Search in sources :

Example 6 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getGroupMappingFull.

private Response getGroupMappingFull(String authorizerName, String groupMappingName) {
    Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
    try {
        BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
        if (groupMapping == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
        }
        Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
        Set<BasicAuthorizerRole> roles = new HashSet<>();
        for (String roleName : groupMapping.getRoles()) {
            BasicAuthorizerRole role = roleMap.get(roleName);
            if (role == null) {
                log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
            } else {
                roles.add(role);
            }
        }
        BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles);
        return Response.ok(fullGroup).build();
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerGroupMappingFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Example 7 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getAllGroupMappings.

@Override
public Response getAllGroupMappings(String authorizerName) {
    final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
    if (authorizer == null) {
        return makeResponseForAuthorizerNotFound(authorizerName);
    }
    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
    return Response.ok(groupMappingMap.keySet()).build();
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)

Example 8 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.

@Test
public void testAuthGroupMappingPatternLeftMask() {
    // Admin
    BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    List<ResourceAction> adminPermissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
    // User
    BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    List<ResourceAction> userPermissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Example 9 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.

@Test
public void testAuthGroupMapping() {
    BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    List<ResourceAction> permissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Example 10 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testGroupMappingRoleAssignment.

@Test
public void testGroupMappingRoleAssignment() {
    Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
    Assert.assertEquals(200, response.getStatus());
    BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "", ImmutableSet.of("druidRole"));
    Assert.assertEquals(expectedGroupMapping, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
    Assert.assertEquals(200, response.getStatus());
    BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of());
    Assert.assertEquals(expectedRole, response.getEntity());
    response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
    Assert.assertEquals(200, response.getStatus());
    expectedGroupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "", ImmutableSet.of());
    Assert.assertEquals(expectedGroupMapping, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRole, response.getEntity());
}
Also used : Response(javax.ws.rs.core.Response) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) Test(org.junit.Test)

Aggregations

BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)28 Test (org.junit.Test)17 BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)12 HashMap (java.util.HashMap)7 HashSet (java.util.HashSet)7 Response (javax.ws.rs.core.Response)6 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)5 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)5 ResourceAction (org.apache.druid.server.security.ResourceAction)5 Map (java.util.Map)4 Access (org.apache.druid.server.security.Access)4 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)4 Resource (org.apache.druid.server.security.Resource)4 VisibleForTesting (com.google.common.annotations.VisibleForTesting)2 InvalidNameException (javax.naming.InvalidNameException)2 LdapName (javax.naming.ldap.LdapName)2 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)2