Search in sources :

Example 26 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method start.

@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    if (authorizerMapper == null || authorizerMapper.getAuthorizerMap() == null) {
        return;
    }
    try {
        LOG.info("Starting CoordinatorBasicAuthorizerMetadataStorageUpdater");
        BasicAuthUtils.maybeInitialize(() -> {
            for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
                Authorizer authorizer = entry.getValue();
                if (authorizer instanceof BasicRoleBasedAuthorizer) {
                    BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer;
                    BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig();
                    String authorizerName = entry.getKey();
                    authorizerNames.add(authorizerName);
                    byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
                    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
                    cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
                    byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
                    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
                    cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
                    byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
                    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
                    cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
                    initSuperUsersAndGroupMapping(authorizerName, userMap, roleMap, groupMappingMap, dbConfig.getInitialAdminUser(), dbConfig.getInitialAdminRole(), dbConfig.getInitialAdminGroupMapping());
                }
            }
            return true;
        });
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), () -> {
            if (stopped) {
                return ScheduledExecutors.Signal.STOP;
            }
            try {
                LOG.debug("Scheduled db poll is running");
                for (String authorizerName : authorizerNames) {
                    byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
                    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
                    if (userMapBytes != null) {
                        synchronized (cachedUserMaps) {
                            cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
                        }
                    }
                    byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
                    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
                    if (groupMappingMapBytes != null) {
                        synchronized (cachedGroupMappingMaps) {
                            cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
                        }
                    }
                    byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
                    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
                    if (roleMapBytes != null) {
                        synchronized (cachedRoleMaps) {
                            cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
                        }
                    }
                }
                LOG.debug("Scheduled db poll is done");
            } catch (Throwable t) {
                LOG.makeAlert(t, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.").emit();
            }
            return ScheduledExecutors.Signal.REPEAT;
        });
        lifecycleLock.started();
    } finally {
        lifecycleLock.exitStart();
    }
}
Also used : Duration(org.joda.time.Duration) BasicAuthorizerRoleMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleMapBundle) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerUserMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) Authorizer(org.apache.druid.server.security.Authorizer) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) BasicAuthorizerGroupMappingMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingMapBundle) ISE(org.apache.druid.java.util.common.ISE) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) UserAndRoleMap(org.apache.druid.security.basic.authorization.entity.UserAndRoleMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) GroupMappingAndRoleMap(org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)

Example 27 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getRoleFull.

private Response getRoleFull(String authorizerName, String roleName, boolean simplifyPermissions) {
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
    try {
        BasicAuthorizerRole role = roleMap.get(roleName);
        if (role == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
        }
        Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, storageUpdater.getCurrentUserMapBytes(authorizerName));
        Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
        Set<String> users = new HashSet<>();
        for (BasicAuthorizerUser user : userMap.values()) {
            if (user.getRoles().contains(roleName)) {
                users.add(user.getName());
            }
        }
        Set<String> groupMappings = new HashSet<>();
        for (BasicAuthorizerGroupMapping group : groupMappingMap.values()) {
            if (group.getRoles().contains(roleName)) {
                groupMappings.add(group.getName());
            }
        }
        if (simplifyPermissions) {
            return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, users)).build();
        } else {
            BasicAuthorizerRoleFull roleFull = new BasicAuthorizerRoleFull(roleName, users, groupMappings, role.getPermissions());
            return Response.ok(roleFull).build();
        }
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerRoleFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Example 28 with BasicAuthorizerGroupMapping

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping in project druid by druid-io.

the class LDAPRoleProvider method getRoles.

@VisibleForTesting
public Set<String> getRoles(Map<String, BasicAuthorizerGroupMapping> groupMappingMap, Set<LdapName> groupNamesFromLdap) {
    Set<String> roles = new HashSet<>();
    if (groupMappingMap.size() == 0) {
        return roles;
    }
    for (LdapName groupName : groupNamesFromLdap) {
        for (Map.Entry<String, BasicAuthorizerGroupMapping> groupMappingEntry : groupMappingMap.entrySet()) {
            BasicAuthorizerGroupMapping groupMapping = groupMappingEntry.getValue();
            String mask = groupMapping.getGroupPattern();
            try {
                if (mask.startsWith("*,")) {
                    LdapName ln = new LdapName(mask.substring(2));
                    if (groupName.startsWith(ln)) {
                        roles.addAll(groupMapping.getRoles());
                    }
                } else if (mask.endsWith(",*")) {
                    LdapName ln = new LdapName(mask.substring(0, mask.length() - 2));
                    if (groupName.endsWith(ln)) {
                        roles.addAll(groupMapping.getRoles());
                    }
                } else {
                    LdapName ln = new LdapName(mask);
                    if (groupName.equals(ln)) {
                        roles.addAll(groupMapping.getRoles());
                    }
                }
            } catch (InvalidNameException e) {
                throw new RuntimeException(String.format(Locale.getDefault(), "Configuration problem - Invalid groupMapping '%s'", mask));
            }
        }
    }
    return roles;
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) InvalidNameException(javax.naming.InvalidNameException) Map(java.util.Map) HashSet(java.util.HashSet) LdapName(javax.naming.ldap.LdapName) VisibleForTesting(com.google.common.annotations.VisibleForTesting)

Aggregations

BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)28 Test (org.junit.Test)17 BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)12 HashMap (java.util.HashMap)7 HashSet (java.util.HashSet)7 Response (javax.ws.rs.core.Response)6 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)5 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)5 ResourceAction (org.apache.druid.server.security.ResourceAction)5 Map (java.util.Map)4 Access (org.apache.druid.server.security.Access)4 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)4 Resource (org.apache.druid.server.security.Resource)4 VisibleForTesting (com.google.common.annotations.VisibleForTesting)2 InvalidNameException (javax.naming.InvalidNameException)2 LdapName (javax.naming.ldap.LdapName)2 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)2