
Example 21 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testDeleteAssignedRole.

/**
 * Verifies that deleting a role which is still assigned strips it from every holder.
 *
 * <p>The role is bound to two users and two group mappings, then deleted. Afterwards each
 * user and each group mapping must still be readable (status 200) but carry an empty role set.
 *
 * <p>NOTE(review): the test does not check that the role itself is gone after the delete
 * (for example with a follow-up {@code getRole}); the status returned for a missing role is
 * not visible here, so confirm it before adding that assertion. The cascade matters for
 * authorization hygiene: a leftover reference to a deleted role name would presumably become
 * effective again if a role with the same name were created later.
 */
@Test
public void testDeleteAssignedRole() {
    final String roleName = "druidRole";
    final String[] userNames = {"druid", "druid2"};
    final String[] groupMappingNames = {"druidGroupMapping", "druid2GroupMapping"};

    // Arrange: one role, two users and two group mappings, all bound to that role.
    Response response = resource.createRole(req, AUTHORIZER_NAME, roleName);
    Assert.assertEquals(200, response.getStatus());
    for (String userName : userNames) {
        response = resource.createUser(req, AUTHORIZER_NAME, userName);
        Assert.assertEquals(200, response.getStatus());
    }
    for (String userName : userNames) {
        response = resource.assignRoleToUser(req, AUTHORIZER_NAME, userName, roleName);
        Assert.assertEquals(200, response.getStatus());
    }
    for (String groupMappingName : groupMappingNames) {
        response = resource.createGroupMapping(req, AUTHORIZER_NAME, groupMappingName, new BasicAuthorizerGroupMapping(groupMappingName, "", new HashSet<>()));
        Assert.assertEquals(200, response.getStatus());
    }
    for (String groupMappingName : groupMappingNames) {
        response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, groupMappingName, roleName);
        Assert.assertEquals(200, response.getStatus());
    }

    // Before the delete every holder reports exactly the assigned role.
    for (String userName : userNames) {
        response = resource.getUser(req, AUTHORIZER_NAME, userName, null, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerUser(userName, ImmutableSet.of(roleName)), response.getEntity());
    }
    for (String groupMappingName : groupMappingNames) {
        response = resource.getGroupMapping(req, AUTHORIZER_NAME, groupMappingName, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerGroupMapping(groupMappingName, "", ImmutableSet.of(roleName)), response.getEntity());
    }
    response = resource.getRole(req, AUTHORIZER_NAME, roleName, null, null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(new BasicAuthorizerRole(roleName, ImmutableList.of()), response.getEntity());

    // Act: delete the role while it is still assigned.
    response = resource.deleteRole(req, AUTHORIZER_NAME, roleName);
    Assert.assertEquals(200, response.getStatus());

    // After the delete the holders remain but no longer reference the role.
    for (String userName : userNames) {
        response = resource.getUser(req, AUTHORIZER_NAME, userName, null, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerUser(userName, ImmutableSet.of()), response.getEntity());
    }
    for (String groupMappingName : groupMappingNames) {
        response = resource.getGroupMapping(req, AUTHORIZER_NAME, groupMappingName, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerGroupMapping(groupMappingName, "", ImmutableSet.of()), response.getEntity());
    }
}
Also used : Response(javax.ws.rs.core.Response) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) Test(org.junit.Test)

Example 22 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class BasicRoleBasedAuthorizer method authorize.

/**
 * Decides whether the authenticated identity may perform {@code action} on {@code resource}.
 *
 * <p>The decision is default-deny: access is granted only when at least one permission of at
 * least one of the identity's roles passes {@code permissionCheck}. An identity with no roles
 * is denied, and a role name that has no entry in the role map is skipped and grants nothing.
 *
 * <p>The role map is fetched before the empty-role check but only null-checked after it, so an
 * identity without roles is denied even when the role map could not be loaded.
 *
 * <p>NOTE(review): the role names are copied into a {@code HashSet}, which throws a
 * {@code NullPointerException} if the provider returns null; confirm the provider never does.
 *
 * @param authenticationResult result of the earlier authentication step, must not be null
 * @param resource the resource being accessed
 * @param action the action requested on the resource
 * @return {@code new Access(true)} on the first matching permission, otherwise {@code new Access(false)}
 * @throws IAE if {@code authenticationResult} is null, or if the identity has roles but the
 *     role map for this authorizer is null
 */
@Override
@SuppressWarnings("unchecked")
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
    if (authenticationResult == null) {
        throw new IAE("authenticationResult is null where it should never be.");
    }

    final Set<String> grantedRoleNames = new HashSet<>(roleProvider.getRoles(name, authenticationResult));
    final Map<String, BasicAuthorizerRole> rolesByName = roleProvider.getRoleMap(name);

    // No roles means nothing can match: deny before looking at the role map at all.
    if (grantedRoleNames.isEmpty()) {
        return new Access(false);
    }
    if (rolesByName == null) {
        throw new IAE("Could not load roleMap for authorizer [%s]", name);
    }

    for (String grantedRoleName : grantedRoleNames) {
        final BasicAuthorizerRole grantedRole = rolesByName.get(grantedRoleName);
        if (grantedRole == null) {
            // The identity names a role that has no definition in the map; it contributes no permissions.
            continue;
        }
        for (BasicAuthorizerPermission candidate : grantedRole.getPermissions()) {
            if (permissionCheck(resource, action, candidate)) {
                return new Access(true);
            }
        }
    }

    // Fell through every role without a match: deny.
    return new Access(false);
}
Also used : Access(org.apache.druid.server.security.Access) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) IAE(org.apache.druid.java.util.common.IAE) BasicAuthorizerPermission(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission) HashSet(java.util.HashSet)

Example 23 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class BasicAuthUtilsTest method testPermissionSerdeIsChillAboutUnknownEnumStuffs.

/**
 * Round-trips a role map through JSON and checks how unfamiliar permission values are handled.
 *
 * <p>Three roles are serialized: one built from typed objects, one whose second permission uses
 * a custom resource type string, and one whose second permission carries an unknown action.
 * As asserted below, all three roles come back; the custom resource type is kept, while the
 * permission with the unknown action is dropped and the role's other permission survives.
 * An unparseable permission therefore narrows what the role grants rather than failing the
 * whole map.
 *
 * @throws JsonProcessingException if the raw map cannot be serialized
 */
@Test
public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProcessingException {
    final String knownRoleName = "some-role";
    final String customTypeRoleName = "other-role";
    final String badActionRoleName = "third-role";

    final ResourceAction fooRead = new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ);
    final ResourceAction barRead = new ResourceAction(new Resource("bar", ResourceType.DATASOURCE), Action.READ);
    final ResourceAction customRead = new ResourceAction(new Resource("bar", "CUSTOM"), Action.READ);

    final ObjectMapper mapper = TestHelper.makeJsonMapper();
    mapper.registerModules(new BasicSecurityDruidModule().getJacksonModules());

    // Permissions for the role that uses a custom ResourceType.
    final ImmutableMap<String, Object> fooPermission = ImmutableMap.of("resourceAction", fooRead, "resourceNamePattern", "foo");
    final ImmutableMap<String, Object> customPermission = ImmutableMap.of("resourceAction", customRead, "resourceNamePattern", "bar");

    // Permissions for the role with a bad Action, written as raw maps so the unknown value can be expressed.
    final ImmutableMap<String, Object> viewReadAction = ImmutableMap.of("resource", ImmutableMap.of("name", "some-view", "type", "VIEW"), "action", "READ");
    final ImmutableMap<String, Object> unknownAction = ImmutableMap.of("resource", ImmutableMap.of("name", "foo", "type", "DATASOURCE"), "action", "UNKNOWN");
    final ImmutableMap<String, Object> viewPermission = ImmutableMap.of("resourceAction", viewReadAction, "resourceNamePattern", "some-view");
    final ImmutableMap<String, Object> unknownActionPermission = ImmutableMap.of("resourceAction", unknownAction, "resourceNamePattern", "some-view");

    Map<String, Object> rawMap = new HashMap<>();
    rawMap.put(knownRoleName, new BasicAuthorizerRole(knownRoleName, BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, barRead))));
    rawMap.put(customTypeRoleName, ImmutableMap.of("name", customTypeRoleName, "permissions", ImmutableList.of(fooPermission, customPermission)));
    rawMap.put(badActionRoleName, ImmutableMap.of("name", badActionRoleName, "permissions", ImmutableList.of(viewPermission, unknownActionPermission)));

    byte[] serialized = mapper.writeValueAsBytes(rawMap);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(mapper, serialized);
    Assert.assertNotNull(roleMap);
    Assert.assertEquals(3, roleMap.size());

    // Fully typed role: both permissions come back unchanged.
    Assert.assertTrue(roleMap.containsKey(knownRoleName));
    final BasicAuthorizerRole knownRole = roleMap.get(knownRoleName);
    Assert.assertEquals(2, knownRole.getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, barRead)), knownRole.getPermissions());

    // this one has custom resource type... this test is somewhat pointless, it made more sense when type was an enum
    Assert.assertTrue(roleMap.containsKey(customTypeRoleName));
    final BasicAuthorizerRole customTypeRole = roleMap.get(customTypeRoleName);
    Assert.assertEquals(2, customTypeRole.getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, customRead)), customTypeRole.getPermissions());

    // this one has an unknown Action, expect only 1 permission to deserialize correctly and failure ignored
    Assert.assertTrue(roleMap.containsKey(badActionRoleName));
    final BasicAuthorizerRole badActionRole = roleMap.get(badActionRoleName);
    Assert.assertEquals(1, badActionRole.getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(new ResourceAction(new Resource("some-view", ResourceType.VIEW), Action.READ))), badActionRole.getPermissions());
}
Also used : HashMap(java.util.HashMap) BasicSecurityDruidModule(org.apache.druid.security.basic.BasicSecurityDruidModule) Resource(org.apache.druid.server.security.Resource) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Example 24 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddAndRemoveRoleToUser.

// role, user, and group mapping tests
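/**
 * Assigns a role to a user and then unassigns it, checking the stored user and role maps
 * after each step.
 *
 * <p>After the assignment the user must list the role and the role must exist with no
 * permissions. After the unassignment the user's role set must be empty while the role
 * definition stays as it was.
 */
@Test
public void testAddAndRemoveRoleToUser() {
    updater.createUser(AUTHORIZER_NAME, "druid");
    updater.createRole(AUTHORIZER_NAME, "druidRole");
    updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");

    Map<String, BasicAuthorizerUser> expectedUserMap = new HashMap<>(BASE_USER_MAP);
    expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole")));
    Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
    expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of()));

    Map<String, BasicAuthorizerUser> actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedUserMap, actualUserMap);
    Assert.assertEquals(expectedRoleMap, actualRoleMap);

    updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
    expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of()));

    actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    // Re-read the role map as well: without this the final role assertion would compare the
    // snapshot taken before the unassignment and could never detect a change to the roles.
    actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedUserMap, actualUserMap);
    Assert.assertEquals(expectedRoleMap, actualRoleMap);
}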
Also used : BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) HashMap(java.util.HashMap) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) Test(org.junit.Test)

Example 25 with BasicAuthorizerRole

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testCreateDeleteRole.

// role tests
/**
 * Creates a role and deletes it again, comparing the stored role map with the expected one
 * after each step.
 *
 * <p>The expected map starts from {@code BASE_ROLE_MAP}; the new role is expected with an
 * empty permission list, and after the delete the stored map must match the base map again.
 */
@Test
public void testCreateDeleteRole() {
    final Map<String, BasicAuthorizerRole> expectedRoles = new HashMap<>(BASE_ROLE_MAP);

    // Create: the stored map gains the role, with no permissions attached.
    updater.createRole(AUTHORIZER_NAME, "druid");
    expectedRoles.put("druid", new BasicAuthorizerRole("druid", ImmutableList.of()));
    Map<String, BasicAuthorizerRole> storedRoles = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedRoles, storedRoles);

    // Delete: the stored map is read again so the comparison reflects the state after the delete.
    updater.deleteRole(AUTHORIZER_NAME, "druid");
    expectedRoles.remove("druid");
    storedRoles = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedRoles, storedRoles);
}
Also used : HashMap(java.util.HashMap) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) Test(org.junit.Test)

Aggregations

BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)28 Test (org.junit.Test)13 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)11 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)11 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)10 HashMap (java.util.HashMap)7 Response (javax.ws.rs.core.Response)7 HashSet (java.util.HashSet)5 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)4 Resource (org.apache.druid.server.security.Resource)4 ResourceAction (org.apache.druid.server.security.ResourceAction)4 BasicAuthorizerUserFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull)3 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)2 BasicAuthorizerResource (org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource)2 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerUserFullSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions)2 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)1 Map (java.util.Map)1 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)1