use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.
the class LDAPCredentialsValidator method validateCredentials.
@Override
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
SearchResult userResult;
LdapName userDn;
Map<String, Object> contextMap = new HashMap<>();
LdapUserPrincipal principal = this.cache.getOrExpire(username);
if (principal != null && principal.hasSameCredentials(password)) {
contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult());
return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
} else {
ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
try {
// Set the context classloader same as the loader of this class so that BasicSecuritySSLSocketFactory
// class can be found
Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
try {
userResult = getLdapUserObject(this.ldapConfig, dirContext, username);
if (userResult == null) {
LOG.debug("User not found: %s", username);
return null;
}
userDn = new LdapName(userResult.getNameInNamespace());
} finally {
try {
dirContext.close();
} catch (Exception ignored) {
// ignored
}
}
} catch (NamingException e) {
LOG.error(e, "Exception during user lookup");
return null;
} finally {
Thread.currentThread().setContextClassLoader(currentClassLoader);
}
if (!validatePassword(this.ldapConfig, userDn, password)) {
LOG.debug("Password incorrect for LDAP user %s", username);
throw new BasicSecurityAuthenticationException("User LDAP authentication failed.");
}
byte[] salt = BasicAuthUtils.generateSalt();
byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations());
LdapUserPrincipal newPrincipal = new LdapUserPrincipal(username, new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()), userResult);
this.cache.put(username, newPrincipal);
contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
}
}
use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.
the class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest method setCredentials.
@Test
public void setCredentials() {
updater.createUser(AUTHENTICATOR_NAME, "druid");
updater.setUserCredentials(AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
BasicAuthenticatorCredentials credentials = userMap.get("druid").getCredentials();
byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), credentials.getSalt(), credentials.getIterations());
Assert.assertArrayEquals(credentials.getHash(), recalculatedHash);
// Validate cache user map methods
Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of("druid", new BasicAuthenticatorUser("druid", credentials));
byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
}
use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.
the class CoordinatorBasicAuthenticatorResourceTest method testUserCredentials.
@Test
public void testUserCredentials() {
Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
Assert.assertEquals(200, response.getStatus());
response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
BasicAuthenticatorUser actualUser = (BasicAuthenticatorUser) response.getEntity();
Assert.assertEquals("druid", actualUser.getName());
BasicAuthenticatorCredentials credentials = actualUser.getCredentials();
byte[] salt = credentials.getSalt();
byte[] hash = credentials.getHash();
int iterations = credentials.getIterations();
Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
Assert.assertArrayEquals(recalculatedHash, hash);
response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
Assert.assertEquals(200, response.getStatus());
Assert.assertTrue(response.getEntity() instanceof byte[]);
Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
Assert.assertNotNull(cachedUserMap);
Assert.assertNotNull(cachedUserMap.get("druid"));
Assert.assertEquals("druid", cachedUserMap.get("druid").getName());
BasicAuthenticatorCredentials cachedUserCredentials = cachedUserMap.get("druid").getCredentials();
salt = cachedUserCredentials.getSalt();
hash = cachedUserCredentials.getHash();
iterations = cachedUserCredentials.getIterations();
Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
Assert.assertArrayEquals(recalculatedHash, hash);
response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
}
use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.
the class MetadataStoreCredentialsValidator method validateCredentials.
@Override
@Nullable
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(authenticatorName);
if (userMap == null) {
throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName);
}
BasicAuthenticatorUser user = userMap.get(username);
if (user == null) {
return null;
}
BasicAuthenticatorCredentials credentials = user.getCredentials();
if (credentials == null) {
return null;
}
byte[] recalculatedHash = BasicAuthUtils.hashPassword(password, credentials.getSalt(), credentials.getIterations());
if (Arrays.equals(recalculatedHash, credentials.getHash())) {
return new AuthenticationResult(username, authorizerName, authenticatorName, null);
} else {
LOG.debug("Password incorrect for metadata store user %s", username);
throw new BasicSecurityAuthenticationException("User metadata store authentication failed.");
}
}
use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.
the class CoordinatorBasicAuthenticatorMetadataStorageUpdater method setUserCredentialsInternal.
private void setUserCredentialsInternal(String prefix, String userName, BasicAuthenticatorCredentialUpdate update) {
BasicAuthenticatorCredentials credentials;
// use default iteration count from Authenticator if not specified in request
if (update.getIterations() == -1) {
BasicHTTPAuthenticator authenticator = (BasicHTTPAuthenticator) authenticatorMapper.getAuthenticatorMap().get(prefix);
credentials = new BasicAuthenticatorCredentials(new BasicAuthenticatorCredentialUpdate(update.getPassword(), authenticator.getDbConfig().getCredentialIterations()));
} else {
credentials = new BasicAuthenticatorCredentials(update);
}
int attempts = 0;
while (attempts < numRetries) {
if (setUserCredentialOnce(prefix, userName, credentials)) {
return;
} else {
attempts++;
}
try {
Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
} catch (InterruptedException ie) {
throw new RuntimeException(ie);
}
}
throw new ISE("Could not set credentials for user[%s] due to concurrent update contention.", userName);
}
Aggregations