Use of io.druid.server.security.Action in project druid by druid-io.
Class OverlordResource, method securedTaskRunnerWorkItem.
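/**
 * Narrows {@code collectionToFilter} to the work items whose task's datasource the caller is
 * authorized to READ, according to the {@link AuthorizationInfo} the auth filter attached to the
 * request.
 *
 * @param collectionToFilter work items to filter; the result is a live, lazily filtered view of it,
 *                           so the authorization check runs as the view is iterated
 * @param req                the current request; its {@link AuthConfig#DRUID_AUTH_TOKEN} attribute
 *                           must carry the caller's {@link AuthorizationInfo}
 * @return a filtered view containing only the work items the caller may see
 * @throws IllegalStateException   if no {@link AuthorizationInfo} is attached to the request, so a
 *                                 misconfigured filter chain fails closed up front instead of with a
 *                                 NullPointerException in the middle of iteration
 * @throws WebApplicationException (500) if a work item's task cannot be found in task storage
 */
private Collection<? extends TaskRunnerWorkItem> securedTaskRunnerWorkItem(
    Collection<? extends TaskRunnerWorkItem> collectionToFilter,
    HttpServletRequest req
)
{
  final AuthorizationInfo authorizationInfo = (AuthorizationInfo) req.getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
  if (authorizationInfo == null) {
    throw new IllegalStateException("Invalid to call a secured method with null AuthorizationInfo!!");
  }
  // One authorizer decision per (datasource, action) pair: many work items typically share a
  // datasource, and the authorizer may be expensive to consult.
  final Map<Pair<Resource, Action>, Access> resourceAccessMap = new HashMap<>();
  return Collections2.filter(
      collectionToFilter,
      new Predicate<TaskRunnerWorkItem>()
      {
        @Override
        public boolean apply(TaskRunnerWorkItem input)
        {
          final String taskId = input.getTaskId();
          final Optional<Task> optionalTask = taskStorageQueryAdapter.getTask(taskId);
          if (!optionalTask.isPresent()) {
            throw new WebApplicationException(
                Response.serverError()
                        .entity(String.format("No task information found for task with id: [%s]", taskId))
                        .build()
            );
          }
          final Pair<Resource, Action> key = new Pair<>(
              new Resource(optionalTask.get().getDataSource(), ResourceType.DATASOURCE),
              Action.READ
          );
          Access access = resourceAccessMap.get(key);
          if (access == null) {
            access = authorizationInfo.isAuthorized(key.lhs, key.rhs);
            resourceAccessMap.put(key, access);
          }
          return access.isAllowed();
        }
      }
  );
}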
Use of io.druid.server.security.Action in project druid by druid-io.
Class QueryResourceTest, method testSecuredQuery.
/**
 * Exercises the datasource-level READ check in {@code QueryResource.doPost}: the mocked
 * {@link AuthorizationInfo} permits only a resource named {@code "allow"}, so the generic
 * time-series query is answered with 403 while a query against {@code "allow"} gets 200.
 */
@Test
public void testSecuredQuery() throws Exception
{
  final AuthorizationInfo allowOnlyNamedAllow = new AuthorizationInfo()
  {
    @Override
    public Access isAuthorized(Resource resource, Action action)
    {
      final boolean permitted = resource.getName().equals("allow");
      return new Access(permitted);
    }
  };
  // Two doPost calls follow, hence the auth attribute is expected to be read twice.
  EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString()))
          .andReturn(allowOnlyNamedAllow)
          .times(2);
  EasyMock.replay(testServletRequest);

  queryResource = new QueryResource(
      warehouse,
      serverConfig,
      jsonMapper,
      jsonMapper,
      testSegmentWalker,
      new NoopServiceEmitter(),
      new NoopRequestLogger(),
      queryManager,
      new AuthConfig(true)
  );

  final String allowedQuery = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}";

  Response denied = queryResource.doPost(
      new ByteArrayInputStream(simpleTimeSeriesQuery.getBytes("UTF-8")),
      null, /*pretty*/
      testServletRequest
  );
  Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), denied.getStatus());

  Response allowed = queryResource.doPost(
      new ByteArrayInputStream(allowedQuery.getBytes("UTF-8")),
      null, /*pretty*/
      testServletRequest
  );
  Assert.assertEquals(Response.Status.OK.getStatusCode(), allowed.getStatus());
}
Use of io.druid.server.security.Action in project druid by druid-io.
Class ClientInfoResource, method getDataSources.
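/**
 * Lists the datasource names this node knows about. When authorization is enabled the list is
 * narrowed to the datasources the caller is allowed to READ; otherwise every datasource is
 * returned.
 *
 * @param request the current request; when auth is enabled its {@link AuthConfig#DRUID_AUTH_TOKEN}
 *                attribute must carry the caller's {@link AuthorizationInfo}
 * @return datasource names; with auth enabled this is a lazily filtered view, so the
 *         authorization check runs as the result is iterated
 * @throws IllegalStateException if auth is enabled but no {@link AuthorizationInfo} was attached
 *                               to the request — fail closed rather than NPE mid-iteration
 */
@GET
@Produces(MediaType.APPLICATION_JSON)
public Iterable<String> getDataSources(@Context final HttpServletRequest request)
{
  if (!authConfig.isEnabled()) {
    return getSegmentsForDatasources().keySet();
  }
  // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
  final AuthorizationInfo authorizationInfo = (AuthorizationInfo) request.getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
  if (authorizationInfo == null) {
    throw new IllegalStateException("Invalid to call a secured method with null AuthorizationInfo!!");
  }
  // Memoize one decision per (datasource, READ) so repeated iteration of the returned view does
  // not consult the authorizer again for the same name.
  final Map<Pair<Resource, Action>, Access> resourceAccessMap = new HashMap<>();
  return Collections2.filter(
      getSegmentsForDatasources().keySet(),
      new Predicate<String>()
      {
        @Override
        public boolean apply(String input)
        {
          final Pair<Resource, Action> key = new Pair<>(
              new Resource(input, ResourceType.DATASOURCE),
              Action.READ
          );
          Access access = resourceAccessMap.get(key);
          if (access == null) {
            access = authorizationInfo.isAuthorized(key.lhs, key.rhs);
            resourceAccessMap.put(key, access);
          }
          return access.isAllowed();
        }
      }
  );
}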
Use of io.druid.server.security.Action in project druid by druid-io.
Class InventoryViewUtils, method getSecuredDataSources.
/**
 * Returns, as an immutable set, the datasources from {@code inventoryView} that
 * {@code authorizationInfo} permits the caller to READ. Decisions are memoized per
 * (datasource, action) pair for the duration of the call, so the authorizer is consulted at most
 * once per distinct datasource name.
 *
 * @param inventoryView     source of the candidate datasources
 * @param authorizationInfo the caller's authorizer; must not be null
 * @return the readable datasources
 * @throws ISE if {@code authorizationInfo} is null — a secured call with no principal is a bug
 */
public static Set<DruidDataSource> getSecuredDataSources(
    InventoryView inventoryView,
    final AuthorizationInfo authorizationInfo
)
{
  if (authorizationInfo == null) {
    throw new ISE("Invalid to call a secured method with null AuthorizationInfo!!");
  }
  final Map<Pair<Resource, Action>, Access> decisions = new HashMap<>();
  final Predicate<DruidDataSource> readable = new Predicate<DruidDataSource>()
  {
    @Override
    public boolean apply(DruidDataSource dataSource)
    {
      final Pair<Resource, Action> key = new Pair<>(
          new Resource(dataSource.getName(), ResourceType.DATASOURCE),
          Action.READ
      );
      if (!decisions.containsKey(key)) {
        decisions.put(key, authorizationInfo.isAuthorized(key.lhs, key.rhs));
      }
      return decisions.get(key).isAllowed();
    }
  };
  return ImmutableSet.copyOf(Iterables.filter(getDataSources(inventoryView), readable));
}
Use of io.druid.server.security.Action in project druid by druid-io.
Class QueryResourceTest, method testDenySecuredGetServer.
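/**
 * Verifies that a caller who may READ a datasource but not WRITE it gets 403 from
 * {@code QueryResource.getServer} (query cancellation) while that query is still running.
 *
 * Sequencing: the mocked authorizer blocks the READ check of the running query on
 * {@code waitForCancellationLatch}; a second thread attempts the cancellation, asserts 403, then
 * releases the latch so the query can finish with 200. Latches are released in {@code finally}
 * and both worker futures are {@code get()}'d at the end, so an assertion failure on a worker
 * thread fails the test with its cause instead of merely stalling it until the timeout.
 */
@Test(timeout = 60_000L)
public void testDenySecuredGetServer() throws Exception
{
  final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
  final CountDownLatch waitFinishLatch = new CountDownLatch(2);
  final CountDownLatch startAwaitLatch = new CountDownLatch(1);
  EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(
      new AuthorizationInfo()
      {
        @Override
        public Access isAuthorized(Resource resource, Action action)
        {
          // WRITE corresponds to cancellation of query
          if (action.equals(Action.READ)) {
            try {
              // Keep the query in flight until the cancellation attempt has been answered.
              waitForCancellationLatch.await();
            }
            catch (InterruptedException e) {
              Thread.currentThread().interrupt(); // preserve the interrupt for the worker thread
              throw Throwables.propagate(e);
            }
            return new Access(true);
          } else {
            // Deny access to cancel the query
            return new Access(false);
          }
        }
      }
  ).times(2);
  EasyMock.replay(testServletRequest);
  queryResource = new QueryResource(
      warehouse,
      serverConfig,
      jsonMapper,
      jsonMapper,
      testSegmentWalker,
      new NoopServiceEmitter(),
      new NoopRequestLogger(),
      queryManager,
      new AuthConfig(true)
  );
  final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
  ObjectMapper mapper = new DefaultObjectMapper();
  Query query = mapper.readValue(queryString, Query.class);
  final ListenableFuture<?> queryFuture = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(
      new Runnable()
      {
        @Override
        public void run()
        {
          try {
            startAwaitLatch.countDown();
            Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
            Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
          }
          catch (IOException e) {
            throw Throwables.propagate(e);
          }
          finally {
            // Always release the main thread; a failure here surfaces through queryFuture.get().
            waitFinishLatch.countDown();
          }
        }
      }
  );
  queryManager.registerQuery(query, queryFuture);
  startAwaitLatch.await();
  final ListenableFuture<?> cancelFuture = MoreExecutors.listeningDecorator(Executors.newSingleThreadExecutor()).submit(
      new Runnable()
      {
        @Override
        public void run()
        {
          try {
            Response response = queryResource.getServer("id_1", testServletRequest);
            Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
          }
          finally {
            // Release the blocked query thread even if the assertion failed, so the test cannot hang.
            waitForCancellationLatch.countDown();
            waitFinishLatch.countDown();
          }
        }
      }
  );
  waitFinishLatch.await();
  // Rethrow any AssertionError or exception raised on a worker thread as a test failure.
  cancelFuture.get();
  queryFuture.get();
}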