Search in sources :

Example 6 with Access

use of io.druid.server.security.Access in project druid by druid-io.

the class ConfigResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    if (getAuthConfig().isEnabled()) {
        // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
        final String resourceName = "CONFIG";
        final AuthorizationInfo authorizationInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
        Preconditions.checkNotNull(authorizationInfo, "Security is enabled but no authorization info found in the request");
        final Access authResult = authorizationInfo.isAuthorized(new Resource(resourceName, ResourceType.CONFIG), getAction(request));
        if (!authResult.isAllowed()) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", authResult.toString())).build());
        }
    }
    return request;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) Access(io.druid.server.security.Access) Resource(io.druid.server.security.Resource) AuthorizationInfo(io.druid.server.security.AuthorizationInfo)

Example 7 with Access

use of io.druid.server.security.Access in project druid by druid-io.

the class RulesResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    if (getAuthConfig().isEnabled()) {
        // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
        final String dataSourceName = request.getPathSegments().get(Iterables.indexOf(request.getPathSegments(), new Predicate<PathSegment>() {

            @Override
            public boolean apply(PathSegment input) {
                return input.getPath().equals("rules");
            }
        }) + 1).getPath();
        Preconditions.checkNotNull(dataSourceName);
        final AuthorizationInfo authorizationInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
        Preconditions.checkNotNull(authorizationInfo, "Security is enabled but no authorization info found in the request");
        final Access authResult = authorizationInfo.isAuthorized(new Resource(dataSourceName, ResourceType.DATASOURCE), getAction(request));
        if (!authResult.isAllowed()) {
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", authResult.toString())).build());
        }
    }
    return request;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) Access(io.druid.server.security.Access) Resource(io.druid.server.security.Resource) PathSegment(javax.ws.rs.core.PathSegment) AuthorizationInfo(io.druid.server.security.AuthorizationInfo) Predicate(com.google.common.base.Predicate)

Example 8 with Access

use of io.druid.server.security.Access in project druid by druid-io.

the class QueryResourceTest method testDenySecuredGetServer.

@Test(timeout = 60_000L)
public void testDenySecuredGetServer() throws Exception {
    final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
    final CountDownLatch waitFinishLatch = new CountDownLatch(2);
    final CountDownLatch startAwaitLatch = new CountDownLatch(1);
    EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {

        @Override
        public Access isAuthorized(Resource resource, Action action) {
            // WRITE corresponds to cancellation of query
            if (action.equals(Action.READ)) {
                try {
                    waitForCancellationLatch.await();
                } catch (InterruptedException e) {
                    Throwables.propagate(e);
                }
                return new Access(true);
            } else {
                // Deny access to cancel the query
                return new Access(false);
            }
        }
    }).times(2);
    EasyMock.replay(testServletRequest);
    queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
    final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
    ObjectMapper mapper = new DefaultObjectMapper();
    Query query = mapper.readValue(queryString, Query.class);
    ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {

        @Override
        public void run() {
            try {
                startAwaitLatch.countDown();
                Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
                Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
            } catch (IOException e) {
                Throwables.propagate(e);
            }
            waitFinishLatch.countDown();
        }
    });
    queryManager.registerQuery(query, future);
    startAwaitLatch.await();
    Executors.newSingleThreadExecutor().submit(new Runnable() {

        @Override
        public void run() {
            Response response = queryResource.getServer("id_1", testServletRequest);
            Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
            waitForCancellationLatch.countDown();
            waitFinishLatch.countDown();
        }
    });
    waitFinishLatch.await();
}
Also used : Action(io.druid.server.security.Action) Query(io.druid.query.Query) Resource(io.druid.server.security.Resource) Access(io.druid.server.security.Access) NoopRequestLogger(io.druid.server.log.NoopRequestLogger) NoopServiceEmitter(io.druid.server.metrics.NoopServiceEmitter) AuthConfig(io.druid.server.security.AuthConfig) IOException(java.io.IOException) CountDownLatch(java.util.concurrent.CountDownLatch) AuthorizationInfo(io.druid.server.security.AuthorizationInfo) Response(javax.ws.rs.core.Response) ByteArrayInputStream(java.io.ByteArrayInputStream) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) DefaultObjectMapper(io.druid.jackson.DefaultObjectMapper) DefaultObjectMapper(io.druid.jackson.DefaultObjectMapper) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Test(org.junit.Test)

Example 9 with Access

use of io.druid.server.security.Access in project druid by druid-io.

the class QueryResourceTest method testSecuredGetServer.

@Test(timeout = 60_000L)
public void testSecuredGetServer() throws Exception {
    final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
    final CountDownLatch waitFinishLatch = new CountDownLatch(2);
    final CountDownLatch startAwaitLatch = new CountDownLatch(1);
    final CountDownLatch cancelledCountDownLatch = new CountDownLatch(1);
    EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {

        @Override
        public Access isAuthorized(Resource resource, Action action) {
            // WRITE corresponds to cancellation of query
            if (action.equals(Action.READ)) {
                try {
                    // Countdown startAwaitLatch as we want query cancellation to happen
                    // after we enter isAuthorized method so that we can handle the
                    // InterruptedException here because of query cancellation
                    startAwaitLatch.countDown();
                    waitForCancellationLatch.await();
                } catch (InterruptedException e) {
                    // When the query is cancelled the control will reach here,
                    // countdown the latch and rethrow the exception so that error response is returned for the query
                    cancelledCountDownLatch.countDown();
                    Throwables.propagate(e);
                }
                return new Access(true);
            } else {
                return new Access(true);
            }
        }
    }).times(2);
    EasyMock.replay(testServletRequest);
    queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
    final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
    ObjectMapper mapper = new DefaultObjectMapper();
    Query query = mapper.readValue(queryString, Query.class);
    ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {

        @Override
        public void run() {
            try {
                Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
                Assert.assertEquals(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode(), response.getStatus());
            } catch (IOException e) {
                Throwables.propagate(e);
            }
            waitFinishLatch.countDown();
        }
    });
    queryManager.registerQuery(query, future);
    startAwaitLatch.await();
    Executors.newSingleThreadExecutor().submit(new Runnable() {

        @Override
        public void run() {
            Response response = queryResource.getServer("id_1", testServletRequest);
            Assert.assertEquals(Response.Status.ACCEPTED.getStatusCode(), response.getStatus());
            waitForCancellationLatch.countDown();
            waitFinishLatch.countDown();
        }
    });
    waitFinishLatch.await();
    cancelledCountDownLatch.await();
}
Also used : Action(io.druid.server.security.Action) Query(io.druid.query.Query) Resource(io.druid.server.security.Resource) Access(io.druid.server.security.Access) NoopRequestLogger(io.druid.server.log.NoopRequestLogger) NoopServiceEmitter(io.druid.server.metrics.NoopServiceEmitter) AuthConfig(io.druid.server.security.AuthConfig) IOException(java.io.IOException) CountDownLatch(java.util.concurrent.CountDownLatch) AuthorizationInfo(io.druid.server.security.AuthorizationInfo) Response(javax.ws.rs.core.Response) ByteArrayInputStream(java.io.ByteArrayInputStream) ListenableFuture(com.google.common.util.concurrent.ListenableFuture) DefaultObjectMapper(io.druid.jackson.DefaultObjectMapper) DefaultObjectMapper(io.druid.jackson.DefaultObjectMapper) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Test(org.junit.Test)

Example 10 with Access

use of io.druid.server.security.Access in project druid by druid-io.

the class OverlordResourceTest method setUp.

@Before
public void setUp() throws Exception {
    taskRunner = EasyMock.createMock(TaskRunner.class);
    taskMaster = EasyMock.createStrictMock(TaskMaster.class);
    tsqa = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
    req = EasyMock.createStrictMock(HttpServletRequest.class);
    EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();
    overlordResource = new OverlordResource(taskMaster, tsqa, null, null, null, new AuthConfig(true));
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTH_TOKEN)).andReturn(new AuthorizationInfo() {

        @Override
        public Access isAuthorized(Resource resource, Action action) {
            if (resource.getName().equals("allow")) {
                return new Access(true);
            } else {
                return new Access(false);
            }
        }
    });
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) Action(io.druid.server.security.Action) Resource(io.druid.server.security.Resource) Access(io.druid.server.security.Access) AuthConfig(io.druid.server.security.AuthConfig) TaskMaster(io.druid.indexing.overlord.TaskMaster) AuthorizationInfo(io.druid.server.security.AuthorizationInfo) TaskStorageQueryAdapter(io.druid.indexing.overlord.TaskStorageQueryAdapter) TaskRunner(io.druid.indexing.overlord.TaskRunner) Before(org.junit.Before)

Aggregations

Access (io.druid.server.security.Access)19 Resource (io.druid.server.security.Resource)19 AuthorizationInfo (io.druid.server.security.AuthorizationInfo)18 Action (io.druid.server.security.Action)11 WebApplicationException (javax.ws.rs.WebApplicationException)8 Produces (javax.ws.rs.Produces)7 Pair (io.druid.java.util.common.Pair)6 HashMap (java.util.HashMap)6 Response (javax.ws.rs.core.Response)6 AuthConfig (io.druid.server.security.AuthConfig)5 Path (javax.ws.rs.Path)5 Predicate (com.google.common.base.Predicate)4 GET (javax.ws.rs.GET)4 Test (org.junit.Test)4 DruidDataSource (io.druid.client.DruidDataSource)3 Query (io.druid.query.Query)3 NoopRequestLogger (io.druid.server.log.NoopRequestLogger)3 NoopServiceEmitter (io.druid.server.metrics.NoopServiceEmitter)3 ByteArrayInputStream (java.io.ByteArrayInputStream)3 IOException (java.io.IOException)3