
{
return handler.authenticatorUpdateListener(authenticatorName, serializedUserMap);
return handler.authenticatorUserUpdateListener(authenticatorName, serializedUserMap);
}
}

2
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceHandler.java
View File

@ -46,7 +46,7 @@ public interface BasicAuthenticatorResourceHandler
Response refreshAll();
// non-coordinator methods
Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap);
Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap);
// common methods
Response getLoadStatus();

7
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/CoordinatorBasicAuthenticatorResourceHandler.java
View File

@ -179,7 +179,7 @@ public class CoordinatorBasicAuthenticatorResourceHandler implements BasicAuthen
}
@Override
public Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap)
public Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap)
{
return Response.status(Response.Status.NOT_FOUND).build();
}
@ -189,9 +189,8 @@ public class CoordinatorBasicAuthenticatorResourceHandler implements BasicAuthen
{
Map<String, Boolean> loadStatus = new HashMap<>();
authenticatorMap.forEach(
(authenticatorName, authenticator) -> {
loadStatus.put(authenticatorName, storageUpdater.getCachedUserMap(authenticatorName) != null);
}
(authenticatorName, authenticator) ->
loadStatus.put(authenticatorName, storageUpdater.getCachedUserMap(authenticatorName) != null)
);
return Response.ok(loadStatus).build();
}

12
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/DefaultBasicAuthenticatorResourceHandler.java
View File

@ -109,11 +109,11 @@ public class DefaultBasicAuthenticatorResourceHandler implements BasicAuthentica
}
@Override
public Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap)
public Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap)
{
final BasicHTTPAuthenticator authenticator = authenticatorMap.get(authenticatorName);
if (authenticator == null) {
String errMsg = StringUtils.format("Received update for unknown authenticator[%s]", authenticatorName);
String errMsg = StringUtils.format("Received user update for unknown authenticator[%s]", authenticatorName);
log.error(errMsg);
return Response.status(Response.Status.BAD_REQUEST)
.entity(ImmutableMap.<String, Object>of(
@ -123,7 +123,7 @@ public class DefaultBasicAuthenticatorResourceHandler implements BasicAuthentica
.build();
}
cacheManager.handleAuthenticatorUpdate(authenticatorName, serializedUserMap);
cacheManager.handleAuthenticatorUserMapUpdate(authenticatorName, serializedUserMap);
return Response.ok().build();
}
@ -131,10 +131,8 @@ public class DefaultBasicAuthenticatorResourceHandler implements BasicAuthentica
public Response getLoadStatus()
{
Map<String, Boolean> loadStatus = new HashMap<>();
authenticatorMap.forEach(
(authenticatorName, authenticator) -> {
loadStatus.put(authenticatorName, cacheManager.getUserMap(authenticatorName) != null);
}
authenticatorMap.forEach((authenticatorName, authenticator) ->
loadStatus.put(authenticatorName, cacheManager.getUserMap(authenticatorName) != null)
);
return Response.ok(loadStatus).build();
}

7
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorCredentials.java
View File

@ -77,7 +77,7 @@ public class BasicAuthenticatorCredentials
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
if (o == null || !getClass().equals(o.getClass())) {
return false;
}
@ -86,11 +86,8 @@ public class BasicAuthenticatorCredentials
if (getIterations() != that.getIterations()) {
return false;
}
if (!Arrays.equals(getSalt(), that.getSalt())) {
return false;
}
return Arrays.equals(getHash(), that.getHash());
return Arrays.equals(getSalt(), that.getSalt()) && Arrays.equals(getHash(), that.getHash());
}
@Override

8
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorUser.java
View File

@ -55,16 +55,14 @@ public class BasicAuthenticatorUser
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
if (o == null || !getClass().equals(o.getClass())) {
return false;
}
BasicAuthenticatorUser that = (BasicAuthenticatorUser) o;
if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) {
return false;
}
return getCredentials() != null ? getCredentials().equals(that.getCredentials()) : that.getCredentials() == null;
return (getName() != null ? getName().equals(that.getName()) : that.getName() == null)
&& (getCredentials() != null ? getCredentials().equals(that.getCredentials()) : that.getCredentials() == null);
}
@Override

39
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/CredentialsValidator.java Normal file
View File

@ -0,0 +1,39 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authentication.validator;
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import org.apache.druid.server.security.AuthenticationResult;
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type", defaultImpl = MetadataStoreCredentialsValidator.class)
@JsonSubTypes(value = {
@JsonSubTypes.Type(name = "metadata", value = MetadataStoreCredentialsValidator.class),
@JsonSubTypes.Type(name = "ldap", value = LDAPCredentialsValidator.class),
})
public interface CredentialsValidator
{
AuthenticationResult validateCredentials(
String authenticatorName,
String authorizerName,
String username,
char[] password
);
}

296
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java Normal file
View File

@ -0,0 +1,296 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authentication.validator;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.metadata.PasswordProvider;
import org.apache.druid.security.basic.BasicAuthLDAPConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.BasicSecuritySSLSocketFactory;
import org.apache.druid.security.basic.authentication.LdapUserPrincipal;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.server.security.AuthenticationResult;
import javax.annotation.Nullable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Properties;
import java.util.concurrent.locks.ReentrantLock;
@JsonTypeName("ldap")
public class LDAPCredentialsValidator implements CredentialsValidator
{
private static final Logger LOG = new Logger(LDAPCredentialsValidator.class);
private static final ReentrantLock LOCK = new ReentrantLock();
private final LruBlockCache cache;
private final BasicAuthLDAPConfig ldapConfig;
@JsonCreator
public LDAPCredentialsValidator(
@JsonProperty("url") String url,
@JsonProperty("bindUser") String bindUser,
@JsonProperty("bindPassword") PasswordProvider bindPassword,
@JsonProperty("baseDn") String baseDn,
@JsonProperty("userSearch") String userSearch,
@JsonProperty("userAttribute") String userAttribute,
@JsonProperty("credentialIterations") Integer credentialIterations,
@JsonProperty("credentialVerifyDuration") Integer credentialVerifyDuration,
@JsonProperty("credentialMaxDuration") Integer credentialMaxDuration,
@JsonProperty("credentialCacheSize") Integer credentialCacheSize
)
{
this.ldapConfig = new BasicAuthLDAPConfig(
url,
bindUser,
bindPassword,
baseDn,
userSearch,
userAttribute,
credentialIterations == null ? BasicAuthUtils.DEFAULT_KEY_ITERATIONS : credentialIterations,
credentialVerifyDuration == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_VERIFY_DURATION_SECONDS : credentialVerifyDuration,
credentialMaxDuration == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_MAX_DURATION_SECONDS : credentialMaxDuration,
credentialCacheSize == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_CACHE_SIZE : credentialCacheSize
);
this.cache = new LruBlockCache(
this.ldapConfig.getCredentialCacheSize(),
this.ldapConfig.getCredentialVerifyDuration(),
this.ldapConfig.getCredentialMaxDuration()
);
}
Properties bindProperties(BasicAuthLDAPConfig ldapConfig)
{
Properties properties = commonProperties(ldapConfig);
properties.put(Context.SECURITY_PRINCIPAL, ldapConfig.getBindUser());
properties.put(Context.SECURITY_CREDENTIALS, ldapConfig.getBindPassword().getPassword());
return properties;
}
Properties userProperties(BasicAuthLDAPConfig ldapConfig, LdapName userDn, char[] password)
{
Properties properties = commonProperties(ldapConfig);
properties.put(Context.SECURITY_PRINCIPAL, userDn.toString());
properties.put(Context.SECURITY_CREDENTIALS, String.valueOf(password));
return properties;
}
Properties commonProperties(BasicAuthLDAPConfig ldapConfig)
{
Properties properties = new Properties();
properties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
properties.put(Context.PROVIDER_URL, ldapConfig.getUrl());
properties.put(Context.SECURITY_AUTHENTICATION, "simple");
if (StringUtils.toLowerCase(ldapConfig.getUrl()).startsWith("ldaps://")) {
properties.put(Context.SECURITY_PROTOCOL, "ssl");
properties.put("java.naming.ldap.factory.socket", BasicSecuritySSLSocketFactory.class.getName());
}
return properties;
}
@Override
public AuthenticationResult validateCredentials(
String authenticatorName,
String authorizerName,
String username,
char[] password
)
{
SearchResult userResult;
LdapName userDn;
Map<String, Object> contextMap = new HashMap<>();
LdapUserPrincipal principal = this.cache.getOrExpire(username);
if (principal != null && principal.hasSameCredentials(password)) {
contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult());
return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
} else {
try {
InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
try {
userResult = getLdapUserObject(this.ldapConfig, dirContext, username);
if (userResult == null) {
LOG.debug("User not found: %s", username);
return null;
}
userDn = new LdapName(userResult.getNameInNamespace());
}
finally {
try {
dirContext.close();
}
catch (Exception ignored) {
// ignored
}
}
}
catch (NamingException e) {
LOG.error(e, "Exception during user lookup");
return null;
}
if (!validatePassword(this.ldapConfig, userDn, password)) {
LOG.debug("Password incorrect for LDAP user %s", username);
throw new BasicSecurityAuthenticationException("User LDAP authentication failed username[%s].", userDn.toString());
}
byte[] salt = BasicAuthUtils.generateSalt();
byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations());
LdapUserPrincipal newPrincipal = new LdapUserPrincipal(
username,
new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()),
userResult
);
this.cache.put(username, newPrincipal);
contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
}
}
@Nullable
SearchResult getLdapUserObject(BasicAuthLDAPConfig ldapConfig, DirContext context, String username)
{
try {
SearchControls sc = new SearchControls();
sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
sc.setReturningAttributes(new String[] {ldapConfig.getUserAttribute(), "memberOf" });
NamingEnumeration<SearchResult> results = context.search(
ldapConfig.getBaseDn(),
StringUtils.format(ldapConfig.getUserSearch(), username),
sc);
try {
if (!results.hasMore()) {
return null;
}
return results.next();
}
finally {
results.close();
}
}
catch (NamingException e) {
LOG.debug(e, "Unable to find user '%s'", username);
return null;
}
}
boolean validatePassword(BasicAuthLDAPConfig ldapConfig, LdapName userDn, char[] password)
{
InitialDirContext context = null;
try {
context = new InitialDirContext(userProperties(ldapConfig, userDn, password));
return true;
}
catch (AuthenticationException e) {
return false;
}
catch (NamingException e) {
LOG.error(e, "Exception during LDAP authentication username[%s]", userDn.toString());
return false;
}
finally {
try {
if (context != null) {
context.close();
}
}
catch (Exception ignored) {
LOG.warn("Exception closing LDAP context");
// ignored
}
}
}
private static class LruBlockCache extends LinkedHashMap<String, LdapUserPrincipal>
{
private static final long serialVersionUID = 7509410739092012261L;
private final int cacheSize;
private final int duration;
private final int maxDuration;
public LruBlockCache(int cacheSize, int duration, int maxDuration)
{
super(16, 0.75f, true);
this.cacheSize = cacheSize;
this.duration = duration;
this.maxDuration = maxDuration;
}
@Override
protected boolean removeEldestEntry(Map.Entry<String, LdapUserPrincipal> eldest)
{
return size() > cacheSize;
}
@Nullable
LdapUserPrincipal getOrExpire(String identity)
{
try {
LOCK.lock();
LdapUserPrincipal principal = get(identity);
if (principal != null) {
if (principal.isExpired(duration, maxDuration)) {
remove(identity);
return null;
} else {
return principal;
}
} else {
return null;
}
}
finally {
LOCK.unlock();
}
}
@Override
public LdapUserPrincipal put(String key, LdapUserPrincipal value)
{
try {
LOCK.lock();
return super.put(key, value);
}
finally {
LOCK.unlock();
}
}
}
}

89
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidator.java Normal file
View File

@ -0,0 +1,89 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authentication.validator;
import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.inject.Provider;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.server.security.AuthenticationResult;
import javax.annotation.Nullable;
import java.util.Arrays;
import java.util.Map;
@JsonTypeName("metadata")
public class MetadataStoreCredentialsValidator implements CredentialsValidator
{
private static final Logger LOG = new Logger(MetadataStoreCredentialsValidator.class);
private final Provider<BasicAuthenticatorCacheManager> cacheManager;
@JsonCreator
public MetadataStoreCredentialsValidator(
@JacksonInject Provider<BasicAuthenticatorCacheManager> cacheManager
)
{
this.cacheManager = cacheManager;
}
@Override
@Nullable
public AuthenticationResult validateCredentials(
String authenticatorName,
String authorizerName,
String username,
char[] password
)
{
Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(authenticatorName);
if (userMap == null) {
throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName);
}
BasicAuthenticatorUser user = userMap.get(username);
if (user == null) {
return null;
}
BasicAuthenticatorCredentials credentials = user.getCredentials();
if (credentials == null) {
return null;
}
byte[] recalculatedHash = BasicAuthUtils.hashPassword(
password,
credentials.getSalt(),
credentials.getIterations()
);
if (Arrays.equals(recalculatedHash, credentials.getHash())) {
return new AuthenticationResult(username, authorizerName, authenticatorName, null);
} else {
LOG.debug("Password incorrect for metadata store user %s", username);
throw new BasicSecurityAuthenticationException("User metadata store authentication failed username[%s].", username);
}
}
}

49
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java
View File

@ -28,71 +28,80 @@ import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.Resource;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
@JsonTypeName("basic")
public class BasicRoleBasedAuthorizer implements Authorizer
{
private final BasicAuthorizerCacheManager cacheManager;
private final String name;
private final BasicAuthDBConfig dbConfig;
private final RoleProvider roleProvider;
@JsonCreator
public BasicRoleBasedAuthorizer(
@JacksonInject BasicAuthorizerCacheManager cacheManager,
@JsonProperty("name") String name,
@JsonProperty("initialAdminUser") String initialAdminUser,
@JsonProperty("initialAdminRole") String initialAdminRole,
@JsonProperty("initialAdminGroupMapping") String initialAdminGroupMapping,
@JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications,
@JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout
@JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout,
@JsonProperty("roleProvider") RoleProvider roleProvider
)
{
this.name = name;
this.cacheManager = cacheManager;
this.dbConfig = new BasicAuthDBConfig(
null,
null,
initialAdminUser,
initialAdminRole,
initialAdminGroupMapping,
enableCacheNotifications == null ? true : enableCacheNotifications,
cacheNotificationTimeout == null ? BasicAuthDBConfig.DEFAULT_CACHE_NOTIFY_TIMEOUT_MS : cacheNotificationTimeout,
0
);
if (roleProvider == null) {
this.roleProvider = new MetadataStoreRoleProvider(cacheManager);
} else {
this.roleProvider = roleProvider;
}
}
@Override
@SuppressWarnings("unchecked")
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action)
{
if (authenticationResult == null) {
throw new IAE("WTF? authenticationResult should never be null.");
throw new IAE("authenticationResult is null where it should never be.");
}
Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(name);
if (userMap == null) {
throw new IAE("Could not load userMap for authorizer [%s]", name);
}
Set<String> roleNames = new HashSet<>(roleProvider.getRoles(name, authenticationResult));
Map<String, BasicAuthorizerRole> roleMap = roleProvider.getRoleMap(name);
Map<String, BasicAuthorizerRole> roleMap = cacheManager.getRoleMap(name);
if (roleNames.isEmpty()) {
return new Access(false);
}
if (roleMap == null) {
throw new IAE("Could not load roleMap for authorizer [%s]", name);
}
BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
if (user == null) {
return new Access(false);
}
for (String roleName : user.getRoles()) {
for (String roleName : roleNames) {
BasicAuthorizerRole role = roleMap.get(roleName);
for (BasicAuthorizerPermission permission : role.getPermissions()) {
if (permissionCheck(resource, action, permission)) {
return new Access(true);
if (role != null) {
for (BasicAuthorizerPermission permission : role.getPermissions()) {
if (permissionCheck(resource, action, permission)) {
return new Access(true);
}
}
}
}

224
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/LDAPRoleProvider.java Normal file
View File

@ -0,0 +1,224 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization;
import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import com.fasterxml.jackson.annotation.JsonTypeName;
import com.google.common.annotations.VisibleForTesting;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.RE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.AuthenticationResult;
import javax.naming.InvalidNameException;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
@JsonTypeName("ldap")
public class LDAPRoleProvider implements RoleProvider
{
private static final Logger LOG = new Logger(LDAPRoleProvider.class);
private final BasicAuthorizerCacheManager cacheManager;
private final String[] groupFilters;
@JsonCreator
public LDAPRoleProvider(
@JacksonInject BasicAuthorizerCacheManager cacheManager,
@JsonProperty("groupFilters") String[] groupFilters
)
{
this.cacheManager = cacheManager;
this.groupFilters = groupFilters;
}
@Override
public Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult)
{
Set<String> roleNames = new HashSet<>();
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = cacheManager.getGroupMappingMap(authorizerPrefix);
if (groupMappingMap == null) {
throw new IAE("Could not load groupMappingMap for authorizer [%s]", authorizerPrefix);
}
Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(authorizerPrefix);
if (userMap == null) {
throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix);
}
// Get the groups assigned to the LDAP user
SearchResult searchResult = Optional.ofNullable(authenticationResult.getContext())
.map(contextMap -> contextMap.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY))
.map(p -> {
if (p instanceof SearchResult) {
return (SearchResult) p;
} else {
return null;
}
})
.orElse(null);
if (searchResult != null) {
try {
Set<LdapName> groupNamesFromLdap = getGroupsFromLdap(searchResult);
if (groupNamesFromLdap.isEmpty()) {
LOG.debug("User %s is not mapped to any groups", authenticationResult.getIdentity());
} else {
// Get the roles mapped to LDAP groups from the metastore.
// This allows us to authorize groups LDAP user belongs
roleNames.addAll(getRoles(groupMappingMap, groupNamesFromLdap));
}
}
catch (NamingException e) {
LOG.error(e, "Exception in looking up groups for user %s", authenticationResult.getIdentity());
}
}
// Get the roles assigned to LDAP user from the metastore.
// This allow us to authorize LDAP users regardless of whether they belong to any groups or not in LDAP.
BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
if (user != null) {
roleNames.addAll(user.getRoles());
}
return roleNames;
}
@Override
public Map<String, BasicAuthorizerRole> getRoleMap(String authorizerPrefix)
{
return cacheManager.getRoleMap(authorizerPrefix);
}
@VisibleForTesting
public Set<String> getRoles(Map<String, BasicAuthorizerGroupMapping> groupMappingMap, Set<LdapName> groupNamesFromLdap)
{
Set<String> roles = new HashSet<>();
if (groupMappingMap.size() == 0) {
return roles;
}
for (LdapName groupName : groupNamesFromLdap) {
for (Map.Entry<String, BasicAuthorizerGroupMapping> groupMappingEntry : groupMappingMap.entrySet()) {
BasicAuthorizerGroupMapping groupMapping = groupMappingEntry.getValue();
String mask = groupMapping.getGroupPattern();
try {
if (mask.startsWith("*,")) {
LdapName ln = new LdapName(mask.substring(2));
if (groupName.startsWith(ln)) {
roles.addAll(groupMapping.getRoles());
}
} else if (mask.endsWith(",*")) {
LdapName ln = new LdapName(mask.substring(0, mask.length() - 2));
if (groupName.endsWith(ln)) {
roles.addAll(groupMapping.getRoles());
}
} else {
LdapName ln = new LdapName(mask);
if (groupName.equals(ln)) {
roles.addAll(groupMapping.getRoles());
}
}
}
catch (InvalidNameException e) {
throw new RuntimeException(String.format(Locale.getDefault(),
"Configuration problem - Invalid groupMapping '%s'", mask));
}
}
}
return roles;
}
Set<LdapName> getGroupsFromLdap(SearchResult userResult) throws NamingException
{
Set<LdapName> groups = new TreeSet<>();
Attribute memberOf = userResult.getAttributes().get("memberOf");
if (memberOf == null) {
LOG.debug("No memberOf attributes");
return groups; // not part of any groups
}
for (int i = 0; i < memberOf.size(); i++) {
String memberDn = memberOf.get(i).toString();
LdapName ln;
try {
ln = new LdapName(memberDn);
}
catch (InvalidNameException e) {
LOG.debug("Invalid LDAP name: %s", memberDn);
continue;
}
if (this.groupFilters != null) {
if (allowedLdapGroup(ln, new TreeSet<>(Arrays.asList(this.groupFilters)))) {
groups.add(ln);
}
} else {
groups.add(ln);
}
}
return groups;
}
boolean allowedLdapGroup(LdapName groupName, Set<String> groupFilters)
{
for (String filter : groupFilters) {
try {
if (filter.startsWith("*,")) {
LdapName ln = new LdapName(filter.substring(2));
if (groupName.startsWith(ln)) {
return true;
}
} else if (filter.endsWith(",*")) {
LdapName ln = new LdapName(filter.substring(0, filter.length() - 2));
if (groupName.endsWith(ln)) {
return true;
}
} else {
LOG.debug("Attempting exact filter %s", filter);
LdapName ln = new LdapName(filter);
if (groupName.equals(ln)) {
return true;
}
}
}
catch (InvalidNameException e) {
throw new RE(StringUtils.format("Configuration problem - Invalid groupFilter '%s'", filter));
}
}
return false;
}
}

72
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/MetadataStoreRoleProvider.java Normal file
View File

@ -0,0 +1,72 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization;
import com.fasterxml.jackson.annotation.JacksonInject;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonTypeName;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.AuthenticationResult;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
@JsonTypeName("metadata")
public class MetadataStoreRoleProvider implements RoleProvider
{
private static final Logger LOG = new Logger(MetadataStoreRoleProvider.class);
private final BasicAuthorizerCacheManager cacheManager;
@JsonCreator
public MetadataStoreRoleProvider(
@JacksonInject BasicAuthorizerCacheManager cacheManager
)
{
this.cacheManager = cacheManager;
}
@Override
public Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult)
{
Set<String> roleNames = new HashSet<>();
Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(authorizerPrefix);
if (userMap == null) {
throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix);
}
BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
if (user != null) {
roleNames.addAll(user.getRoles());
}
return roleNames;
}
@Override
public Map<String, BasicAuthorizerRole> getRoleMap(String authorizerPrefix)
{
return cacheManager.getRoleMap(authorizerPrefix);
}
}

39
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/RoleProvider.java Normal file
View File

@ -0,0 +1,39 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization;
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.server.security.AuthenticationResult;
import java.util.Map;
import java.util.Set;
@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type", defaultImpl = MetadataStoreRoleProvider.class)
@JsonSubTypes(value = {
@JsonSubTypes.Type(name = "metadata", value = MetadataStoreRoleProvider.class),
@JsonSubTypes.Type(name = "ldap", value = LDAPRoleProvider.class),
})
public interface RoleProvider
{
Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult);
Map<String, BasicAuthorizerRole> getRoleMap(String authorizerPrefix);
}

28
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheManager.java vendored
View File

@ -19,6 +19,7 @@
package org.apache.druid.security.basic.authorization.db.cache;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
@ -32,11 +33,18 @@ public interface BasicAuthorizerCacheManager
{
/**
* Update this cache manager's local state with fresh information pushed by the coordinator.
*
* @param authorizerPrefix The name of the authorizer this update applies to.
* @param serializedUserAndRoleMap The updated, serialized user and role maps
*/
void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap);
void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap);
/**
* Update this cache manager's local state with fresh information pushed by the coordinator.
* @param authorizerPrefix The name of the authorizer this update applies to.
* @param serializedGroupMappingAndRoleMap The updated, serialized group and role maps
* */
void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap);
/**
* Return the cache manager's local view of the user map for the authorizer named `authorizerPrefix`.
@ -53,4 +61,20 @@ public interface BasicAuthorizerCacheManager
* @return Role map
*/
Map<String, BasicAuthorizerRole> getRoleMap(String authorizerPrefix);
/**
* Return the cache manager's local view of the groupMapping map for the authorizer named `authorizerPrefix`.
*
* @param authorizerPrefix The name of the authorizer
* @return GroupMapping map
*/
Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap(String authorizerPrefix);
/**
* Return the cache manager's local view of the groupMapping-role map for the authorizer named `authorizerPrefix`.
*
* @param authorizerPrefix The name of the authorizer
* @return Role map
*/
Map<String, BasicAuthorizerRole> getGroupMappingRoleMap(String authorizerPrefix);
}

12
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheNotifier.java vendored
View File

@ -26,9 +26,15 @@ public interface BasicAuthorizerCacheNotifier
{
/**
* Send the user map state contained in updatedUserMap to all non-coordinator Druid services
*
* @param authorizerPrefix Name of authorizer being updated
* @param authorizerPrefix Name of authorizer being updated
* @param userAndRoleMap User/role map state
*/
void addUpdate(String authorizerPrefix, byte[] userAndRoleMap);
void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap);
/**
* Send the groupMapping map state contained in updatedGroupMappingMap to all non-coordinator Druid services
* @param authorizerPrefix Name of authorizer being updated
* @param groupMappingAndRoleMap Group/role map state
*/
void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap);
}

31
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorBasicAuthorizerCacheNotifier.java vendored
View File

@ -44,7 +44,8 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC
{
private final LifecycleLock lifecycleLock = new LifecycleLock();
private CommonCacheNotifier cacheNotifier;
private final CommonCacheNotifier cacheUserNotifier;
private final CommonCacheNotifier cacheGroupMappingNotifier;
@Inject
public CoordinatorBasicAuthorizerCacheNotifier(
@ -53,11 +54,18 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC
@EscalatedClient HttpClient httpClient
)
{
cacheNotifier = new CommonCacheNotifier(
cacheUserNotifier = new CommonCacheNotifier(
getAuthorizerConfigMap(authorizerMapper),
discoveryProvider,
httpClient,
"/druid-ext/basic-security/authorization/listen/%s",
"/druid-ext/basic-security/authorization/listen/users/%s",
"CoordinatorBasicAuthorizerCacheNotifier"
);
cacheGroupMappingNotifier = new CommonCacheNotifier(
getAuthorizerConfigMap(authorizerMapper),
discoveryProvider,
httpClient,
"/druid-ext/basic-security/authorization/listen/groupMappings/%s",
"CoordinatorBasicAuthorizerCacheNotifier"
);
}
@ -70,7 +78,8 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC
}
try {
cacheNotifier.start();
cacheUserNotifier.start();
cacheGroupMappingNotifier.start();
lifecycleLock.started();
}
finally {
@ -85,7 +94,8 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC
return;
}
try {
cacheNotifier.stop();
cacheUserNotifier.stop();
cacheGroupMappingNotifier.stop();
}
finally {
lifecycleLock.exitStop();
@ -93,10 +103,17 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC
}
@Override
public void addUpdate(String updatedAuthorizerPrefix, byte[] updatedUserMap)
public void addUpdateUser(String updatedAuthorizerPrefix, byte[] userAndRoleMap)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
cacheNotifier.addUpdate(updatedAuthorizerPrefix, updatedUserMap);
cacheUserNotifier.addUpdate(updatedAuthorizerPrefix, userAndRoleMap);
}
@Override
public void addUpdateGroupMapping(String updatedAuthorizerPrefix, byte[] groupMappingAndRoleMap)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
cacheGroupMappingNotifier.addUpdate(updatedAuthorizerPrefix, groupMappingAndRoleMap);
}
private Map<String, BasicAuthDBConfig> getAuthorizerConfigMap(AuthorizerMapper mapper)

181
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.java vendored
View File

@ -43,8 +43,10 @@ import org.apache.druid.java.util.http.client.response.BytesFullResponseHolder;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
@ -69,6 +71,8 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
private final ConcurrentHashMap<String, Map<String, BasicAuthorizerUser>> cachedUserMaps;
private final ConcurrentHashMap<String, Map<String, BasicAuthorizerRole>> cachedRoleMaps;
private final ConcurrentHashMap<String, Map<String, BasicAuthorizerGroupMapping>> cachedGroupMappingMaps;
private final ConcurrentHashMap<String, Map<String, BasicAuthorizerRole>> cachedGroupMappingRoleMaps;
private final Set<String> authorizerPrefixes;
private final Injector injector;
@ -92,6 +96,8 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
this.objectMapper = objectMapper;
this.cachedUserMaps = new ConcurrentHashMap<>();
this.cachedRoleMaps = new ConcurrentHashMap<>();
this.cachedGroupMappingMaps = new ConcurrentHashMap<>();
this.cachedGroupMappingRoleMaps = new ConcurrentHashMap<>();
this.authorizerPrefixes = new HashSet<>();
this.druidLeaderClient = druidLeaderClient;
}
@ -118,7 +124,7 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
LOG.debug("Inserting random polling delay of [%s] ms", randomDelay);
Thread.sleep(randomDelay);
LOG.debug("Scheduled cache poll is running");
LOG.debug("Scheduled userMap cache poll is running");
for (String authorizerPrefix : authorizerPrefixes) {
UserAndRoleMap userAndRoleMap = fetchUserAndRoleMapFromCoordinator(authorizerPrefix, false);
if (userAndRoleMap != null) {
@ -126,7 +132,7 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
cachedRoleMaps.put(authorizerPrefix, userAndRoleMap.getRoleMap());
}
}
LOG.debug("Scheduled cache poll is done");
LOG.debug("Scheduled userMap cache poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
@ -134,6 +140,32 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
}
);
ScheduledExecutors.scheduleWithFixedDelay(
exec,
new Duration(commonCacheConfig.getPollingPeriod()),
new Duration(commonCacheConfig.getPollingPeriod()),
() -> {
try {
long randomDelay = ThreadLocalRandom.current().nextLong(0, commonCacheConfig.getMaxRandomDelay());
LOG.debug("Inserting random polling delay of [%s] ms", randomDelay);
Thread.sleep(randomDelay);
LOG.debug("Scheduled groupMappingMap cache poll is running");
for (String authorizerPrefix : authorizerPrefixes) {
GroupMappingAndRoleMap groupMappingAndRoleMap = fetchGroupAndRoleMapFromCoordinator(authorizerPrefix, false);
if (groupMappingAndRoleMap != null) {
cachedGroupMappingMaps.put(authorizerPrefix, groupMappingAndRoleMap.getGroupMappingMap());
cachedGroupMappingRoleMaps.put(authorizerPrefix, groupMappingAndRoleMap.getRoleMap());
}
}
LOG.debug("Scheduled groupMappingMap cache poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedGroupMappingMaps.").emit();
}
}
);
lifecycleLock.started();
LOG.info("Started CoordinatorPollingBasicAuthorizerCacheManager.");
}
@ -155,9 +187,9 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
}
@Override
public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap)
public void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap)
{
LOG.debug("Received cache update for authorizer [%s].", authorizerPrefix);
LOG.debug("Received userMap cache update for authorizer [%s].", authorizerPrefix);
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
try {
UserAndRoleMap userAndRoleMap = objectMapper.readValue(
@ -169,7 +201,7 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
cachedRoleMaps.put(authorizerPrefix, userAndRoleMap.getRoleMap());
if (commonCacheConfig.getCacheDirectory() != null) {
writeMapToDisk(authorizerPrefix, serializedUserAndRoleMap);
writeUserMapToDisk(authorizerPrefix, serializedUserAndRoleMap);
}
}
catch (Exception e) {
@ -177,6 +209,29 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
}
}
@Override
public void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap)
{
LOG.debug("Received groupMappingMap cache update for authorizer [%s].", authorizerPrefix);
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
try {
GroupMappingAndRoleMap groupMappingAndRoleMap = objectMapper.readValue(
serializedGroupMappingAndRoleMap,
BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE
);
cachedGroupMappingMaps.put(authorizerPrefix, groupMappingAndRoleMap.getGroupMappingMap());
cachedGroupMappingRoleMaps.put(authorizerPrefix, groupMappingAndRoleMap.getRoleMap());
if (commonCacheConfig.getCacheDirectory() != null) {
writeGroupMappingMapToDisk(authorizerPrefix, serializedGroupMappingAndRoleMap);
}
}
catch (Exception e) {
LOG.makeAlert(e, "Could not deserialize groupMapping/role map received from coordinator.").emit();
}
}
@Override
public Map<String, BasicAuthorizerUser> getUserMap(String authorizerPrefix)
{
@ -189,9 +244,26 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
return cachedRoleMaps.get(authorizerPrefix);
}
@Override
public Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap(String authorizerPrefix)
{
return cachedGroupMappingMaps.get(authorizerPrefix);
}
@Override
public Map<String, BasicAuthorizerRole> getGroupMappingRoleMap(String authorizerPrefix)
{
return cachedGroupMappingRoleMaps.get(authorizerPrefix);
}
private String getUserRoleMapFilename(String prefix)
{
return StringUtils.format("%s.authorizer.cache", prefix);
return StringUtils.format("%s.authorizer.userRole.cache", prefix);
}
private String getGroupMappingRoleMapFilename(String prefix)
{
return StringUtils.format("%s.authorizer.groupMappingRole.cache", prefix);
}
@Nullable
@ -207,7 +279,20 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
);
}
private void writeMapToDisk(String prefix, byte[] userMapBytes) throws IOException
@Nullable
private GroupMappingAndRoleMap loadGroupMappingAndRoleMapFromDisk(String prefix) throws IOException
{
File groupMappingAndRoleMapFile = new File(commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(prefix));
if (!groupMappingAndRoleMapFile.exists()) {
return null;
}
return objectMapper.readValue(
groupMappingAndRoleMapFile,
BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE
);
}
private void writeUserMapToDisk(String prefix, byte[] userMapBytes) throws IOException
{
File cacheDir = new File(commonCacheConfig.getCacheDirectory());
cacheDir.mkdirs();
@ -221,13 +306,27 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
);
}
private void writeGroupMappingMapToDisk(String prefix, byte[] groupMappingBytes) throws IOException
{
File cacheDir = new File(commonCacheConfig.getCacheDirectory());
cacheDir.mkdirs();
File groupMapFile = new File(commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(prefix));
FileUtils.writeAtomically(
groupMapFile,
out -> {
out.write(groupMappingBytes);
return null;
}
);
}
@Nullable
private UserAndRoleMap fetchUserAndRoleMapFromCoordinator(String prefix, boolean isInit)
{
try {
return RetryUtils.retry(
() -> {
return tryFetchMapsFromCoordinator(prefix);
return tryFetchUserMapsFromCoordinator(prefix);
},
e -> true,
commonCacheConfig.getMaxSyncRetries()
@ -252,7 +351,38 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
}
}
private UserAndRoleMap tryFetchMapsFromCoordinator(
@Nullable
private GroupMappingAndRoleMap fetchGroupAndRoleMapFromCoordinator(String prefix, boolean isInit)
{
try {
return RetryUtils.retry(
() -> {
return tryFetchGroupMappingMapsFromCoordinator(prefix);
},
e -> true,
commonCacheConfig.getMaxSyncRetries()
);
}
catch (Exception e) {
LOG.makeAlert(e, "Encountered exception while fetching group and role map for authorizer [%s]", prefix).emit();
if (isInit) {
if (commonCacheConfig.getCacheDirectory() != null) {
try {
LOG.info("Attempting to load group map snapshot from disk.");
return loadGroupMappingAndRoleMapFromDisk(prefix);
}
catch (Exception e2) {
e2.addSuppressed(e);
LOG.makeAlert(e2, "Encountered exception while loading group-role map snapshot for authorizer [%s]", prefix)
.emit();
}
}
}
return null;
}
}
private UserAndRoleMap tryFetchUserMapsFromCoordinator(
String prefix
) throws Exception
{
@ -271,11 +401,35 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
BasicAuthUtils.AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE
);
if (userAndRoleMap != null && commonCacheConfig.getCacheDirectory() != null) {
writeMapToDisk(prefix, userRoleMapBytes);
writeUserMapToDisk(prefix, userRoleMapBytes);
}
return userAndRoleMap;
}
private GroupMappingAndRoleMap tryFetchGroupMappingMapsFromCoordinator(
String prefix
) throws Exception
{
Request req = druidLeaderClient.makeRequest(
HttpMethod.GET,
StringUtils.format("/druid-ext/basic-security/authorization/db/%s/cachedSerializedGroupMappingMap", prefix)
);
BytesFullResponseHolder responseHolder = druidLeaderClient.go(
req,
new BytesFullResponseHandler()
);
byte[] groupRoleMapBytes = responseHolder.getContent();
GroupMappingAndRoleMap groupMappingAndRoleMap = objectMapper.readValue(
groupRoleMapBytes,
BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE
);
if (groupMappingAndRoleMap != null && commonCacheConfig.getCacheDirectory() != null) {
writeGroupMappingMapToDisk(prefix, groupRoleMapBytes);
}
return groupMappingAndRoleMap;
}
private void initUserMaps()
{
AuthorizerMapper authorizerMapper = injector.getInstance(AuthorizerMapper.class);
@ -289,11 +443,18 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho
if (authorizer instanceof BasicRoleBasedAuthorizer) {
String authorizerName = entry.getKey();
authorizerPrefixes.add(authorizerName);
UserAndRoleMap userAndRoleMap = fetchUserAndRoleMapFromCoordinator(authorizerName, true);
if (userAndRoleMap != null) {
cachedUserMaps.put(authorizerName, userAndRoleMap.getUserMap());
cachedRoleMaps.put(authorizerName, userAndRoleMap.getRoleMap());
}
GroupMappingAndRoleMap groupMappingAndRoleMap = fetchGroupAndRoleMapFromCoordinator(authorizerName, true);
if (groupMappingAndRoleMap != null) {
cachedGroupMappingMaps.put(authorizerName, groupMappingAndRoleMap.getGroupMappingMap());
cachedGroupMappingRoleMaps.put(authorizerName, groupMappingAndRoleMap.getRoleMap());
}
}
}
}

21
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/MetadataStoragePollingBasicAuthorizerCacheManager.java vendored
View File

@ -21,6 +21,7 @@ package org.apache.druid.security.basic.authorization.db.cache;
import com.google.inject.Inject;
import org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
@ -39,7 +40,13 @@ public class MetadataStoragePollingBasicAuthorizerCacheManager implements BasicA
}
@Override
public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap)
public void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap)
{
}
@Override
public void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap)
{
}
@ -55,4 +62,16 @@ public class MetadataStoragePollingBasicAuthorizerCacheManager implements BasicA
{
return storageUpdater.getCachedRoleMap(authorizerPrefix);
}
@Override
public Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap(String authorizerPrefix)
{
return storageUpdater.getCachedGroupMappingMap(authorizerPrefix);
}
@Override
public Map<String, BasicAuthorizerRole> getGroupMappingRoleMap(String authorizerPrefix)
{
return getRoleMap(authorizerPrefix);
}
}

20
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/NoopBasicAuthorizerCacheNotifier.java vendored
View File

@ -26,8 +26,26 @@ package org.apache.druid.security.basic.authorization.db.cache;
*/
public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier
{
/**
* Send the user map state contained in updatedUserMap to all non-coordinator Druid services
*
* @param authorizerPrefix Name of authorizer being updated
* @param userAndRoleMap User/role map state
*/
@Override
public void addUpdate(String authorizerPrefix, byte[] userAndRoleMap)
public void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap)
{
// Do nothing as this is a noop implementation
}
/**
* Send the groupMapping map state contained in updatedGroupMappingMap to all non-coordinator Druid services
*
* @param authorizerPrefix Name of authorizer being updated
* @param groupMappingAndRoleMap Group/role map state
*/
@Override
public void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap)
{
// Do nothing as this is a noop implementation
}

17
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/BasicAuthorizerMetadataStorageUpdater.java
View File

@ -19,6 +19,7 @@
package org.apache.druid.security.basic.authorization.db.updater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.ResourceAction;
@ -38,22 +39,34 @@ public interface BasicAuthorizerMetadataStorageUpdater
void deleteUser(String prefix, String userName);
void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping);
void deleteGroupMapping(String prefix, String groupMappingName);
void createRole(String prefix, String roleName);
void deleteRole(String prefix, String roleName);
void assignRole(String prefix, String userName, String roleName);
void assignUserRole(String prefix, String userName, String roleName);
void unassignRole(String prefix, String userName, String roleName);
void unassignUserRole(String prefix, String userName, String roleName);
void assignGroupMappingRole(String prefix, String groupMappingName, String roleName);
void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName);
void setPermissions(String prefix, String roleName, List<ResourceAction> permissions);
Map<String, BasicAuthorizerUser> getCachedUserMap(String prefix);
Map<String, BasicAuthorizerGroupMapping> getCachedGroupMappingMap(String prefix);
Map<String, BasicAuthorizerRole> getCachedRoleMap(String prefix);
byte[] getCurrentUserMapBytes(String prefix);
byte[] getCurrentGroupMappingMapBytes(String prefix);
byte[] getCurrentRoleMapBytes(String prefix);
void refreshAllNotification();

642
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java
View File

@ -38,15 +38,19 @@ import org.apache.druid.metadata.MetadataCASUpdate;
import org.apache.druid.metadata.MetadataStorageConnector;
import org.apache.druid.metadata.MetadataStorageTablesConfig;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthDBConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheNotifier;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingMapBundle;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleMapBundle;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.Authorizer;
@ -56,14 +60,15 @@ import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.server.security.ResourceType;
import org.joda.time.Duration;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ThreadLocalRandom;
@ -78,6 +83,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
private static final long UPDATE_RETRY_DELAY = 1000;
private static final String USERS = "users";
private static final String GROUP_MAPPINGS = "groupMappings";
private static final String ROLES = "roles";
public static final List<ResourceAction> SUPERUSER_PERMISSIONS = makeSuperUserPermissions();
@ -91,6 +97,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
private final int numRetries = 5;
private final Map<String, BasicAuthorizerUserMapBundle> cachedUserMaps;
private final Map<String, BasicAuthorizerGroupMappingMapBundle> cachedGroupMappingMaps;
private final Map<String, BasicAuthorizerRoleMapBundle> cachedRoleMaps;
private final Set<String> authorizerNames;
@ -118,6 +125,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
this.objectMapper = objectMapper;
this.cacheNotifier = cacheNotifier;
this.cachedUserMaps = new ConcurrentHashMap<>();
this.cachedGroupMappingMaps = new ConcurrentHashMap<>();
this.cachedRoleMaps = new ConcurrentHashMap<>();
this.authorizerNames = new HashSet<>();
}
@ -138,6 +146,8 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
Authorizer authorizer = entry.getValue();
if (authorizer instanceof BasicRoleBasedAuthorizer) {
BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer;
BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig();
String authorizerName = entry.getKey();
authorizerNames.add(authorizerName);
@ -148,6 +158,13 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
);
cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
groupMappingMapBytes
);
cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
@ -155,7 +172,11 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
);
cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
initSuperusers(authorizerName, userMap, roleMap);
initSuperUsersAndGroupMapping(authorizerName, userMap, roleMap, groupMappingMap,
dbConfig.getInitialAdminUser(),
dbConfig.getInitialAdminRole(),
dbConfig.getInitialAdminGroupMapping()
);
}
}
@ -163,47 +184,53 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
exec,
new Duration(commonCacheConfig.getPollingPeriod()),
new Duration(commonCacheConfig.getPollingPeriod()),
new Callable<ScheduledExecutors.Signal>()
{
@Override
public ScheduledExecutors.Signal call()
{
if (stopped) {
return ScheduledExecutors.Signal.STOP;
}
try {
LOG.debug("Scheduled db poll is running");
for (String authorizerName : authorizerNames) {
() -> {
if (stopped) {
return ScheduledExecutors.Signal.STOP;
}
try {
LOG.debug("Scheduled db poll is running");
for (String authorizerName : authorizerNames) {
byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(
objectMapper,
userMapBytes
);
if (userMapBytes != null) {
synchronized (cachedUserMaps) {
cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
}
}
byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
roleMapBytes
);
if (roleMapBytes != null) {
synchronized (cachedUserMaps) {
cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
}
byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(
objectMapper,
userMapBytes
);
if (userMapBytes != null) {
synchronized (cachedUserMaps) {
cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
}
}
byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
groupMappingMapBytes
);
if (groupMappingMapBytes != null) {
synchronized (cachedGroupMappingMaps) {
cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
}
}
byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
roleMapBytes
);
if (roleMapBytes != null) {
synchronized (cachedRoleMaps) {
cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
}
}
LOG.debug("Scheduled db poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
}
return ScheduledExecutors.Signal.REPEAT;
LOG.debug("Scheduled db poll is done");
}
catch (Throwable t) {
LOG.makeAlert(t, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.").emit();
}
return ScheduledExecutors.Signal.REPEAT;
}
);
@ -239,7 +266,69 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
byte[] newUserMapValue
)
{
return tryUpdateUserAndRoleMap(prefix, userMap, oldUserMapValue, newUserMapValue, null, null, null);
try {
List<MetadataCASUpdate> updates = new ArrayList<>();
if (userMap != null) {
updates.add(
createMetadataCASUpdate(prefix, oldUserMapValue, newUserMapValue, USERS)
);
boolean succeeded = connector.compareAndSwap(updates);
if (succeeded) {
cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue));
byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap);
return true;
} else {
return false;
}
}
return false;
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
private boolean tryUpdateGroupMappingMap(
String prefix,
Map<String, BasicAuthorizerGroupMapping> groupMappingMap,
byte[] oldGroupMappingMapValue,
byte[] newGroupMappingMapValue
)
{
try {
List<MetadataCASUpdate> updates = new ArrayList<>();
if (groupMappingMap != null) {
updates.add(
createMetadataCASUpdate(prefix, oldGroupMappingMapValue, newGroupMappingMapValue, GROUP_MAPPINGS)
);
boolean succeeded = connector.compareAndSwap(updates);
if (succeeded) {
cachedGroupMappingMaps.put(prefix,
new BasicAuthorizerGroupMappingMapBundle(
groupMappingMap,
newGroupMappingMapValue
)
);
byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap);
return true;
} else {
return false;
}
}
return false;
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
private boolean tryUpdateRoleMap(
@ -249,7 +338,33 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
byte[] newRoleMapValue
)
{
return tryUpdateUserAndRoleMap(prefix, null, null, null, roleMap, oldRoleMapValue, newRoleMapValue);
try {
List<MetadataCASUpdate> updates = new ArrayList<>();
if (roleMap != null) {
updates.add(
createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES)
);
boolean succeeded = connector.compareAndSwap(updates);
if (succeeded) {
cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue));
byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap);
byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap);
return true;
} else {
return false;
}
}
return false;
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
private boolean tryUpdateUserAndRoleMap(
@ -264,55 +379,91 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
{
try {
List<MetadataCASUpdate> updates = new ArrayList<>();
if (userMap != null) {
if (userMap != null && roleMap != null) {
updates.add(
new MetadataCASUpdate(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, USERS),
oldUserMapValue,
newUserMapValue
)
createMetadataCASUpdate(prefix, oldUserMapValue, newUserMapValue, USERS)
);
}
if (roleMap != null) {
updates.add(
new MetadataCASUpdate(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, ROLES),
oldRoleMapValue,
newRoleMapValue
)
createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES)
);
boolean succeeded = connector.compareAndSwap(updates);
if (succeeded) {
cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue));
cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue));
byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap);
return true;
} else {
return false;
}
}
}
catch (Exception e) {
throw new RuntimeException(e);
}
return false;
}
private boolean tryUpdateGroupMappingAndRoleMap(
String prefix,
Map<String, BasicAuthorizerGroupMapping> groupMappingMap,
byte[] oldGroupMappingMapValue,
byte[] newGroupMappingMapValue,
Map<String, BasicAuthorizerRole> roleMap,
byte[] oldRoleMapValue,
byte[] newRoleMapValue
)
{
try {
List<MetadataCASUpdate> updates = new ArrayList<>();
if (groupMappingMap != null && roleMap != null) {
updates.add(
createMetadataCASUpdate(prefix, oldGroupMappingMapValue, newGroupMappingMapValue, GROUP_MAPPINGS)
);
updates.add(
createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES)
);
}
boolean succeeded = connector.compareAndSwap(updates);
if (succeeded) {
if (userMap != null) {
cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue));
}
if (roleMap != null) {
cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue));
}
cachedGroupMappingMaps.put(prefix, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, newGroupMappingMapValue));
cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue));
byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix);
cacheNotifier.addUpdate(prefix, serializedUserAndRoleMap);
byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix);
cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap);
return true;
} else {
return false;
}
}
catch (Exception e) {
throw new RuntimeException(e);
}
}
@Nonnull
private MetadataCASUpdate createMetadataCASUpdate(
String prefix,
byte[] oldValue,
byte[] newValue,
String columnName
)
{
return new MetadataCASUpdate(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, columnName),
oldValue,
newValue
);
}
@Override
public void createUser(String prefix, String userName)
{
@ -327,6 +478,21 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
deleteUserInternal(prefix, userName);
}
@Override
public void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
createGroupMappingInternal(prefix, groupMapping);
}
@Override
public void deleteGroupMapping(String prefix, String groupMappingName)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
deleteGroupMappingInternal(prefix, groupMappingName);
}
@Override
public void createRole(String prefix, String roleName)
{
@ -342,17 +508,31 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
}
@Override
public void assignRole(String prefix, String userName, String roleName)
public void assignUserRole(String prefix, String userName, String roleName)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
assignRoleInternal(prefix, userName, roleName);
assignUserRoleInternal(prefix, userName, roleName);
}
@Override
public void unassignRole(String prefix, String userName, String roleName)
public void unassignUserRole(String prefix, String userName, String roleName)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
unassignRoleInternal(prefix, userName, roleName);
unassignUserRoleInternal(prefix, userName, roleName);
}
@Override
public void assignGroupMappingRole(String prefix, String groupMappingName, String roleName)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
assignGroupMappingRoleInternal(prefix, groupMappingName, roleName);
}
@Override
public void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName)
{
Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS));
unassignGroupMappingRoleInternal(prefix, groupMappingName, roleName);
}
@Override
@ -370,6 +550,13 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
return userMapBundle == null ? null : userMapBundle.getUserMap();
}
@Override
public Map<String, BasicAuthorizerGroupMapping> getCachedGroupMappingMap(String prefix)
{
BasicAuthorizerGroupMappingMapBundle groupMapBundle = cachedGroupMappingMaps.get(prefix);
return groupMapBundle == null ? null : groupMapBundle.getGroupMappingMap();
}
@Override
@Nullable
public Map<String, BasicAuthorizerRole> getCachedRoleMap(String prefix)
@ -389,6 +576,17 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
);
}
@Override
public byte[] getCurrentGroupMappingMapBytes(String prefix)
{
return connector.lookup(
connectorConfig.getConfigTable(),
MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN,
MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN,
getPrefixedKeyColumn(prefix, GROUP_MAPPINGS)
);
}
@Override
public byte[] getCurrentRoleMapBytes(String prefix)
{
@ -407,7 +605,10 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
(authorizerName) -> {
try {
byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(authorizerName);
cacheNotifier.addUpdate(authorizerName, serializedUserAndRoleMap);
cacheNotifier.addUpdateUser(authorizerName, serializedUserAndRoleMap);
byte[] serializeGroupAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(authorizerName);
cacheNotifier.addUpdateGroupMapping(authorizerName, serializeGroupAndRoleMap);
}
catch (IOException ioe) {
throw new RuntimeException(ioe);
@ -429,6 +630,19 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
return objectMapper.writeValueAsBytes(userAndRoleMap);
}
private byte[] getCurrentGroupMappingAndRoleMapSerialized(String prefix) throws IOException
{
BasicAuthorizerGroupMappingMapBundle groupMappingMapBundle = cachedGroupMappingMaps.get(prefix);
BasicAuthorizerRoleMapBundle roleMapBundle = cachedRoleMaps.get(prefix);
GroupMappingAndRoleMap groupMappingAndRoleMap = new GroupMappingAndRoleMap(
groupMappingMapBundle == null ? null : groupMappingMapBundle.getGroupMappingMap(),
roleMapBundle == null ? null : roleMapBundle.getRoleMap()
);
return objectMapper.writeValueAsBytes(groupMappingAndRoleMap);
}
private void createUserInternal(String prefix, String userName)
{
int attempts = 0;
@ -445,7 +659,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not create user[%s] due to concurrent update contention.", userName);
throw new ISE("Could not create user [%s] due to concurrent update contention.", userName);
}
private void deleteUserInternal(String prefix, String userName)
@ -464,7 +678,45 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not delete user[%s] due to concurrent update contention.", userName);
throw new ISE("Could not delete user [%s] due to concurrent update contention.", userName);
}
private void createGroupMappingInternal(String prefix, BasicAuthorizerGroupMapping groupMapping)
{
int attempts = 0;
while (attempts < numRetries) {
if (createGroupMappingOnce(prefix, groupMapping)) {
return;
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
throw new ISE("Could not create group mapping [%s] due to concurrent update contention.", groupMapping);
}
private void deleteGroupMappingInternal(String prefix, String groupMappingName)
{
int attempts = 0;
while (attempts < numRetries) {
if (deleteGroupMappingOnce(prefix, groupMappingName)) {
return;
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
throw new ISE("Could not delete group mapping [%s] due to concurrent update contention.", groupMappingName);
}
private void createRoleInternal(String prefix, String roleName)
@ -483,7 +735,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not create role[%s] due to concurrent update contention.", roleName);
throw new ISE("Could not create role [%s] due to concurrent update contention.", roleName);
}
private void deleteRoleInternal(String prefix, String roleName)
@ -502,14 +754,14 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not delete role[%s] due to concurrent update contention.", roleName);
throw new ISE("Could not delete role [%s] due to concurrent update contention.", roleName);
}
private void assignRoleInternal(String prefix, String userName, String roleName)
private void assignUserRoleInternal(String prefix, String userName, String roleName)
{
int attempts = 0;
while (attempts < numRetries) {
if (assignRoleOnce(prefix, userName, roleName)) {
if (assignUserRoleOnce(prefix, userName, roleName)) {
return;
} else {
attempts++;
@ -521,14 +773,14 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not assign role[%s] to user[%s] due to concurrent update contention.", roleName, userName);
throw new ISE("Could not assign role [%s] to user [%s] due to concurrent update contention.", roleName, userName);
}
private void unassignRoleInternal(String prefix, String userName, String roleName)
private void unassignUserRoleInternal(String prefix, String userName, String roleName)
{
int attempts = 0;
while (attempts < numRetries) {
if (unassignRoleOnce(prefix, userName, roleName)) {
if (unassignUserRoleOnce(prefix, userName, roleName)) {
return;
} else {
attempts++;
@ -540,7 +792,50 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not unassign role[%s] from user[%s] due to concurrent update contention.", roleName, userName);
throw new ISE("Could not unassign role [%s] from user [%s] due to concurrent update contention.", roleName, userName);
}
private void assignGroupMappingRoleInternal(String prefix, String groupMappingName, String roleName)
{
int attempts = 0;
while (attempts < numRetries) {
if (assignGroupMappingRoleOnce(prefix, groupMappingName, roleName)) {
return;
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
throw new ISE("Could not assign role [%s] to group mapping [%s] due to concurrent update contention.",
roleName,
groupMappingName
);
}
private void unassignGroupMappingRoleInternal(String prefix, String groupMappingName, String roleName)
{
int attempts = 0;
while (attempts < numRetries) {
if (unassignGroupMappingRoleOnce(prefix, groupMappingName, roleName)) {
return;
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
}
catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
throw new ISE("Could not unassign role [%s] from group mapping [%s] due to concurrent update contention.", roleName,
groupMappingName
);
}
private void setPermissionsInternal(String prefix, String roleName, List<ResourceAction> permissions)
@ -559,7 +854,20 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
throw new RuntimeException(ie);
}
}
throw new ISE("Could not set permissions for role[%s] due to concurrent update contention.", roleName);
throw new ISE("Could not set permissions for role [%s] due to concurrent update contention.", roleName);
}
private boolean deleteUserOnce(String prefix, String userName)
{
byte[] oldValue = getCurrentUserMapBytes(prefix);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldValue);
if (userMap.get(userName) == null) {
throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
} else {
userMap.remove(userName);
}
byte[] newValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap);
return tryUpdateUserMap(prefix, userMap, oldValue, newValue);
}
private boolean createUserOnce(String prefix, String userName)
@ -575,17 +883,30 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
return tryUpdateUserMap(prefix, userMap, oldValue, newValue);
}
private boolean deleteUserOnce(String prefix, String userName)
private boolean deleteGroupMappingOnce(String prefix, String groupMappingName)
{
byte[] oldValue = getCurrentUserMapBytes(prefix);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldValue);
if (userMap.get(userName) == null) {
throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
byte[] oldValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldValue);
if (groupMappingMap.get(groupMappingName) == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
} else {
userMap.remove(userName);
groupMappingMap.remove(groupMappingName);
}
byte[] newValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap);
return tryUpdateUserMap(prefix, userMap, oldValue, newValue);
byte[] newValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
return tryUpdateGroupMappingMap(prefix, groupMappingMap, oldValue, newValue);
}
private boolean createGroupMappingOnce(String prefix, BasicAuthorizerGroupMapping groupMapping)
{
byte[] oldValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldValue);
if (groupMappingMap.get(groupMapping.getName()) != null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] already exists.", groupMapping.getName());
} else {
groupMappingMap.put(groupMapping.getName(), groupMapping);
}
byte[] newValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
return tryUpdateGroupMappingMap(prefix, groupMappingMap, oldValue, newValue);
}
private boolean createRoleOnce(String prefix, String roleName)
@ -623,16 +944,31 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
user.getRoles().remove(roleName);
}
byte[] newUserMapValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap);
byte[] oldGroupMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
oldGroupMapValue
);
for (BasicAuthorizerGroupMapping group : groupMap.values()) {
group.getRoles().remove(roleName);
}
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMap);
byte[] newRoleMapValue = BasicAuthUtils.serializeAuthorizerRoleMap(objectMapper, roleMap);
return tryUpdateUserAndRoleMap(
prefix,
userMap, oldUserMapValue, newUserMapValue,
roleMap, oldRoleMapValue, newRoleMapValue
) && tryUpdateGroupMappingAndRoleMap(
prefix,
groupMap, oldGroupMapValue, newGroupMapValue,
roleMap, newRoleMapValue, newRoleMapValue
);
}
private boolean assignRoleOnce(String prefix, String userName, String roleName)
private boolean assignUserRoleOnce(String prefix, String userName, String roleName)
{
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
@ -668,7 +1004,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
);
}
private boolean unassignRoleOnce(String prefix, String userName, String roleName)
private boolean unassignUserRoleOnce(String prefix, String userName, String roleName)
{
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
@ -704,6 +1040,78 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
);
}
private boolean assignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName)
{
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
oldRoleMapValue
);
if (roleMap.get(roleName) == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
oldGroupMappingMapValue
);
BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
if (groupMappingMap.get(groupMappingName) == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
if (groupMapping.getRoles().contains(roleName)) {
throw new BasicSecurityDBResourceException("Group mapping [%s] already has role [%s].", groupMappingName, roleName);
}
groupMapping.getRoles().add(roleName);
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
// Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
return tryUpdateGroupMappingAndRoleMap(
prefix,
groupMappingMap, oldGroupMappingMapValue, newGroupMapValue,
roleMap, oldRoleMapValue, oldRoleMapValue
);
}
private boolean unassignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName)
{
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
oldRoleMapValue
);
if (roleMap.get(roleName) == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
oldGroupMappingMapValue
);
BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
if (groupMappingMap.get(groupMappingName) == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
if (!groupMapping.getRoles().contains(roleName)) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", groupMappingName, roleName);
}
groupMapping.getRoles().remove(roleName);
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
// Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
return tryUpdateGroupMappingAndRoleMap(
prefix,
groupMappingMap, oldGroupMappingMapValue, newGroupMapValue,
roleMap, oldRoleMapValue, oldRoleMapValue
);
}
private boolean setPermissionsOnce(String prefix, String roleName, List<ResourceAction> permissions)
{
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
@ -723,10 +1131,14 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
return tryUpdateRoleMap(prefix, roleMap, oldRoleMapValue, newRoleMapValue);
}
private void initSuperusers(
private void initSuperUsersAndGroupMapping(
String authorizerName,
Map<String, BasicAuthorizerUser> userMap,
Map<String, BasicAuthorizerRole> roleMap
Map<String, BasicAuthorizerRole> roleMap,
Map<String, BasicAuthorizerGroupMapping> groupMappingMap,
String initialAdminUser,
String initialAdminRole,
String initialAdminGroupMapping
)
{
if (!roleMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
@ -739,14 +1151,38 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu
setPermissionsInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, SUPERUSER_PERMISSIONS);
}
if (!userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
createUserInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
assignRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME);
}
if (!userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
createUserInternal(authorizerName, BasicAuthUtils.ADMIN_NAME);
assignRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME);
assignUserRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME);
}
if (!userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
createUserInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
assignUserRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME);
}
if (initialAdminRole != null
&& !(initialAdminRole.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminRole.equals(BasicAuthUtils.INTERNAL_USER_NAME))
&& !roleMap.containsKey(initialAdminRole)) {
createRoleInternal(authorizerName, initialAdminRole);
setPermissionsInternal(authorizerName, initialAdminRole, SUPERUSER_PERMISSIONS);
}
if (initialAdminUser != null
&& !(initialAdminUser.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminUser.equals(BasicAuthUtils.INTERNAL_USER_NAME))
&& !userMap.containsKey(initialAdminUser)) {
createUserInternal(authorizerName, initialAdminUser);
assignUserRoleInternal(authorizerName, initialAdminUser, initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole);
}
if (initialAdminGroupMapping != null && !groupMappingMap.containsKey(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME)) {
BasicAuthorizerGroupMapping groupMapping =
new BasicAuthorizerGroupMapping(
BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME,
initialAdminGroupMapping,
new HashSet<>(Collections.singletonList(initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole))
);
createGroupMappingInternal(authorizerName, groupMapping);
}
}

37
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/NoopBasicAuthorizerMetadataStorageUpdater.java
View File

@ -19,6 +19,7 @@
package org.apache.druid.security.basic.authorization.db.updater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.server.security.ResourceAction;
@ -43,6 +44,16 @@ public class NoopBasicAuthorizerMetadataStorageUpdater implements BasicAuthorize
{
}
@Override
public void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping)
{
}
@Override
public void deleteGroupMapping(String prefix, String groupMappingName)
{
}
@Override
public void createRole(String prefix, String roleName)
{
@ -54,12 +65,22 @@ public class NoopBasicAuthorizerMetadataStorageUpdater implements BasicAuthorize
}
@Override
public void assignRole(String prefix, String userName, String roleName)
public void assignUserRole(String prefix, String userName, String roleName)
{
}
@Override
public void unassignRole(String prefix, String userName, String roleName)
public void unassignUserRole(String prefix, String userName, String roleName)
{
}
@Override
public void assignGroupMappingRole(String prefix, String groupMappingName, String roleName)
{
}
@Override
public void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName)
{
}
@ -74,6 +95,12 @@ public class NoopBasicAuthorizerMetadataStorageUpdater implements BasicAuthorize
return Collections.emptyMap();
}
@Override
public Map<String, BasicAuthorizerGroupMapping> getCachedGroupMappingMap(String prefix)
{
return Collections.emptyMap();
}
@Override
public Map<String, BasicAuthorizerRole> getCachedRoleMap(String prefix)
{
@ -92,6 +119,12 @@ public class NoopBasicAuthorizerMetadataStorageUpdater implements BasicAuthorize
return new byte[0];
}
@Override
public byte[] getCurrentGroupMappingMapBytes(String prefix)
{
return new byte[0];
}
@Override
public void refreshAllNotification()
{

223
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java
View File

@ -24,6 +24,7 @@ import com.google.inject.Inject;
import com.sun.jersey.spi.container.ResourceFilters;
import org.apache.druid.guice.LazySingleton;
import org.apache.druid.security.basic.BasicSecurityResourceFilter;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.server.security.ResourceAction;
import javax.servlet.http.HttpServletRequest;
@ -44,7 +45,7 @@ import java.util.List;
@LazySingleton
public class BasicAuthorizerResource
{
private BasicAuthorizerResourceHandler resourceHandler;
private final BasicAuthorizerResourceHandler resourceHandler;
@Inject
public BasicAuthorizerResource(
@ -108,6 +109,24 @@ public class BasicAuthorizerResource
return resourceHandler.getAllUsers(authorizerName);
}
/**
* @param req HTTP request
*
* @return List of all groupMappings
*/
@GET
@Path("/db/{authorizerName}/groupMappings")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response getAllGroupMappings(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName
)
{
return resourceHandler.getAllGroupMappings(authorizerName);
}
/**
* @param req HTTP request
* @param userName Name of user to retrieve information about
@ -130,6 +149,27 @@ public class BasicAuthorizerResource
return resourceHandler.getUser(authorizerName, userName, full != null, simplifyPermissions != null);
}
/**
* @param req HTTP request
* @param groupMappingName Name of groupMapping to retrieve information about
*
* @return Name, groupPattern, roles, and permissions of the groupMapping with groupMappingName, 400 error response if groupMapping doesn't exist
*/
@GET
@Path("/db/{authorizerName}/groupMappings/{groupMappingName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response getGroupMapping(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("groupMappingName") final String groupMappingName,
@QueryParam("full") String full
)
{
return resourceHandler.getGroupMapping(authorizerName, groupMappingName, full != null);
}
/**
* Create a new user with name userName
*
@ -174,6 +214,54 @@ public class BasicAuthorizerResource
return resourceHandler.deleteUser(authorizerName, userName);
}
/**
* Create a new groupMapping with name groupMappingName
*
* @param req HTTP request
* @param groupMappingName Name to assign the new groupMapping
*
* @return OK response, or 400 error response if groupMapping already exists
*/
@POST
@Path("/db/{authorizerName}/groupMappings/{groupMappingName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response createGroupMapping(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("groupMappingName") String groupMappingName,
BasicAuthorizerGroupMapping groupMapping
)
{
return resourceHandler.createGroupMapping(
authorizerName,
new BasicAuthorizerGroupMapping(groupMappingName, groupMapping.getGroupPattern(), groupMapping.getRoles())
);
}
/**
* Delete a groupMapping with name groupMappingName
*
* @param req HTTP request
* @param groupMappingName Name of groupMapping to delete
*
* @return OK response, or 400 error response if groupMapping doesn't exist
*/
@DELETE
@Path("/db/{authorizerName}/groupMappings/{groupMappingName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response deleteGroupMapping(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("groupMappingName") String groupMappingName
)
{
return resourceHandler.deleteGroupMapping(authorizerName, groupMappingName);
}
/**
* @param req HTTP request
*
@ -198,7 +286,7 @@ public class BasicAuthorizerResource
* @param req HTTP request
* @param roleName Name of role
*
* @return Role name, users with role, and permissions of role. 400 error if role doesn't exist.
* @return Role name, users with role, groupMappings with role, and permissions of role. 400 error if role doesn't exist.
*/
@GET
@Path("/db/{authorizerName}/roles/{roleName}")
@ -308,6 +396,54 @@ public class BasicAuthorizerResource
return resourceHandler.unassignRoleFromUser(authorizerName, userName, roleName);
}
/**
* Assign a role to a groupMapping.
*
* @param req HTTP request
* @param groupMappingName Name of groupMapping
* @param roleName Name of role
*
* @return OK response. 400 error if groupMapping/role don't exist, or if groupMapping already has the role
*/
@POST
@Path("/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response assignRoleToGroupMapping(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("groupMappingName") String groupMappingName,
@PathParam("roleName") String roleName
)
{
return resourceHandler.assignRoleToGroupMapping(authorizerName, groupMappingName, roleName);
}
/**
* Remove a role from a groupMapping.
*
* @param req HTTP request
* @param groupMappingName Name of groupMapping
* @param roleName Name of role
*
* @return OK response. 400 error if groupMapping/role don't exist, or if groupMapping does not have the role.
*/
@DELETE
@Path("/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response unassignRoleFromGroupMapping(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("groupMappingName") String groupMappingName,
@PathParam("roleName") String roleName
)
{
return resourceHandler.unassignRoleFromGroupMapping(authorizerName, groupMappingName, roleName);
}
/**
* Set the permissions of a role. This replaces the previous permissions of the role.
*
@ -332,6 +468,28 @@ public class BasicAuthorizerResource
return resourceHandler.setRolePermissions(authorizerName, roleName, permissions);
}
/**
* Get the permissions of a role.
*
* @param req HTTP request
* @param roleName Name of role
*
* @return OK response. 400 error if role doesn't exist.
*/
@GET
@Path("/db/{authorizerName}/roles/{roleName}/permissions")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response getRolePermissions(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
@PathParam("roleName") String roleName
)
{
return resourceHandler.getRolePermissions(authorizerName, roleName);
}
/**
* @param req HTTP request
*
@ -347,24 +505,79 @@ public class BasicAuthorizerResource
@PathParam("authorizerName") final String authorizerName
)
{
return resourceHandler.getCachedMaps(authorizerName);
return resourceHandler.getCachedUserMaps(authorizerName);
}
/**
* @param req HTTP request
*
* @return serialized groupMapping map
*/
@GET
@Path("/db/{authorizerName}/cachedSerializedGroupMappingMap")
@Produces(SmileMediaTypes.APPLICATION_JACKSON_SMILE)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response getCachedSerializedGroupMap(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName
)
{
return resourceHandler.getCachedGroupMappingMaps(authorizerName);
}
/**
* Listen for update notifications for the auth storage
* Listen for update notifications for the user auth storage
* @deprecated path /listen/{authorizerName} is to replaced by /listen/users/{authorizerName}
* use {@link #authorizerUserUpdateListener(HttpServletRequest, String, byte[])} instead
*/
@POST
@Path("/listen/{authorizerName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
@Deprecated
public Response authorizerUpdateListener(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
byte[] serializedUserAndRoleMap
)
{
return resourceHandler.authorizerUpdateListener(authorizerName, serializedUserAndRoleMap);
return resourceHandler.authorizerUserUpdateListener(authorizerName, serializedUserAndRoleMap);
}
/**
* Listen for update notifications for the user auth storage
*/
@POST
@Path("/listen/users/{authorizerName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response authorizerUserUpdateListener(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
byte[] serializedUserAndRoleMap
)
{
return resourceHandler.authorizerUserUpdateListener(authorizerName, serializedUserAndRoleMap);
}
/**
* Listen for update notifications for the groupMapping auth storage
*/
@POST
@Path("/listen/groupMappings/{authorizerName}")
@Produces(MediaType.APPLICATION_JSON)
@Consumes(MediaType.APPLICATION_JSON)
@ResourceFilters(BasicSecurityResourceFilter.class)
public Response authorizerGroupMappingUpdateListener(
@Context HttpServletRequest req,
@PathParam("authorizerName") final String authorizerName,
byte[] serializedGroupMappingAndRoleMap
)
{
return resourceHandler.authorizerGroupMappingUpdateListener(authorizerName, serializedGroupMappingAndRoleMap);
}
}

23
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResourceHandler.java
View File

@ -19,6 +19,7 @@
package org.apache.druid.security.basic.authorization.endpoint;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.server.security.ResourceAction;
import javax.ws.rs.core.Response;
@ -34,12 +35,20 @@ public interface BasicAuthorizerResourceHandler
// coordinator methods
Response getAllUsers(String authorizerName);
Response getAllGroupMappings(String authorizerName);
Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions);
Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull);
Response createUser(String authorizerName, String userName);
Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping);
Response deleteUser(String authorizerName, String userName);
Response deleteGroupMapping(String authorizerName, String groupMappingName);
Response getAllRoles(String authorizerName);
Response getRole(String authorizerName, String roleName, boolean isFull, boolean simplifyPermissions);
@ -50,16 +59,26 @@ public interface BasicAuthorizerResourceHandler
Response assignRoleToUser(String authorizerName, String userName, String roleName);
Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName);
Response unassignRoleFromUser(String authorizerName, String userName, String roleName);
Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName);
Response setRolePermissions(String authorizerName, String roleName, List<ResourceAction> permissions);
Response getCachedMaps(String authorizerName);
Response getRolePermissions(String authorizerName, String roleName);
Response getCachedUserMaps(String authorizerName);
Response getCachedGroupMappingMaps(String authorizerName);
Response refreshAll();
// non-coordinator methods
Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap);
Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap);
Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap);
// common
Response getLoadStatus();

265
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.java
View File

@ -29,12 +29,15 @@ import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
@ -93,6 +96,21 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
return Response.ok(userMap.keySet()).build();
}
@Override
public Response getAllGroupMappings(String authorizerName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
storageUpdater.getCurrentGroupMappingMapBytes(authorizerName)
);
return Response.ok(groupMappingMap.keySet()).build();
}
@Override
public Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions)
{
@ -108,6 +126,21 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
}
@Override
public Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
if (isFull) {
return getGroupMappingFull(authorizerName, groupMappingName);
} else {
return getGroupMappingSimple(authorizerName, groupMappingName);
}
}
@Override
public Response createUser(String authorizerName, String userName)
{
@ -125,6 +158,23 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
}
@Override
public Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
try {
storageUpdater.createGroupMapping(authorizerName, groupMapping);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
return makeResponseForBasicSecurityDBResourceException(cfe);
}
}
@Override
public Response deleteUser(String authorizerName, String userName)
{
@ -142,6 +192,23 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
}
@Override
public Response deleteGroupMapping(String authorizerName, String groupMappingName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
try {
storageUpdater.deleteGroupMapping(authorizerName, groupMappingName);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
return makeResponseForBasicSecurityDBResourceException(cfe);
}
}
@Override
public Response getAllRoles(String authorizerName)
{
@ -216,7 +283,24 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
try {
storageUpdater.assignRole(authorizerName, userName, roleName);
storageUpdater.assignUserRole(authorizerName, userName, roleName);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
return makeResponseForBasicSecurityDBResourceException(cfe);
}
}
@Override
public Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
try {
storageUpdater.assignGroupMappingRole(authorizerName, groupMappingName, roleName);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
@ -233,7 +317,24 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
try {
storageUpdater.unassignRole(authorizerName, userName, roleName);
storageUpdater.unassignUserRole(authorizerName, userName, roleName);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
return makeResponseForBasicSecurityDBResourceException(cfe);
}
}
@Override
public Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
try {
storageUpdater.unassignGroupMappingRole(authorizerName, groupMappingName, roleName);
return Response.ok().build();
}
catch (BasicSecurityDBResourceException cfe) {
@ -259,7 +360,18 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
@Override
public Response getCachedMaps(String authorizerName)
public Response getRolePermissions(String authorizerName, String roleName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
return getPermissions(authorizerName, roleName);
}
@Override
public Response getCachedUserMaps(String authorizerName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
@ -274,6 +386,21 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
return Response.ok(userAndRoleMap).build();
}
@Override
public Response getCachedGroupMappingMaps(String authorizerName)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
GroupMappingAndRoleMap groupMappingAndRoleMap = new GroupMappingAndRoleMap(
storageUpdater.getCachedGroupMappingMap(authorizerName),
storageUpdater.getCachedRoleMap(authorizerName)
);
return Response.ok(groupMappingAndRoleMap).build();
}
@Override
public Response refreshAll()
{
@ -282,7 +409,13 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
}
@Override
public Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap)
public Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap)
{
return Response.status(Response.Status.NOT_FOUND).build();
}
@Override
public Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap)
{
return Response.status(Response.Status.NOT_FOUND).build();
}
@ -293,7 +426,9 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
Map<String, Boolean> loadStatus = new HashMap<>();
authorizerMap.forEach(
(authorizerName, authorizer) -> {
loadStatus.put(authorizerName, storageUpdater.getCachedUserMap(authorizerName) != null);
loadStatus.put(authorizerName, storageUpdater.getCachedUserMap(authorizerName) != null &&
storageUpdater.getCachedGroupMappingMap(authorizerName) != null &&
storageUpdater.getCachedRoleMap(authorizerName) != null);
}
);
return Response.ok(loadStatus).build();
@ -344,17 +479,17 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
storageUpdater.getCurrentUserMapBytes(authorizerName)
);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
storageUpdater.getCurrentRoleMapBytes(authorizerName)
);
try {
BasicAuthorizerUser user = userMap.get(userName);
if (user == null) {
throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
}
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
storageUpdater.getCurrentRoleMapBytes(authorizerName)
);
if (simplifyPermissions) {
Set<BasicAuthorizerRoleSimplifiedPermissions> roles = getRolesForUserWithSimplifiedPermissions(user, roleMap);
BasicAuthorizerUserFullSimplifiedPermissions fullUser = new BasicAuthorizerUserFullSimplifiedPermissions(
@ -412,6 +547,60 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
return roles;
}
private Response getGroupMappingSimple(String authorizerName, String groupMappingName)
{
Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
storageUpdater.getCurrentGroupMappingMapBytes(authorizerName)
);
try {
BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
if (groupMapping == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
return Response.ok(groupMapping).build();
}
catch (BasicSecurityDBResourceException e) {
return makeResponseForBasicSecurityDBResourceException(e);
}
}
private Response getGroupMappingFull(String authorizerName, String groupMappingName)
{
Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
storageUpdater.getCurrentGroupMappingMapBytes(authorizerName)
);
try {
BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
if (groupMapping == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
storageUpdater.getCurrentRoleMapBytes(authorizerName)
);
Set<BasicAuthorizerRole> roles = new HashSet<>();
for (String roleName : groupMapping.getRoles()) {
BasicAuthorizerRole role = roleMap.get(roleName);
if (role == null) {
log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
} else {
roles.add(role);
}
}
BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles);
return Response.ok(fullGroup).build();
}
catch (BasicSecurityDBResourceException e) {
return makeResponseForBasicSecurityDBResourceException(e);
}
}
private Response getRoleSimple(String authorizerName, String roleName, boolean simplifyPermissions)
{
@ -444,29 +633,42 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
storageUpdater.getCurrentRoleMapBytes(authorizerName)
);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(
objectMapper,
storageUpdater.getCurrentUserMapBytes(authorizerName)
);
Set<String> users = new HashSet<>();
for (BasicAuthorizerUser user : userMap.values()) {
if (user.getRoles().contains(roleName)) {
users.add(user.getName());
}
}
try {
BasicAuthorizerRole role = roleMap.get(roleName);
if (role == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(
objectMapper,
storageUpdater.getCurrentUserMapBytes(authorizerName)
);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
storageUpdater.getCurrentGroupMappingMapBytes(authorizerName)
);
Set<String> users = new HashSet<>();
for (BasicAuthorizerUser user : userMap.values()) {
if (user.getRoles().contains(roleName)) {
users.add(user.getName());
}
}
Set<String> groupMappings = new HashSet<>();
for (BasicAuthorizerGroupMapping group : groupMappingMap.values()) {
if (group.getRoles().contains(roleName)) {
groupMappings.add(group.getName());
}
}
if (simplifyPermissions) {
return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, users)).build();
} else {
BasicAuthorizerRoleFull roleFull = new BasicAuthorizerRoleFull(
roleName,
users,
groupMappings,
role.getPermissions()
);
return Response.ok(roleFull).build();
@ -476,4 +678,23 @@ public class CoordinatorBasicAuthorizerResourceHandler implements BasicAuthorize
return makeResponseForBasicSecurityDBResourceException(e);
}
}
private Response getPermissions(String authorizerName, String roleName)
{
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
storageUpdater.getCurrentRoleMapBytes(authorizerName)
);
try {
BasicAuthorizerRole role = roleMap.get(roleName);
if (role == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
return Response.ok(role.getPermissions()).build();
}
catch (BasicSecurityDBResourceException e) {
return makeResponseForBasicSecurityDBResourceException(e);
}
}
}

80
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/DefaultBasicAuthorizerResourceHandler.java
View File

@ -25,6 +25,7 @@ import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
import org.apache.druid.server.security.ResourceAction;
@ -69,24 +70,49 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
return NOT_FOUND_RESPONSE;
}
@Override
public Response getAllGroupMappings(String authorizerName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response createUser(String authorizerName, String userName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response deleteUser(String authorizerName, String userName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response deleteGroupMapping(String authorizerName, String groupMappingName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response getAllRoles(String authorizerName)
{
@ -117,12 +143,24 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
return NOT_FOUND_RESPONSE;
}
@Override
public Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response unassignRoleFromUser(String authorizerName, String userName, String roleName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response setRolePermissions(String authorizerName, String roleName, List<ResourceAction> permissions)
{
@ -130,7 +168,19 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
}
@Override
public Response getCachedMaps(String authorizerName)
public Response getRolePermissions(String authorizerName, String roleName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response getCachedUserMaps(String authorizerName)
{
return NOT_FOUND_RESPONSE;
}
@Override
public Response getCachedGroupMappingMaps(String authorizerName)
{
return NOT_FOUND_RESPONSE;
}
@ -142,7 +192,7 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
}
@Override
public Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap)
public Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
@ -156,7 +206,26 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
.build();
}
cacheManager.handleAuthorizerUpdate(authorizerName, serializedUserAndRoleMap);
cacheManager.handleAuthorizerUserUpdate(authorizerName, serializedUserAndRoleMap);
return Response.ok().build();
}
@Override
public Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap)
{
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
String errMsg = StringUtils.format("Received update for unknown authorizer[%s]", authorizerName);
log.error(errMsg);
return Response.status(Response.Status.BAD_REQUEST)
.entity(ImmutableMap.<String, Object>of(
"error",
StringUtils.format(errMsg)
))
.build();
}
cacheManager.handleAuthorizerGroupMappingUpdate(authorizerName, serializedGroupMappingAndRoleMap);
return Response.ok().build();
}
@ -166,7 +235,10 @@ public class DefaultBasicAuthorizerResourceHandler implements BasicAuthorizerRes
Map<String, Boolean> loadStatus = new HashMap<>();
authorizerMap.forEach(
(authorizerName, authorizer) -> {
loadStatus.put(authorizerName, cacheManager.getUserMap(authorizerName) != null);
loadStatus.put(authorizerName, cacheManager.getUserMap(authorizerName) != null &&
cacheManager.getRoleMap(authorizerName) != null &&
cacheManager.getGroupMappingMap(authorizerName) != null &&
cacheManager.getGroupMappingRoleMap(authorizerName) != null);
}
);
return Response.ok(loadStatus).build();

97
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMapping.java Normal file
View File

@ -0,0 +1,97 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization.entity;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.HashSet;
import java.util.Set;
public class BasicAuthorizerGroupMapping
{
private final String name;
private final String groupPattern;
private final Set<String> roles;
@JsonCreator
public BasicAuthorizerGroupMapping(
@JsonProperty("name") String name,
@JsonProperty("groupPattern") String groupPattern,
@JsonProperty("roles") Set<String> roles
)
{
this.name = name;
this.groupPattern = groupPattern;
this.roles = roles == null ? new HashSet<>() : roles;
}
@JsonProperty
public String getName()
{
return name;
}
@JsonProperty
public String getGroupPattern()
{
return groupPattern;
}
@JsonProperty
public Set<String> getRoles()
{
return roles;
}
@Override
public boolean equals(Object o)
{
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
BasicAuthorizerGroupMapping that = (BasicAuthorizerGroupMapping) o;
if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) {
return false;
}
if (getGroupPattern() != null ? !getGroupPattern().equals(that.getGroupPattern()) : that.getGroupPattern() != null) {
return false;
}
return getRoles() != null ? getRoles().equals(that.getRoles()) : that.getRoles() == null;
}
@Override
public int hashCode()
{
int result = getName() != null ? getName().hashCode() : 0;
result = 31 * result
+ (getGroupPattern() != null ? getGroupPattern().hashCode() : 0)
+ (getRoles() != null ? getRoles().hashCode() : 0);
return result;
}
}

96
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingFull.java Normal file
View File

@ -0,0 +1,96 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization.entity;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.HashSet;
import java.util.Set;
public class BasicAuthorizerGroupMappingFull
{
private final String name;
private final String groupPattern;
private final Set<BasicAuthorizerRole> roles;
@JsonCreator
public BasicAuthorizerGroupMappingFull(
@JsonProperty("name") String name,
@JsonProperty("groupPattern") String groupPattern,
@JsonProperty("roles") Set<BasicAuthorizerRole> roles
)
{
this.name = name;
this.groupPattern = groupPattern;
this.roles = roles == null ? new HashSet<>() : roles;
}
@JsonProperty
public String getName()
{
return name;
}
private String getGroupPattern()
{
return groupPattern;
}
@JsonProperty
public Set<BasicAuthorizerRole> getRoles()
{
return roles;
}
@Override
public boolean equals(Object o)
{
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
BasicAuthorizerGroupMappingFull that = (BasicAuthorizerGroupMappingFull) o;
if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) {
return false;
}
if (getGroupPattern() != null ? !getGroupPattern().equals(that.getGroupPattern()) : that.getGroupPattern() != null) {
return false;
}
return getRoles() != null ? getRoles().equals(that.getRoles()) : that.getRoles() == null;
}
@Override
public int hashCode()
{
int result = getName() != null ? getName().hashCode() : 0;
result = 31 * result
+ (getGroupPattern() != null ? getGroupPattern().hashCode() : 0)
+ (getRoles() != null ? getRoles().hashCode() : 0);
return result;
}
}

53
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingMapBundle.java Normal file
View File

@ -0,0 +1,53 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization.entity;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.Map;
public class BasicAuthorizerGroupMappingMapBundle
{
private final Map<String, BasicAuthorizerGroupMapping> groupMappingMap;
private final byte[] serializedGroupMappingMap;
@JsonCreator
public BasicAuthorizerGroupMappingMapBundle(
@JsonProperty("groupMappingMap") Map<String, BasicAuthorizerGroupMapping> groupMappingMap,
@JsonProperty("serializedGroupMappingMap") byte[] serializedGroupMappingMap
)
{
this.groupMappingMap = groupMappingMap;
this.serializedGroupMappingMap = serializedGroupMappingMap;
}
@JsonProperty
public Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap()
{
return groupMappingMap;
}
@JsonProperty
public byte[] getSerializedGroupMappingMap()
{
return serializedGroupMappingMap;
}
}

2
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java
View File

@ -44,7 +44,7 @@ public class BasicAuthorizerPermission
this.resourceNamePattern = resourceNamePattern;
}
public BasicAuthorizerPermission(
private BasicAuthorizerPermission(
ResourceAction resourceAction
)
{

13
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRoleFull.java
View File

@ -34,17 +34,20 @@ public class BasicAuthorizerRoleFull
{
private final String name;
private final Set<String> users;
private final Set<String> groups;
private final List<BasicAuthorizerPermission> permissions;
@JsonCreator
public BasicAuthorizerRoleFull(
@JsonProperty("name") String name,
@JsonProperty("users") Set<String> users,
@JsonProperty("groups") Set<String> groups,
@JsonProperty("permissions") List<BasicAuthorizerPermission> permissions
)
{
this.name = name;
this.users = users;
this.groups = groups;
this.permissions = permissions == null ? new ArrayList<>() : permissions;
}
@ -66,6 +69,12 @@ public class BasicAuthorizerRoleFull
return users;
}
@JsonProperty
public Set<String> getGroups()
{
return groups;
}
@Override
public boolean equals(Object o)
{
@ -84,6 +93,9 @@ public class BasicAuthorizerRoleFull
if (getUsers() != null ? !getUsers().equals(that.getUsers()) : that.getUsers() != null) {
return false;
}
if (getGroups() != null ? !getGroups().equals(that.getGroups()) : that.getGroups() != null) {
return false;
}
return getPermissions() != null ? getPermissions().equals(that.getPermissions()) : that.getPermissions() == null;
}
@ -93,6 +105,7 @@ public class BasicAuthorizerRoleFull
{
int result = getName() != null ? getName().hashCode() : 0;
result = 31 * result + (getUsers() != null ? getUsers().hashCode() : 0);
result = 31 * result + (getGroups() != null ? getGroups().hashCode() : 0);
result = 31 * result + (getPermissions() != null ? getPermissions().hashCode() : 0);
return result;
}

56
extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/GroupMappingAndRoleMap.java Normal file
View File

@ -0,0 +1,56 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.basic.authorization.entity;
import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;
import java.util.Map;
public class GroupMappingAndRoleMap
{
@JsonProperty
private Map<String, BasicAuthorizerGroupMapping> groupMappingMap;
@JsonProperty
private Map<String, BasicAuthorizerRole> roleMap;
@JsonCreator
public GroupMappingAndRoleMap(
@JsonProperty("groupMappingMap") Map<String, BasicAuthorizerGroupMapping> groupMappingMap,
@JsonProperty("roleMap") Map<String, BasicAuthorizerRole> roleMap
)
{
this.groupMappingMap = groupMappingMap;
this.roleMap = roleMap;
}
@JsonProperty
public Map<String, BasicAuthorizerGroupMapping> getGroupMappingMap()
{
return groupMappingMap;
}
@JsonProperty
public Map<String, BasicAuthorizerRole> getRoleMap()
{
return roleMap;
}
}

154
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java
View File

@ -24,11 +24,13 @@ import com.google.inject.Provider;
import com.google.inject.util.Providers;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.metadata.DefaultPasswordProvider;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.security.basic.authentication.validator.CredentialsValidator;
import org.apache.druid.server.security.AuthConfig;
import org.apache.druid.server.security.AuthenticationResult;
import org.easymock.EasyMock;
@ -52,7 +54,7 @@ public class BasicHTTPAuthenticatorTest
new BasicAuthenticatorCacheManager()
{
@Override
public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap)
public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap)
{
}
@ -74,10 +76,12 @@ public class BasicHTTPAuthenticatorTest
new DefaultPasswordProvider("a"),
new DefaultPasswordProvider("a"),
false,
null,
null, null,
false,
null
);
@Test
public void testGoodPassword() throws IOException, ServletException
{
@ -107,6 +111,58 @@ public class BasicHTTPAuthenticatorTest
EasyMock.verify(req, resp, filterChain);
}
@Test
public void testGoodPasswordWithValidator() throws IOException, ServletException
{
CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class);
BasicHTTPAuthenticator authenticatorWithValidator = new BasicHTTPAuthenticator(
CACHE_MANAGER_PROVIDER,
"basic",
"basic",
null,
null,
false,
null, null,
false,
validator
);
String header = StringUtils.utf8Base64("userA:helloworld");
header = StringUtils.format("Basic %s", header);
EasyMock
.expect(
validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userA"), EasyMock.aryEq("helloworld".toCharArray()))
)
.andReturn(
new AuthenticationResult("userA", "basic", "basic", null)
)
.times(1);
EasyMock.replay(validator);
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getHeader("Authorization")).andReturn(header);
req.setAttribute(
AuthConfig.DRUID_AUTHENTICATION_RESULT,
new AuthenticationResult("userA", "basic", "basic", null)
);
EasyMock.expectLastCall().times(1);
EasyMock.replay(req);
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
EasyMock.replay(resp);
FilterChain filterChain = EasyMock.createMock(FilterChain.class);
filterChain.doFilter(req, resp);
EasyMock.expectLastCall().times(1);
EasyMock.replay(filterChain);
Filter authenticatorFilter = authenticatorWithValidator.getFilter();
authenticatorFilter.doFilter(req, resp, filterChain);
EasyMock.verify(req, resp, validator, filterChain);
}
@Test
public void testBadPassword() throws IOException, ServletException
{
@ -118,7 +174,7 @@ public class BasicHTTPAuthenticatorTest
EasyMock.replay(req);
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User authentication failed username[userA].");
EasyMock.expectLastCall().times(1);
EasyMock.replay(resp);
@ -131,6 +187,53 @@ public class BasicHTTPAuthenticatorTest
EasyMock.verify(req, resp, filterChain);
}
@Test
public void testBadPasswordWithSkipOnFailureValidator() throws IOException, ServletException
{
CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class);
BasicHTTPAuthenticator authenticatorWithValidator = new BasicHTTPAuthenticator(
CACHE_MANAGER_PROVIDER,
"basic",
"basic",
null,
null,
false,
null, null,
true,
validator
);
String header = StringUtils.utf8Base64("userA:badpassword");
header = StringUtils.format("Basic %s", header);
EasyMock
.expect(
validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userA"), EasyMock.aryEq("badpassword".toCharArray()))
)
.andThrow(
new BasicSecurityAuthenticationException("User authentication failed username[%s].", "userA")
)
.times(1);
EasyMock.replay(validator);
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getHeader("Authorization")).andReturn(header);
EasyMock.replay(req);
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User authentication failed username[userA].");
EasyMock.expectLastCall().times(1);
EasyMock.replay(resp);
// Authentication filter should not move on to the next filter in the chain
FilterChain filterChain = EasyMock.createMock(FilterChain.class);
EasyMock.replay(filterChain);
Filter authenticatorFilter = authenticatorWithValidator.getFilter();
authenticatorFilter.doFilter(req, resp, filterChain);
EasyMock.verify(req, resp, validator, filterChain);
}
@Test
public void testUnknownUser() throws IOException, ServletException
{
@ -155,6 +258,51 @@ public class BasicHTTPAuthenticatorTest
EasyMock.verify(req, resp, filterChain);
}
@Test
public void testUnknownUserWithSkipOnFailure() throws IOException, ServletException
{
CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class);
BasicHTTPAuthenticator authenticatorWithSkipOnFailure = new BasicHTTPAuthenticator(
CACHE_MANAGER_PROVIDER,
"basic",
"basic",
null,
null,
false,
null, null,
true,
validator
);
String header = StringUtils.utf8Base64("userB:helloworld");
header = StringUtils.format("Basic %s", header);
HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class);
EasyMock.expect(req.getHeader("Authorization")).andReturn(header);
EasyMock.replay(req);
EasyMock
.expect(
validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userB"), EasyMock.aryEq("helloworld".toCharArray()))
)
.andReturn(null)
.times(1);
EasyMock.replay(validator);
HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class);
EasyMock.replay(resp);
// Authentication filter should move on to the next filter in the chain without sending a response
FilterChain filterChain = EasyMock.createMock(FilterChain.class);
filterChain.doFilter(req, resp);
EasyMock.expectLastCall().times(1);
EasyMock.replay(filterChain);
Filter authenticatorFilter = authenticatorWithSkipOnFailure.getFilter();
authenticatorFilter.doFilter(req, resp, filterChain);
EasyMock.verify(req, resp, validator, filterChain);
}
@Test
public void testRecognizedButMalformedBasicAuthHeader() throws IOException, ServletException
{

41
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest.java
View File

@ -45,14 +45,13 @@ import java.util.Map;
public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
{
private static final String AUTHENTICATOR_NAME = "test";
@Rule
public ExpectedException expectedException = ExpectedException.none();
@Rule
public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule();
private TestDerbyConnector connector;
private MetadataStorageTablesConfig tablesConfig;
private CoordinatorBasicAuthenticatorMetadataStorageUpdater updater;
private ObjectMapper objectMapper;
@ -60,10 +59,9 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
public void setUp()
{
objectMapper = new ObjectMapper(new SmileFactory());
connector = derbyConnectorRule.getConnector();
tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
TestDerbyConnector connector = derbyConnectorRule.getConnector();
MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
connector.createConfigTable();
updater = new CoordinatorBasicAuthenticatorMetadataStorageUpdater(
new AuthenticatorMapper(
ImmutableMap.of(
@ -76,6 +74,8 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
null,
null,
null,
null,
false,
null
)
)
@ -100,16 +100,24 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
@Test
public void createUser()
{
updater.createUser(AUTHENTICATOR_NAME, "druid");
Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of(
"druid", new BasicAuthenticatorUser("druid", null)
);
byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
updater.createUser(AUTHENTICATOR_NAME, "druid");
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
Map<String, BasicAuthenticatorUser> actualUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(
objectMapper,
updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME)
);
Assert.assertEquals(expectedUserMap, actualUserMap);
// Validate cache user map methods
Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
// create duplicate should fail
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("User [druid] already exists.");
@ -119,15 +127,24 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
@Test
public void deleteUser()
{
Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of();
byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
updater.createUser(AUTHENTICATOR_NAME, "druid");
updater.deleteUser(AUTHENTICATOR_NAME, "druid");
Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of();
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
Map<String, BasicAuthenticatorUser> actualUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(
objectMapper,
updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME)
);
Assert.assertEquals(expectedUserMap, actualUserMap);
// Validate cache user map methods
Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
// delete non-existent user should fail
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("User [druid] does not exist.");
@ -153,6 +170,14 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest
);
Assert.assertArrayEquals(credentials.getHash(), recalculatedHash);
}
// Validate cache user map methods
Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of(
"druid", new BasicAuthenticatorUser("druid", credentials)
);
byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
}
}

113
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java
View File

@ -53,6 +53,7 @@ public class CoordinatorBasicAuthenticatorResourceTest
{
private static final String AUTHENTICATOR_NAME = "test";
private static final String AUTHENTICATOR_NAME2 = "test2";
private static final String AUTHENTICATOR_NAME_LDAP = "testLdap";
@Rule
public ExpectedException expectedException = ExpectedException.none();
@ -60,19 +61,19 @@ public class CoordinatorBasicAuthenticatorResourceTest
@Rule
public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule();
private TestDerbyConnector connector;
private MetadataStorageTablesConfig tablesConfig;
private BasicAuthenticatorResource resource;
private CoordinatorBasicAuthenticatorMetadataStorageUpdater storageUpdater;
private HttpServletRequest req;
private ObjectMapper objectMapper;
@Before
public void setUp()
{
req = EasyMock.createStrictMock(HttpServletRequest.class);
connector = derbyConnectorRule.getConnector();
tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
objectMapper = new ObjectMapper(new SmileFactory());
TestDerbyConnector connector = derbyConnectorRule.getConnector();
MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
connector.createConfigTable();
ObjectMapper objectMapper = new ObjectMapper(new SmileFactory());
@ -83,22 +84,39 @@ public class CoordinatorBasicAuthenticatorResourceTest
new BasicHTTPAuthenticator(
null,
AUTHENTICATOR_NAME,
"test",
null,
new DefaultPasswordProvider("druid"),
new DefaultPasswordProvider("druid"),
null,
null,
null,
false,
null
),
AUTHENTICATOR_NAME2,
new BasicHTTPAuthenticator(
null,
AUTHENTICATOR_NAME2,
"test",
null,
new DefaultPasswordProvider("druid"),
new DefaultPasswordProvider("druid"),
null,
null,
null,
false,
null
),
AUTHENTICATOR_NAME_LDAP,
new BasicHTTPAuthenticator(
null,
AUTHENTICATOR_NAME2,
null,
new DefaultPasswordProvider("druid"),
new DefaultPasswordProvider("druid"),
null,
null,
null,
false,
null
)
)
@ -164,10 +182,26 @@ public class CoordinatorBasicAuthenticatorResourceTest
response = resource.getAllUsers(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUsers, response.getEntity());
// Verify cached user map is also getting updated
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get("druid"));
Assert.assertEquals(cachedUserMap.get("druid").getName(), "druid");
Assert.assertNotNull(cachedUserMap.get("druid2"));
Assert.assertEquals(cachedUserMap.get("druid2").getName(), "druid2");
Assert.assertNotNull(cachedUserMap.get("druid3"));
Assert.assertEquals(cachedUserMap.get("druid3").getName(), "druid3");
}
@Test
public void testSeparateDatabaseTables()
public void testGetAllUsersSeparateDatabaseTables()
{
Response response = resource.getAllUsers(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
@ -201,9 +235,43 @@ public class CoordinatorBasicAuthenticatorResourceTest
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUsers, response.getEntity());
// Verify cached user map for AUTHENTICATOR_NAME authenticator is also getting updated
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get("druid"));
Assert.assertEquals(cachedUserMap.get("druid").getName(), "druid");
Assert.assertNotNull(cachedUserMap.get("druid2"));
Assert.assertEquals(cachedUserMap.get("druid2").getName(), "druid2");
Assert.assertNotNull(cachedUserMap.get("druid3"));
Assert.assertEquals(cachedUserMap.get("druid3").getName(), "druid3");
response = resource.getAllUsers(req, AUTHENTICATOR_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUsers2, response.getEntity());
// Verify cached user map for each AUTHENTICATOR_NAME2 is also getting updated
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME));
Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME);
Assert.assertNotNull(cachedUserMap.get("druid4"));
Assert.assertEquals(cachedUserMap.get("druid4").getName(), "druid4");
Assert.assertNotNull(cachedUserMap.get("druid5"));
Assert.assertEquals(cachedUserMap.get("druid5").getName(), "druid5");
Assert.assertNotNull(cachedUserMap.get("druid6"));
Assert.assertEquals(cachedUserMap.get("druid6").getName(), "druid6");
}
@Test
@ -220,6 +288,13 @@ public class CoordinatorBasicAuthenticatorResourceTest
response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap);
Assert.assertNull(cachedUserMap.get("druid"));
response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
@ -263,6 +338,29 @@ public class CoordinatorBasicAuthenticatorResourceTest
);
Assert.assertArrayEquals(recalculatedHash, hash);
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap);
Assert.assertNotNull(cachedUserMap.get("druid"));
Assert.assertEquals("druid", cachedUserMap.get("druid").getName());
BasicAuthenticatorCredentials cachedUserCredentials = cachedUserMap.get("druid").getCredentials();
salt = cachedUserCredentials.getSalt();
hash = cachedUserCredentials.getHash();
iterations = cachedUserCredentials.getIterations();
Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
recalculatedHash = BasicAuthUtils.hashPassword(
"helloworld".toCharArray(),
salt,
iterations
);
Assert.assertArrayEquals(recalculatedHash, hash);
response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
@ -284,5 +382,4 @@ public class CoordinatorBasicAuthenticatorResourceTest
{
return ImmutableMap.of("error", errorMsg);
}
}

4
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/NoopBasicAuthenticatorCacheNotifier.java
View File

@ -24,8 +24,8 @@ import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticato
public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier
{
@Override
public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
{
// Do nothing as this is a noop implementation
}
}

149
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java Normal file
View File

@ -0,0 +1,149 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/
package org.apache.druid.security.authentication.validator;
import com.google.common.collect.ImmutableMap;
import com.google.inject.Provider;
import com.google.inject.util.Providers;
import org.apache.druid.java.util.common.IAE;
import org.apache.druid.security.basic.BasicSecurityAuthenticationException;
import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials;
import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser;
import org.apache.druid.security.basic.authentication.validator.MetadataStoreCredentialsValidator;
import org.apache.druid.server.security.AuthenticationResult;
import org.easymock.EasyMock;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import java.util.Map;
public class DBCredentialsValidatorTest
{
@Rule
public ExpectedException expectedException = ExpectedException.none();
private static BasicAuthenticatorCredentials USER_A_CREDENTIALS = new BasicAuthenticatorCredentials(
new BasicAuthenticatorCredentialUpdate("helloworld", 20)
);
private static Provider<BasicAuthenticatorCacheManager> CACHE_MANAGER_PROVIDER = Providers.of(
new BasicAuthenticatorCacheManager()
{
@Override
public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap)
{
}
@Override
public Map<String, BasicAuthenticatorUser> getUserMap(String authenticatorPrefix)
{
return ImmutableMap.of(
"userA", new BasicAuthenticatorUser("userA", USER_A_CREDENTIALS),
"userB", new BasicAuthenticatorUser("userB", null)
);
}
}
);
private static MetadataStoreCredentialsValidator validator = new MetadataStoreCredentialsValidator(CACHE_MANAGER_PROVIDER);
@Test
public void validateBadAuthenticator()
{
String authenticatorName = "notbasic";
String authorizerName = "basic";
String username = "userA";
String password = "helloworld";
BasicAuthenticatorCacheManager cacheManager = EasyMock.createMock(BasicAuthenticatorCacheManager.class);
EasyMock.expect(cacheManager.getUserMap(authenticatorName)).andReturn(null).times(1);
EasyMock.replay(cacheManager);
MetadataStoreCredentialsValidator validator = new MetadataStoreCredentialsValidator(Providers.of(cacheManager));
expectedException.expect(IAE.class);
expectedException.expectMessage("No userMap is available for authenticator with prefix: [notbasic]");
validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray());
EasyMock.verify(cacheManager);
}
@Test
public void validateMissingCredentials()
{
String authenticatorName = "basic";
String authorizerName = "basic";
String username = "userB";
String password = "helloworld";
AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray());
Assert.assertNull(result);
}
@Test
public void validateMissingUser()
{
String authenticatorName = "basic";
String authorizerName = "basic";
String username = "userC";
String password = "helloworld";
AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray());
Assert.assertNull(result);
}
@Test
public void validateGoodCredentials()
{
String authenticatorName = "basic";
String authorizerName = "basic";
String username = "userA";
String password = "helloworld";
AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray());
Assert.assertNotNull(result);
Assert.assertEquals(username, result.getIdentity());
Assert.assertEquals(authenticatorName, result.getAuthenticatedBy());
Assert.assertEquals(authorizerName, result.getAuthorizerName());
Assert.assertNull(result.getContext());
}
@Test
public void validateBadCredentials()
{
String authenticatorName = "basic";
String authorizerName = "basic";
String username = "userA";
String password = "badpassword";
expectedException.expect(BasicSecurityAuthenticationException.class);
expectedException.expectMessage("User metadata store authentication failed username[userA].");
validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray());
}
}

325
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/BasicRoleBasedAuthorizerTest.java
View File

@ -25,9 +25,13 @@ import com.google.common.collect.ImmutableMap;
import org.apache.druid.metadata.MetadataStorageTablesConfig;
import org.apache.druid.metadata.TestDerbyConnector;
import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.LDAPRoleProvider;
import org.apache.druid.security.basic.authorization.MetadataStoreRoleProvider;
import org.apache.druid.security.basic.authorization.db.cache.MetadataStoragePollingBasicAuthorizerCacheManager;
import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthenticationResult;
@ -41,37 +45,75 @@ import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.SearchResult;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
public class BasicRoleBasedAuthorizerTest
{
private static final String AUTHORIZER_NAME = "test";
private static final String DB_AUTHORIZER_NAME = "metadata";
private static final String LDAP_AUTHORIZER_NAME = "ldap";
@Rule
public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule();
private BasicRoleBasedAuthorizer authorizer;
private TestDerbyConnector connector;
private MetadataStorageTablesConfig tablesConfig;
private BasicRoleBasedAuthorizer ldapAuthorizer;
private CoordinatorBasicAuthorizerMetadataStorageUpdater updater;
private String[] groupFilters = {
"*,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org",
"*,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org"
};
private SearchResult userSearchResult;
private SearchResult adminSearchResult;
@Before
public void setUp()
{
connector = derbyConnectorRule.getConnector();
tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
TestDerbyConnector connector = derbyConnectorRule.getConnector();
MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
connector.createConfigTable();
BasicAttributes userAttrs = new BasicAttributes(true);
userAttrs.put(new BasicAttribute("sAMAccountName", "druiduser"));
userAttrs.put(new BasicAttribute("memberOf", "CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org"));
BasicAttributes adminAttrs = new BasicAttributes(true);
adminAttrs.put(new BasicAttribute("sAMAccountName", "druidadmin"));
adminAttrs.put(new BasicAttribute("memberOf", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org"));
userSearchResult = new SearchResult("CN=1234,OU=Employees,OU=People", null, userAttrs);
adminSearchResult = new SearchResult("CN=9876,OU=Employees,OU=People", null, adminAttrs);
updater = new CoordinatorBasicAuthorizerMetadataStorageUpdater(
new AuthorizerMapper(
ImmutableMap.of(
AUTHORIZER_NAME,
DB_AUTHORIZER_NAME,
new BasicRoleBasedAuthorizer(
null,
AUTHORIZER_NAME,
DB_AUTHORIZER_NAME,
null,
null
null,
null, null,
null,
new MetadataStoreRoleProvider(null)
),
LDAP_AUTHORIZER_NAME,
new BasicRoleBasedAuthorizer(
null,
LDAP_AUTHORIZER_NAME,
null,
null,
null, null,
null,
new LDAPRoleProvider(null, groupFilters)
)
)
),
@ -86,12 +128,23 @@ public class BasicRoleBasedAuthorizerTest
updater.start();
authorizer = new BasicRoleBasedAuthorizer(
new MetadataStoragePollingBasicAuthorizerCacheManager(
updater
),
AUTHORIZER_NAME,
null,
null
DB_AUTHORIZER_NAME,
null,
null,
null, null,
null,
new MetadataStoreRoleProvider(new MetadataStoragePollingBasicAuthorizerCacheManager(updater))
);
ldapAuthorizer = new BasicRoleBasedAuthorizer(
null,
LDAP_AUTHORIZER_NAME,
null,
null,
null, null,
null,
new LDAPRoleProvider(new MetadataStoragePollingBasicAuthorizerCacheManager(updater), groupFilters)
);
}
@ -103,15 +156,15 @@ public class BasicRoleBasedAuthorizerTest
@Test
public void testAuth()
{
updater.createUser(AUTHORIZER_NAME, "druid");
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.createUser(DB_AUTHORIZER_NAME, "druid");
updater.createRole(DB_AUTHORIZER_NAME, "druidRole");
updater.assignUserRole(DB_AUTHORIZER_NAME, "druid", "druidRole");
List<ResourceAction> permissions = Collections.singletonList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE)
);
updater.setPermissions(AUTHORIZER_NAME, "druidRole", permissions);
updater.setPermissions(DB_AUTHORIZER_NAME, "druidRole", permissions);
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null, null);
@ -129,4 +182,242 @@ public class BasicRoleBasedAuthorizerTest
);
Assert.assertFalse(access.isAllowed());
}
@Test
public void testAuthGroupMapping()
{
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
List<ResourceAction> permissions = Collections.singletonList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
}
@Test
public void testAuthGroupMappingPatternRightMask()
{
//Admin
BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
List<ResourceAction> adminPermissions = Arrays.asList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE),
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
//User
BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
List<ResourceAction> userPermissions = Collections.singletonList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertFalse(access.isAllowed());
}
@Test
public void testAuthGroupMappingPatternLeftMask()
{
//Admin
BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
List<ResourceAction> adminPermissions = Arrays.asList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE),
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
//User
BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
List<ResourceAction> userPermissions = Collections.singletonList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertFalse(access.isAllowed());
}
@Test
public void testAuthMissingGroupMapping()
{
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
List<ResourceAction> permissions = Arrays.asList(
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE),
new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
);
updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("testResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.WRITE
);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(
authenticationResult,
new Resource("wrongResource", ResourceType.DATASOURCE),
Action.READ
);
Assert.assertFalse(access.isAllowed());
}
}

181
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerMetadataStorageUpdaterTest.java
View File

@ -31,6 +31,7 @@ import org.apache.druid.security.basic.BasicAuthUtils;
import org.apache.druid.security.basic.BasicSecurityDBResourceException;
import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser;
@ -80,8 +81,6 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
@Rule
public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule();
private TestDerbyConnector connector;
private MetadataStorageTablesConfig tablesConfig;
private CoordinatorBasicAuthorizerMetadataStorageUpdater updater;
private ObjectMapper objectMapper;
@ -89,8 +88,8 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
public void setUp()
{
objectMapper = new ObjectMapper(new SmileFactory());
connector = derbyConnectorRule.getConnector();
tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
TestDerbyConnector connector = derbyConnectorRule.getConnector();
MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
connector.createConfigTable();
updater = new CoordinatorBasicAuthorizerMetadataStorageUpdater(
@ -101,6 +100,10 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
null,
AUTHORIZER_NAME,
null,
null,
null,
null,
null,
null
)
)
@ -138,6 +141,27 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
Assert.assertEquals(expectedUserMap, actualUserMap);
}
@Test
public void testCreateDeleteGroupMapping()
{
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
Map<String, BasicAuthorizerGroupMapping> expectedGroupMappingMap = new HashMap<>();
expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", null));
Map<String, BasicAuthorizerGroupMapping> actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME)
);
Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap);
updater.deleteGroupMapping(AUTHORIZER_NAME, "druid");
expectedGroupMappingMap.remove("druid");
actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME)
);
Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap);
}
@Test
public void testDeleteNonExistentUser()
{
@ -146,6 +170,15 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
updater.deleteUser(AUTHORIZER_NAME, "druid");
}
@Test
public void testDeleteNonExistentGroupMapping()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] does not exist.");
updater.deleteGroupMapping(AUTHORIZER_NAME, "druid");
}
@Test
public void testCreateDuplicateUser()
{
@ -155,6 +188,14 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
updater.createUser(AUTHORIZER_NAME, "druid");
}
@Test
public void testCreateDuplicateGroupMapping()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] already exists.");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
}
// role tests
@Test
public void testCreateDeleteRole()
@ -194,13 +235,13 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
updater.createRole(AUTHORIZER_NAME, "druid");
}
// role and user tests
// role, user, and group mapping tests
@Test
public void testAddAndRemoveRole()
public void testAddAndRemoveRoleToUser()
{
updater.createUser(AUTHORIZER_NAME, "druid");
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
Map<String, BasicAuthorizerUser> expectedUserMap = new HashMap<>(BASE_USER_MAP);
expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole")));
@ -221,7 +262,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
Assert.assertEquals(expectedUserMap, actualUserMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
updater.unassignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of()));
actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(
objectMapper,
@ -232,13 +273,60 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
Assert.assertEquals(expectedRoleMap, actualRoleMap);
}
// role, user, and group mapping tests
@Test
public void testAddAndRemoveRoleToGroupMapping()
{
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
Map<String, BasicAuthorizerGroupMapping> expectedGroupMappingMap = new HashMap<>();
expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of("druidRole")));
Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of()));
Map<String, BasicAuthorizerGroupMapping> actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME)
);
Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
updater.getCurrentRoleMapBytes(AUTHORIZER_NAME)
);
Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
updater.unassignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of()));
actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME)
);
Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
}
@Test
public void testAddRoleToNonExistentUser()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("User [nonUser] does not exist.");
updater.createRole(AUTHORIZER_NAME, "druid");
updater.assignRole(AUTHORIZER_NAME, "nonUser", "druid");
updater.assignUserRole(AUTHORIZER_NAME, "nonUser", "druid");
}
@Test
public void testAddRoleToNonExistentGroupMapping()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [nonUser] does not exist.");
updater.createRole(AUTHORIZER_NAME, "druid");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "nonUser", "druid");
}
@Test
@ -247,7 +335,16 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Role [nonRole] does not exist.");
updater.createUser(AUTHORIZER_NAME, "druid");
updater.assignRole(AUTHORIZER_NAME, "druid", "nonRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "nonRole");
}
@Test
public void testAddNonexistentRoleToGroupMapping()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Role [nonRole] does not exist.");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "nonRole");
}
@Test
@ -257,12 +354,33 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
expectedException.expectMessage("User [druid] already has role [druidRole].");
updater.createUser(AUTHORIZER_NAME, "druid");
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
}
@Test
public void testUnassignInvalidRoleAssignmentFails()
public void testAddExistingRoleToGroupMappingFails()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] already has role [druidRole].");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
}
@Test
public void testAddExistingRoleToGroupMappingWithRoleFails()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] already has role [druidRole].");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of("druidRole")));
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
}
@Test
public void testUnassignInvalidRoleAssignmentToUserFails()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("User [druid] does not have role [druidRole].");
@ -289,16 +407,49 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest
Assert.assertEquals(expectedUserMap, actualUserMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
updater.unassignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
}
@Test
public void testUnassignInvalidRoleAssignmentToGroupMappingFails()
{
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] does not have role [druidRole].");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createRole(AUTHORIZER_NAME, "druidRole");
Map<String, BasicAuthorizerGroupMapping> expectedGroupMappingMap = new HashMap<>();
expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", null));
Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of()));
Map<String, BasicAuthorizerGroupMapping> actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(
objectMapper,
updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME)
);
Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(
objectMapper,
updater.getCurrentRoleMapBytes(AUTHORIZER_NAME)
);
Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
updater.unassignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
}
// role and permission tests
@Test
public void testSetRolePermissions()
{
updater.createUser(AUTHORIZER_NAME, "druid");
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
List<ResourceAction> permsToAdd = ImmutableList.of(
new ResourceAction(

283
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerResourceTest.java
View File

@ -35,6 +35,8 @@ import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer;
import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater;
import org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource;
import org.apache.druid.security.basic.authorization.endpoint.CoordinatorBasicAuthorizerResourceHandler;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole;
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull;
@ -70,6 +72,7 @@ public class CoordinatorBasicAuthorizerResourceTest
{
private static final String AUTHORIZER_NAME = "test";
private static final String AUTHORIZER_NAME2 = "test2";
private static final String AUTHORIZER_NAME3 = "test3";
@Rule
public ExpectedException expectedException = ExpectedException.none();
@ -99,6 +102,10 @@ public class CoordinatorBasicAuthorizerResourceTest
null,
AUTHORIZER_NAME,
null,
null,
null,
null,
null,
null
),
AUTHORIZER_NAME2,
@ -106,6 +113,21 @@ public class CoordinatorBasicAuthorizerResourceTest
null,
AUTHORIZER_NAME2,
null,
null,
null,
null,
null,
null
),
AUTHORIZER_NAME3,
new BasicRoleBasedAuthorizer(
null,
AUTHORIZER_NAME3,
null,
null,
"adminGroupMapping",
null,
null,
null
)
)
@ -148,13 +170,47 @@ public class CoordinatorBasicAuthorizerResourceTest
response.getEntity()
);
response = resource.getAllUsers(req, AUTHORIZER_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(
ImmutableSet.of(BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.INTERNAL_USER_NAME),
response.getEntity()
);
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(
ImmutableSet.of(),
response.getEntity()
);
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(
ImmutableSet.of(),
response.getEntity()
);
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME3);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(
ImmutableSet.of("adminGroupMapping"),
response.getEntity()
);
resource.createUser(req, AUTHORIZER_NAME, "druid");
resource.createUser(req, AUTHORIZER_NAME, "druid2");
resource.createUser(req, AUTHORIZER_NAME, "druid3");
resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME, "druid3GroupMapping", new BasicAuthorizerGroupMapping("druid3GroupMapping", "", new HashSet<>()));
resource.createUser(req, AUTHORIZER_NAME2, "druid4");
resource.createUser(req, AUTHORIZER_NAME2, "druid5");
resource.createUser(req, AUTHORIZER_NAME2, "druid6");
resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid4GroupMapping", new BasicAuthorizerGroupMapping("druid4GroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid5GroupMapping", new BasicAuthorizerGroupMapping("druid5GroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid6GroupMapping", new BasicAuthorizerGroupMapping("druid6GroupMapping", "", new HashSet<>()));
Set<String> expectedUsers = ImmutableSet.of(
BasicAuthUtils.ADMIN_NAME,
@ -179,6 +235,26 @@ public class CoordinatorBasicAuthorizerResourceTest
response = resource.getAllUsers(req, AUTHORIZER_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUsers2, response.getEntity());
Set<String> expectedGroupMappings = ImmutableSet.of(
"druidGroupMapping",
"druid2GroupMapping",
"druid3GroupMapping"
);
Set<String> expectedGroupMappings2 = ImmutableSet.of(
"druid4GroupMapping",
"druid5GroupMapping",
"druid6GroupMapping"
);
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappings, response.getEntity());
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME2);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappings2, response.getEntity());
}
@Test
@ -219,6 +295,31 @@ public class CoordinatorBasicAuthorizerResourceTest
Assert.assertEquals(expectedUsers, response.getEntity());
}
@Test
public void testGetAllGroupMappings()
{
Response response = resource.getAllGroupMappings(req, AUTHORIZER_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(
ImmutableSet.of(),
response.getEntity()
);
resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
resource.createGroupMapping(req, AUTHORIZER_NAME, "druid3GroupMapping", new BasicAuthorizerGroupMapping("druid3GroupMapping", "", new HashSet<>()));
Set<String> expectedGroupMappings = ImmutableSet.of(
"druidGroupMapping",
"druid2GroupMapping",
"druid3GroupMapping"
);
response = resource.getAllGroupMappings(req, AUTHORIZER_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappings, response.getEntity());
}
@Test
public void testGetAllRoles()
{
@ -273,6 +374,33 @@ public class CoordinatorBasicAuthorizerResourceTest
Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
}
@Test
public void testCreateDeleteGroupMapping()
{
Response response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping(
"druidGroupMapping",
"", ImmutableSet.of()
);
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.deleteGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping");
Assert.assertEquals(200, response.getStatus());
response = resource.deleteGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping");
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("Group mapping [druidGroupMapping] does not exist."), response.getEntity());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("Group mapping [druidGroupMapping] does not exist."), response.getEntity());
}
@Test
public void testCreateDeleteRole()
{
@ -298,7 +426,7 @@ public class CoordinatorBasicAuthorizerResourceTest
}
@Test
public void testRoleAssignment()
public void testUserRoleAssignment()
{
Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
@ -339,6 +467,48 @@ public class CoordinatorBasicAuthorizerResourceTest
Assert.assertEquals(expectedRole, response.getEntity());
}
@Test
public void testGroupMappingRoleAssignment()
{
Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping(
"druidGroupMapping",
"", ImmutableSet.of("druidRole")
);
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of());
Assert.assertEquals(expectedRole, response.getEntity());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
expectedGroupMapping = new BasicAuthorizerGroupMapping(
"druidGroupMapping",
"", ImmutableSet.of()
);
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRole, response.getEntity());
}
@Test
public void testDeleteAssignedRole()
{
@ -357,6 +527,18 @@ public class CoordinatorBasicAuthorizerResourceTest
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.getUser(req, AUTHORIZER_NAME, "druid", null, null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerUser expectedUser = new BasicAuthorizerUser(
@ -373,6 +555,22 @@ public class CoordinatorBasicAuthorizerResourceTest
);
Assert.assertEquals(expectedUser2, response.getEntity());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping(
"druidGroupMapping",
"", ImmutableSet.of("druidRole")
);
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerGroupMapping expectedGroupMapping2 = new BasicAuthorizerGroupMapping(
"druid2GroupMapping",
"", ImmutableSet.of("druidRole")
);
Assert.assertEquals(expectedGroupMapping2, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of());
@ -396,6 +594,22 @@ public class CoordinatorBasicAuthorizerResourceTest
ImmutableSet.of()
);
Assert.assertEquals(expectedUser2, response.getEntity());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
expectedGroupMapping = new BasicAuthorizerGroupMapping(
"druidGroupMapping",
"", ImmutableSet.of()
);
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", null);
Assert.assertEquals(200, response.getStatus());
expectedGroupMapping2 = new BasicAuthorizerGroupMapping(
"druid2GroupMapping",
"", ImmutableSet.of()
);
Assert.assertEquals(expectedGroupMapping2, response.getEntity());
}
@Test
@ -446,7 +660,7 @@ public class CoordinatorBasicAuthorizerResourceTest
}
@Test
public void testUsersRolesAndPerms()
public void testUsersGroupMappingsRolesAndPerms()
{
Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
@ -454,6 +668,12 @@ public class CoordinatorBasicAuthorizerResourceTest
response = resource.createUser(req, AUTHORIZER_NAME, "druid2");
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
@ -490,6 +710,18 @@ public class CoordinatorBasicAuthorizerResourceTest
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
BasicAuthorizerRole expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
Set<BasicAuthorizerRole> expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
@ -520,10 +752,22 @@ public class CoordinatorBasicAuthorizerResourceTest
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
BasicAuthorizerGroupMappingFull expectedGroupMappingFull = new BasicAuthorizerGroupMappingFull("druidGroupMapping", "", expectedRoles);
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappingFull, response.getEntity());
BasicAuthorizerGroupMappingFull expectedGroupMappingFull2 = new BasicAuthorizerGroupMappingFull("druid2GroupMapping", "", expectedRoles);
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappingFull2, response.getEntity());
Set<String> expectedUserSet = Sets.newHashSet("druid", "druid2");
Set<String> expectedGroupMappingSet = Sets.newHashSet("druidGroupMapping", "druid2GroupMapping");
BasicAuthorizerRoleFull expectedRoleFull = new BasicAuthorizerRoleFull(
"druidRole",
expectedUserSet,
expectedGroupMappingSet,
BasicAuthorizerPermission.makePermissionList(perms)
);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
@ -549,6 +793,7 @@ public class CoordinatorBasicAuthorizerResourceTest
BasicAuthorizerRoleFull expectedRoleFull2 = new BasicAuthorizerRoleFull(
"druidRole2",
expectedUserSet,
expectedGroupMappingSet,
BasicAuthorizerPermission.makePermissionList(perms2)
);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
@ -620,16 +865,24 @@ public class CoordinatorBasicAuthorizerResourceTest
response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
expectedUserFull = new BasicAuthorizerUserFull("druid", Sets.newHashSet(expectedRole2));
expectedUserFull2 = new BasicAuthorizerUserFull("druid2", Sets.newHashSet(expectedRole));
expectedRoleFull = new BasicAuthorizerRoleFull(
"druidRole",
Sets.newHashSet("druid2"),
Sets.newHashSet("druid2GroupMapping"),
BasicAuthorizerPermission.makePermissionList(perms)
);
expectedRoleFull2 = new BasicAuthorizerRoleFull(
"druidRole2",
Sets.newHashSet("druid"),
Sets.newHashSet("druidGroupMapping"),
BasicAuthorizerPermission.makePermissionList(perms2)
);
expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions(
@ -705,15 +958,10 @@ public class CoordinatorBasicAuthorizerResourceTest
final int innerI = i;
String roleName = "druidRole-" + i;
addRoleCallables.add(
new Callable<Void>()
{
@Override
public Void call() throws Exception
{
Response response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName);
responseCodesAssign[innerI] = response.getStatus();
return null;
}
() -> {
Response response12 = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName);
responseCodesAssign[innerI] = response12.getStatus();
return null;
}
);
}
@ -748,15 +996,10 @@ public class CoordinatorBasicAuthorizerResourceTest
final int innerI = i;
String roleName = "druidRole-" + i;
removeRoleCallables.add(
new Callable<Void>()
{
@Override
public Void call() throws Exception
{
Response response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName);
responseCodesRemove[innerI] = response.getStatus();
return null;
}
() -> {
Response response1 = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName);
responseCodesRemove[innerI] = response1.getStatus();
return null;
}
);
}

8
extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/NoopBasicAuthorizerCacheNotifier.java
View File

@ -24,7 +24,13 @@ import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCac
public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier
{
@Override
public void addUpdate(String authorizerPrefix, byte[] userAndRoleMap)
public void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap)
{
}
@Override
public void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap)
{
}

4
integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java
View File

@ -467,7 +467,7 @@ public class ITBasicAuthConfigurationTest
LOG.info("Testing Avatica query on broker with incorrect credentials.");
testAvaticaAuthFailure(brokerUrl);
LOG.info("Testing Avatica query on router with incorrect credentials.");
testAvaticaAuthFailure(routerUrl);
@ -526,7 +526,7 @@ public class ITBasicAuthConfigurationTest
catch (AvaticaSqlException ase) {
Assert.assertEquals(
ase.getErrorMessage(),
"Error while executing SQL \"SELECT * FROM INFORMATION_SCHEMA.COLUMNS\": Remote driver error: ForbiddenException: Authentication failed."
"Error while executing SQL \"SELECT * FROM INFORMATION_SCHEMA.COLUMNS\": Remote driver error: BasicSecurityAuthenticationException: User metadata store authentication failed username[admin]."
);
return;
}

12
website/.spelling
View File

@ -569,6 +569,18 @@ authorizerName
druid_system
pollingPeriod
roleName
LDAP
ldap
MyBasicMetadataAuthenticator
MyBasicLDAPAuthenticator
MyBasicMetadataAuthorizer
MyBasicLDAPAuthorizer
credentialsValidator
sAMAccountName
objectClass
initialAdminRole
adminGroupMapping
groupMappingName
- ../docs/development/extensions-core/druid-kerberos.md
8Kb
HttpComponents