Use of io.druid.server.security.Resource in project druid by druid-io:
class StateResourceFilter, method filter.
@Override
public ContainerRequest filter(ContainerRequest request) {
  // Authorization is only enforced while the auth subsystem is switched on;
  // with it off every caller passes straight through to the STATE endpoints.
  if (!getAuthConfig().isEnabled()) {
    return request;
  }
  // This is an experimental feature, see - https://github.com/druid-io/druid/pull/2424
  // The authenticator is expected to have attached the caller's AuthorizationInfo to the
  // servlet request under DRUID_AUTH_TOKEN. A missing one means the auth chain is
  // misconfigured, so fail closed (the precondition throws) rather than let the call through.
  final AuthorizationInfo authInfo = (AuthorizationInfo) getReq().getAttribute(AuthConfig.DRUID_AUTH_TOKEN);
  Preconditions.checkNotNull(authInfo, "Security is enabled but no authorization info found in the request");
  // Every request through this filter is checked against the single STATE resource; the
  // action (read/write) is derived from the request itself.
  final Resource stateResource = new Resource("STATE", ResourceType.STATE);
  final Access decision = authInfo.isAuthorized(stateResource, getAction(request));
  if (decision.isAllowed()) {
    return request;
  }
  // NOTE(review): the Access object's toString() is echoed to the (unauthorized) client in the
  // 403 body, so whatever the authorizer puts into Access must be safe to disclose to that caller.
  throw new WebApplicationException(
      Response.status(Response.Status.FORBIDDEN)
          .entity(String.format("Access-Check-Result: %s", decision.toString()))
          .build()
  );
}
Use of io.druid.server.security.Resource in project druid by druid-io:
class QueryResourceTest, method testDenySecuredGetServer.
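@Test(timeout = 60_000L)
public void testDenySecuredGetServer() throws Exception {
  // Scenario: the caller may READ (run the query) but is denied WRITE (cancel it). The query
  // thread is parked inside the READ authorization check until the cancellation attempt has
  // been made and rejected, so the query must still finish with 200 OK afterwards.
  final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
  final CountDownLatch waitFinishLatch = new CountDownLatch(2);
  final CountDownLatch startAwaitLatch = new CountDownLatch(1);
  // Failures raised on the worker threads are recorded here and re-thrown on the test thread.
  // Without this an AssertionError inside a Runnable never reaches JUnit and, because the
  // latch after the assertion is never counted down, only surfaces as a 60s timeout.
  // Slot 0: query thread, slot 1: cancellation thread.
  final Throwable[] workerFailure = new Throwable[2];
  EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {
    @Override
    public Access isAuthorized(Resource resource, Action action) {
      // WRITE corresponds to cancellation of query
      if (action.equals(Action.READ)) {
        try {
          // Hold the query here until the (denied) cancellation has been attempted.
          waitForCancellationLatch.await();
        } catch (InterruptedException e) {
          Throwables.propagate(e);
        }
        return new Access(true);
      } else {
        // Deny access to cancel the query
        return new Access(false);
      }
    }
  }).times(2);
  EasyMock.replay(testServletRequest);
  queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
  final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
  ObjectMapper mapper = new DefaultObjectMapper();
  Query query = mapper.readValue(queryString, Query.class);
  ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
    @Override
    public void run() {
      try {
        startAwaitLatch.countDown();
        Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
        // Cancellation was denied, so the query runs to completion.
        Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
      } catch (Throwable t) {
        // Covers the IOException from doPost/getBytes as well as a failed assertion.
        workerFailure[0] = t;
      } finally {
        // Always release the test thread, even on failure, so the failure is reported promptly.
        waitFinishLatch.countDown();
      }
    }
  });
  queryManager.registerQuery(query, future);
  startAwaitLatch.await();
  Executors.newSingleThreadExecutor().submit(new Runnable() {
    @Override
    public void run() {
      try {
        // getServer("id_1") is the cancellation request; the authorizer refuses WRITE.
        Response response = queryResource.getServer("id_1", testServletRequest);
        Assert.assertEquals(Response.Status.FORBIDDEN.getStatusCode(), response.getStatus());
      } catch (Throwable t) {
        workerFailure[1] = t;
      } finally {
        // Let the parked query proceed regardless of the outcome here.
        waitForCancellationLatch.countDown();
        waitFinishLatch.countDown();
      }
    }
  });
  waitFinishLatch.await();
  // The latch gives the happens-before edge needed to read the worker results safely.
  for (Throwable t : workerFailure) {
    if (t != null) {
      throw new AssertionError("worker thread failed", t);
    }
  }
}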
Use of io.druid.server.security.Resource in project druid by druid-io:
class QueryResourceTest, method testSecuredGetServer.
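@Test(timeout = 60_000L)
public void testSecuredGetServer() throws Exception {
  // Scenario: the caller is allowed both READ and WRITE. The query thread is parked inside the
  // READ authorization check; the cancellation (WRITE) is accepted and interrupts that thread,
  // so the query itself must come back as an error response rather than OK.
  final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
  final CountDownLatch waitFinishLatch = new CountDownLatch(2);
  final CountDownLatch startAwaitLatch = new CountDownLatch(1);
  final CountDownLatch cancelledCountDownLatch = new CountDownLatch(1);
  // Failures raised on the worker threads are recorded here and re-thrown on the test thread.
  // Without this an AssertionError inside a Runnable never reaches JUnit and, because the
  // latch after the assertion is never counted down, only surfaces as a 60s timeout.
  // Slot 0: query thread, slot 1: cancellation thread.
  final Throwable[] workerFailure = new Throwable[2];
  EasyMock.expect(testServletRequest.getAttribute(EasyMock.anyString())).andReturn(new AuthorizationInfo() {
    @Override
    public Access isAuthorized(Resource resource, Action action) {
      // WRITE corresponds to cancellation of query
      if (action.equals(Action.READ)) {
        try {
          // Countdown startAwaitLatch as we want query cancellation to happen
          // after we enter isAuthorized method so that we can handle the
          // InterruptedException here because of query cancellation
          startAwaitLatch.countDown();
          waitForCancellationLatch.await();
        } catch (InterruptedException e) {
          // When the query is cancelled the control will reach here,
          // countdown the latch and rethrow the exception so that error response is returned for the query
          cancelledCountDownLatch.countDown();
          Throwables.propagate(e);
        }
        return new Access(true);
      } else {
        // Cancellation is permitted for this caller.
        return new Access(true);
      }
    }
  }).times(2);
  EasyMock.replay(testServletRequest);
  queryResource = new QueryResource(warehouse, serverConfig, jsonMapper, jsonMapper, testSegmentWalker, new NoopServiceEmitter(), new NoopRequestLogger(), queryManager, new AuthConfig(true));
  final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
  ObjectMapper mapper = new DefaultObjectMapper();
  Query query = mapper.readValue(queryString, Query.class);
  ListenableFuture future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
    @Override
    public void run() {
      try {
        Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes("UTF-8")), null, testServletRequest);
        // The interrupted authorization check is surfaced as a 500 for the query.
        Assert.assertEquals(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode(), response.getStatus());
      } catch (Throwable t) {
        // Covers the IOException from doPost/getBytes as well as a failed assertion.
        workerFailure[0] = t;
      } finally {
        // Always release the test thread, even on failure, so the failure is reported promptly.
        waitFinishLatch.countDown();
      }
    }
  });
  queryManager.registerQuery(query, future);
  startAwaitLatch.await();
  Executors.newSingleThreadExecutor().submit(new Runnable() {
    @Override
    public void run() {
      try {
        // getServer("id_1") is the cancellation request; the authorizer permits WRITE.
        Response response = queryResource.getServer("id_1", testServletRequest);
        Assert.assertEquals(Response.Status.ACCEPTED.getStatusCode(), response.getStatus());
      } catch (Throwable t) {
        workerFailure[1] = t;
      } finally {
        // Release the parked query regardless of the outcome here.
        waitForCancellationLatch.countDown();
        waitFinishLatch.countDown();
      }
    }
  });
  waitFinishLatch.await();
  // Check for worker failures before waiting on the cancellation latch: if the cancel never
  // happened, that latch would never be released and the failure would hide behind a timeout.
  for (Throwable t : workerFailure) {
    if (t != null) {
      throw new AssertionError("worker thread failed", t);
    }
  }
  cancelledCountDownLatch.await();
}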
Use of io.druid.server.security.Resource in project druid by druid-io:
class OverlordResourceTest, method setUp.
@Before
public void setUp() throws Exception {
  // All collaborators are EasyMock mocks; the strict ones additionally verify call order.
  taskRunner = EasyMock.createMock(TaskRunner.class);
  taskMaster = EasyMock.createStrictMock(TaskMaster.class);
  tsqa = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
  req = EasyMock.createStrictMock(HttpServletRequest.class);
  EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();
  // Auth is switched on so the resource under test consults the AuthorizationInfo
  // carried on the request instead of short-circuiting.
  overlordResource = new OverlordResource(taskMaster, tsqa, null, null, null, new AuthConfig(true));
  // Stub authorizer: the decision ignores the action and depends only on the resource
  // name -- "allow" is granted, every other name is denied.
  final AuthorizationInfo allowByName = new AuthorizationInfo() {
    @Override
    public Access isAuthorized(Resource resource, Action action) {
      final boolean permitted = resource.getName().equals("allow");
      return new Access(permitted);
    }
  };
  EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTH_TOKEN)).andReturn(allowByName);
}