
Example 11 with BasicAuthenticatorUser

Use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser in project druid by druid-io.

Class MetadataStoreCredentialsValidator, method validateCredentials.

@Override
@Nullable
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    Map<String, BasicAuthenticatorUser> userMap = cacheManager.get().getUserMap(authenticatorName);
    if (userMap == null) {
        throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName);
    }
    BasicAuthenticatorUser user = userMap.get(username);
    if (user == null) {
        return null;
    }
    BasicAuthenticatorCredentials credentials = user.getCredentials();
    if (credentials == null) {
        return null;
    }
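    byte[] recalculatedHash = BasicAuthUtils.hashPassword(password, credentials.getSalt(), credentials.getIterations());
    // Arrays.equals returns at the first differing byte, so this comparison is not constant-time;
    // java.security.MessageDigest.isEqual is the constant-time alternative for comparing hashes.
    if (Arrays.equals(recalculatedHash, credentials.getHash())) {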
        return new AuthenticationResult(username, authorizerName, authenticatorName, null);
    } else {
        LOG.debug("Password incorrect for metadata store user %s", username);
        throw new BasicSecurityAuthenticationException("User metadata store authentication failed.");
    }
}
Also used : BasicSecurityAuthenticationException(org.apache.druid.security.basic.BasicSecurityAuthenticationException) BasicAuthenticatorCredentials(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) IAE(org.apache.druid.java.util.common.IAE) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Nullable(javax.annotation.Nullable)

Example 12 with BasicAuthenticatorUser

Use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser in project druid by druid-io.

Class CoordinatorPollingBasicAuthenticatorCacheManager, method tryFetchUserMapFromCoordinator.

private Map<String, BasicAuthenticatorUser> tryFetchUserMapFromCoordinator(String prefix) throws Exception {
    Map<String, BasicAuthenticatorUser> userMap = null;
    Request req = druidLeaderClient.makeRequest(HttpMethod.GET, StringUtils.format("/druid-ext/basic-security/authentication/db/%s/cachedSerializedUserMap", prefix));
    BytesFullResponseHolder responseHolder = druidLeaderClient.go(req, new BytesFullResponseHandler());
    byte[] userMapBytes = responseHolder.getContent();
    if (ArrayUtils.isNotEmpty(userMapBytes)) {
        userMap = objectMapper.readValue(userMapBytes, BasicAuthUtils.AUTHENTICATOR_USER_MAP_TYPE_REFERENCE);
        if (userMap != null && commonCacheConfig.getCacheDirectory() != null) {
            writeUserMapToDisk(prefix, userMapBytes);
        }
    } else {
        LOG.info("Empty cached serialized user map retrieved, authenticator - %s", prefix);
    }
    return userMap;
}
Also used : BytesFullResponseHolder(org.apache.druid.java.util.http.client.response.BytesFullResponseHolder) Request(org.apache.druid.java.util.http.client.Request) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) BytesFullResponseHandler(org.apache.druid.java.util.http.client.response.BytesFullResponseHandler)

Example 13 with BasicAuthenticatorUser

Use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser in project druid by druid-io.

Class CoordinatorPollingBasicAuthenticatorCacheManager, method start.

@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    LOG.info("Starting CoordinatorPollingBasicAuthenticatorCacheManager.");
    try {
        initUserMaps();
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), () -> {
            try {
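                // nextLong(origin, bound) throws IllegalArgumentException when bound <= origin, so if
                // getMaxRandomDelay() returns 0 or less this cycle ends in the catch block without polling.
                long randomDelay = ThreadLocalRandom.current().nextLong(0, commonCacheConfig.getMaxRandomDelay());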
                LOG.debug("Inserting cachedUserMaps random polling delay of [%s] ms", randomDelay);
                Thread.sleep(randomDelay);
                LOG.debug("Scheduled user cache poll is running");
                for (String authenticatorPrefix : authenticatorPrefixes) {
                    Map<String, BasicAuthenticatorUser> userMap = fetchUserMapFromCoordinator(authenticatorPrefix, false);
                    if (userMap != null) {
                        cachedUserMaps.put(authenticatorPrefix, userMap);
                    }
                }
                LOG.debug("Scheduled user cache poll is done");
            } catch (Throwable t) {
                LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
            }
        });
        lifecycleLock.started();
        LOG.info("Started CoordinatorPollingBasicAuthenticatorCacheManager.");
    } finally {
        lifecycleLock.exitStart();
    }
}
Also used : ISE(org.apache.druid.java.util.common.ISE) Duration(org.joda.time.Duration) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)

Example 14 with BasicAuthenticatorUser

Use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser in project druid by druid-io.

Class CoordinatorPollingBasicAuthenticatorCacheManager, method initUserMaps.

private void initUserMaps() {
    AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
    if (authenticatorMapper == null || authenticatorMapper.getAuthenticatorMap() == null) {
        return;
    }
    for (Map.Entry<String, Authenticator> entry : authenticatorMapper.getAuthenticatorMap().entrySet()) {
        Authenticator authenticator = entry.getValue();
        if (authenticator instanceof BasicHTTPAuthenticator) {
            String authenticatorName = entry.getKey();
            authenticatorPrefixes.add(authenticatorName);
            Map<String, BasicAuthenticatorUser> userMap = fetchUserMapFromCoordinator(authenticatorName, true);
            if (userMap != null) {
                cachedUserMaps.put(authenticatorName, userMap);
            }
        }
    }
}
Also used : AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Authenticator(org.apache.druid.server.security.Authenticator)

Example 15 with BasicAuthenticatorUser

Use of org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser in project druid by druid-io.

Class CoordinatorBasicAuthenticatorMetadataStorageUpdater, method start.

@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    if (authenticatorMapper == null || authenticatorMapper.getAuthenticatorMap() == null) {
        return;
    }
    try {
        LOG.info("Starting CoordinatorBasicAuthenticatorMetadataStorageUpdater.");
        BasicAuthUtils.maybeInitialize(() -> {
            for (Map.Entry<String, Authenticator> entry : authenticatorMapper.getAuthenticatorMap().entrySet()) {
                Authenticator authenticator = entry.getValue();
                if (authenticator instanceof BasicHTTPAuthenticator) {
                    String authenticatorName = entry.getKey();
                    authenticatorPrefixes.add(authenticatorName);
                    BasicHTTPAuthenticator basicHTTPAuthenticator = (BasicHTTPAuthenticator) authenticator;
                    BasicAuthDBConfig dbConfig = basicHTTPAuthenticator.getDbConfig();
                    byte[] userMapBytes = getCurrentUserMapBytes(authenticatorName);
                    Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                    cachedUserMaps.put(authenticatorName, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                    if (dbConfig.getInitialAdminPassword() != null && !userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialAdminPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                    if (dbConfig.getInitialInternalClientPassword() != null && !userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialInternalClientPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                }
            }
            return true;
        });
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), new Callable<ScheduledExecutors.Signal>() {

            @Override
            public ScheduledExecutors.Signal call() {
                if (stopped) {
                    return ScheduledExecutors.Signal.STOP;
                }
                try {
                    LOG.debug("Scheduled db userMap poll is running");
                    for (String authenticatorPrefix : authenticatorPrefixes) {
                        byte[] userMapBytes = getCurrentUserMapBytes(authenticatorPrefix);
                        Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                        if (userMapBytes != null) {
                            cachedUserMaps.put(authenticatorPrefix, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                        }
                    }
                    LOG.debug("Scheduled db userMap poll is done");
                } catch (Throwable t) {
                    LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
                }
                return ScheduledExecutors.Signal.REPEAT;
            }
        });
        lifecycleLock.started();
    } finally {
        lifecycleLock.exitStart();
    }
}
Also used : Duration(org.joda.time.Duration) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) BasicAuthenticatorUserMapBundle(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUserMapBundle) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) ISE(org.apache.druid.java.util.common.ISE) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Authenticator(org.apache.druid.server.security.Authenticator) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)
