use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceHandler method getGroupMappingFull.
private Response getGroupMappingFull(String authorizerName, String groupMappingName) {
Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
try {
BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
if (groupMapping == null) {
throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
}
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
Set<BasicAuthorizerRole> roles = new HashSet<>();
for (String roleName : groupMapping.getRoles()) {
BasicAuthorizerRole role = roleMap.get(roleName);
if (role == null) {
log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
} else {
roles.add(role);
}
}
BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles);
return Response.ok(fullGroup).build();
} catch (BasicSecurityDBResourceException e) {
return makeResponseForBasicSecurityDBResourceException(e);
}
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceHandler method getAllGroupMappings.
@Override
public Response getAllGroupMappings(String authorizerName) {
final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
if (authorizer == null) {
return makeResponseForAuthorizerNotFound(authorizerName);
}
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
return Response.ok(groupMappingMap.keySet()).build();
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.
@Test
public void testAuthGroupMappingPatternLeftMask() {
// Admin
BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
List<ResourceAction> adminPermissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
// User
BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
List<ResourceAction> userPermissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
Assert.assertFalse(access.isAllowed());
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.
@Test
public void testAuthGroupMapping() {
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
List<ResourceAction> permissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
Map<String, Object> contexMap = new HashMap<>();
contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertTrue(access.isAllowed());
access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceTest method testGroupMappingRoleAssignment.
@Test
public void testGroupMappingRoleAssignment() {
Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "", ImmutableSet.of("druidRole"));
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of());
Assert.assertEquals(expectedRole, response.getEntity());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null);
Assert.assertEquals(200, response.getStatus());
expectedGroupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "", ImmutableSet.of());
Assert.assertEquals(expectedGroupMapping, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRole, response.getEntity());
}
Aggregations