
Example 26 with AuthenticationResult

use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.

@Test
public void testAuthGroupMappingPatternLeftMask() {
    // Both group mappings carry a leading "*," wildcard, so a member DN matches on its suffix.
    // The admin mapping grants READ and WRITE on testResource; the user mapping grants READ only.
    // adminSearchResult / userSearchResult are LDAP search fixtures set up elsewhere in this test class.
    final Resource testResource = new Resource("testResource", ResourceType.DATASOURCE);
    final Resource wrongResource = new Resource("wrongResource", ResourceType.DATASOURCE);

    // Admin mapping -> adminDruidRole (READ + WRITE).
    BasicAuthorizerGroupMapping adminGroupMapping = new BasicAuthorizerGroupMapping(
        "adminGrroupMapping",
        "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        "adminDruidRole",
        Arrays.asList(
            new ResourceAction(testResource, Action.WRITE),
            new ResourceAction(testResource, Action.READ)
        )
    );

    // User mapping -> userDruidRole (READ only).
    BasicAuthorizerGroupMapping userGroupMapping = new BasicAuthorizerGroupMapping(
        "userGrroupMapping",
        "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        "userDruidRole",
        Collections.singletonList(new ResourceAction(testResource, Action.READ))
    );

    // Authenticate as the admin; the LDAP search result travels in the authentication context.
    Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult adminAuth = new AuthenticationResult("druidadmin", "druid", null, adminContext);

    Assert.assertTrue(ldapAuthorizer.authorize(adminAuth, testResource, Action.READ).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(adminAuth, testResource, Action.WRITE).isAllowed());
    // No role grants anything on wrongResource, so the admin is denied there too.
    Assert.assertFalse(ldapAuthorizer.authorize(adminAuth, wrongResource, Action.WRITE).isAllowed());

    // Authenticate as the plain user with its own search result.
    Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult userAuth = new AuthenticationResult("druiduser", "druid", null, userContext);

    // READ-only role: WRITE must be refused even on the granted datasource.
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, testResource, Action.WRITE).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(userAuth, testResource, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(userAuth, wrongResource, Action.READ).isAllowed());
}

Example 27 with AuthenticationResult

use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.

@Test
public void testAuthGroupMapping() {
    // Exact-DN group mapping (no wildcard): the admin DN maps to druidRole, which holds WRITE on testResource.
    // adminSearchResult is an LDAP search fixture set up elsewhere in this test class.
    final String roleName = "druidRole";
    final String mappingName = "druidGroupMapping";

    updater.createGroupMapping(
        LDAP_AUTHORIZER_NAME,
        new BasicAuthorizerGroupMapping(mappingName, "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null)
    );
    updater.createRole(LDAP_AUTHORIZER_NAME, roleName);
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, mappingName, roleName);
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        roleName,
        Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE))
    );

    Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult adminAuth = new AuthenticationResult("druidadmin", "druid", null, adminContext);

    // WRITE is permitted on the granted datasource and denied on an unrelated one.
    Access granted = ldapAuthorizer.authorize(adminAuth, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(granted.isAllowed());
    Access denied = ldapAuthorizer.authorize(adminAuth, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(denied.isAllowed());
}

Example 28 with AuthenticationResult

use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.

the class Pac4jFilter method doFilter.

/**
 * Servlet filter entry point for pac4j (OIDC) authentication.
 *
 * <p>Requests already carrying a Druid authentication result are passed through untouched. The pac4j
 * callback URL is handed to {@code callbackLogic} and the chain is not continued. Every other request
 * runs through {@code securityLogic}; when that yields a user id, an {@link AuthenticationResult} is
 * attached to the request and the chain continues, otherwise the method returns without continuing it.
 *
 * @param servletRequest  the incoming request; cast to {@link HttpServletRequest}
 * @param servletResponse the response; cast to {@link HttpServletResponse}
 * @param filterChain     the remaining filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
    // An earlier authenticator in the chain may already have produced a result; running pac4j again
    // could issue an HTTP redirect for a request that is already authenticated, so pass it straight on.
    if (servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) != null) {
        filterChain.doFilter(servletRequest, servletResponse);
        return;
    }

    final HttpServletRequest request = (HttpServletRequest) servletRequest;
    final HttpServletResponse response = (HttpServletResponse) servletResponse;
    final J2EContext webContext = new J2EContext(request, response, sessionStore);

    // The OIDC callback URL is handled entirely by pac4j's callback logic; the chain is not continued.
    if (Pac4jCallbackResource.SELF_URL.equals(request.getRequestURI())) {
        callbackLogic.perform(webContext, pac4jConfig, NOOP_HTTP_ACTION_ADAPTER, "/", true, false, false, null);
        return;
    }

    // The access adapter reduces the authenticated profiles to a single user id (the first profile),
    // or null when pac4j produced none.
    final String uid = securityLogic.perform(
        webContext,
        pac4jConfig,
        (J2EContext ctx, Collection<CommonProfile> profiles, Object... parameters) -> {
            if (!profiles.isEmpty()) {
                return profiles.iterator().next().getId();
            }
            LOGGER.warn("No profiles found after OIDC auth.");
            return null;
        },
        NOOP_HTTP_ACTION_ADAPTER, null, null, null, null
    );

    if (uid == null) {
        // Nothing is written to the response here and the chain is not continued. NOTE(review): presumably
        // pac4j's SecurityLogic has already written the redirect/error to the response — confirm against pac4j.
        return;
    }

    // Publish the identity for the authorizers downstream, tagged with this filter's authorizer and name.
    servletRequest.setAttribute(
        AuthConfig.DRUID_AUTHENTICATION_RESULT,
        new AuthenticationResult(uid, authorizerName, name, null)
    );
    filterChain.doFilter(servletRequest, servletResponse);
}

Example 29 with AuthenticationResult

use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuth.

@Test
public void testAuth() {
    // Direct user -> role assignment (no group mapping) in the metadata-store authorizer:
    // user "druid" holds druidRole, which grants WRITE on testResource only.
    final String userName = "druid";
    final String roleName = "druidRole";

    updater.createUser(DB_AUTHORIZER_NAME, userName);
    updater.createRole(DB_AUTHORIZER_NAME, roleName);
    updater.assignUserRole(DB_AUTHORIZER_NAME, userName, roleName);
    updater.setPermissions(
        DB_AUTHORIZER_NAME,
        roleName,
        Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE))
    );

    // No authenticator name and no context are needed for the DB-backed authorizer.
    AuthenticationResult userAuth = new AuthenticationResult(userName, "druid", null, null);

    Access granted = authorizer.authorize(userAuth, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(granted.isAllowed());
    Access denied = authorizer.authorize(userAuth, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(denied.isAllowed());
}

Example 30 with AuthenticationResult

use of org.apache.druid.server.security.AuthenticationResult in project druid by druid-io.

the class LDAPCredentialsValidator method validateCredentials.

/**
 * Validates a username/password pair against LDAP, consulting a local credential cache first.
 *
 * <p>On a cache hit whose stored salted hash matches {@code password}, no LDAP round trip is made.
 * Otherwise the user is looked up with the configured bind credentials and the password is verified
 * with {@code validatePassword}; on success a fresh salt + hash (never the plaintext) is cached.
 *
 * @param authenticatorName name recorded on the returned result
 * @param authorizerName    authorizer recorded on the returned result
 * @param username          the user to authenticate
 * @param password          the supplied password; hashed for the cache, not stored in clear
 * @return an {@link AuthenticationResult} carrying the LDAP {@link SearchResult} under
 *         {@code BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY}; {@code null} when the user is not found
 *         or the LDAP lookup fails with a {@link NamingException}
 * @throws BasicSecurityAuthenticationException when the user exists but the password is rejected
 *         (note the asymmetry: unknown user yields {@code null}, wrong password throws — how the
 *         caller treats the two is not visible here)
 */
@Override
public AuthenticationResult validateCredentials(String authenticatorName, String authorizerName, String username, char[] password) {
    Map<String, Object> resultContext = new HashMap<>();

    // Fast path: an unexpired cache entry whose stored hash matches this password.
    LdapUserPrincipal cached = this.cache.getOrExpire(username);
    if (cached != null && cached.hasSameCredentials(password)) {
        resultContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, cached.getSearchResult());
        return new AuthenticationResult(username, authorizerName, authenticatorName, resultContext);
    }

    // Slow path: find the user entry in LDAP using the configured bind credentials.
    SearchResult ldapUser;
    LdapName ldapUserDn;
    ClassLoader savedClassLoader = Thread.currentThread().getContextClassLoader();
    try {
        // Run the JNDI lookup with this class's loader as the context loader so that
        // BasicSecuritySSLSocketFactory is resolvable by the LDAP provider.
        Thread.currentThread().setContextClassLoader(this.getClass().getClassLoader());
        InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig));
        try {
            ldapUser = getLdapUserObject(this.ldapConfig, dirContext, username);
            if (ldapUser == null) {
                LOG.debug("User not found: %s", username);
                return null;
            }
            ldapUserDn = new LdapName(ldapUser.getNameInNamespace());
        } finally {
            try {
                dirContext.close();
            } catch (Exception ignored) {
                // best-effort close; a failure here must not mask the lookup outcome
            }
        }
    } catch (NamingException e) {
        LOG.error(e, "Exception during user lookup");
        return null;
    } finally {
        // Always restore the caller's context classloader, whatever the lookup did.
        Thread.currentThread().setContextClassLoader(savedClassLoader);
    }

    // Verify the password against the resolved DN; a rejection is an authentication failure.
    if (!validatePassword(this.ldapConfig, ldapUserDn, password)) {
        LOG.debug("Password incorrect for LDAP user %s", username);
        throw new BasicSecurityAuthenticationException("User LDAP authentication failed.");
    }

    // Cache a freshly salted, iterated hash of the password so later requests can skip LDAP.
    int iterations = this.ldapConfig.getCredentialIterations();
    byte[] salt = BasicAuthUtils.generateSalt();
    byte[] hash = BasicAuthUtils.hashPassword(password, salt, iterations);
    BasicAuthenticatorCredentials cachedCredentials = new BasicAuthenticatorCredentials(salt, hash, iterations);
    this.cache.put(username, new LdapUserPrincipal(username, cachedCredentials, ldapUser));

    resultContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, ldapUser);
    return new AuthenticationResult(username, authorizerName, authenticatorName, resultContext);
}
