
Example 16 with AuthorizationInfo

use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.

Class DatasourceResourceFilter, method filter.

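/**
 * Authorizes the request against the datasource named in the request path.
 * <p>
 * When auth is enabled, the datasource name is the path segment immediately
 * following the {@code "datasources"} segment, the caller's {@link AuthorizationInfo}
 * is read from the {@link AuthConfig#DRUID_AUTH_TOKEN} request attribute, and the
 * request is rejected with 403 unless the authorizer allows {@code getAction(request)}
 * on that datasource. When auth is disabled the request passes through untouched.
 *
 * @param request the incoming container request
 * @return the same request, unchanged, when auth is disabled or access is allowed
 * @throws WebApplicationException with status 400 when the path has no segment after
 *         {@code "datasources"} (or no such segment at all), or 403 when access is denied
 * @throws NullPointerException when auth is enabled but no authorization info is
 *         attached to the request, or the datasource segment has a null path
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    if (getAuthConfig().isEnabled()) {
        // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
        final int datasourcesIndex = Iterables.indexOf(request.getPathSegments(), new Predicate<PathSegment>() {
            @Override
            public boolean apply(PathSegment input) {
                return input.getPath().equals("datasources");
            }
        });
        // Iterables.indexOf yields -1 when no segment matches. Without this guard,
        // -1 + 1 would silently authorize against segment 0 instead of the datasource,
        // and a trailing "datasources" segment would surface as an IndexOutOfBoundsException.
        // Fail closed with an explicit client error instead.
        if (datasourcesIndex < 0 || datasourcesIndex + 1 >= request.getPathSegments().size()) {
            throw new WebApplicationException(
                Response.status(Response.Status.BAD_REQUEST)
                        .entity("Request path does not contain a datasource name")
                        .build()
            );
        }
        final String dataSourceName = request.getPathSegments().get(datasourcesIndex + 1).getPath();
        Preconditions.checkNotNull(dataSourceName);
        final AuthorizationInfo authorizationInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
        Preconditions.checkNotNull(authorizationInfo, "Security is enabled but no authorization info found in the request");
        final Access authResult = authorizationInfo.isAuthorized(new Resource(dataSourceName, ResourceType.DATASOURCE), getAction(request));
        if (!authResult.isAllowed()) {
            // Deny with 403; the body carries the authorizer's own description of the decision.
            throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", authResult.toString())).build());
        }
    }
    return request;
}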

Example 17 with AuthorizationInfo

use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.

Class StateResourceFilter, method filter.

/**
 * Authorizes the request against the fixed {@code "STATE"} resource.
 * <p>
 * With auth disabled the request passes straight through. Otherwise the caller's
 * {@link AuthorizationInfo} is taken from the {@link AuthConfig#DRUID_AUTH_TOKEN}
 * request attribute and asked whether {@code getAction(request)} is permitted on the
 * STATE resource; a denial becomes a 403 response.
 *
 * @param request the incoming container request
 * @return the same request, unchanged, when auth is disabled or access is allowed
 * @throws WebApplicationException with status 403 when the authorizer denies access
 * @throws NullPointerException when auth is enabled but no authorization info is attached
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    if (!getAuthConfig().isEnabled()) {
        return request;
    }
    // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
    final AuthorizationInfo authInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
    Preconditions.checkNotNull(authInfo, "Security is enabled but no authorization info found in the request");
    final Resource stateResource = new Resource("STATE", ResourceType.STATE);
    final Access decision = authInfo.isAuthorized(stateResource, getAction(request));
    if (decision.isAllowed()) {
        return request;
    }
    // Deny with 403; the body carries the authorizer's own description of the decision.
    throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(String.format("Access-Check-Result: %s", decision.toString())).build());
}

Example 18 with AuthorizationInfo

use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.

Class QueryResourceTest, method testDenySecuredGetServer.

/**
 * Exercises the path where a query is allowed to run but its cancellation is denied.
 * <p>
 * Thread choreography, driven by three latches:
 * <ol>
 *   <li>a worker thread submits the query via {@code doPost}; inside the mocked
 *       {@code isAuthorized(..., READ)} it blocks on {@code waitForCancellationLatch};</li>
 *   <li>once {@code startAwaitLatch} shows the worker has started, a second thread calls
 *       {@code getServer("id_1", ...)} (the cancellation path, per the comment inside
 *       {@code isAuthorized}); the mock denies every non-READ action, so 403 is expected;</li>
 *   <li>that thread then releases {@code waitForCancellationLatch}, the query proceeds and
 *       {@code doPost} is expected to answer 200.</li>
 * </ol>
 * {@code waitFinishLatch} counts to two so the test only returns after both threads finish.
 * NOTE(review): an assertion failure on either worker thread never reaches the JUnit thread;
 * it would leave {@code waitFinishLatch} un-counted and the test would fail only through the
 * 60s timeout rather than with the assertion message.
 */
@Test(timeout = 60_000L)
public void testDenySecuredGetServer() throws Exception {
    // Released by the cancelling thread after its 403 has been asserted.
    final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
    // One count per worker thread (query thread + cancel thread).
    final CountDownLatch waitFinishLatch = new CountDownLatch(2);
    // Signals that the query thread has started before the cancel is attempted.
    final CountDownLatch startAwaitLatch = new CountDownLatch(1);
    // times(2): presumably one getAttribute call from doPost and one from getServer — verify against QueryResource.
    EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {

        @Override
        public Access isAuthorized(Resource resource, Action action) {
            // WRITE corresponds to cancellation of query
            if (action.equals(Action.READ)) {
                try {
                    // Park the query here until the cancel thread has been rejected.
                    waitForCancellationLatch.await();
                } catch (InterruptedException e) {
                    // NOTE(review): Throwables.propagate is deprecated in later Guava releases; the
                    // interrupt flag is also not restored here.
                    Throwables.propagate(e);
                }
                return new Access(true);
            } else {
                // Deny access to cancel the query
                return new Access(false);
            }
        }
    }).times(2);
    EasyMock.replay(testServletRequest);
    // AuthConfig(true) turns the authorization checks on for this resource instance.
    queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
    final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
    ObjectMapper mapper = new DefaultObjectMapper();
    Query query = mapper.readValue(queryString, Query.class);
    // NOTE(review): this executor is never shut down; consider shutting it down in a finally block.
    ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {

        @Override
        public void run() {
            try {
                // Let the main thread know the query request is underway.
                startAwaitLatch.countDown();
                Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
                // Cancellation was denied, so the query runs to completion.
                Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
            } catch (IOException e) {
                Throwables.propagate(e);
            }
            waitFinishLatch.countDown();
        }
    });
    // Register the in-flight query under "id_1" so that getServer can find it.
    queryManager.registerQuery(query, future);
    startAwaitLatch.await();
    // NOTE(review): this executor is never shut down either.
    Executors.newSingleThreadExecutor().submit(new Runnable() {

        @Override
        public void run() {
            // The mocked authorizer denies the non-READ action, so the cancel must be refused.
            Response response = queryResource.getServer("id_1", testServletRequest);
            Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
            // Only now let the parked query continue.
            waitForCancellationLatch.countDown();
            waitFinishLatch.countDown();
        }
    });
    waitFinishLatch.await();
}

Example 19 with AuthorizationInfo

use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.

Class QueryResourceTest, method testSecuredGetServer.

/**
 * Exercises the path where both the query and its cancellation are authorized.
 * <p>
 * The mocked authorizer allows every action. The query thread parks inside
 * {@code isAuthorized(..., READ)} on {@code waitForCancellationLatch}; once
 * {@code startAwaitLatch} shows it is parked, a second thread calls
 * {@code getServer("id_1", ...)} (the cancellation path, per the comment inside
 * {@code isAuthorized}) and expects 202. The cancellation presumably interrupts the
 * parked query thread (the future was registered with {@code queryManager}); the
 * {@code InterruptedException} handler counts down {@code cancelledCountDownLatch} and
 * rethrows, and {@code doPost} is expected to answer 500.
 * NOTE(review): an assertion failure on either worker thread never reaches the JUnit
 * thread; it would leave {@code waitFinishLatch} un-counted and the test would fail only
 * through the 60s timeout rather than with the assertion message.
 */
@Test(timeout = 60_000L)
public void testSecuredGetServer() throws Exception {
    // Released by the cancel thread after its 202 has been asserted.
    final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
    // One count per worker thread (query thread + cancel thread).
    final CountDownLatch waitFinishLatch = new CountDownLatch(2);
    // Counted down from inside isAuthorized so the cancel happens while the query is parked there.
    final CountDownLatch startAwaitLatch = new CountDownLatch(1);
    // Proves the query thread actually observed the interrupt caused by cancellation.
    final CountDownLatch cancelledCountDownLatch = new CountDownLatch(1);
    // times(2): presumably one getAttribute call from doPost and one from getServer — verify against QueryResource.
    EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {

        @Override
        public Access isAuthorized(Resource resource, Action action) {
            // WRITE corresponds to cancellation of query
            if (action.equals(Action.READ)) {
                try {
                    // Countdown startAwaitLatch as we want query cancellation to happen
                    // after we enter isAuthorized method so that we can handle the
                    // InterruptedException here because of query cancellation
                    startAwaitLatch.countDown();
                    waitForCancellationLatch.await();
                } catch (InterruptedException e) {
                    // When the query is cancelled the control will reach here,
                    // countdown the latch and rethrow the exception so that error response is returned for the query
                    cancelledCountDownLatch.countDown();
                    // NOTE(review): Throwables.propagate is deprecated in later Guava releases.
                    Throwables.propagate(e);
                }
                return new Access(true);
            } else {
                // Cancellation is allowed in this scenario.
                return new Access(true);
            }
        }
    }).times(2);
    EasyMock.replay(testServletRequest);
    // AuthConfig(true) turns the authorization checks on for this resource instance.
    queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
    final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
    ObjectMapper mapper = new DefaultObjectMapper();
    Query query = mapper.readValue(queryString, Query.class);
    // NOTE(review): this executor is never shut down; consider shutting it down in a finally block.
    ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {

        @Override
        public void run() {
            try {
                Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
                // The interrupt propagated out of isAuthorized surfaces as a 500.
                Assert.assertEquals(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode(), response.getStatus());
            } catch (IOException e) {
                Throwables.propagate(e);
            }
            waitFinishLatch.countDown();
        }
    });
    // Register the in-flight query under "id_1" so that getServer can find and cancel it.
    queryManager.registerQuery(query, future);
    startAwaitLatch.await();
    // NOTE(review): this executor is never shut down either.
    Executors.newSingleThreadExecutor().submit(new Runnable() {

        @Override
        public void run() {
            // Cancellation is authorized here, so the cancel request is accepted.
            Response response = queryResource.getServer("id_1", testServletRequest);
            Assert.assertEquals(Response.Status.ACCEPTED.getStatusCode(), response.getStatus());
            waitForCancellationLatch.countDown();
            waitFinishLatch.countDown();
        }
    });
    waitFinishLatch.await();
    // Fails by timeout if the query thread was never interrupted by the cancellation.
    cancelledCountDownLatch.await();
}

Example 20 with AuthorizationInfo

use of io.druid.server.security.AuthorizationInfo in project druid by druid-io.

Class OverlordResourceTest, method setUp.

/**
 * Builds the mocks shared by the OverlordResource tests.
 * <p>
 * The task master always hands out {@code taskRunner}, the resource under test is created
 * with auth enabled, and the servlet request is set up to return an {@link AuthorizationInfo}
 * that allows access only to the resource named {@code "allow"} and denies everything else.
 *
 * @throws Exception declared for JUnit; nothing here is expected to throw
 */
@Before
public void setUp() throws Exception {
    taskRunner = EasyMock.createMock(TaskRunner.class);
    taskMaster = EasyMock.createStrictMock(TaskMaster.class);
    tsqa = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
    req = EasyMock.createStrictMock(HttpServletRequest.class);

    // Allow-list authorizer: only the resource literally named "allow" passes, regardless of action.
    final AuthorizationInfo allowOnlyAuthorizer = new AuthorizationInfo() {
        @Override
        public Access isAuthorized(Resource resource, Action action) {
            return new Access(resource.getName().equals("allow"));
        }
    };

    EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();
    overlordResource = new OverlordResource(taskMaster, tsqa, null, null, null, new AuthConfig(true));
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTH_TOKEN)).andReturn(allowOnlyAuthorizer);
}
