Example 1 with AuthorizationInfo
use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.
the class ClientInfoResource method getDataSources.
@GET
@Produces(MediaType.APPLICATION_JSON)
public Iterable<String> getDataSources(@Context final HttpServletRequest request) {
if (authConfig.isEnabled()) {
// This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
final Map<Pair<Resource, Action>, Access> resourceAccessMap = new HashMap<>();
final AuthorizationInfo authorizationInfo = (AuthorizationInfo) request.getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
return Collections2.filter(getSegmentsForDatasources().keySet(), new Predicate<String>() {
@Override
public boolean apply(String input) {
Resource resource = new Resource(input, ResourceType.DATASOURCE);
Action action = Action.READ;
Pair<Resource, Action> key = new Pair<>(resource, action);
if (resourceAccessMap.containsKey(key)) {
return resourceAccessMap.get(key).isAllowed();
} else {
Access access = authorizationInfo.isAuthorized(key.lhs, key.rhs);
resourceAccessMap.put(key, access);
return access.isAllowed();
}
}
});
} else {
return getSegmentsForDatasources().keySet();
}
}
Also used :
Action(io.druid.server.security.Action)
HashMap(java.util.HashMap)
Access(io.druid.server.security.Access)
Resource(io.druid.server.security.Resource)
AuthorizationInfo(io.druid.server.security.AuthorizationInfo)
Pair(io.druid.java.util.common.Pair)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Example 2 with AuthorizationInfo
use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.
the class IntervalsResource method getSpecificIntervals.
@GET
@Path("/{interval}")
@Produces(MediaType.APPLICATION_JSON)
public Response getSpecificIntervals(@PathParam("interval") String interval, @QueryParam("simple") String simple, @QueryParam("full") String full, @Context final HttpServletRequest req) {
final Interval theInterval = new Interval(interval.replace("_", "/"));
final Set<DruidDataSource> datasources = authConfig.isEnabled() ? InventoryViewUtils.getSecuredDataSources(serverInventoryView, (AuthorizationInfo) req.getAttribute(AuthConfig.DRUID_AUTH_TOKEN)) : InventoryViewUtils.getDataSources(serverInventoryView);
final Comparator<Interval> comparator = Comparators.inverse(Comparators.intervalsByStartThenEnd());
if (full != null) {
final Map<Interval, Map<String, Map<String, Object>>> retVal = Maps.newTreeMap(comparator);
for (DruidDataSource dataSource : datasources) {
for (DataSegment dataSegment : dataSource.getSegments()) {
if (theInterval.contains(dataSegment.getInterval())) {
Map<String, Map<String, Object>> dataSourceInterval = retVal.get(dataSegment.getInterval());
if (dataSourceInterval == null) {
Map<String, Map<String, Object>> tmp = Maps.newHashMap();
retVal.put(dataSegment.getInterval(), tmp);
}
setProperties(retVal, dataSource, dataSegment);
}
}
}
return Response.ok(retVal).build();
}
if (simple != null) {
final Map<Interval, Map<String, Object>> retVal = Maps.newHashMap();
for (DruidDataSource dataSource : datasources) {
for (DataSegment dataSegment : dataSource.getSegments()) {
if (theInterval.contains(dataSegment.getInterval())) {
Map<String, Object> properties = retVal.get(dataSegment.getInterval());
if (properties == null) {
properties = Maps.newHashMap();
properties.put("size", dataSegment.getSize());
properties.put("count", 1);
retVal.put(dataSegment.getInterval(), properties);
} else {
properties.put("size", MapUtils.getLong(properties, "size", 0L) + dataSegment.getSize());
properties.put("count", MapUtils.getInt(properties, "count", 0) + 1);
}
}
}
}
return Response.ok(retVal).build();
}
final Map<String, Object> retVal = Maps.newHashMap();
for (DruidDataSource dataSource : datasources) {
for (DataSegment dataSegment : dataSource.getSegments()) {
if (theInterval.contains(dataSegment.getInterval())) {
retVal.put("size", MapUtils.getLong(retVal, "size", 0L) + dataSegment.getSize());
retVal.put("count", MapUtils.getInt(retVal, "count", 0) + 1);
}
}
}
return Response.ok(retVal).build();
}
Also used :
AuthorizationInfo(io.druid.server.security.AuthorizationInfo)
DruidDataSource(io.druid.client.DruidDataSource)
DataSegment(io.druid.timeline.DataSegment)
Map(java.util.Map)
Interval(org.joda.time.Interval)
Path(javax.ws.rs.Path)
Produces(javax.ws.rs.Produces)
GET(javax.ws.rs.GET)
Example 3 with AuthorizationInfo
use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.
the class ConfigResourceFilter method filter.
@Override
public ContainerRequest filter(ContainerRequest request) {
if (getAuthConfig().isEnabled()) {
// This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
final String resourceName = "CONFIG";
final AuthorizationInfo authorizationInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
Preconditions.checkNotNull(authorizationInfo, "Security is enabled but no authorization info found in the request");
final Access authResult = authorizationInfo.isAuthorized(new Resource(resourceName, ResourceType.CONFIG), getAction(request));
if (!authResult.isAllowed()) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", authResult.toString())).build());
}
}
return request;
}
Also used :
WebApplicationException(javax.ws.rs.WebApplicationException)
Access(io.druid.server.security.Access)
Resource(io.druid.server.security.Resource)
AuthorizationInfo(io.druid.server.security.AuthorizationInfo)
Example 4 with AuthorizationInfo
use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.
the class RulesResourceFilter method filter.
@Override
public ContainerRequest filter(ContainerRequest request) {
if (getAuthConfig().isEnabled()) {
// This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
final String dataSourceName = request.getPathSegments().get(Iterables.indexOf(request.getPathSegments(), new Predicate<PathSegment>() {
@Override
public boolean apply(PathSegment input) {
return input.getPath().equals("rules");
}
}) + 1).getPath();
Preconditions.checkNotNull(dataSourceName);
final AuthorizationInfo authorizationInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
Preconditions.checkNotNull(authorizationInfo, "Security is enabled but no authorization info found in the request");
final Access authResult = authorizationInfo.isAuthorized(new Resource(dataSourceName, ResourceType.DATASOURCE), getAction(request));
if (!authResult.isAllowed()) {
throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", authResult.toString())).build());
}
}
return request;
}
Also used :
WebApplicationException(javax.ws.rs.WebApplicationException)
Access(io.druid.server.security.Access)
Resource(io.druid.server.security.Resource)
PathSegment(javax.ws.rs.core.PathSegment)
AuthorizationInfo(io.druid.server.security.AuthorizationInfo)
Predicate(com.google.common.base.Predicate)
Example 5 with AuthorizationInfo
use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.
the class QueryResourceTest method testSecuredQuery.
@Test
public void testSecuredQuery() throws Exception {
EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {
@Override
public Access isAuthorized(Resource resource, Action action) {
if (resource.getName().equals("allow")) {
return new Access(true);
} else {
return new Access(false);
}
}
}).times(2);
EasyMock.replay(testServletRequest);
queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
Response response = queryResource.doPost(new ByteArrayInputStream(simpleTimeSeriesQuery.getBytes("UTF-8")), null, /*pretty*/
testServletRequest);
Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
response = queryResource.doPost(new ByteArrayInputStream("{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes("UTF-8")), null, /*pretty*/
testServletRequest);
Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
}
Also used :
Response(javax.ws.rs.core.Response)
Action(io.druid.server.security.Action)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Resource(io.druid.server.security.Resource)
Access(io.druid.server.security.Access)
NoopRequestLogger(io.druid.server.log.NoopRequestLogger)
NoopServiceEmitter(io.druid.server.metrics.NoopServiceEmitter)
AuthConfig(io.druid.server.security.AuthConfig)
AuthorizationInfo(io.druid.server.security.AuthorizationInfo)
Test(org.junit.Test)
Aggregations
AuthorizationInfo (io.druid.server.security.AuthorizationInfo)20
Access (io.druid.server.security.Access)18
Resource (io.druid.server.security.Resource)18
Action (io.druid.server.security.Action)10
Produces (javax.ws.rs.Produces)9
WebApplicationException (javax.ws.rs.WebApplicationException)8
GET (javax.ws.rs.GET)6
Path (javax.ws.rs.Path)6
Response (javax.ws.rs.core.Response)6
Pair (io.druid.java.util.common.Pair)5
AuthConfig (io.druid.server.security.AuthConfig)5
HashMap (java.util.HashMap)5
DruidDataSource (io.druid.client.DruidDataSource)4
Test (org.junit.Test)4
Predicate (com.google.common.base.Predicate)3
Query (io.druid.query.Query)3
NoopRequestLogger (io.druid.server.log.NoopRequestLogger)3
NoopServiceEmitter (io.druid.server.metrics.NoopServiceEmitter)3
ByteArrayInputStream (java.io.ByteArrayInputStream)3
IOException (java.io.IOException)3
