Search in sources :

Example 1 with BasicAuthorizerGroupMappingFull

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getGroupMappingFull.

private Response getGroupMappingFull(String authorizerName, String groupMappingName) {
    Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
    try {
        BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
        if (groupMapping == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
        }
        Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
        Set<BasicAuthorizerRole> roles = new HashSet<>();
        for (String roleName : groupMapping.getRoles()) {
            BasicAuthorizerRole role = roleMap.get(roleName);
            if (role == null) {
                log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
            } else {
                roles.add(role);
            }
        }
        BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles);
        return Response.ok(fullGroup).build();
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerGroupMappingFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Example 2 with BasicAuthorizerGroupMappingFull

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testUsersGroupMappingsRolesAndPerms.

@Test
public void testUsersGroupMappingsRolesAndPerms() {
    Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createUser(req, AUTHORIZER_NAME, "druid2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
    Assert.assertEquals(200, response.getStatus());
    response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
    Assert.assertEquals(200, response.getStatus());
    response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createRole(req, AUTHORIZER_NAME, "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    List<ResourceAction> perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
    List<ResourceAction> perms2 = ImmutableList.of(new ResourceAction(new Resource("D", ResourceType.STATE), Action.READ), new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("F", ResourceType.CONFIG), Action.WRITE));
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
    Assert.assertEquals(200, response.getStatus());
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
    BasicAuthorizerRole expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
    Set<BasicAuthorizerRole> expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
    BasicAuthorizerUserFull expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    BasicAuthorizerUserFull expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    BasicAuthorizerGroupMappingFull expectedGroupMappingFull = new BasicAuthorizerGroupMappingFull("druidGroupMapping", "", expectedRoles);
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedGroupMappingFull, response.getEntity());
    BasicAuthorizerGroupMappingFull expectedGroupMappingFull2 = new BasicAuthorizerGroupMappingFull("druid2GroupMapping", "", expectedRoles);
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedGroupMappingFull2, response.getEntity());
    Set<String> expectedUserSet = Sets.newHashSet("druid", "druid2");
    Set<String> expectedGroupMappingSet = Sets.newHashSet("druidGroupMapping", "druid2GroupMapping");
    BasicAuthorizerRoleFull expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms));
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull, response.getEntity());
    BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", expectedUserSet, perms);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", null, perms);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    BasicAuthorizerRoleFull expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms2));
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull2, response.getEntity());
    BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", expectedUserSet, perms2);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
    expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", null, perms2);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", null, "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
    perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
    perms2 = ImmutableList.of(new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE));
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
    Assert.assertEquals(200, response.getStatus());
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
    Assert.assertEquals(200, response.getStatus());
    expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
    expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
    expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
    expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
    expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
    expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    expectedUserFull = new BasicAuthorizerUserFull("druid", Sets.newHashSet(expectedRole2));
    expectedUserFull2 = new BasicAuthorizerUserFull("druid2", Sets.newHashSet(expectedRole));
    expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", Sets.newHashSet("druid2"), Sets.newHashSet("druid2GroupMapping"), BasicAuthorizerPermission.makePermissionList(perms));
    expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", Sets.newHashSet("druid"), Sets.newHashSet("druidGroupMapping"), BasicAuthorizerPermission.makePermissionList(perms2));
    expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull.getRoles()));
    expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull2.getRoles()));
    expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull);
    expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull2);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull2, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
}
Also used : BasicAuthorizerGroupMappingFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerRoleFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull) BasicAuthorizerResource(org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource) Resource(org.apache.druid.server.security.Resource) BasicAuthorizerUserFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull) Response(javax.ws.rs.core.Response) BasicAuthorizerUserFullSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Aggregations

BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)2 HashSet (java.util.HashSet)1 Response (javax.ws.rs.core.Response)1 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)1 BasicAuthorizerResource (org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource)1 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)1 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)1 BasicAuthorizerUserFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull)1 BasicAuthorizerUserFullSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions)1 Resource (org.apache.druid.server.security.Resource)1 ResourceAction (org.apache.druid.server.security.ResourceAction)1 Test (org.junit.Test)1