Example 6 with AuthenticationResult
use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.
the class NativeQueryMaker method execute.
private <T> Sequence<Object[]> execute(Query<T> query, final List<String> newFields, final List<SqlTypeName> newTypes) {
Hook.QUERY_PLAN.run(query);
if (query.getId() == null) {
final String queryId = UUID.randomUUID().toString();
plannerContext.addNativeQueryId(queryId);
query = query.withId(queryId);
}
query = query.withSqlQueryId(plannerContext.getSqlQueryId());
final AuthenticationResult authenticationResult = plannerContext.getAuthenticationResult();
final Access authorizationResult = plannerContext.getAuthorizationResult();
final QueryLifecycle queryLifecycle = queryLifecycleFactory.factorize();
// After calling "runSimple" the query will start running. We need to do this before reading the toolChest, since
// otherwise it won't yet be initialized. (A bummer, since ideally, we'd verify the toolChest exists and can do
// array-based results before starting the query; but in practice we don't expect this to happen since we keep
// tight control over which query types we generate in the SQL layer. They all support array-based results.)
final Sequence<T> results = queryLifecycle.runSimple(query, authenticationResult, authorizationResult);
// noinspection unchecked
final QueryToolChest<T, Query<T>> toolChest = queryLifecycle.getToolChest();
final List<String> resultArrayFields = toolChest.resultArraySignature(query).getColumnNames();
final Sequence<Object[]> resultArrays = toolChest.resultsAsArrays(query, results);
return mapResultSequence(resultArrays, resultArrayFields, newFields, newTypes);
}
Also used :
QueryLifecycle(org.apache.druid.server.QueryLifecycle)
TimeseriesQuery(org.apache.druid.query.timeseries.TimeseriesQuery)
Query(org.apache.druid.query.Query)
DruidQuery(org.apache.druid.sql.calcite.rel.DruidQuery)
Access(org.apache.druid.server.security.Access)
NlsString(org.apache.calcite.util.NlsString)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Example 7 with AuthenticationResult
use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.
the class QueryResourceTest method testSecuredCancelQuery.
@Test(timeout = 60_000L)
public void testSecuredCancelQuery() throws Exception {
final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
final CountDownLatch waitFinishLatch = new CountDownLatch(2);
final CountDownLatch startAwaitLatch = new CountDownLatch(1);
final CountDownLatch cancelledCountDownLatch = new CountDownLatch(1);
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
EasyMock.replay(testServletRequest);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
// WRITE corresponds to cancellation of query
if (action.equals(Action.READ)) {
try {
// Countdown startAwaitLatch as we want query cancellation to happen
// after we enter isAuthorized method so that we can handle the
// InterruptedException here because of query cancellation
startAwaitLatch.countDown();
waitForCancellationLatch.await();
} catch (InterruptedException e) {
// When the query is cancelled the control will reach here,
// countdown the latch and rethrow the exception so that error response is returned for the query
cancelledCountDownLatch.countDown();
throw new RuntimeException(e);
}
return new Access(true);
} else {
return new Access(true);
}
}
};
}
};
queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
ObjectMapper mapper = new DefaultObjectMapper();
Query<?> query = mapper.readValue(queryString, Query.class);
ListenableFuture<?> future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
@Override
public void run() {
try {
Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes(StandardCharsets.UTF_8)), null, testServletRequest);
Assert.assertEquals(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode(), response.getStatus());
} catch (IOException e) {
throw new RuntimeException(e);
}
waitFinishLatch.countDown();
}
});
queryScheduler.registerQueryFuture(query, future);
startAwaitLatch.await();
Executors.newSingleThreadExecutor().submit(new Runnable() {
@Override
public void run() {
Response response = queryResource.cancelQuery("id_1", testServletRequest);
Assert.assertEquals(Response.Status.ACCEPTED.getStatusCode(), response.getStatus());
waitForCancellationLatch.countDown();
waitFinishLatch.countDown();
}
});
waitFinishLatch.await();
cancelledCountDownLatch.await();
}
Also used :
Action(org.apache.druid.server.security.Action)
Access(org.apache.druid.server.security.Access)
AuthConfig(org.apache.druid.server.security.AuthConfig)
QueryInterruptedException(org.apache.druid.query.QueryInterruptedException)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Authorizer(org.apache.druid.server.security.Authorizer)
AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper)
DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig)
DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory)
ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)
DefaultObjectMapper(org.apache.druid.jackson.DefaultObjectMapper)
Resource(org.apache.druid.server.security.Resource)
NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter)
IOException(java.io.IOException)
CountDownLatch(java.util.concurrent.CountDownLatch)
Response(javax.ws.rs.core.Response)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DefaultObjectMapper(org.apache.druid.jackson.DefaultObjectMapper)
Test(org.junit.Test)
Example 8 with AuthenticationResult
use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.
the class QueryResourceTest method testDenySecuredCancelQuery.
@Test(timeout = 60_000L)
public void testDenySecuredCancelQuery() throws Exception {
final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
final CountDownLatch waitFinishLatch = new CountDownLatch(2);
final CountDownLatch startAwaitLatch = new CountDownLatch(1);
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
EasyMock.expectLastCall().times(1);
EasyMock.replay(testServletRequest);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
// WRITE corresponds to cancellation of query
if (action.equals(Action.READ)) {
try {
waitForCancellationLatch.await();
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
return new Access(true);
} else {
// Deny access to cancel the query
return new Access(false);
}
}
};
}
};
queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
ObjectMapper mapper = new DefaultObjectMapper();
Query<?> query = mapper.readValue(queryString, Query.class);
ListenableFuture<?> future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
@Override
public void run() {
try {
startAwaitLatch.countDown();
Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes(StandardCharsets.UTF_8)), null, testServletRequest);
Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
} catch (IOException e) {
throw new RuntimeException(e);
}
waitFinishLatch.countDown();
}
});
queryScheduler.registerQueryFuture(query, future);
startAwaitLatch.await();
Executors.newSingleThreadExecutor().submit(new Runnable() {
@Override
public void run() {
try {
queryResource.cancelQuery("id_1", testServletRequest);
} catch (ForbiddenException e) {
waitForCancellationLatch.countDown();
waitFinishLatch.countDown();
}
}
});
waitFinishLatch.await();
}
Also used :
Action(org.apache.druid.server.security.Action)
Access(org.apache.druid.server.security.Access)
AuthConfig(org.apache.druid.server.security.AuthConfig)
QueryInterruptedException(org.apache.druid.query.QueryInterruptedException)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Authorizer(org.apache.druid.server.security.Authorizer)
AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper)
DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig)
DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory)
ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)
DefaultObjectMapper(org.apache.druid.jackson.DefaultObjectMapper)
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
Resource(org.apache.druid.server.security.Resource)
NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter)
IOException(java.io.IOException)
CountDownLatch(java.util.concurrent.CountDownLatch)
Response(javax.ws.rs.core.Response)
ByteArrayInputStream(java.io.ByteArrayInputStream)
DefaultObjectMapper(org.apache.druid.jackson.DefaultObjectMapper)
Test(org.junit.Test)
Example 9 with AuthenticationResult
use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.
the class DruidMeta method prepare.
@Override
public StatementHandle prepare(final ConnectionHandle ch, final String sql, final long maxRowCount) {
try {
final StatementHandle statement = createStatement(ch);
final DruidStatement druidStatement;
try {
druidStatement = getDruidStatement(statement);
} catch (NoSuchStatementException e) {
throw logFailure(new ISE(e, e.getMessage()));
}
final DruidConnection druidConnection = getDruidConnection(statement.connectionId);
AuthenticationResult authenticationResult = authenticateConnection(druidConnection);
if (authenticationResult == null) {
throw logFailure(new ForbiddenException("Authentication failed."), "Authentication failed for statement[%s]", druidStatement.getStatementId());
}
statement.signature = druidStatement.prepare(sql, maxRowCount, authenticationResult).getSignature();
LOG.debug("Successfully prepared statement[%s] for execution", druidStatement.getStatementId());
return statement;
} catch (NoSuchConnectionException e) {
throw e;
} catch (Throwable t) {
throw errorHandler.sanitize(t);
}
}
Also used :
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
NoSuchConnectionException(org.apache.calcite.avatica.NoSuchConnectionException)
NoSuchStatementException(org.apache.calcite.avatica.NoSuchStatementException)
ISE(org.apache.druid.java.util.common.ISE)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Example 10 with AuthenticationResult
use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.
the class ParallelIndexSupervisorTaskResourceTest method newRequest.
private static HttpServletRequest newRequest() {
final HttpServletRequest request = EasyMock.niceMock(HttpServletRequest.class);
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null);
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(new AuthenticationResult("test", "test", "test", Collections.emptyMap()));
EasyMock.replay(request);
return request;
}
Also used :
HttpServletRequest(javax.servlet.http.HttpServletRequest)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Aggregations
AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)58
Test (org.junit.Test)40
Response (javax.ws.rs.core.Response)25
Access (org.apache.druid.server.security.Access)17
HttpServletRequest (javax.servlet.http.HttpServletRequest)16
Resource (org.apache.druid.server.security.Resource)12
HashMap (java.util.HashMap)10
List (java.util.List)10
AuthConfig (org.apache.druid.server.security.AuthConfig)10
Authorizer (org.apache.druid.server.security.Authorizer)10
ImmutableList (com.google.common.collect.ImmutableList)9
Map (java.util.Map)9
HttpServletResponse (javax.servlet.http.HttpServletResponse)8
AuthorizerMapper (org.apache.druid.server.security.AuthorizerMapper)8
FilterChain (javax.servlet.FilterChain)7
Action (org.apache.druid.server.security.Action)7
ArrayList (java.util.ArrayList)6
Set (java.util.Set)6
TreeMap (java.util.TreeMap)6
DefaultObjectMapper (org.apache.druid.jackson.DefaultObjectMapper)6
