Search in sources :

Example 1 with BasicAuthorizerRoleSimplifiedPermissions

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getUserFull.

private Response getUserFull(String authorizerName, String userName, boolean simplifyPermissions) {
    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, storageUpdater.getCurrentUserMapBytes(authorizerName));
    try {
        BasicAuthorizerUser user = userMap.get(userName);
        if (user == null) {
            throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName);
        }
        Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
        if (simplifyPermissions) {
            Set<BasicAuthorizerRoleSimplifiedPermissions> roles = getRolesForUserWithSimplifiedPermissions(user, roleMap);
            BasicAuthorizerUserFullSimplifiedPermissions fullUser = new BasicAuthorizerUserFullSimplifiedPermissions(userName, roles);
            return Response.ok(fullUser).build();
        } else {
            Set<BasicAuthorizerRole> roles = getRolesForUser(user, roleMap);
            BasicAuthorizerUserFull fullUser = new BasicAuthorizerUserFull(userName, roles);
            return Response.ok(fullUser).build();
        }
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerUserFullSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerUserFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)

Example 2 with BasicAuthorizerRoleSimplifiedPermissions

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getRolesForUserWithSimplifiedPermissions.

private Set<BasicAuthorizerRoleSimplifiedPermissions> getRolesForUserWithSimplifiedPermissions(BasicAuthorizerUser user, Map<String, BasicAuthorizerRole> roleMap) {
    Set<BasicAuthorizerRoleSimplifiedPermissions> roles = new HashSet<>();
    for (String roleName : user.getRoles()) {
        BasicAuthorizerRole role = roleMap.get(roleName);
        if (role == null) {
            log.error("User [%s] had role [%s], but role object was not found.", user.getName(), roleName);
        } else {
            BasicAuthorizerRoleSimplifiedPermissions roleWithSimplifiedPermissions = new BasicAuthorizerRoleSimplifiedPermissions(role.getName(), null, BasicAuthorizerRoleSimplifiedPermissions.convertPermissions(role.getPermissions()));
            roles.add(roleWithSimplifiedPermissions);
        }
    }
    return roles;
}
Also used : BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Example 3 with BasicAuthorizerRoleSimplifiedPermissions

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testUsersGroupMappingsRolesAndPerms.

@Test
public void testUsersGroupMappingsRolesAndPerms() {
    Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createUser(req, AUTHORIZER_NAME, "druid2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
    Assert.assertEquals(200, response.getStatus());
    response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
    Assert.assertEquals(200, response.getStatus());
    response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.createRole(req, AUTHORIZER_NAME, "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    List<ResourceAction> perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
    List<ResourceAction> perms2 = ImmutableList.of(new ResourceAction(new Resource("D", ResourceType.STATE), Action.READ), new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("F", ResourceType.CONFIG), Action.WRITE));
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
    Assert.assertEquals(200, response.getStatus());
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
    BasicAuthorizerRole expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
    Set<BasicAuthorizerRole> expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
    BasicAuthorizerUserFull expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    BasicAuthorizerUserFull expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    BasicAuthorizerGroupMappingFull expectedGroupMappingFull = new BasicAuthorizerGroupMappingFull("druidGroupMapping", "", expectedRoles);
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedGroupMappingFull, response.getEntity());
    BasicAuthorizerGroupMappingFull expectedGroupMappingFull2 = new BasicAuthorizerGroupMappingFull("druid2GroupMapping", "", expectedRoles);
    response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedGroupMappingFull2, response.getEntity());
    Set<String> expectedUserSet = Sets.newHashSet("druid", "druid2");
    Set<String> expectedGroupMappingSet = Sets.newHashSet("druidGroupMapping", "druid2GroupMapping");
    BasicAuthorizerRoleFull expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms));
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull, response.getEntity());
    BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", expectedUserSet, perms);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", null, perms);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    BasicAuthorizerRoleFull expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms2));
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull2, response.getEntity());
    BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", expectedUserSet, perms2);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
    expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", null, perms2);
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", null, "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
    perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
    perms2 = ImmutableList.of(new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE));
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
    Assert.assertEquals(200, response.getStatus());
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
    Assert.assertEquals(200, response.getStatus());
    expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
    expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
    expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
    expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
    expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
    expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    Assert.assertEquals(200, response.getStatus());
    response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
    Assert.assertEquals(200, response.getStatus());
    expectedUserFull = new BasicAuthorizerUserFull("druid", Sets.newHashSet(expectedRole2));
    expectedUserFull2 = new BasicAuthorizerUserFull("druid2", Sets.newHashSet(expectedRole));
    expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", Sets.newHashSet("druid2"), Sets.newHashSet("druid2GroupMapping"), BasicAuthorizerPermission.makePermissionList(perms));
    expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", Sets.newHashSet("druid"), Sets.newHashSet("druidGroupMapping"), BasicAuthorizerPermission.makePermissionList(perms2));
    expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull.getRoles()));
    expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull2.getRoles()));
    expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull);
    expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull2);
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFull2, response.getEntity());
    response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleFull2, response.getEntity());
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
}
Also used : BasicAuthorizerGroupMappingFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerRoleFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull) BasicAuthorizerResource(org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource) Resource(org.apache.druid.server.security.Resource) BasicAuthorizerUserFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull) Response(javax.ws.rs.core.Response) BasicAuthorizerUserFullSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Example 4 with BasicAuthorizerRoleSimplifiedPermissions

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceHandler method getRoleFull.

private Response getRoleFull(String authorizerName, String roleName, boolean simplifyPermissions) {
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, storageUpdater.getCurrentRoleMapBytes(authorizerName));
    try {
        BasicAuthorizerRole role = roleMap.get(roleName);
        if (role == null) {
            throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
        }
        Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, storageUpdater.getCurrentUserMapBytes(authorizerName));
        Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, storageUpdater.getCurrentGroupMappingMapBytes(authorizerName));
        Set<String> users = new HashSet<>();
        for (BasicAuthorizerUser user : userMap.values()) {
            if (user.getRoles().contains(roleName)) {
                users.add(user.getName());
            }
        }
        Set<String> groupMappings = new HashSet<>();
        for (BasicAuthorizerGroupMapping group : groupMappingMap.values()) {
            if (group.getRoles().contains(roleName)) {
                groupMappings.add(group.getName());
            }
        }
        if (simplifyPermissions) {
            return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, users)).build();
        } else {
            BasicAuthorizerRoleFull roleFull = new BasicAuthorizerRoleFull(roleName, users, groupMappings, role.getPermissions());
            return Response.ok(roleFull).build();
        }
    } catch (BasicSecurityDBResourceException e) {
        return makeResponseForBasicSecurityDBResourceException(e);
    }
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicSecurityDBResourceException(org.apache.druid.security.basic.BasicSecurityDBResourceException) BasicAuthorizerRoleSimplifiedPermissions(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) BasicAuthorizerRoleFull(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) HashSet(java.util.HashSet)

Aggregations

BasicAuthorizerRole (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole)4 BasicAuthorizerRoleSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions)4 HashSet (java.util.HashSet)2 BasicSecurityDBResourceException (org.apache.druid.security.basic.BasicSecurityDBResourceException)2 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)2 BasicAuthorizerRoleFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull)2 BasicAuthorizerUser (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser)2 BasicAuthorizerUserFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull)2 BasicAuthorizerUserFullSimplifiedPermissions (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions)2 Response (javax.ws.rs.core.Response)1 BasicAuthorizerResource (org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource)1 BasicAuthorizerGroupMappingFull (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull)1 Resource (org.apache.druid.server.security.Resource)1 ResourceAction (org.apache.druid.server.security.ResourceAction)1 Test (org.junit.Test)1