Search in sources :

Example 1 with BasicAuthenticatorCredentials

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.

the class LDAPCredentialsValidator method validateCredentials.

@Override
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    SearchResult userResult;
    LdapName userDn;
    Map<String, Object> contextMap = new HashMap<>();
    LdapUserPrincipal principal = this.cache.getOrExpire(username);
    if (principal != null && principal.hasSameCredentials(password)) {
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult());
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    } else {
        ClassLoader currentClassLoader = Thread.currentThread().getContextClassLoader();
        try {
            // Set the context classloader same as the loader of this class so that BasicSecuritySSLSocketFactory
            // class can be found
            Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
            InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
            try {
                userResult = getLdapUserObject(this.ldapConfig, dirContext, username);
                if (userResult == null) {
                    LOG.debug("User not found: %s", username);
                    return null;
                }
                userDn = new LdapName(userResult.getNameInNamespace());
            } finally {
                try {
                    dirContext.close();
                } catch (Exception ignored) {
                // ignored
                }
            }
        } catch (NamingException e) {
            LOG.error(e, "Exception during user lookup");
            return null;
        } finally {
            Thread.currentThread().setContextClassLoader(currentClassLoader);
        }
        if (!validatePassword(this.ldapConfig, userDn, password)) {
            LOG.debug("Password incorrect for LDAP user %s", username);
            throw new BasicSecurityAuthenticationException("User LDAP authentication failed.");
        }
        byte[] salt = BasicAuthUtils.generateSalt();
        byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations());
        LdapUserPrincipal newPrincipal = new LdapUserPrincipal(username, new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()), userResult);
        this.cache.put(username, newPrincipal);
        contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult);
        return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap);
    }
}
Also used : BasicSecurityAuthenticationException(org.apache.druid.security.basic.BasicSecurityAuthenticationException) HashMap(java.util.HashMap) LinkedHashMap(java.util.LinkedHashMap) SearchResult(javax.naming.directory.SearchResult) InitialDirContext(javax.naming.directory.InitialDirContext) BasicSecurityAuthenticationException(org.apache.druid.security.basic.BasicSecurityAuthenticationException) NamingException(javax.naming.NamingException) AuthenticationException(javax.naming.AuthenticationException) LdapName(javax.naming.ldap.LdapName) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) NamingException(javax.naming.NamingException) LdapUserPrincipal(org.apache.druid.security.basic.authentication.LdapUserPrincipal)

Example 2 with BasicAuthenticatorCredentials

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest method setCredentials.

@Test
public void setCredentials() {
    updater.createUser(AUTHENTICATOR_NAME, "druid");
    updater.setUserCredentials(AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
    BasicAuthenticatorCredentials credentials = userMap.get("druid").getCredentials();
    byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), credentials.getSalt(), credentials.getIterations());
    Assert.assertArrayEquals(credentials.getHash(), recalculatedHash);
    // Validate cache user map methods
    Map<String, BasicAuthenticatorUser> expectedUserMap = ImmutableMap.of("druid", new BasicAuthenticatorUser("druid", credentials));
    byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap);
    Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME));
    Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME));
    Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME));
}
Also used : BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Test(org.junit.Test)

Example 3 with BasicAuthenticatorCredentials

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.

the class CoordinatorBasicAuthenticatorResourceTest method testUserCredentials.

@Test
public void testUserCredentials() {
    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Assert.assertEquals(200, response.getStatus());
    response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    BasicAuthenticatorUser actualUser = (BasicAuthenticatorUser) response.getEntity();
    Assert.assertEquals("druid", actualUser.getName());
    BasicAuthenticatorCredentials credentials = actualUser.getCredentials();
    byte[] salt = credentials.getSalt();
    byte[] hash = credentials.getHash();
    int iterations = credentials.getIterations();
    Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
    Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
    Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
    byte[] recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
    Assert.assertArrayEquals(recalculatedHash, hash);
    response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertTrue(response.getEntity() instanceof byte[]);
    Map<String, BasicAuthenticatorUser> cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity());
    Assert.assertNotNull(cachedUserMap);
    Assert.assertNotNull(cachedUserMap.get("druid"));
    Assert.assertEquals("druid", cachedUserMap.get("druid").getName());
    BasicAuthenticatorCredentials cachedUserCredentials = cachedUserMap.get("druid").getCredentials();
    salt = cachedUserCredentials.getSalt();
    hash = cachedUserCredentials.getHash();
    iterations = cachedUserCredentials.getIterations();
    Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length);
    Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length);
    Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations);
    recalculatedHash = BasicAuthUtils.hashPassword("helloworld".toCharArray(), salt, iterations);
    Assert.assertArrayEquals(recalculatedHash, hash);
    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
    Assert.assertEquals(400, response.getStatus());
    Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
    response = resource.updateUserCredentials(req, AUTHENTICATOR_NAME, "druid", new BasicAuthenticatorCredentialUpdate("helloworld", null));
    Assert.assertEquals(400, response.getStatus());
    Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
}
Also used : Response(javax.ws.rs.core.Response) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Test(org.junit.Test)

Example 4 with BasicAuthenticatorCredentials

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.

the class MetadataStoreCredentialsValidator method validateCredentials.

@Override
@Nullable
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(authenticatorName);
    if (userMap == null) {
        throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName);
    }
    BasicAuthenticatorUser user = userMap.get(username);
    if (user == null) {
        return null;
    }
    BasicAuthenticatorCredentials credentials = user.getCredentials();
    if (credentials == null) {
        return null;
    }
    byte[] recalculatedHash = BasicAuthUtils.hashPassword(password, credentials.getSalt(), credentials.getIterations());
    if (Arrays.equals(recalculatedHash, credentials.getHash())) {
        return new AuthenticationResult(username, authorizerName, authenticatorName, null);
    } else {
        LOG.debug("Password incorrect for metadata store user %s", username);
        throw new BasicSecurityAuthenticationException("User metadata store authentication failed.");
    }
}
Also used : BasicSecurityAuthenticationException(org.apache.druid.security.basic.BasicSecurityAuthenticationException) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) IAE(org.apache.druid.java.util.common.IAE) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Nullable(javax.annotation.Nullable)

Example 5 with BasicAuthenticatorCredentials

use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdater method setUserCredentialsInternal.

private void setUserCredentialsInternal(String prefix, String userName, BasicAuthenticatorCredentialUpdate update) {
    BasicAuthenticatorCredentials credentials;
    // use default iteration count from Authenticator if not specified in request
    if (update.getIterations() == -1) {
        BasicHTTPAuthenticator authenticator = (BasicHTTPAuthenticator) authenticatorMapper.getAuthenticatorMap().get(prefix);
        credentials = new BasicAuthenticatorCredentials(new BasicAuthenticatorCredentialUpdate(update.getPassword(), authenticator.getDbConfig().getCredentialIterations()));
    } else {
        credentials = new BasicAuthenticatorCredentials(update);
    }
    int attempts = 0;
    while (attempts < numRetries) {
        if (setUserCredentialOnce(prefix, userName, credentials)) {
            return;
        } else {
            attempts++;
        }
        try {
            Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY));
        } catch (InterruptedException ie) {
            throw new RuntimeException(ie);
        }
    }
    throw new ISE("Could not set credentials for user[%s] due to concurrent update contention.", userName);
}
Also used : BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) ISE(org.apache.druid.java.util.common.ISE)

Aggregations

BasicAuthenticatorCredentials (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials)5 BasicAuthenticatorCredentialUpdate (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate)3 BasicAuthenticatorUser (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser)3 BasicSecurityAuthenticationException (org.apache.druid.security.basic.BasicSecurityAuthenticationException)2 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)2 Test (org.junit.Test)2 HashMap (java.util.HashMap)1 LinkedHashMap (java.util.LinkedHashMap)1 Nullable (javax.annotation.Nullable)1 AuthenticationException (javax.naming.AuthenticationException)1 NamingException (javax.naming.NamingException)1 InitialDirContext (javax.naming.directory.InitialDirContext)1 SearchResult (javax.naming.directory.SearchResult)1 LdapName (javax.naming.ldap.LdapName)1 Response (javax.ws.rs.core.Response)1 IAE (org.apache.druid.java.util.common.IAE)1 ISE (org.apache.druid.java.util.common.ISE)1 BasicHTTPAuthenticator (org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator)1 LdapUserPrincipal (org.apache.druid.security.basic.authentication.LdapUserPrincipal)1