use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class ITBasicAuthLdapConfigurationTest method createRoleWithPermissionsAndGroupMapping.
private void createRoleWithPermissionsAndGroupMapping(String group, Map<String, List<ResourceAction>> roleTopermissions) throws Exception {
roleTopermissions.keySet().forEach(role -> HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s", config.getCoordinatorUrl(), role), null));
for (Map.Entry<String, List<ResourceAction>> entry : roleTopermissions.entrySet()) {
String role = entry.getKey();
List<ResourceAction> permissions = entry.getValue();
byte[] permissionsBytes = jsonMapper.writeValueAsBytes(permissions);
HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s/permissions", config.getCoordinatorUrl(), role), permissionsBytes);
}
String groupMappingName = StringUtils.format("%sMapping", group);
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping(groupMappingName, StringUtils.format("cn=%s,ou=Groups,dc=example,dc=org", group), roleTopermissions.keySet());
byte[] groupMappingBytes = jsonMapper.writeValueAsBytes(groupMapping);
HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/%s", config.getCoordinatorUrl(), groupMappingName), groupMappingBytes);
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdater method assignGroupMappingRoleOnce.
private boolean assignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) {
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
if (roleMap.get(roleName) == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMappingMapValue);
BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
if (groupMappingMap.get(groupMappingName) == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
if (groupMapping.getRoles().contains(roleName)) {
throw new BasicSecurityDBResourceException("Group mapping [%s] already has role [%s].", groupMappingName, roleName);
}
groupMapping.getRoles().add(roleName);
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
// Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
return tryUpdateGroupMappingAndRoleMap(prefix, groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, roleMap, oldRoleMapValue, oldRoleMapValue);
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternRightMask.
@Test
public void testAuthGroupMappingPatternRightMask() {
// Admin
BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
List<ResourceAction> adminPermissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
// User
BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
List<ResourceAction> userPermissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertFalse(access.isAllowed());
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthMissingGroupMapping.
@Test
public void testAuthMissingGroupMapping() {
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
List<ResourceAction> permissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertFalse(access.isAllowed());
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdater method unassignGroupMappingRoleOnce.
private boolean unassignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) {
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
if (roleMap.get(roleName) == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
}
byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMappingMapValue);
BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
if (groupMappingMap.get(groupMappingName) == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
if (!groupMapping.getRoles().contains(roleName)) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", groupMappingName, roleName);
}
groupMapping.getRoles().remove(roleName);
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
// Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
return tryUpdateGroupMappingAndRoleMap(prefix, groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, roleMap, oldRoleMapValue, oldRoleMapValue);
}
Aggregations