mirror of https://github.com/apache/druid.git
Add config to allow setting up custom unsecured paths for druid nodes. (#5614)
* Add config to allow setting up custom unsecured paths for druid nodes. * return all resources for Unsecured paths * review comment - Add test * fix tests * fix test
parent
afa75e04b7
commit
e6efd75a3d
|
@ -9,6 +9,7 @@ layout: doc_page
|
||||||
|`druid.auth.authenticationChain`|JSON List of Strings|List of Authenticator type names|["allowAll"]|no|
|
|`druid.auth.authenticationChain`|JSON List of Strings|List of Authenticator type names|["allowAll"]|no|
|
||||||
|`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in `druid.auth.authenticationChain`.|"noop"|no|
|
|`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in `druid.auth.authenticationChain`.|"noop"|no|
|
||||||
|`druid.auth.authorizers`|JSON List of Strings|List of Authorizer type names |["allowAll"]|no|
|
|`druid.auth.authorizers`|JSON List of Strings|List of Authorizer type names |["allowAll"]|no|
|
||||||
|
|`druid.auth.unsecuredPaths`| List of Strings|List of paths for which security checks will not be performed. All requests to these paths will be allowed.|[]|no|
|
||||||
|
|
||||||
## Enabling Authentication/Authorization
|
## Enabling Authentication/Authorization
|
||||||
|
|
||||||
|
|
|
@ -126,7 +126,7 @@ public class OverlordResourceTest
|
||||||
public void expectAuthorizationTokenCheck()
|
public void expectAuthorizationTokenCheck()
|
||||||
{
|
{
|
||||||
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null);
|
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null);
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(authenticationResult)
|
.andReturn(authenticationResult)
|
||||||
|
|
|
@ -128,6 +128,7 @@ public class OverlordTest
|
||||||
public void setUp() throws Exception
|
public void setUp() throws Exception
|
||||||
{
|
{
|
||||||
req = EasyMock.createMock(HttpServletRequest.class);
|
req = EasyMock.createMock(HttpServletRequest.class);
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
|
|
@ -113,6 +113,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
|
|
||||||
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager));
|
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager));
|
||||||
EasyMock.expect(supervisorManager.createOrUpdateAndStartSupervisor(spec)).andReturn(true);
|
EasyMock.expect(supervisorManager.createOrUpdateAndStartSupervisor(spec)).andReturn(true);
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -162,6 +163,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
EasyMock.expect(supervisorManager.getSupervisorIds()).andReturn(supervisorIds).atLeastOnce();
|
EasyMock.expect(supervisorManager.getSupervisorIds()).andReturn(supervisorIds).atLeastOnce();
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1));
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1));
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2));
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2));
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -345,6 +347,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
SupervisorSpec spec2 = new TestSupervisorSpec("id2", null, Arrays.asList("datasource2"));
|
SupervisorSpec spec2 = new TestSupervisorSpec("id2", null, Arrays.asList("datasource2"));
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1)).atLeastOnce();
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1)).atLeastOnce();
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2)).atLeastOnce();
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2)).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -457,6 +460,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
SupervisorSpec spec2 = new TestSupervisorSpec("id2", null, Arrays.asList("datasource2"));
|
SupervisorSpec spec2 = new TestSupervisorSpec("id2", null, Arrays.asList("datasource2"));
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1)).atLeastOnce();
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id1")).andReturn(Optional.of(spec1)).atLeastOnce();
|
||||||
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2)).atLeastOnce();
|
EasyMock.expect(supervisorManager.getSupervisorSpec("id2")).andReturn(Optional.of(spec2)).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("wronguser", "druid", null)
|
new AuthenticationResult("wronguser", "druid", null)
|
||||||
|
@ -547,6 +551,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
|
|
||||||
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager)).times(3);
|
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager)).times(3);
|
||||||
EasyMock.expect(supervisorManager.getSupervisorHistory()).andReturn(history).times(3);
|
EasyMock.expect(supervisorManager.getSupervisorHistory()).andReturn(history).times(3);
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -644,6 +649,7 @@ public class SupervisorResourceTest extends EasyMockSupport
|
||||||
|
|
||||||
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager)).times(4);
|
EasyMock.expect(taskMaster.getSupervisorManager()).andReturn(Optional.of(supervisorManager)).times(4);
|
||||||
EasyMock.expect(supervisorManager.getSupervisorHistory()).andReturn(history).times(4);
|
EasyMock.expect(supervisorManager.getSupervisorHistory()).andReturn(history).times(4);
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).atLeastOnce();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("notdruid", "druid", null)
|
new AuthenticationResult("notdruid", "druid", null)
|
||||||
|
|
|
@ -28,6 +28,7 @@ command=java
|
||||||
-Ddruid.escalator.authorizerName=basic
|
-Ddruid.escalator.authorizerName=basic
|
||||||
-Ddruid.auth.authorizers="[\"basic\"]"
|
-Ddruid.auth.authorizers="[\"basic\"]"
|
||||||
-Ddruid.auth.authorizer.basic.type=basic
|
-Ddruid.auth.authorizer.basic.type=basic
|
||||||
|
-Ddruid.auth.unsecuredPaths="[\"/druid/coordinator/v1/loadqueue\"]"
|
||||||
-cp /shared/docker/lib/*
|
-cp /shared/docker/lib/*
|
||||||
io.druid.cli.Main server coordinator
|
io.druid.cli.Main server coordinator
|
||||||
redirect_stderr=true
|
redirect_stderr=true
|
||||||
|
|
|
@ -100,6 +100,11 @@ public class ITBasicAuthConfigurationTest
|
||||||
httpClient
|
httpClient
|
||||||
);
|
);
|
||||||
|
|
||||||
|
final HttpClient unsecuredClient = httpClient;
|
||||||
|
|
||||||
|
// check that we are allowed to access unsecured path without credentials.
|
||||||
|
checkUnsecuredCoordinatorLoadQueuePath(unsecuredClient);
|
||||||
|
|
||||||
// check that admin works
|
// check that admin works
|
||||||
checkNodeAccess(adminClient);
|
checkNodeAccess(adminClient);
|
||||||
|
|
||||||
|
@ -221,6 +226,11 @@ public class ITBasicAuthConfigurationTest
|
||||||
testAvaticaAuthFailure(routerUrl);
|
testAvaticaAuthFailure(routerUrl);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
private void checkUnsecuredCoordinatorLoadQueuePath(HttpClient client)
|
||||||
|
{
|
||||||
|
makeRequest(client, HttpMethod.GET, config.getCoordinatorUrl() + "/druid/coordinator/v1/loadqueue", null);
|
||||||
|
}
|
||||||
|
|
||||||
private void testAvaticaQuery(String url)
|
private void testAvaticaQuery(String url)
|
||||||
{
|
{
|
||||||
LOG.info("URL: " + url);
|
LOG.info("URL: " + url);
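Review bot: `checkUnsecuredCoordinatorLoadQueuePath` only shows that the listed path answers without credentials; nothing in these hunks checks that the same credential-less client is still rejected on a coordinator path that is not in `druid.auth.unsecuredPaths`, so an over-broad path match would pass this test. A paired negative check next to the call in the first hunk would pin that boundary. The alias `final HttpClient unsecuredClient = httpClient;` presumably refers to a client that sends no credentials; since its construction is outside the hunk, a one-line comment saying so would help. `testAvaticaQuery` continues past the end of the second hunk.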
|
||||||
|
|
|
@ -22,7 +22,9 @@ package io.druid.server.security;
|
||||||
import com.fasterxml.jackson.annotation.JsonCreator;
|
import com.fasterxml.jackson.annotation.JsonCreator;
|
||||||
import com.fasterxml.jackson.annotation.JsonProperty;
|
import com.fasterxml.jackson.annotation.JsonProperty;
|
||||||
|
|
||||||
|
import java.util.Collections;
|
||||||
import java.util.List;
|
import java.util.List;
|
||||||
|
import java.util.Objects;
|
||||||
|
|
||||||
public class AuthConfig
|
public class AuthConfig
|
||||||
{
|
{
|
||||||
|
@ -36,21 +38,25 @@ public class AuthConfig
|
||||||
*/
|
*/
|
||||||
public static final String DRUID_AUTHORIZATION_CHECKED = "Druid-Authorization-Checked";
|
public static final String DRUID_AUTHORIZATION_CHECKED = "Druid-Authorization-Checked";
|
||||||
|
|
||||||
|
public static final String DRUID_ALLOW_UNSECURED_PATH = "Druid-Allow-Unsecured-Path";
|
||||||
|
|
||||||
public static final String ALLOW_ALL_NAME = "allowAll";
|
public static final String ALLOW_ALL_NAME = "allowAll";
|
||||||
|
|
||||||
public AuthConfig()
|
public AuthConfig()
|
||||||
{
|
{
|
||||||
this(null, null);
|
this(null, null, null);
|
||||||
}
|
}
|
||||||
|
|
||||||
@JsonCreator
|
@JsonCreator
|
||||||
public AuthConfig(
|
public AuthConfig(
|
||||||
@JsonProperty("authenticatorChain") List<String> authenticationChain,
|
@JsonProperty("authenticatorChain") List<String> authenticationChain,
|
||||||
@JsonProperty("authorizers") List<String> authorizers
|
@JsonProperty("authorizers") List<String> authorizers,
|
||||||
|
@JsonProperty("unsecuredPaths") List<String> unsecuredPaths
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
this.authenticatorChain = authenticationChain;
|
this.authenticatorChain = authenticationChain;
|
||||||
this.authorizers = authorizers;
|
this.authorizers = authorizers;
|
||||||
|
this.unsecuredPaths = unsecuredPaths == null ? Collections.emptyList() : unsecuredPaths;
|
||||||
}
|
}
|
||||||
|
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
|
@ -59,6 +65,9 @@ public class AuthConfig
|
||||||
@JsonProperty
|
@JsonProperty
|
||||||
private List<String> authorizers;
|
private List<String> authorizers;
|
||||||
|
|
||||||
|
@JsonProperty
|
||||||
|
private final List<String> unsecuredPaths;
|
||||||
|
|
||||||
public List<String> getAuthenticatorChain()
|
public List<String> getAuthenticatorChain()
|
||||||
{
|
{
|
||||||
return authenticatorChain;
|
return authenticatorChain;
|
||||||
|
@ -69,12 +78,18 @@ public class AuthConfig
|
||||||
return authorizers;
|
return authorizers;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public List<String> getUnsecuredPaths()
|
||||||
|
{
|
||||||
|
return unsecuredPaths;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public String toString()
|
public String toString()
|
||||||
{
|
{
|
||||||
return "AuthConfig{" +
|
return "AuthConfig{" +
|
||||||
"authenticatorChain='" + authenticatorChain + '\'' +
|
"authenticatorChain='" + authenticatorChain + '\'' +
|
||||||
", authorizers='" + authorizers + '\'' +
|
", authorizers='" + authorizers + '\'' +
|
||||||
|
", unsecuredPaths='" + unsecuredPaths + '\'' +
|
||||||
'}';
|
'}';
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -87,23 +102,15 @@ public class AuthConfig
|
||||||
if (o == null || getClass() != o.getClass()) {
|
if (o == null || getClass() != o.getClass()) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
AuthConfig that = (AuthConfig) o;
|
AuthConfig that = (AuthConfig) o;
|
||||||
|
return Objects.equals(authenticatorChain, that.authenticatorChain) &&
|
||||||
if (getAuthenticatorChain() != null
|
Objects.equals(authorizers, that.authorizers) &&
|
||||||
? !getAuthenticatorChain().equals(that.getAuthenticatorChain())
|
Objects.equals(unsecuredPaths, that.unsecuredPaths);
|
||||||
: that.getAuthenticatorChain() != null) {
|
|
||||||
return false;
|
|
||||||
}
|
|
||||||
return getAuthorizers() != null ? getAuthorizers().equals(that.getAuthorizers()) : that.getAuthorizers() == null;
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public int hashCode()
|
public int hashCode()
|
||||||
{
|
{
|
||||||
int result = getAuthenticatorChain() != null ? getAuthenticatorChain().hashCode() : 0;
|
return Objects.hash(authenticatorChain, authorizers, unsecuredPaths);
|
||||||
result = 31 * result + (getAuthorizers() != null ? getAuthorizers().hashCode() : 0);
|
|
||||||
return result;
|
|
||||||
}
|
}
|
||||||
}
|
}
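Review bot: The constructor stores the caller's `unsecuredPaths` list by reference and `getUnsecuredPaths()` returns that same list, so the set of paths that skip security checks can be altered after configuration by any code holding either reference. The field is already `final`, so copy on the way in: `this.unsecuredPaths = unsecuredPaths == null ? Collections.emptyList() : Collections.unmodifiableList(new ArrayList<>(unsecuredPaths));` (this needs a `java.util.ArrayList` import). The new constant `DRUID_ALLOW_UNSECURED_PATH` has no Javadoc, while the constant above it appears to have one that ends just before the second hunk. A line such as `/** Request attribute set by UnsecuredResourceFilter; when present, AuthorizationUtils skips authorization for the request. */` would document the contract.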
|
||||||
|
|
|
@ -155,6 +155,10 @@ public class AuthorizationUtils
|
||||||
final AuthorizerMapper authorizerMapper
|
final AuthorizerMapper authorizerMapper
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
if (request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
|
||||||
|
return Access.OK;
|
||||||
|
}
|
||||||
|
|
||||||
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
||||||
throw new ISE("Request already had authorization check.");
|
throw new ISE("Request already had authorization check.");
|
||||||
}
|
}
|
||||||
|
@ -201,6 +205,10 @@ public class AuthorizationUtils
|
||||||
final AuthorizerMapper authorizerMapper
|
final AuthorizerMapper authorizerMapper
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
if (request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
|
||||||
|
return resources;
|
||||||
|
}
|
||||||
|
|
||||||
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
||||||
throw new ISE("Request already had authorization check.");
|
throw new ISE("Request already had authorization check.");
|
||||||
}
|
}
|
||||||
|
@ -309,6 +317,11 @@ public class AuthorizationUtils
|
||||||
final AuthorizerMapper authorizerMapper
|
final AuthorizerMapper authorizerMapper
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
|
||||||
|
if (request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH) != null) {
|
||||||
|
return unfilteredResources;
|
||||||
|
}
|
||||||
|
|
||||||
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
if (request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED) != null) {
|
||||||
throw new ISE("Request already had authorization check.");
|
throw new ISE("Request already had authorization check.");
|
||||||
}
|
}
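Review bot: The three new guards treat any non-null `DRUID_ALLOW_UNSECURED_PATH` attribute as a grant, so a value of `false` would still yield `Access.OK` or the full resource list. Compare against the value the filter actually sets, `if (Boolean.TRUE.equals(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH))) {`, in all three hunks (-155, -201 and -309). The early returns in the second and third hunks hand back `resources` and `unfilteredResources` without filtering, so a handler reached through a configured unsecured path returns every resource to an unauthenticated caller. That consequence deserves a sentence in each method's Javadoc and in the `druid.auth.unsecuredPaths` documentation row. The method signatures and the rest of each body lie outside these hunks.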
|
||||||
|
|
|
@ -76,8 +76,10 @@ public class SecuritySanityCheckFilter implements Filter
|
||||||
|
|
||||||
// make sure the original request isn't trying to fake the auth token checks
|
// make sure the original request isn't trying to fake the auth token checks
|
||||||
Boolean authInfoChecked = (Boolean) request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED);
|
Boolean authInfoChecked = (Boolean) request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED);
|
||||||
|
Boolean allowUnsecured = (Boolean) request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH);
|
||||||
|
|
||||||
AuthenticationResult result = (AuthenticationResult) request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);
|
AuthenticationResult result = (AuthenticationResult) request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);
|
||||||
if (authInfoChecked != null || result != null) {
|
if (authInfoChecked != null || result != null || allowUnsecured != null) {
|
||||||
sendJsonError(httpResponse, Response.SC_FORBIDDEN, unauthorizedMessage, out);
|
sendJsonError(httpResponse, Response.SC_FORBIDDEN, unauthorizedMessage, out);
|
||||||
out.close();
|
out.close();
|
||||||
return;
|
return;
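Review bot: The `(Boolean)` cast on `DRUID_ALLOW_UNSECURED_PATH` would throw `ClassCastException` instead of producing the 403 if the attribute ever held a non-Boolean value, and only its null-ness is tested afterwards. Reading it as `Object allowUnsecured = request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH);` keeps the rejection path intact for any value. The comment above the reads still mentions only the auth token checks; extend it to `// make sure the original request isn't trying to fake the auth token checks or the unsecured-path marker`. The enclosing method starts and ends outside the hunk.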
|
||||||
|
|
|
@ -53,6 +53,7 @@ public class UnsecuredResourceFilter implements Filter
|
||||||
|
|
||||||
// This request will not go to an Authorizer, so we need to set this for PreResponseAuthorizationCheckFilter
|
// This request will not go to an Authorizer, so we need to set this for PreResponseAuthorizationCheckFilter
|
||||||
servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
|
servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
|
||||||
|
servletRequest.setAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH, true);
|
||||||
filterChain.doFilter(servletRequest, servletResponse);
|
filterChain.doFilter(servletRequest, servletResponse);
|
||||||
}
|
}
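Review bot: The comment above the two `setAttribute` calls explains only `DRUID_AUTHORIZATION_CHECKED`, while the added `DRUID_ALLOW_UNSECURED_PATH` line has the larger effect and is undocumented. Per the AuthorizationUtils change in this commit, that attribute makes the authorization helpers return `Access.OK` or the unfiltered resource list. I would add `// Marks the request as unsecured: AuthorizationUtils skips per-resource checks and returns unfiltered results.` directly above the new line. How this filter is mapped to the configured paths is outside the hunk, so the matching rule (exact or prefix) cannot be judged from here.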
|
||||||
|
|
||||||
|
|
|
@ -144,6 +144,7 @@ public class EventReceiverFirehoseTest
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
@ -246,6 +247,7 @@ public class EventReceiverFirehoseTest
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
@ -265,6 +267,7 @@ public class EventReceiverFirehoseTest
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
@ -403,6 +406,7 @@ public class EventReceiverFirehoseTest
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
.andReturn(AllowAllAuthenticator.ALLOW_ALL_RESULT)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
|
|
@ -170,6 +170,7 @@ public class QueryResourceTest
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
|
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(authenticationResult)
|
.andReturn(authenticationResult)
|
||||||
|
@ -206,6 +207,7 @@ public class QueryResourceTest
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
|
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(authenticationResult)
|
.andReturn(authenticationResult)
|
||||||
|
@ -247,13 +249,13 @@ public class QueryResourceTest
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
||||||
new NoopServiceEmitter(),
|
new NoopServiceEmitter(),
|
||||||
testRequestLogger,
|
testRequestLogger,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper
|
authMapper
|
||||||
),
|
),
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
queryManager,
|
queryManager,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper,
|
authMapper,
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
||||||
);
|
);
|
||||||
|
@ -301,6 +303,7 @@ public class QueryResourceTest
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
|
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(authenticationResult)
|
.andReturn(authenticationResult)
|
||||||
|
@ -354,13 +357,13 @@ public class QueryResourceTest
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
||||||
new NoopServiceEmitter(),
|
new NoopServiceEmitter(),
|
||||||
testRequestLogger,
|
testRequestLogger,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper
|
authMapper
|
||||||
),
|
),
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
queryManager,
|
queryManager,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper,
|
authMapper,
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
||||||
);
|
);
|
||||||
|
@ -426,6 +429,8 @@ public class QueryResourceTest
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
|
||||||
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
|
|
||||||
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
.andReturn(authenticationResult)
|
.andReturn(authenticationResult)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
@ -475,13 +480,13 @@ public class QueryResourceTest
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
new DefaultGenericQueryMetricsFactory(jsonMapper),
|
||||||
new NoopServiceEmitter(),
|
new NoopServiceEmitter(),
|
||||||
testRequestLogger,
|
testRequestLogger,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper
|
authMapper
|
||||||
),
|
),
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
jsonMapper,
|
jsonMapper,
|
||||||
queryManager,
|
queryManager,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper,
|
authMapper,
|
||||||
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
new DefaultGenericQueryMetricsFactory(jsonMapper)
|
||||||
);
|
);
|
||||||
|
|
|
@ -128,6 +128,7 @@ public class DatasourcesResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).once();
|
).once();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -142,6 +143,7 @@ public class DatasourcesResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).once();
|
).once();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -184,6 +186,7 @@ public class DatasourcesResourceTest
|
||||||
ImmutableList.of(listDataSources.get(0), listDataSources.get(1))
|
ImmutableList.of(listDataSources.get(0), listDataSources.get(1))
|
||||||
).once();
|
).once();
|
||||||
|
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
authenticationResult
|
authenticationResult
|
||||||
|
@ -200,6 +203,7 @@ public class DatasourcesResourceTest
|
||||||
ImmutableList.of(listDataSources.get(0), listDataSources.get(1))
|
ImmutableList.of(listDataSources.get(0), listDataSources.get(1))
|
||||||
).once();
|
).once();
|
||||||
|
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
authenticationResult
|
authenticationResult
|
||||||
|
@ -236,7 +240,7 @@ public class DatasourcesResourceTest
|
||||||
inventoryView,
|
inventoryView,
|
||||||
null,
|
null,
|
||||||
null,
|
null,
|
||||||
new AuthConfig(null, null),
|
new AuthConfig(),
|
||||||
authMapper
|
authMapper
|
||||||
);
|
);
|
||||||
Response response = datasourcesResource.getQueryableDataSources("full", null, request);
|
Response response = datasourcesResource.getQueryableDataSources("full", null, request);
|
||||||
|
@ -277,6 +281,7 @@ public class DatasourcesResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).atLeastOnce();
|
).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
|
|
@ -108,6 +108,7 @@ public class IntervalsResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).atLeastOnce();
|
).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -145,6 +146,7 @@ public class IntervalsResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).atLeastOnce();
|
).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -176,6 +178,7 @@ public class IntervalsResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).atLeastOnce();
|
).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
@ -209,6 +212,7 @@ public class IntervalsResourceTest
|
||||||
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
EasyMock.expect(inventoryView.getInventory()).andReturn(
|
||||||
ImmutableList.of(server)
|
ImmutableList.of(server)
|
||||||
).atLeastOnce();
|
).atLeastOnce();
|
||||||
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(
|
||||||
new AuthenticationResult("druid", "druid", null)
|
new AuthenticationResult("druid", "druid", null)
|
||||||
|
|
|
@ -110,6 +110,7 @@ public class ResourceFilterTestHelper
|
||||||
)
|
)
|
||||||
).anyTimes();
|
).anyTimes();
|
||||||
EasyMock.expect(request.getMethod()).andReturn(requestMethod).anyTimes();
|
EasyMock.expect(request.getMethod()).andReturn(requestMethod).anyTimes();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
|
||||||
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null);
|
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null);
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
|
||||||
|
@ -182,7 +183,7 @@ public class ResourceFilterTestHelper
|
||||||
for (Key<?> key : mockableKeys) {
|
for (Key<?> key : mockableKeys) {
|
||||||
binder.bind((Key<Object>) key).toInstance(EasyMock.createNiceMock(key.getTypeLiteral().getRawType()));
|
binder.bind((Key<Object>) key).toInstance(EasyMock.createNiceMock(key.getTypeLiteral().getRawType()));
|
||||||
}
|
}
|
||||||
binder.bind(AuthConfig.class).toInstance(new AuthConfig(null, null));
|
binder.bind(AuthConfig.class).toInstance(new AuthConfig());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
);
|
);
|
||||||
|
|
|
@ -41,6 +41,7 @@ public class SecuritySanityCheckFilterTest
|
||||||
FilterChain filterChain = EasyMock.createStrictMock(FilterChain.class);
|
FilterChain filterChain = EasyMock.createStrictMock(FilterChain.class);
|
||||||
|
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(null).once();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(null).once();
|
||||||
filterChain.doFilter(req, resp);
|
filterChain.doFilter(req, resp);
|
||||||
EasyMock.expectLastCall().once();
|
EasyMock.expectLastCall().once();
|
||||||
|
@ -61,6 +62,7 @@ public class SecuritySanityCheckFilterTest
|
||||||
AuthenticationResult authenticationResult = new AuthenticationResult("does-not-belong", "does-not-belong", null);
|
AuthenticationResult authenticationResult = new AuthenticationResult("does-not-belong", "does-not-belong", null);
|
||||||
|
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(true).once();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(true).once();
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authenticationResult).once();
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authenticationResult).once();
|
||||||
EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).once();
|
EasyMock.expect(resp.getOutputStream()).andReturn(outputStream).once();
|
||||||
resp.setStatus(403);
|
resp.setStatus(403);
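Review bot: The two added expectations only ever return null for `AuthConfig.DRUID_ALLOW_UNSECURED_PATH`, so nothing in this test class checks what the sanity filter does when a request arrives with that attribute already set. The second test already covers that case for `DRUID_AUTHORIZATION_CHECKED` (returns `true`, expects 403). A sibling test using `EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(true).once();` with the same 403 assertion would pin the new attribute too, assuming the filter is meant to reject it; its implementation is not shown here. In the second hunk `.anyTimes()` also lets the test pass whether or not the attribute is read, so `.once()` would state the intended behaviour more precisely. Both test methods start and end outside the hunks.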
|
||||||
|
|
|
@ -97,7 +97,9 @@ public class CliMiddleManager extends ServerRunnable
|
||||||
binder.bind(WorkerCuratorCoordinator.class).in(ManageLifecycle.class);
|
binder.bind(WorkerCuratorCoordinator.class).in(ManageLifecycle.class);
|
||||||
|
|
||||||
LifecycleModule.register(binder, WorkerTaskMonitor.class);
|
LifecycleModule.register(binder, WorkerTaskMonitor.class);
|
||||||
binder.bind(JettyServerInitializer.class).toInstance(new MiddleManagerJettyServerInitializer());
|
binder.bind(JettyServerInitializer.class)
|
||||||
|
.to(MiddleManagerJettyServerInitializer.class)
|
||||||
|
.in(LazySingleton.class);
|
||||||
Jerseys.addResource(binder, WorkerResource.class);
|
Jerseys.addResource(binder, WorkerResource.class);
|
||||||
Jerseys.addResource(binder, TaskManagementResource.class);
|
Jerseys.addResource(binder, TaskManagementResource.class);
|
||||||
|
|
||||||
|
|
|
@ -22,6 +22,7 @@ package io.druid.cli;
|
||||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
import com.google.common.collect.ImmutableList;
|
import com.google.common.collect.ImmutableList;
|
||||||
import com.google.inject.Binder;
|
import com.google.inject.Binder;
|
||||||
|
import com.google.inject.Inject;
|
||||||
import com.google.inject.Injector;
|
import com.google.inject.Injector;
|
||||||
import com.google.inject.Key;
|
import com.google.inject.Key;
|
||||||
import com.google.inject.Module;
|
import com.google.inject.Module;
|
||||||
|
@ -91,6 +92,7 @@ import io.druid.server.http.RedirectFilter;
|
||||||
import io.druid.server.http.RedirectInfo;
|
import io.druid.server.http.RedirectInfo;
|
||||||
import io.druid.server.initialization.jetty.JettyServerInitUtils;
|
import io.druid.server.initialization.jetty.JettyServerInitUtils;
|
||||||
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
||||||
|
import io.druid.server.security.AuthConfig;
|
||||||
import io.druid.server.security.AuthenticationUtils;
|
import io.druid.server.security.AuthenticationUtils;
|
||||||
import io.druid.server.security.Authenticator;
|
import io.druid.server.security.Authenticator;
|
||||||
import io.druid.server.security.AuthenticatorMapper;
|
import io.druid.server.security.AuthenticatorMapper;
|
||||||
|
@ -194,7 +196,9 @@ public class CliOverlord extends ServerRunnable
|
||||||
if (standalone) {
|
if (standalone) {
|
||||||
binder.bind(RedirectFilter.class).in(LazySingleton.class);
|
binder.bind(RedirectFilter.class).in(LazySingleton.class);
|
||||||
binder.bind(RedirectInfo.class).to(OverlordRedirectInfo.class).in(LazySingleton.class);
|
binder.bind(RedirectInfo.class).to(OverlordRedirectInfo.class).in(LazySingleton.class);
|
||||||
binder.bind(JettyServerInitializer.class).toInstance(new OverlordJettyServerInitializer());
|
binder.bind(JettyServerInitializer.class)
|
||||||
|
.to(OverlordJettyServerInitializer.class)
|
||||||
|
.in(LazySingleton.class);
|
||||||
}
|
}
|
||||||
|
|
||||||
Jerseys.addResource(binder, OverlordResource.class);
|
Jerseys.addResource(binder, OverlordResource.class);
|
||||||
|
@ -302,6 +306,14 @@ public class CliOverlord extends ServerRunnable
|
||||||
*/
|
*/
|
||||||
private static class OverlordJettyServerInitializer implements JettyServerInitializer
|
private static class OverlordJettyServerInitializer implements JettyServerInitializer
|
||||||
{
|
{
|
||||||
|
private final AuthConfig authConfig;
|
||||||
|
|
||||||
|
@Inject
|
||||||
|
OverlordJettyServerInitializer(AuthConfig authConfig)
|
||||||
|
{
|
||||||
|
this.authConfig = authConfig;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void initialize(Server server, Injector injector)
|
public void initialize(Server server, Injector injector)
|
||||||
{
|
{
|
||||||
|
@ -330,6 +342,7 @@ public class CliOverlord extends ServerRunnable
|
||||||
|
|
||||||
// perform no-op authorization for these resources
|
// perform no-op authorization for these resources
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
||||||
|
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
|
||||||
|
|
||||||
authenticators = authenticatorMapper.getAuthenticatorChain();
|
authenticators = authenticatorMapper.getAuthenticatorChain();
|
||||||
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
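Review bot: The added call `AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());` in `initialize` passes operator-supplied strings to the filter registration with no validation and no startup log, so an overly broad entry such as `/*` would silently exempt the whole node from authentication and authorization. I would log the effective list once at startup and warn on or reject wildcard entries, for example `log.warn("Security checks are disabled for configured paths: %s", authConfig.getUnsecuredPaths());` if this class has a logger. It is also worth confirming that `getUnsecuredPaths()` can never return null, since `AuthConfig` is not part of this section. The same line is added in CoordinatorJettyServerInitializer, MiddleManagerJettyServerInitializer, QueryJettyServerInitializer and RouterJettyServerInitializer, so the validation would sit best in one shared helper. `initialize` continues outside the hunk.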
|
||||||
|
|
|
@ -71,12 +71,14 @@ class CoordinatorJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
private final DruidCoordinatorConfig config;
|
private final DruidCoordinatorConfig config;
|
||||||
private final boolean beOverlord;
|
private final boolean beOverlord;
|
||||||
|
private final AuthConfig authConfig;
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
CoordinatorJettyServerInitializer(DruidCoordinatorConfig config, Properties properties)
|
CoordinatorJettyServerInitializer(DruidCoordinatorConfig config, Properties properties, AuthConfig authConfig)
|
||||||
{
|
{
|
||||||
this.config = config;
|
this.config = config;
|
||||||
this.beOverlord = CliCoordinator.isOverlord(properties);
|
this.beOverlord = CliCoordinator.isOverlord(properties);
|
||||||
|
this.authConfig = authConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -117,6 +119,7 @@ class CoordinatorJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
// perform no-op authorization for these resources
|
// perform no-op authorization for these resources
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
||||||
|
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
|
||||||
|
|
||||||
if (beOverlord) {
|
if (beOverlord) {
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
|
||||||
|
|
|
@ -21,6 +21,7 @@ package io.druid.cli;
|
||||||
|
|
||||||
import com.fasterxml.jackson.databind.ObjectMapper;
|
import com.fasterxml.jackson.databind.ObjectMapper;
|
||||||
import com.google.common.collect.Lists;
|
import com.google.common.collect.Lists;
|
||||||
|
import com.google.inject.Inject;
|
||||||
import com.google.inject.Injector;
|
import com.google.inject.Injector;
|
||||||
import com.google.inject.Key;
|
import com.google.inject.Key;
|
||||||
import com.google.inject.servlet.GuiceFilter;
|
import com.google.inject.servlet.GuiceFilter;
|
||||||
|
@ -52,6 +53,14 @@ class MiddleManagerJettyServerInitializer implements JettyServerInitializer
|
||||||
"/status/health"
|
"/status/health"
|
||||||
);
|
);
|
||||||
|
|
||||||
|
private final AuthConfig authConfig;
|
||||||
|
|
||||||
|
@Inject
|
||||||
|
public MiddleManagerJettyServerInitializer(AuthConfig authConfig)
|
||||||
|
{
|
||||||
|
this.authConfig = authConfig;
|
||||||
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
public void initialize(Server server, Injector injector)
|
public void initialize(Server server, Injector injector)
|
||||||
{
|
{
|
||||||
|
@ -67,6 +76,7 @@ class MiddleManagerJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
// perform no-op authorization for these resources
|
// perform no-op authorization for these resources
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
||||||
|
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
|
||||||
|
|
||||||
authenticators = authenticatorMapper.getAuthenticatorChain();
|
authenticators = authenticatorMapper.getAuthenticatorChain();
|
||||||
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
||||||
|
|
|
@ -33,6 +33,7 @@ import io.druid.server.initialization.ServerConfig;
|
||||||
import io.druid.server.initialization.jetty.JettyServerInitUtils;
|
import io.druid.server.initialization.jetty.JettyServerInitUtils;
|
||||||
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
||||||
import io.druid.server.initialization.jetty.LimitRequestsFilter;
|
import io.druid.server.initialization.jetty.LimitRequestsFilter;
|
||||||
|
import io.druid.server.security.AuthConfig;
|
||||||
import io.druid.server.security.AuthenticationUtils;
|
import io.druid.server.security.AuthenticationUtils;
|
||||||
import io.druid.server.security.Authenticator;
|
import io.druid.server.security.Authenticator;
|
||||||
import io.druid.server.security.AuthenticatorMapper;
|
import io.druid.server.security.AuthenticatorMapper;
|
||||||
|
@ -61,11 +62,14 @@ public class QueryJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
private final ServerConfig serverConfig;
|
private final ServerConfig serverConfig;
|
||||||
|
|
||||||
|
private final AuthConfig authConfig;
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
public QueryJettyServerInitializer(Set<Handler> extensionHandlers, ServerConfig serverConfig)
|
public QueryJettyServerInitializer(Set<Handler> extensionHandlers, ServerConfig serverConfig, AuthConfig authConfig)
|
||||||
{
|
{
|
||||||
this.extensionHandlers = ImmutableList.copyOf(extensionHandlers);
|
this.extensionHandlers = ImmutableList.copyOf(extensionHandlers);
|
||||||
this.serverConfig = serverConfig;
|
this.serverConfig = serverConfig;
|
||||||
|
this.authConfig = authConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -96,6 +100,7 @@ public class QueryJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
// perform no-op authorization for these resources
|
// perform no-op authorization for these resources
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
||||||
|
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
|
||||||
|
|
||||||
authenticators = authenticatorMapper.getAuthenticatorChain();
|
authenticators = authenticatorMapper.getAuthenticatorChain();
|
||||||
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
||||||
|
|
|
@ -34,6 +34,7 @@ import io.druid.server.initialization.jetty.JettyServerInitUtils;
|
||||||
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
import io.druid.server.initialization.jetty.JettyServerInitializer;
|
||||||
import io.druid.server.router.ManagementProxyConfig;
|
import io.druid.server.router.ManagementProxyConfig;
|
||||||
import io.druid.server.router.Router;
|
import io.druid.server.router.Router;
|
||||||
|
import io.druid.server.security.AuthConfig;
|
||||||
import io.druid.server.security.AuthenticationUtils;
|
import io.druid.server.security.AuthenticationUtils;
|
||||||
import io.druid.server.security.Authenticator;
|
import io.druid.server.security.Authenticator;
|
||||||
import io.druid.server.security.AuthenticatorMapper;
|
import io.druid.server.security.AuthenticatorMapper;
|
||||||
|
@ -63,6 +64,7 @@ public class RouterJettyServerInitializer implements JettyServerInitializer
|
||||||
private final ManagementProxyConfig managementProxyConfig;
|
private final ManagementProxyConfig managementProxyConfig;
|
||||||
private final AsyncQueryForwardingServlet asyncQueryForwardingServlet;
|
private final AsyncQueryForwardingServlet asyncQueryForwardingServlet;
|
||||||
private final AsyncManagementForwardingServlet asyncManagementForwardingServlet;
|
private final AsyncManagementForwardingServlet asyncManagementForwardingServlet;
|
||||||
|
private final AuthConfig authConfig;
|
||||||
|
|
||||||
@Inject
|
@Inject
|
||||||
public RouterJettyServerInitializer(
|
public RouterJettyServerInitializer(
|
||||||
|
@ -70,7 +72,8 @@ public class RouterJettyServerInitializer implements JettyServerInitializer
|
||||||
@Global DruidHttpClientConfig globalHttpClientConfig,
|
@Global DruidHttpClientConfig globalHttpClientConfig,
|
||||||
ManagementProxyConfig managementProxyConfig,
|
ManagementProxyConfig managementProxyConfig,
|
||||||
AsyncQueryForwardingServlet asyncQueryForwardingServlet,
|
AsyncQueryForwardingServlet asyncQueryForwardingServlet,
|
||||||
AsyncManagementForwardingServlet asyncManagementForwardingServlet
|
AsyncManagementForwardingServlet asyncManagementForwardingServlet,
|
||||||
|
AuthConfig authConfig
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
this.routerHttpClientConfig = routerHttpClientConfig;
|
this.routerHttpClientConfig = routerHttpClientConfig;
|
||||||
|
@ -78,6 +81,7 @@ public class RouterJettyServerInitializer implements JettyServerInitializer
|
||||||
this.managementProxyConfig = managementProxyConfig;
|
this.managementProxyConfig = managementProxyConfig;
|
||||||
this.asyncQueryForwardingServlet = asyncQueryForwardingServlet;
|
this.asyncQueryForwardingServlet = asyncQueryForwardingServlet;
|
||||||
this.asyncManagementForwardingServlet = asyncManagementForwardingServlet;
|
this.asyncManagementForwardingServlet = asyncManagementForwardingServlet;
|
||||||
|
this.authConfig = authConfig;
|
||||||
}
|
}
|
||||||
|
|
||||||
@Override
|
@Override
|
||||||
|
@ -105,6 +109,7 @@ public class RouterJettyServerInitializer implements JettyServerInitializer
|
||||||
|
|
||||||
// perform no-op authorization for these resources
|
// perform no-op authorization for these resources
|
||||||
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
|
||||||
|
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
|
||||||
|
|
||||||
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
|
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
|
||||||
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
|
||||||
|
|
|
@ -86,6 +86,7 @@ public class SqlResourceTest extends CalciteTestBase
|
||||||
final DruidOperatorTable operatorTable = CalciteTests.createOperatorTable();
|
final DruidOperatorTable operatorTable = CalciteTests.createOperatorTable();
|
||||||
final ExprMacroTable macroTable = CalciteTests.createExprMacroTable();
|
final ExprMacroTable macroTable = CalciteTests.createExprMacroTable();
|
||||||
req = EasyMock.createStrictMock(HttpServletRequest.class);
|
req = EasyMock.createStrictMock(HttpServletRequest.class);
|
||||||
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
|
||||||
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
|
||||||
.andReturn(null)
|
.andReturn(null)
|
||||||
.anyTimes();
|
.anyTimes();
|
||||||
|
|