Search in sources :

Example 1 with BasicAuthenticatorCredentialUpdate

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest method setCredentials.

@Test
public void setCredentials() {
    updater.createUser(AUTHENTICATOR_NAME, "druid");
    updater.setUserCredentials(AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
    BasicAuthenticatorCredentials credentials = userMap.get("druid").getCredentials();
    byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), credentials.getSalt(), credentials.getIterations());
    Assert.assertArrayEquals(credentials.getHash(), recalculatedHash);
    // Validate cache user map methods
    Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of("druid", new BasicAuthenticatorUser("druid", credentials));
    byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
    Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
    Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
    Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
}
Also used : BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Test(org.junit.Test)

Example 2 with BasicAuthenticatorCredentialUpdate

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate in project druid by druid-io.

the class CoordinatorBasicAuthenticatorResourceTest method testUserCredentials.

@Test
public void testUserCredentials() {
    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Assert.assertEquals(200, response.getStatus());
    response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    BasicAuthenticatorUser actualUser = (BasicAuthenticatorUser) response.getEntity();
    Assert.assertEquals("druid", actualUser.getName());
    BasicAuthenticatorCredentials credentials = actualUser.getCredentials();
    byte[] salt = credentials.getSalt();
    byte[] hash = credentials.getHash();
    int iterations = credentials.getIterations();
    Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
    Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
    Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
    byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
    Assert.assertArrayEquals(recalculatedHash, hash);
    response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertTrue(response.getEntity() instanceof byte[]);
    Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
    Assert.assertNotNull(cachedUserMap);
    Assert.assertNotNull(cachedUserMap.get("druid"));
    Assert.assertEquals("druid", cachedUserMap.get("druid").getName());
    BasicAuthenticatorCredentials cachedUserCredentials = cachedUserMap.get("druid").getCredentials();
    salt = cachedUserCredentials.getSalt();
    hash = cachedUserCredentials.getHash();
    iterations = cachedUserCredentials.getIterations();
    Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
    Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
    Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
    recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
    Assert.assertArrayEquals(recalculatedHash, hash);
    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(400, response.getStatus());
    Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
    response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Assert.assertEquals(400, response.getStatus());
    Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
}
Also used : Response(javax.ws.rs.core.Response) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Test(org.junit.Test)

Example 3 with BasicAuthenticatorCredentialUpdate

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate in project druid by druid-io.

the class ITBasicAuthConfigurationTest method setupTestSpecificHttpClients.

@Override
protected void setupTestSpecificHttpClients() throws Exception {
    // create a new user+role that can read /status
    createUserAndRoleWithPermissions(adminClient, "druid", "helloworld", "druidrole", STATE_ONLY_PERMISSIONS);
    // create 100 users
    for (int i = 0; i < 100; i++) {
        HttpUtil.makeRequest(adminClient, HttpMethod.POST, config.getCoordinatorUrl() + "/druid-ext/basic-security/authentication/db/basic/users/druid" + i, null);
        HttpUtil.makeRequest(adminClient, HttpMethod.POST, config.getCoordinatorUrl() + "/druid-ext/basic-security/authorization/db/basic/users/druid" + i, null);
        LOG.info("Finished creating user druid" + i);
    }
    // setup the last of 100 users and check that it works
    HttpUtil.makeRequest(adminClient, HttpMethod.POST, config.getCoordinatorUrl() + "/druid-ext/basic-security/authentication/db/basic/users/druid99/credentials", jsonMapper.writeValueAsBytes(new BasicAuthenticatorCredentialUpdate("helloworld", 5000)));
    HttpUtil.makeRequest(adminClient, HttpMethod.POST, config.getCoordinatorUrl() + "/druid-ext/basic-security/authorization/db/basic/users/druid99/roles/druidrole", null);
    druid99 = new CredentialedHttpClient(new BasicCredentials("druid99", "helloworld"), httpClient);
}
Also used : CredentialedHttpClient(org.apache.druid.java.util.http.client.CredentialedHttpClient) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) BasicCredentials(org.apache.druid.java.util.http.client.auth.BasicCredentials)

Example 4 with BasicAuthenticatorCredentialUpdate

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdater method setUserCredentialsInternal.

private void setUserCredentialsInternal(String prefix, String userName, BasicAuthenticatorCredentialUpdate update) {
    BasicAuthenticatorCredentials credentials;
    // use default iteration count from Authenticator if not specified in request
    if (update.getIterations() == -1) {
        BasicHTTPAuthenticator authenticator = (BasicHTTPAuthenticator) authenticatorMapper.getAuthenticatorMap().get(prefix);
        credentials = new BasicAuthenticatorCredentials(new BasicAuthenticatorCredentialUpdate(update.getPassword(), authenticator.getDbConfig().getCredentialIterations()));
    } else {
        credentials = new BasicAuthenticatorCredentials(update);
    }
    int attempts = 0;
    while (attempts < numRetries) {
        if (setUserCredentialOnce(prefix, userName, credentials)) {
            return;
        } else {
            attempts++;
        }
        try {
            Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
        } catch (InterruptedException ie) {
            throw new RuntimeException(ie);
        }
    }
    throw new ISE("Could not set credentials for user[%s] due to concurrent update contention.", userName);
}
Also used : BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) ISE(org.apache.druid.java.util.common.ISE)

Example 5 with BasicAuthenticatorCredentialUpdate

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdater method start.

@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    if (authenticatorMapper == null || authenticatorMapper.getAuthenticatorMap() == null) {
        return;
    }
    try {
        LOG.info("Starting CoordinatorBasicAuthenticatorMetadataStorageUpdater.");
        BasicAuthUtils.maybeInitialize(() -> {
            for (Map.Entry<String, Authenticator> entry : authenticatorMapper.getAuthenticatorMap().entrySet()) {
                Authenticator authenticator = entry.getValue();
                if (authenticator instanceof BasicHTTPAuthenticator) {
                    String authenticatorName = entry.getKey();
                    authenticatorPrefixes.add(authenticatorName);
                    BasicHTTPAuthenticator basicHTTPAuthenticator = (BasicHTTPAuthenticator) authenticator;
                    BasicAuthDBConfig dbConfig = basicHTTPAuthenticator.getDbConfig();
                    byte[] userMapBytes = getCurrentUserMapBytes(authenticatorName);
                    Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                    cachedUserMaps.put(authenticatorName, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                    if (dbConfig.getInitialAdminPassword() != null && !userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialAdminPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                    if (dbConfig.getInitialInternalClientPassword() != null && !userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialInternalClientPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                }
            }
            return true;
        });
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), new Callable<ScheduledExecutors.Signal>() {

            @Override
            public ScheduledExecutors.Signal call() {
                if (stopped) {
                    return ScheduledExecutors.Signal.STOP;
                }
                try {
                    LOG.debug("Scheduled db userMap poll is running");
                    for (String authenticatorPrefix : authenticatorPrefixes) {
                        byte[] userMapBytes = getCurrentUserMapBytes(authenticatorPrefix);
                        Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                        if (userMapBytes != null) {
                            cachedUserMaps.put(authenticatorPrefix, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                        }
                    }
                    LOG.debug("Scheduled db userMap poll is done");
                } catch (Throwable t) {
                    LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
                }
                return ScheduledExecutors.Signal.REPEAT;
            }
        });
        lifecycleLock.started();
    } finally {
        lifecycleLock.exitStart();
    }
}
Also used : Duration(org.joda.time.Duration) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) BasicAuthenticatorUserMapBundle(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUserMapBundle) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) ISE(org.apache.druid.java.util.common.ISE) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Authenticator(org.apache.druid.server.security.Authenticator) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)

Aggregations

BasicAuthenticatorCredentialUpdate (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate)5 BasicAuthenticatorCredentials (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials)3 BasicAuthenticatorUser (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser)3 ISE (org.apache.druid.java.util.common.ISE)2 BasicHTTPAuthenticator (org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator)2 Test (org.junit.Test)2 Map (java.util.Map)1 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1 Response (javax.ws.rs.core.Response)1 LifecycleStart (org.apache.druid.java.util.common.lifecycle.LifecycleStart)1 CredentialedHttpClient (org.apache.druid.java.util.http.client.CredentialedHttpClient)1 BasicCredentials (org.apache.druid.java.util.http.client.auth.BasicCredentials)1 BasicAuthDBConfig (org.apache.druid.security.basic.BasicAuthDBConfig)1 BasicAuthenticatorUserMapBundle (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUserMapBundle)1 Authenticator (org.apache.druid.server.security.Authenticator)1 Duration (org.joda.time.Duration)1