
Example 31 with Access

use of org.apache.druid.server.security.Access in project druid by druid-io.

the class SeekableStreamIndexTaskRunnerAuthTest method setUp.

@Before
public void setUp() {
    // Authorizer fixture: DATASOURCE resources are granted only to the two fixed identities
    // (the read user may READ, the write user may WRITE). Any other resource type, and any
    // other identity/action pairing, is denied.
    final AuthorizerMapper datasourceOnlyMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return (authenticationResult, resource, action) -> {
                if (!resource.getType().equals(ResourceType.DATASOURCE)) {
                    // Non-datasource resources are never accessible in this test.
                    return new Access(false);
                }
                final String identity = authenticationResult.getIdentity();
                final boolean readGranted = action == Action.READ && identity.equals(Users.DATASOURCE_READ);
                final boolean writeGranted = action == Action.WRITE && identity.equals(Users.DATASOURCE_WRITE);
                return new Access(readGranted || writeGranted);
            };
        }
    };

    // Minimal schema: no dimensions, no aggregators, all-granularity with no intervals.
    final DataSchema schema = new DataSchema(
        "datasource",
        new TimestampSpec(null, null, null),
        new DimensionsSpec(Collections.emptyList()),
        new AggregatorFactory[] {},
        new ArbitraryGranularitySpec(new AllGranularity(), Collections.emptyList()),
        TransformSpec.NONE,
        null,
        null
    );
    final SeekableStreamIndexTaskTuningConfig tuning = mock(SeekableStreamIndexTaskTuningConfig.class);
    final SeekableStreamIndexTaskIOConfig<String, String> io = new TestSeekableStreamIndexTaskIOConfig();

    // Initialize the task and the runner under test with the restrictive authorizer above.
    final SeekableStreamIndexTask<String, String, ByteEntity> task =
        new TestSeekableStreamIndexTask("id", schema, tuning, io);
    taskRunner = new TestSeekableStreamIndexTaskRunner(task, datasourceOnlyMapper);
}

Example 32 with Access

use of org.apache.druid.server.security.Access in project druid by druid-io.

the class QueryResourceTest method testSecuredQuery.

@Test
public void testSecuredQuery() throws Exception {
    // Request carries an authentication result but no prior authorization marker; the
    // resource is expected to set DRUID_AUTHORIZATION_CHECKED once to false (denied) and
    // once to true (allowed) across the two doPost calls below.
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
    EasyMock.expectLastCall().times(1);
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
    EasyMock.expectLastCall().times(1);
    EasyMock.replay(testServletRequest);

    // Authorizer that permits exactly one resource name, "allow", and denies everything else.
    final AuthorizerMapper allowOnlyMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return (authenticationResult, resource, action) -> new Access("allow".equals(resource.getName()));
        }
    };

    final QueryLifecycleFactory lifecycleFactory = new QueryLifecycleFactory(
        WAREHOUSE,
        TEST_SEGMENT_WALKER,
        new DefaultGenericQueryMetricsFactory(),
        new NoopServiceEmitter(),
        testRequestLogger,
        new AuthConfig(),
        allowOnlyMapper,
        Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))
    );
    queryResource = new QueryResource(
        lifecycleFactory,
        jsonMapper,
        smileMapper,
        queryScheduler,
        new AuthConfig(),
        allowOnlyMapper,
        ResponseContextConfig.newConfig(true),
        DRUID_NODE
    );

    // A query against a datasource the authorizer does not permit must be rejected.
    try {
        queryResource.doPost(
            new ByteArrayInputStream(SIMPLE_TIMESERIES_QUERY.getBytes(StandardCharsets.UTF_8)),
            null /* pretty */,
            testServletRequest
        );
        Assert.fail("doPost did not throw ForbiddenException for an unauthorized query");
    } catch (ForbiddenException expected) {
        // Denied as intended; nothing further to assert on the exception itself.
    }

    // The same request against the permitted datasource succeeds with an empty result set.
    final byte[] allowedQuery = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes(StandardCharsets.UTF_8);
    final Response response = queryResource.doPost(new ByteArrayInputStream(allowedQuery), null /* pretty */, testServletRequest);
    final ByteArrayOutputStream body = new ByteArrayOutputStream();
    ((StreamingOutput) response.getEntity()).write(body);
    final List<Result<TimeBoundaryResultValue>> results = jsonMapper.readValue(
        body.toByteArray(),
        new TypeReference<List<Result<TimeBoundaryResultValue>>>() {
        }
    );
    Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
    Assert.assertEquals(0, results.size());

    // Exactly one native query was logged, marked successful and attributed to the "druid" identity.
    Assert.assertEquals(1, testRequestLogger.getNativeQuerylogs().size());
    final Map<String, Object> stats = testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats();
    Assert.assertEquals(true, stats.get("success"));
    Assert.assertEquals("druid", stats.get("identity"));
}

Example 33 with Access

use of org.apache.druid.server.security.Access in project druid by druid-io.

the class ResourceFilterTestHelper method setUpMockExpectations.

/**
 * Programs the shared {@code request}, {@code req} and {@code authorizerMapper} mocks so that a
 * resource filter sees a request for {@code requestPath} using {@code requestMethod}, authenticated
 * as identity "druid", and an authorizer whose verdict is fixed to {@code authCheckResult}.
 *
 * @param requestPath     path the mocked request reports; split on "/" to build its segments
 * @param authCheckResult verdict returned by the mocked authorizer for every resource/action, and the
 *                        value expected to be stored under DRUID_AUTHORIZATION_CHECKED
 * @param requestMethod   HTTP method the mocked request reports
 */
public void setUpMockExpectations(String requestPath, boolean authCheckResult, String requestMethod) {
    EasyMock.expect(request.getPath()).andReturn(requestPath).anyTimes();
    final List<String> rawSegments = Arrays.asList(requestPath.split("/"));
    EasyMock.expect(request.getPathSegments())
            .andReturn(ImmutableList.copyOf(Iterables.transform(rawSegments, input -> segmentOf(input))))
            .anyTimes();
    EasyMock.expect(request.getMethod()).andReturn(requestMethod).anyTimes();

    // No bypass flag and no prior authorization marker on the servlet request.
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
    final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(druidIdentity).atLeastOnce();
    req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, authCheckResult);
    EasyMock.expectLastCall().anyTimes();

    // Whatever authorizer name the filter asks for, it gets one with a constant verdict.
    final Authorizer constantVerdict = new Authorizer() {

        @Override
        public Access authorize(AuthenticationResult authenticationResult1, Resource resource, Action action) {
            return new Access(authCheckResult);
        }
    };
    EasyMock.expect(authorizerMapper.getAuthorizer(EasyMock.anyString())).andReturn(constantVerdict).atLeastOnce();
}

/**
 * Builds a {@link PathSegment} whose path is {@code path} and which reports no matrix parameters.
 *
 * @param path the segment text
 * @return a segment returning {@code path} from {@code getPath()} and {@code null} matrix parameters
 */
private static PathSegment segmentOf(final String path) {
    return new PathSegment() {

        @Override
        public String getPath() {
            return path;
        }

        @Override
        public MultivaluedMap<String, String> getMatrixParameters() {
            return null;
        }
    };
}

Example 34 with Access

use of org.apache.druid.server.security.Access in project druid by druid-io.

the class SqlLifecycle method validateAndAuthorize.

/**
 * Validates the SQL query and authorizes it against every resource action the validation step
 * collected, using the authentication result carried by the given request. Like
 * {@link #validateAndAuthorize(AuthenticationResult)} but for a {@link HttpServletRequest}.
 *
 * If successful, the lifecycle transitions from {@link State#INITIALIZED} to
 * {@link State#AUTHORIZING} and then to either {@link State#AUTHORIZED} or {@link State#UNAUTHORIZED}.
 *
 * @param req the incoming request; its authentication result is extracted via
 *            {@link AuthorizationUtils#authenticationResultFromRequest}
 */
public void validateAndAuthorize(HttpServletRequest req) {
    transition(State.INITIALIZED, State.AUTHORIZING);
    final AuthenticationResult authenticationResult = AuthorizationUtils.authenticationResultFromRequest(req);
    validate(authenticationResult);
    // validationResult is read after validate() above, which is expected to populate it.
    final Access authorization = AuthorizationUtils.authorizeAllResourceActions(
        req,
        validationResult.getResourceActions(),
        plannerFactory.getAuthorizerMapper()
    );
    checkAccess(doAuthorize(authorization));
}

Example 35 with Access

use of org.apache.druid.server.security.Access in project druid by druid-io.

the class SqlResource method cancelQuery.

/**
 * Cancels every SQL lifecycle registered under {@code sqlQueryId}, provided the caller is
 * authorized for all resource actions those lifecycles require.
 *
 * @param sqlQueryId the SQL query id from the path
 * @param req        the request used to authenticate and authorize the caller
 * @return 404 if no lifecycle is registered under the id, 403 if authorization is denied for the
 *         union of required resource actions, otherwise 202 after the snapshot has been cancelled
 */
@DELETE
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
public Response cancelQuery(@PathParam("id") String sqlQueryId, @Context final HttpServletRequest req) {
    log.debug("Received cancel request for query [%s]", sqlQueryId);
    final List<SqlLifecycle> snapshot = sqlLifecycleManager.getAll(sqlQueryId);
    if (snapshot.isEmpty()) {
        // The existence check runs before authorization, so an unknown id yields 404 rather than 403.
        return Response.status(Status.NOT_FOUND).build();
    }

    // Authorize against the union of every resource action any matching lifecycle requires, so the
    // caller must be permitted on all of them before any of the queries is cancelled.
    final Set<ResourceAction> requiredActions = snapshot.stream()
        .flatMap(lifecycle -> lifecycle.getRequiredResourceActions().stream())
        .collect(Collectors.toSet());
    final Access access = AuthorizationUtils.authorizeAllResourceActions(req, requiredActions, authorizerMapper);
    if (!access.isAllowed()) {
        return Response.status(Status.FORBIDDEN).build();
    }

    // Remove and cancel only the lifecycles captured in the snapshot above.
    sqlLifecycleManager.removeAll(sqlQueryId, snapshot);
    snapshot.forEach(SqlLifecycle::cancel);
    return Response.status(Status.ACCEPTED).build();
}
