
Example 11 with BasicAuthorizerUser

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testDeleteAssignedRole.

/**
 * Deleting a role through the resource must detach it from every user and group mapping
 * that held it, not only remove the role entity itself.
 *
 * <p>Setup: one role, two users and two group mappings, all assigned {@code druidRole}.
 * Each principal is then read back before and after {@code deleteRole} so that the
 * cleanup of the assignments is asserted explicitly.
 */
@Test
public void testDeleteAssignedRole() {
    Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
    Assert.assertEquals(200, response.getStatus());

    for (String userName : ImmutableList.of("druid", "druid2")) {
        response = resource.createUser(req, AUTHORIZER_NAME, userName);
        Assert.assertEquals(200, response.getStatus());
    }
    for (String userName : ImmutableList.of("druid", "druid2")) {
        response = resource.assignRoleToUser(req, AUTHORIZER_NAME, userName, "druidRole");
        Assert.assertEquals(200, response.getStatus());
    }
    for (String mappingName : ImmutableList.of("druidGroupMapping", "druid2GroupMapping")) {
        response = resource.createGroupMapping(req, AUTHORIZER_NAME, mappingName, new BasicAuthorizerGroupMapping(mappingName, "", new HashSet<>()));
        Assert.assertEquals(200, response.getStatus());
    }
    for (String mappingName : ImmutableList.of("druidGroupMapping", "druid2GroupMapping")) {
        response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, mappingName, "druidRole");
        Assert.assertEquals(200, response.getStatus());
    }

    // Before deletion: every user and group mapping reports the role, and the role exists
    // with no permissions attached.
    for (String userName : ImmutableList.of("druid", "druid2")) {
        response = resource.getUser(req, AUTHORIZER_NAME, userName, null, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerUser(userName, ImmutableSet.of("druidRole")), response.getEntity());
    }
    for (String mappingName : ImmutableList.of("druidGroupMapping", "druid2GroupMapping")) {
        response = resource.getGroupMapping(req, AUTHORIZER_NAME, mappingName, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerGroupMapping(mappingName, "", ImmutableSet.of("druidRole")), response.getEntity());
    }
    response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
    Assert.assertEquals(200, response.getStatus());
    Assert.assertEquals(new BasicAuthorizerRole("druidRole", ImmutableList.of()), response.getEntity());

    response = resource.deleteRole(req, AUTHORIZER_NAME, "druidRole");
    Assert.assertEquals(200, response.getStatus());

    // After deletion: the assignments are gone from both users and both group mappings.
    for (String userName : ImmutableList.of("druid", "druid2")) {
        response = resource.getUser(req, AUTHORIZER_NAME, userName, null, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerUser(userName, ImmutableSet.of()), response.getEntity());
    }
    for (String mappingName : ImmutableList.of("druidGroupMapping", "druid2GroupMapping")) {
        response = resource.getGroupMapping(req, AUTHORIZER_NAME, mappingName, null);
        Assert.assertEquals(200, response.getStatus());
        Assert.assertEquals(new BasicAuthorizerGroupMapping(mappingName, "", ImmutableSet.of()), response.getEntity());
    }
}

Example 12 with BasicAuthorizerUser

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testCreateDeleteUser.

// user tests
/**
 * Creating and then deleting a user must be reflected in the persisted user map.
 *
 * <p>The expected map is derived from {@code BASE_USER_MAP} and mutated in step with the
 * updater; the actual map is deserialized from the updater's current bytes after each call.
 */
@Test
public void testCreateDeleteUser() {
    updater.createUser(AUTHORIZER_NAME, "druid");

    Map<String, BasicAuthorizerUser> expected = new HashMap<>(BASE_USER_MAP);
    expected.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of()));
    Map<String, BasicAuthorizerUser> actual = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expected, actual);

    // Removing the user must bring the stored map back to the baseline.
    updater.deleteUser(AUTHORIZER_NAME, "druid");
    expected.remove("druid");
    actual = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expected, actual);
}

Example 13 with BasicAuthorizerUser

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddAndRemoveRoleToUser.

// role, user, and group mapping tests
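/**
 * Assigning and unassigning a role must update the stored user map while leaving the
 * role map untouched.
 *
 * <p>Both maps are re-read from the updater after {@code unassignUserRole}: the original
 * version compared the role-map snapshot taken <em>before</em> the unassignment, so the
 * final role-map assertion could never fail and did not cover the post-unassign state.
 */
@Test
public void testAddAndRemoveRoleToUser() {
    updater.createUser(AUTHORIZER_NAME, "druid");
    updater.createRole(AUTHORIZER_NAME, "druidRole");
    updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");

    Map<String, BasicAuthorizerUser> expectedUserMap = new HashMap<>(BASE_USER_MAP);
    expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole")));
    Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
    expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of()));

    Map<String, BasicAuthorizerUser> actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedUserMap, actualUserMap);
    Assert.assertEquals(expectedRoleMap, actualRoleMap);

    updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
    expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of()));
    actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
    // Re-read the role map so the assertion below checks the state after unassignment,
    // not the stale snapshot captured above.
    actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
    Assert.assertEquals(expectedUserMap, actualUserMap);
    Assert.assertEquals(expectedRoleMap, actualRoleMap);
}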

Example 14 with BasicAuthorizerUser

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser in project druid by druid-io.

the class LDAPRoleProvider method getRoles.

/**
 * Resolves the role names that apply to an authenticated LDAP identity.
 *
 * <p>Two sources are merged. First, when the authentication context carries a
 * {@link SearchResult} under {@code BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY}, the user's
 * LDAP groups are looked up and translated into roles via the authorizer's group-mapping
 * map. Second, roles assigned directly to the identity in the authorizer's user map are
 * added regardless of group membership. A {@link NamingException} during the group lookup
 * is logged at error level and only the group-derived roles are lost; the directly
 * assigned roles are still returned.
 *
 * @param authorizerPrefix     name of the authorizer whose cached maps are consulted
 * @param authenticationResult authenticated principal; its identity and context are read
 * @return the union of group-mapped and directly assigned role names, possibly empty
 * @throws IAE if the group-mapping map or the user map cannot be loaded from the cache
 */
@Override
public Set<String> getRoles(String authorizerPrefix, AuthenticationResult authenticationResult) {
    Map<String, BasicAuthorizerGroupMapping> groupMappings = cacheManager.getGroupMappingMap(authorizerPrefix);
    if (groupMappings == null) {
        throw new IAE("Could not load groupMappingMap for authorizer [%s]", authorizerPrefix);
    }
    Map<String, BasicAuthorizerUser> users = cacheManager.getUserMap(authorizerPrefix);
    if (users == null) {
        throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix);
    }

    Set<String> resolved = new HashSet<>();
    String identity = authenticationResult.getIdentity();

    // The LDAP search result is expected under SEARCH_RESULT_CONTEXT_KEY in the
    // authentication context; a missing context, missing key or a value of another
    // type all mean "no group information available".
    SearchResult searchResult = Optional.ofNullable(authenticationResult.getContext())
        .map(context -> context.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY))
        .filter(value -> value instanceof SearchResult)
        .map(value -> (SearchResult) value)
        .orElse(null);

    if (searchResult != null) {
        try {
            Set<LdapName> ldapGroups = getGroupsFromLdap(searchResult);
            if (!ldapGroups.isEmpty()) {
                // Translate LDAP group names into the roles the metastore maps them to.
                resolved.addAll(getRoles(groupMappings, ldapGroups));
            } else {
                LOG.debug("User %s is not mapped to any groups", identity);
            }
        } catch (NamingException e) {
            // Group resolution failed; continue with only the directly assigned roles.
            LOG.error(e, "Exception in looking up groups for user %s", identity);
        }
    }

    // Roles granted to the user directly in the metastore, independent of LDAP groups.
    BasicAuthorizerUser user = users.get(identity);
    if (user != null) {
        resolved.addAll(user.getRoles());
    }
    return resolved;
}

Example 15 with BasicAuthorizerUser

use of org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method deleteRoleOnce.

/**
 * Makes one attempt to delete a role and detach it from every user and group mapping.
 *
 * <p>The current role, user and group-mapping maps are read and deserialized, the role is
 * removed from the role map and from each user's and each group mapping's role set, and
 * the results are written back with {@code tryUpdateUserAndRoleMap} followed by
 * {@code tryUpdateGroupMappingAndRoleMap}. The second write passes the freshly serialized
 * role map as both its "old" and "new" value, because the first write has already
 * installed it.
 *
 * <p>NOTE(review): the two writes are not a single atomic step. If the first one succeeds
 * and the second reports {@code false}, the user map and role map have presumably already
 * lost the role while the group-mapping map has not; confirm how the caller treats a
 * {@code false} return before relying on a retry.
 *
 * @param prefix   authorizer name whose maps are updated
 * @param roleName role to delete
 * @return {@code true} only if both map updates reported success
 * @throws BasicSecurityDBResourceException if the role is not present in the role map
 */
private boolean deleteRoleOnce(String prefix, String roleName) {
    byte[] roleMapBefore = getCurrentRoleMapBytes(prefix);
    Map<String, BasicAuthorizerRole> roles = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBefore);
    if (roles.get(roleName) == null) {
        throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName);
    }
    roles.remove(roleName);

    // Strip the role from every user that currently holds it.
    byte[] userMapBefore = getCurrentUserMapBytes(prefix);
    Map<String, BasicAuthorizerUser> users = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBefore);
    users.values().forEach(user -> user.getRoles().remove(roleName));
    byte[] userMapAfter = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, users);

    // Strip the role from every group mapping that currently holds it.
    byte[] groupMapBefore = getCurrentGroupMappingMapBytes(prefix);
    Map<String, BasicAuthorizerGroupMapping> groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMapBefore);
    groupMappings.values().forEach(mapping -> mapping.getRoles().remove(roleName));
    byte[] groupMapAfter = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappings);

    byte[] roleMapAfter = BasicAuthUtils.serializeAuthorizerRoleMap(objectMapper, roles);

    boolean usersUpdated = tryUpdateUserAndRoleMap(prefix, users, userMapBefore, userMapAfter, roles, roleMapBefore, roleMapAfter);
    // Short-circuit: the group-mapping write is only attempted when the first write succeeded.
    return usersUpdated
        && tryUpdateGroupMappingAndRoleMap(prefix, groupMappings, groupMapBefore, groupMapAfter, roles, roleMapAfter, roleMapAfter);
}
