use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddExistingRoleToGroupMappingFails.
@Test
public void testAddExistingRoleToGroupMappingFails() {
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] already has role [druidRole].");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole");
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testCreateDuplicateGroupMapping.
@Test
public void testCreateDuplicateGroupMapping() {
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Group mapping [druid] already exists.");
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null));
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class LDAPRoleProvider method getRoles.
@Override
public Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult) {
Set<String> roleNames = new HashSet<>();
Map<String, BasicAuthorizerGroupMapping> groupMappingMap = cacheManager.getGroupMappingMap(authorizerPrefix);
if (groupMappingMap == null) {
throw new IAE("Could not load groupMappingMap for authorizer [%s]", authorizerPrefix);
}
Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(authorizerPrefix);
if (userMap == null) {
throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix);
}
// Get the groups assigned to the LDAP user
SearchResult searchResult = Optional.ofNullable(authenticationResult.getContext()).map(contextMap -> contextMap.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY)).map(p -> {
if (p instanceof SearchResult) {
return (SearchResult) p;
} else {
return null;
}
}).orElse(null);
if (searchResult != null) {
try {
Set<LdapName> groupNamesFromLdap = getGroupsFromLdap(searchResult);
if (groupNamesFromLdap.isEmpty()) {
LOG.debug("User %s is not mapped to any groups", authenticationResult.getIdentity());
} else {
// Get the roles mapped to LDAP groups from the metastore.
// This allows us to authorize groups LDAP user belongs
roleNames.addAll(getRoles(groupMappingMap, groupNamesFromLdap));
}
} catch (NamingException e) {
LOG.error(e, "Exception in looking up groups for user %s", authenticationResult.getIdentity());
}
}
// Get the roles assigned to LDAP user from the metastore.
// This allow us to authorize LDAP users regardless of whether they belong to any groups or not in LDAP.
BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
if (user != null) {
roleNames.addAll(user.getRoles());
}
return roleNames;
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdater method initSuperUsersAndGroupMapping.
private void initSuperUsersAndGroupMapping(String authorizerName, Map<String, BasicAuthorizerUser> userMap, Map<String, BasicAuthorizerRole> roleMap, Map<String, BasicAuthorizerGroupMapping> groupMappingMap, String initialAdminUser, String initialAdminRole, String initialAdminGroupMapping) {
if (!roleMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
createRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME);
setPermissionsInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, SUPERUSER_PERMISSIONS);
}
if (!roleMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
createRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
setPermissionsInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, SUPERUSER_PERMISSIONS);
}
if (!userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
createUserInternal(authorizerName, BasicAuthUtils.ADMIN_NAME);
assignUserRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME);
}
if (!userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
createUserInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME);
assignUserRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME);
}
if (initialAdminRole != null && !(initialAdminRole.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminRole.equals(BasicAuthUtils.INTERNAL_USER_NAME)) && !roleMap.containsKey(initialAdminRole)) {
createRoleInternal(authorizerName, initialAdminRole);
setPermissionsInternal(authorizerName, initialAdminRole, SUPERUSER_PERMISSIONS);
}
if (initialAdminUser != null && !(initialAdminUser.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminUser.equals(BasicAuthUtils.INTERNAL_USER_NAME)) && !userMap.containsKey(initialAdminUser)) {
createUserInternal(authorizerName, initialAdminUser);
assignUserRoleInternal(authorizerName, initialAdminUser, initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole);
}
if (initialAdminGroupMapping != null && !groupMappingMap.containsKey(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME)) {
BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME, initialAdminGroupMapping, new HashSet<>(Collections.singletonList(initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole)));
createGroupMappingInternal(authorizerName, groupMapping);
}
}
use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdater method deleteRoleOnce.
private boolean deleteRoleOnce(String prefix, String roleName) {
byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
if (roleMap.get(roleName) == null) {
throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
} else {
roleMap.remove(roleName);
}
byte[] oldUserMapValue = getCurrentUserMapBytes(prefix);
Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldUserMapValue);
for (BasicAuthorizerUser user : userMap.values()) {
user.getRoles().remove(roleName);
}
byte[] newUserMapValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap);
byte[] oldGroupMapValue = getCurrentGroupMappingMapBytes(prefix);
Map<String, BasicAuthorizerGroupMapping> groupMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMapValue);
for (BasicAuthorizerGroupMapping group : groupMap.values()) {
group.getRoles().remove(roleName);
}
byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMap);
byte[] newRoleMapValue = BasicAuthUtils.serializeAuthorizerRoleMap(objectMapper, roleMap);
return tryUpdateUserAndRoleMap(prefix, userMap, oldUserMapValue, newUserMapValue, roleMap, oldRoleMapValue, newRoleMapValue) && tryUpdateGroupMappingAndRoleMap(prefix, groupMap, oldGroupMapValue, newGroupMapValue, roleMap, newRoleMapValue, newRoleMapValue);
}
Aggregations