Search in sources :

Example 21 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddExistingRoleToGroupMappingFails.

@Test
public void testAddExistingRoleToGroupMappingFails() {
    expectedException.expect(BasicSecurityDBResourceException.class);
    expectedException.expectMessage("Group mapping [druid] already has role [druidRole].");
    updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
    updater.createRole(AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
    updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) Test(org.junit.Test)

Example 22 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testCreateDuplicateGroupMapping.

@Test
public void testCreateDuplicateGroupMapping() {
    expectedException.expect(BasicSecurityDBResourceException.class);
    expectedException.expectMessage("Group mapping [druid] already exists.");
    updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
    updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) Test(org.junit.Test)

Example 23 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class LDAPRoleProvider method getRoles.

@Override
public Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult) {
    Set<String> roleNames = new HashSet<>();
    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = cacheManager.getGroupMappingMap(authorizerPrefix);
    if (groupMappingMap == null) {
        throw new IAE("Could not load groupMappingMap for authorizer [%s]", authorizerPrefix);
    }
    Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(authorizerPrefix);
    if (userMap == null) {
        throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix);
    }
    // Get the groups assigned to the LDAP user
    SearchResult searchResult = Optional.ofNullable(authenticationResult.getContext()).map(contextMap -> contextMap.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY)).map(p -> {
        if (p instanceof SearchResult) {
            return (SearchResult) p;
        } else {
            return null;
        }
    }).orElse(null);
    if (searchResult != null) {
        try {
            Set<LdapName> groupNamesFromLdap = getGroupsFromLdap(searchResult);
            if (groupNamesFromLdap.isEmpty()) {
                LOG.debug("User %s is not mapped to any groups", authenticationResult.getIdentity());
            } else {
                // Get the roles mapped to LDAP groups from the metastore.
                // This allows us to authorize groups LDAP user belongs
                roleNames.addAll(getRoles(groupMappingMap, groupNamesFromLdap));
            }
        } catch (NamingException e) {
            LOG.error(e, "Exception in looking up groups for user %s", authenticationResult.getIdentity());
        }
    }
    // Get the roles assigned to LDAP user from the metastore.
    // This allow us to authorize LDAP users regardless of whether they belong to any groups or not in LDAP.
    BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
    if (user != null) {
        roleNames.addAll(user.getRoles());
    }
    return roleNames;
}
Also used : Logger(org.apache.druid.java.util.common.logger.Logger) JsonProperty(com.fasterxml.jackson.annotation.JsonProperty) Arrays(java.util.Arrays) LdapName(javax.naming.ldap.LdapName) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) BasicAuthUtils(org.apache.druid.security.basic.BasicAuthUtils) NamingException(javax.naming.NamingException) TreeSet(java.util.TreeSet) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) HashSet(java.util.HashSet) JsonTypeName(com.fasterxml.jackson.annotation.JsonTypeName) Attribute(javax.naming.directory.Attribute) Locale(java.util.Locale) Map(java.util.Map) IAE(org.apache.druid.java.util.common.IAE) JacksonInject(com.fasterxml.jackson.annotation.JacksonInject) BasicAuthorizerCacheManager(org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager) RE(org.apache.druid.java.util.common.RE) StringUtils(org.apache.druid.java.util.common.StringUtils) Set(java.util.Set) InvalidNameException(javax.naming.InvalidNameException) JsonCreator(com.fasterxml.jackson.annotation.JsonCreator) Optional(java.util.Optional) VisibleForTesting(com.google.common.annotations.VisibleForTesting) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) SearchResult(javax.naming.directory.SearchResult) SearchResult(javax.naming.directory.SearchResult) IAE(org.apache.druid.java.util.common.IAE) LdapName(javax.naming.ldap.LdapName) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) NamingException(javax.naming.NamingException) HashSet(java.util.HashSet)

Example 24 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method initSuperUsersAndGroupMapping.

private void initSuperUsersAndGroupMapping(String authorizerName, Map<String, BasicAuthorizerUser> userMap, Map<String, BasicAuthorizerRole> roleMap, Map<String, BasicAuthorizerGroupMapping> groupMappingMap, String initialAdminUser, String initialAdminRole, String initialAdminGroupMapping) {
    if (!roleMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
        createRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME);
        setPermissionsInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, SUPERUSER_PERMISSIONS);
    }
    if (!roleMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
        createRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
        setPermissionsInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, SUPERUSER_PERMISSIONS);
    }
    if (!userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
        createUserInternal(authorizerName, BasicAuthUtils.ADMIN_NAME);
        assignUserRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME);
    }
    if (!userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
        createUserInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
        assignUserRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME);
    }
    if (initialAdminRole != null && !(initialAdminRole.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminRole.equals(BasicAuthUtils.INTERNAL_USER_NAME)) && !roleMap.containsKey(initialAdminRole)) {
        createRoleInternal(authorizerName, initialAdminRole);
        setPermissionsInternal(authorizerName, initialAdminRole, SUPERUSER_PERMISSIONS);
    }
    if (initialAdminUser != null && !(initialAdminUser.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminUser.equals(BasicAuthUtils.INTERNAL_USER_NAME)) && !userMap.containsKey(initialAdminUser)) {
        createUserInternal(authorizerName, initialAdminUser);
        assignUserRoleInternal(authorizerName, initialAdminUser, initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole);
    }
    if (initialAdminGroupMapping != null && !groupMappingMap.containsKey(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME)) {
        BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME, initialAdminGroupMapping, new HashSet<>(Collections.singletonList(initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole)));
        createGroupMappingInternal(authorizerName, groupMapping);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)

Example 25 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method deleteRoleOnce.

private boolean deleteRoleOnce(String prefix, String roleName) {
    byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
    if (roleMap.get(roleName) == null) {
        throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
    } else {
        roleMap.remove(roleName);
    }
    byte[] oldUserMapValue = getCurrentUserMapBytes(prefix);
    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldUserMapValue);
    for (BasicAuthorizerUser user : userMap.values()) {
        user.getRoles().remove(roleName);
    }
    byte[] newUserMapValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap);
    byte[] oldGroupMapValue = getCurrentGroupMappingMapBytes(prefix);
    Map<String, BasicAuthorizerGroupMapping> groupMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMapValue);
    for (BasicAuthorizerGroupMapping group : groupMap.values()) {
        group.getRoles().remove(roleName);
    }
    byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMap);
    byte[] newRoleMapValue = BasicAuthUtils.serializeAuthorizerRoleMap(objectMapper, roleMap);
    return tryUpdateUserAndRoleMap(prefix, userMap, oldUserMapValue, newUserMapValue, roleMap, oldRoleMapValue, newRoleMapValue) && tryUpdateGroupMappingAndRoleMap(prefix, groupMap, oldGroupMapValue, newGroupMapValue, roleMap, newRoleMapValue, newRoleMapValue);
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)

Aggregations

BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)28 Test (org.junit.Test)17 BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)12 HashMap (java.util.HashMap)7 HashSet (java.util.HashSet)7 Response (javax.ws.rs.core.Response)6 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)5 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)5 ResourceAction (org.apache.druid.server.security.ResourceAction)5 Map (java.util.Map)4 Access (org.apache.druid.server.security.Access)4 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)4 Resource (org.apache.druid.server.security.Resource)4 VisibleForTesting (com.google.common.annotations.VisibleForTesting)2 InvalidNameException (javax.naming.InvalidNameException)2 LdapName (javax.naming.ldap.LdapName)2 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)2