Search in sources :

Example 6 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method unassignGroupMappingRoleOnce.

private boolean unassignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) {
    byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, oldRoleMapValue);
    if (roleMap.get(roleName) == null) {
        throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
    }
    byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix);
    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldGroupMappingMapValue);
    BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName);
    if (groupMappingMap.get(groupMappingName) == null) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
    }
    if (!groupMapping.getRoles().contains(roleName)) {
        throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", groupMappingName, roleName);
    }
    groupMapping.getRoles().remove(roleName);
    byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap);
    // Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted)
    return tryUpdateGroupMappingAndRoleMap(prefix, groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, roleMap, oldRoleMapValue, oldRoleMapValue);
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)

Example 7 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getAllRoles.

@Override
public Response getAllRoles(String authorizerName) {
    final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName);
    if (authorizer == null) {
        return makeResponseForAuthorizerNotFound(authorizerName);
    }
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
    return Response.ok(roleMap.keySet()).build();
}
Also used : BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)

Example 8 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getGroupMappingFull.

private Response getGroupMappingFull(String authorizerName, String groupMappingName) {
    Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
    try {
        BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName);
        if (groupMapping == null) {
            throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName);
        }
        Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
        Set<BasicAuthorizerRole> roles = new HashSet<>();
        for (String roleName : groupMapping.getRoles()) {
            BasicAuthorizerRole role = roleMap.get(roleName);
            if (role == null) {
                log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName);
            } else {
                roles.add(role);
            }
        }
        BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles);
        return Response.ok(fullGroup).build();
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerGroupMappingFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Example 9 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getUserFull.

private Response getUserFull(String authorizerName, String userName, boolean simplifyPermissions) {
    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, storageUpdater.getCurrentUserMapBytes(authorizerName));
    try {
        BasicAuthorizerUser user = userMap.get(userName);
        if (user == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
        }
        Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
        if (simplifyPermissions) {
            Set<BasicAuthorizerRoleSimplifiedPermissions> roles = getRolesForUserWithSimplifiedPermissions(user, roleMap);
            BasicAuthorizerUserFullSimplifiedPermissions fullUser = new BasicAuthorizerUserFullSimplifiedPermissions(userName, roles);
            return Response.ok(fullUser).build();
        } else {
            Set<BasicAuthorizerRole> roles = getRolesForUser(user, roleMap);
            BasicAuthorizerUserFull fullUser = new BasicAuthorizerUserFull(userName, roles);
            return Response.ok(fullUser).build();
        }
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerUserFullSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerUserFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)

Example 10 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getRolesForUserWithSimplifiedPermissions.

private Set<BasicAuthorizerRoleSimplifiedPermissions> getRolesForUserWithSimplifiedPermissions(BasicAuthorizerUser user, Map<String, BasicAuthorizerRole> roleMap) {
    Set<BasicAuthorizerRoleSimplifiedPermissions> roles = new HashSet<>();
    for (String roleName : user.getRoles()) {
        BasicAuthorizerRole role = roleMap.get(roleName);
        if (role == null) {
            log.error("User [%s] had role [%s], but role object was not found.", user.getName(), roleName);
        } else {
            BasicAuthorizerRoleSimplifiedPermissions roleWithSimplifiedPermissions = new BasicAuthorizerRoleSimplifiedPermissions(role.getName(), null, BasicAuthorizerRoleSimplifiedPermissions.convertPermissions(role.getPermissions()));
            roles.add(roleWithSimplifiedPermissions);
        }
    }
    return roles;
}
Also used : BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Aggregations

BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)28 Test (org.junit.Test)13 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)11 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)11 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)10 HashMap (java.util.HashMap)7 Response (javax.ws.rs.core.Response)7 HashSet (java.util.HashSet)5 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)4 Resource (org.apache.druid.server.security.Resource)4 ResourceAction (org.apache.druid.server.security.ResourceAction)4 BasicAuthorizerUserFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull)3 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)2 BasicAuthorizerResource (org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerUserFullSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions)2 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)1 Map (java.util.Map)1 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1