
Example 1 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

From class ITBasicAuthLdapConfigurationTest, method createRoleWithPermissionsAndGroupMapping:

/**
 * Integration-test helper: creates every role named in {@code roleTopermissions}, posts the
 * given permission list to each role, then creates one LDAP group mapping that points the DN
 * {@code cn=<group>,ou=Groups,dc=example,dc=org} at all of those roles.
 *
 * Every request goes through {@code adminClient} to the coordinator's basic-security
 * authorization endpoints for the {@code ldapauth} authorizer. Role and group names are spliced
 * into the URL path and into the DN without any escaping, so this is only safe for the
 * test-controlled identifiers the suite passes in.
 *
 * @param group            LDAP group CN; the mapping is named {@code <group>Mapping}
 * @param roleTopermissions role name -> permissions to grant that role
 * @throws Exception propagated from JSON serialization or the HTTP helper
 */
private void createRoleWithPermissionsAndGroupMapping(String group, Map<String, List<ResourceAction>> roleTopermissions) throws Exception {
    String authzBase = StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth", config.getCoordinatorUrl());
    // Pass 1: create all roles before any permission list is posted (same ordering as the two-pass original).
    for (String roleName : roleTopermissions.keySet()) {
        HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/roles/%s", authzBase, roleName), null);
    }
    // Pass 2: attach each role's permission list.
    for (Map.Entry<String, List<ResourceAction>> roleAndPermissions : roleTopermissions.entrySet()) {
        byte[] permissionsJson = jsonMapper.writeValueAsBytes(roleAndPermissions.getValue());
        HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/roles/%s/permissions", authzBase, roleAndPermissions.getKey()), permissionsJson);
    }
    // Pass 3: a single mapping from the group DN to the whole role set.
    String groupMappingName = group + "Mapping";
    String groupDn = StringUtils.format("cn=%s,ou=Groups,dc=example,dc=org", group);
    BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping(groupMappingName, groupDn, roleTopermissions.keySet());
    byte[] groupMappingJson = jsonMapper.writeValueAsBytes(groupMapping);
    HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/groupMappings/%s", authzBase, groupMappingName), groupMappingJson);
}

Example 2 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

From class CoordinatorBasicAuthorizerMetadataStorageUpdater, method assignGroupMappingRoleOnce:

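/**
 * Single attempt at adding {@code roleName} to the group mapping {@code groupMappingName}
 * stored under {@code prefix}.
 *
 * The role map is read first and resubmitted unchanged together with the modified group-mapping
 * map, so that the conditional update also fails if the role table changed underneath us
 * (e.g. the role was deleted between the existence check and the write).
 *
 * @return the result of the conditional update; the "Once" suffix suggests the caller retries
 *         on {@code false}, but the retry loop is outside this view
 * @throws BasicSecurityDBResourceException if the role or the mapping does not exist, or the
 *         mapping already carries the role
 */
private boolean assignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) {
    byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
    if (roleMap.get(roleName) == null) {
        throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
    }
    byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMappingMapValue);
    // Look the mapping up once and null-check the result instead of querying the map twice.
    BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
    if (groupMapping == null) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
    }
    if (groupMapping.getRoles().contains(roleName)) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] already has role [%s].", groupMappingName, roleName);
    }
    // Mutates the deserialized copy only; nothing is persisted until the conditional update below.
    groupMapping.getRoles().add(roleName);
    byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
    // Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
    return tryUpdateGroupMappingAndRoleMap(prefix, groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, roleMap, oldRoleMapValue, oldRoleMapValue);
}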

Example 3 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

From class BasicRoleBasedAuthorizerTest, method testAuthGroupMappingPatternRightMask:

/**
 * Two LDAP group mappings whose patterns end in a wildcard ({@code CN=admin,*} and
 * {@code CN=user,*}) are each bound to one role: admin gets READ+WRITE on {@code testResource},
 * user gets READ only. Both mappings exist in the store before any authorize() call, so each
 * identity is evaluated against a store that also holds the other mapping. Every identity must
 * still be denied on a datasource no role grants ({@code wrongResource}).
 */
@Test
public void testAuthGroupMappingPatternRightMask() {
    Resource testResource = new Resource("testResource", ResourceType.DATASOURCE);
    Resource wrongResource = new Resource("wrongResource", ResourceType.DATASOURCE);

    // Admin side of the fixture.
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null));
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", Arrays.asList(new ResourceAction(testResource, Action.WRITE), new ResourceAction(testResource, Action.READ)));

    // User side of the fixture.
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null));
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", Collections.singletonList(new ResourceAction(testResource, Action.READ)));

    // Admin identity: READ and WRITE on testResource, denied elsewhere.
    Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult adminAuth = new AuthenticationResult("druidadmin", "druid", null, adminContext);
    Assert.assertTrue(ldapAuthorizer.authorize(adminAuth, testResource, Action.READ).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(adminAuth, testResource, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(adminAuth, wrongResource, Action.WRITE).isAllowed());

    // User identity: READ only on testResource, denied elsewhere.
    Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult userAuth = new AuthenticationResult("druiduser", "druid", null, userContext);
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, testResource, Action.WRITE).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(userAuth, testResource, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, wrongResource, Action.READ).isAllowed());
}

Example 4 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

From class BasicRoleBasedAuthorizerTest, method testAuthMissingGroupMapping:

/**
 * Fail-closed check: the only group mapping in the store ({@code CN=unknown,*}) carries a role
 * with READ+WRITE on {@code testResource}, but the identity under test is authenticated with
 * {@code userSearchResult}. Every authorize() call — both actions on both datasources — is
 * expected to be denied, presumably because that search result does not match the mapping
 * (the matching itself happens inside {@code ldapAuthorizer}, outside this view).
 */
@Test
public void testAuthMissingGroupMapping() {
    Resource testResource = new Resource("testResource", ResourceType.DATASOURCE);
    Resource wrongResource = new Resource("wrongResource", ResourceType.DATASOURCE);

    // A fully privileged role, reachable only through a mapping the user is not expected to match.
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null));
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", Arrays.asList(new ResourceAction(testResource, Action.WRITE), new ResourceAction(testResource, Action.READ)));

    Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult userAuth = new AuthenticationResult("druiduser", "druid", null, userContext);

    // Nothing is granted: not the permitted datasource, not the unrelated one, for either action.
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, testResource, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, testResource, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, wrongResource, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, wrongResource, Action.READ).isAllowed());
}

Example 5 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

From class CoordinatorBasicAuthorizerMetadataStorageUpdater, method unassignGroupMappingRoleOnce:

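/**
 * Single attempt at removing {@code roleName} from the group mapping {@code groupMappingName}
 * stored under {@code prefix}. Mirrors {@code assignGroupMappingRoleOnce}: the role map is
 * read first and resubmitted unchanged together with the modified group-mapping map, so that
 * the conditional update also fails if the role table changed underneath us (e.g. the role was
 * deleted between the existence check and the write).
 *
 * @return the result of the conditional update; the "Once" suffix suggests the caller retries
 *         on {@code false}, but the retry loop is outside this view
 * @throws BasicSecurityDBResourceException if the role or the mapping does not exist, or the
 *         mapping does not currently carry the role
 */
private boolean unassignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) {
    byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
    if (roleMap.get(roleName) == null) {
        throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
    }
    byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMappingMapValue);
    // Look the mapping up once and null-check the result instead of querying the map twice.
    BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
    if (groupMapping == null) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
    }
    if (!groupMapping.getRoles().contains(roleName)) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", groupMappingName, roleName);
    }
    // Mutates the deserialized copy only; nothing is persisted until the conditional update below.
    groupMapping.getRoles().remove(roleName);
    byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
    // Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
    return tryUpdateGroupMappingAndRoleMap(prefix, groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, roleMap, oldRoleMapValue, oldRoleMapValue);
}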
