
Example 1 with Authenticator

use of org.apache.druid.server.security.Authenticator in project druid by druid-io.

the class MiddleManagerJettyServerInitializer method initialize.

/**
 * Builds the servlet context for this server: registers the default servlet, adds the
 * security-related filters, and installs the resulting handler list on {@code server}.
 *
 * <p>NOTE(review): the helper calls below appear to register servlet filters on {@code root}
 * in call order. If so, moving a line changes which checks run before authentication, so
 * confirm against AuthenticationUtils / JettyServerInitUtils before reordering anything.
 *
 * @param server   Jetty server that receives the assembled handler list
 * @param injector Guice injector used to look up AuthConfig, the {@code @Json} ObjectMapper
 *                 and AuthenticatorMapper
 */
@Override
public void initialize(Server server, Injector injector) {
    final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
    // Default servlet is mapped to every path; the filters added below are what gate access.
    root.addServlet(new ServletHolder(new DefaultServlet()), "/*");
    final AuthConfig authConfig = injector.getInstance(AuthConfig.class);
    final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
    final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
    // First security helper called, ahead of every authenticator. Its behaviour lives in
    // AuthenticationUtils and is not visible here (presumably it rejects requests that
    // arrive with auth state already set; confirm).
    AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
    // perform no-op authorization/authentication for these resources
    // Two sources of exempt paths: the UNSECURED_PATHS constant (declared outside this method)
    // and the operator-supplied list from AuthConfig. Every path in either list is served
    // without credentials, so changes to either list deserve a security review.
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
    // The same authenticator list is reused further down for the pre-response check.
    final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
    AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
    // Whether HTTP OPTIONS requests may skip authentication is a configuration switch.
    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
    // serverConfig is not declared in this method (presumably a field of the class).
    JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
    // Extension-provided filters are added after the authentication chain and before the
    // pre-response authorization check.
    JettyServerInitUtils.addExtensionFilters(root, injector);
    // Check that requests were authorized before sending responses
    AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
    // GuiceFilter is the last filter registered, after all of the security helpers above.
    root.addFilter(GuiceFilter.class, "/*", null);
    final HandlerList handlerList = new HandlerList();
    // Handler order: request log handler, then the gzip-wrapped servlet context, then DefaultHandler.
    handlerList.setHandlers(new Handler[] { JettyServerInitUtils.getJettyRequestLogHandler(), JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()), new DefaultHandler() });
    server.setHandler(handlerList);
}
Also used : AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) HandlerList(org.eclipse.jetty.server.handler.HandlerList) ServletHolder(org.eclipse.jetty.servlet.ServletHolder) DefaultServlet(org.eclipse.jetty.servlet.DefaultServlet) AuthConfig(org.apache.druid.server.security.AuthConfig) Json(org.apache.druid.guice.annotations.Json) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Authenticator(org.apache.druid.server.security.Authenticator) DefaultHandler(org.eclipse.jetty.server.handler.DefaultHandler)

Example 2 with Authenticator

use of org.apache.druid.server.security.Authenticator in project druid by druid-io.

the class QueryJettyServerInitializer method initialize.

/**
 * Builds the servlet context for this server: optionally adds a request-limit filter, adds the
 * security-related filters, and installs a StatisticsHandler that wraps the handler list on
 * {@code server}.
 *
 * <p>NOTE(review): the helper calls below appear to register servlet filters on {@code root}
 * in call order. If so, moving a line changes which checks run before authentication, so
 * confirm against AuthenticationUtils / JettyServerInitUtils before reordering anything.
 *
 * @param server   Jetty server whose existing handlers are kept and which receives the new handler
 * @param injector Guice injector used to look up the {@code @Json} ObjectMapper and AuthenticatorMapper
 */
@Override
public void initialize(Server server, Injector injector) {
    final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
    // Default servlet is mapped to every path; the filters added below are what gate access.
    root.addServlet(new ServletHolder(new DefaultServlet()), "/*");
    // Add LimitRequestsFilter as first in the chain if enabled.
    // When enabled it is registered before the security helpers, so it is added ahead of the
    // authentication filters. serverConfig is not declared in this method (presumably a field).
    if (serverConfig.isEnableRequestLimit()) {
        // To reject xth request, limit should be set to x-1 because (x+1)st request wouldn't reach filter
        // but rather wait on jetty queue.
        // numThreads must be at least 2, otherwise the limit below (numThreads - 1) would be 0.
        Preconditions.checkArgument(serverConfig.getNumThreads() > 1, "numThreads must be > 1 to enable Request Limit Filter.");
        log.info("Enabling Request Limit Filter with limit [%d].", serverConfig.getNumThreads() - 1);
        root.addFilter(new FilterHolder(new LimitRequestsFilter(serverConfig.getNumThreads() - 1)), "/*", null);
    }
    final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
    final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
    // First security helper called, ahead of every authenticator. Its behaviour lives in
    // AuthenticationUtils and is not visible here (presumably it rejects requests that
    // arrive with auth state already set; confirm).
    AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
    // perform no-op authentication/authorization for these resources
    // Two sources of exempt paths: the UNSECURED_PATHS constant and the list from authConfig
    // (neither is declared in this method). Every path in either list is served without
    // credentials, so changes to either list deserve a security review.
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
    // The same authenticator list is reused further down for the pre-response check.
    List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
    AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
    // Whether HTTP OPTIONS requests may skip authentication is a configuration switch.
    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
    JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
    // Extension-provided filters are added after the authentication chain and before the
    // pre-response authorization check.
    JettyServerInitUtils.addExtensionFilters(root, injector);
    // Check that requests were authorized before sending responses
    AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
    // GuiceFilter is the last filter registered, after all of the security helpers above.
    root.addFilter(GuiceFilter.class, "/*", null);
    final HandlerList handlerList = new HandlerList();
    // Do not change the order of the handlers that have already been added
    for (Handler handler : server.getHandlers()) {
        handlerList.addHandler(handler);
    }
    handlerList.addHandler(JettyServerInitUtils.getJettyRequestLogHandler());
    // Add all extension handlers
    // extensionHandlers is not declared in this method. These handlers are added to the list
    // before the gzip-wrapped servlet context that carries the filters registered above.
    // NOTE(review): if the list dispatches in order, an extension handler that answers a
    // request would do so before those filters run; confirm extension handlers are trusted.
    for (Handler handler : extensionHandlers) {
        handlerList.addHandler(handler);
    }
    // Add Gzip handler at the very end
    handlerList.addHandler(JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()));
    // The whole handler list is wrapped in a StatisticsHandler, which becomes the server's handler.
    final StatisticsHandler statisticsHandler = new StatisticsHandler();
    statisticsHandler.setHandler(handlerList);
    server.setHandler(statisticsHandler);
}
Also used : HandlerList(org.eclipse.jetty.server.handler.HandlerList) FilterHolder(org.eclipse.jetty.servlet.FilterHolder) ServletHolder(org.eclipse.jetty.servlet.ServletHolder) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) Handler(org.eclipse.jetty.server.Handler) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) Json(org.apache.druid.guice.annotations.Json) AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) LimitRequestsFilter(org.apache.druid.server.initialization.jetty.LimitRequestsFilter) DefaultServlet(org.eclipse.jetty.servlet.DefaultServlet) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Authenticator(org.apache.druid.server.security.Authenticator)

Example 3 with Authenticator

use of org.apache.druid.server.security.Authenticator in project druid by druid-io.

the class CoordinatorPollingBasicAuthenticatorCacheManager method initUserMaps.

/**
 * Seeds {@code cachedUserMaps} with one user map per BasicHTTPAuthenticator found in the
 * AuthenticatorMapper obtained from the injector.
 *
 * <p>Does nothing when the mapper or its authenticator map is null. Authenticators of any
 * other type are skipped.
 */
private void initUserMaps() {
    final AuthenticatorMapper mapper = injector.getInstance(AuthenticatorMapper.class);
    final boolean nothingConfigured = mapper == null || mapper.getAuthenticatorMap() == null;
    if (nothingConfigured) {
        return;
    }
    for (Map.Entry<String, Authenticator> candidate : mapper.getAuthenticatorMap().entrySet()) {
        // Only BasicHTTPAuthenticator entries are tracked here.
        if (!(candidate.getValue() instanceof BasicHTTPAuthenticator)) {
            continue;
        }
        final String name = candidate.getKey();
        // The name is recorded even if the fetch below yields no user map.
        authenticatorPrefixes.add(name);
        // Meaning of the second argument (true) is defined by fetchUserMapFromCoordinator,
        // which is not visible here.
        final Map<String, BasicAuthenticatorUser> fetched = fetchUserMapFromCoordinator(name, true);
        // NOTE(review): a null result leaves this authenticator without a cached user map;
        // confirm that credential checks treat a missing map as "deny".
        if (fetched != null) {
            cachedUserMaps.put(name, fetched);
        }
    }
}
Also used : AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Authenticator(org.apache.druid.server.security.Authenticator) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator)

Example 4 with Authenticator

use of org.apache.druid.server.security.Authenticator in project druid by druid-io.

the class CoordinatorBasicAuthenticatorMetadataStorageUpdater method start.

/**
 * Lifecycle start hook: loads the stored user map of every BasicHTTPAuthenticator into
 * {@code cachedUserMaps}, creates the admin and internal-client users when an initial password
 * is configured and the user is not yet stored, and schedules a periodic re-read of the stored
 * user maps.
 *
 * @throws ISE if the lifecycle lock does not allow starting
 */
@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    // NOTE(review): this return happens after canStart() succeeded but outside the try/finally
    // below, so neither started() nor exitStart() is called on this path. Confirm that
    // LifecycleLock tolerates being left in that state.
    if (authenticatorMapper == null || authenticatorMapper.getAuthenticatorMap() == null) {
        return;
    }
    try {
        LOG.info("Starting CoordinatorBasicAuthenticatorMetadataStorageUpdater.");
        // The lambda always returns true; what maybeInitialize does with that value is defined
        // in BasicAuthUtils and not visible here.
        BasicAuthUtils.maybeInitialize(() -> {
            for (Map.Entry<String, Authenticator> entry : authenticatorMapper.getAuthenticatorMap().entrySet()) {
                Authenticator authenticator = entry.getValue();
                // Only BasicHTTPAuthenticator entries are handled; other types are skipped.
                if (authenticator instanceof BasicHTTPAuthenticator) {
                    String authenticatorName = entry.getKey();
                    // Remembered so the scheduled poll below knows which user maps to re-read.
                    authenticatorPrefixes.add(authenticatorName);
                    BasicHTTPAuthenticator basicHTTPAuthenticator = (BasicHTTPAuthenticator) authenticator;
                    BasicAuthDBConfig dbConfig = basicHTTPAuthenticator.getDbConfig();
                    byte[] userMapBytes = getCurrentUserMapBytes(authenticatorName);
                    // userMapBytes is passed on without a null check and userMap is dereferenced
                    // below, so this path relies on the deserializer returning a non-null map.
                    Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                    cachedUserMaps.put(authenticatorName, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                    // Bootstrap only: the admin user is created when an initial password is
                    // configured AND no admin entry is stored yet. Once the entry exists, a
                    // changed initial password in the config is not applied by this code.
                    if (dbConfig.getInitialAdminPassword() != null && !userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.ADMIN_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialAdminPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                    // Same bootstrap rule for the internal client user.
                    if (dbConfig.getInitialInternalClientPassword() != null && !userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) {
                        createUserInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME);
                        setUserCredentialsInternal(authenticatorName, BasicAuthUtils.INTERNAL_USER_NAME, new BasicAuthenticatorCredentialUpdate(dbConfig.getInitialInternalClientPassword().getPassword(), BasicAuthUtils.DEFAULT_KEY_ITERATIONS));
                    }
                }
            }
            return true;
        });
        // The polling period from commonCacheConfig is used for both Duration arguments.
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), new Callable<ScheduledExecutors.Signal>() {

            @Override
            public ScheduledExecutors.Signal call() {
                // The stopped flag (declared outside this method) ends the polling.
                if (stopped) {
                    return ScheduledExecutors.Signal.STOP;
                }
                try {
                    LOG.debug("Scheduled db userMap poll is running");
                    for (String authenticatorPrefix : authenticatorPrefixes) {
                        byte[] userMapBytes = getCurrentUserMapBytes(authenticatorPrefix);
                        // Deserialization runs before the null check on userMapBytes below.
                        Map<String, BasicAuthenticatorUser> userMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, userMapBytes);
                        // The cache entry is replaced only when bytes were read. On a null read
                        // the previous entry stays, so credentials changed in storage are not
                        // reflected until a later poll succeeds.
                        if (userMapBytes != null) {
                            cachedUserMaps.put(authenticatorPrefix, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes));
                        }
                    }
                    LOG.debug("Scheduled db userMap poll is done");
                } catch (Throwable t) {
                    // Any failure, including Errors, is turned into an alert and polling goes on.
                    // A failure part-way through the loop leaves the remaining authenticators on
                    // their previously cached maps for this round.
                    LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit();
                }
                return ScheduledExecutors.Signal.REPEAT;
            }
        });
        lifecycleLock.started();
    } finally {
        // Runs whether or not started() was reached.
        lifecycleLock.exitStart();
    }
}
Also used : Duration(org.joda.time.Duration) BasicAuthenticatorUser(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser) BasicAuthenticatorUserMapBundle(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUserMapBundle) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthenticatorCredentialUpdate(org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate) ISE(org.apache.druid.java.util.common.ISE) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) Authenticator(org.apache.druid.server.security.Authenticator) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)

Example 5 with Authenticator

use of org.apache.druid.server.security.Authenticator in project druid by druid-io.

the class CoordinatorBasicAuthenticatorCacheNotifier method initAuthenticatorConfigMap.

/**
 * Collects the DB config of every BasicHTTPAuthenticator registered in {@code mapper},
 * keyed by authenticator name. Authenticators of any other type are left out.
 *
 * @param mapper source of the authenticator map; neither it nor its map may be null
 * @return a new HashMap from authenticator name to that authenticator's BasicAuthDBConfig
 */
private Map<String, BasicAuthDBConfig> initAuthenticatorConfigMap(AuthenticatorMapper mapper) {
    // Fail fast on a missing mapper or a missing authenticator map.
    Preconditions.checkNotNull(mapper);
    Preconditions.checkNotNull(mapper.getAuthenticatorMap());
    final Map<String, BasicAuthDBConfig> configsByName = new HashMap<>();
    for (Map.Entry<String, Authenticator> candidate : mapper.getAuthenticatorMap().entrySet()) {
        final Authenticator value = candidate.getValue();
        if (!(value instanceof BasicHTTPAuthenticator)) {
            continue;
        }
        final BasicAuthDBConfig config = ((BasicHTTPAuthenticator) value).getDbConfig();
        configsByName.put(candidate.getKey(), config);
    }
    return configsByName;
}
Also used : BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator) HashMap(java.util.HashMap) HashMap(java.util.HashMap) Map(java.util.Map) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) Authenticator(org.apache.druid.server.security.Authenticator) BasicHTTPAuthenticator(org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator)

Aggregations

Authenticator (org.apache.druid.server.security.Authenticator)9 AuthenticatorMapper (org.apache.druid.server.security.AuthenticatorMapper)5 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)4 Json (org.apache.druid.guice.annotations.Json)4 HandlerList (org.eclipse.jetty.server.handler.HandlerList)4 ServletContextHandler (org.eclipse.jetty.servlet.ServletContextHandler)4 ServletHolder (org.eclipse.jetty.servlet.ServletHolder)4 Map (java.util.Map)3 BasicHTTPAuthenticator (org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator)3 DefaultServlet (org.eclipse.jetty.servlet.DefaultServlet)3 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)2 BasicAuthDBConfig (org.apache.druid.security.basic.BasicAuthDBConfig)2 BasicAuthenticatorUser (org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser)2 AuthConfig (org.apache.druid.server.security.AuthConfig)2 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)2 FilterHolder (org.eclipse.jetty.servlet.FilterHolder)2 HashMap (java.util.HashMap)1 Nullable (javax.annotation.Nullable)1 ISE (org.apache.druid.java.util.common.ISE)1 LifecycleStart (org.apache.druid.java.util.common.lifecycle.LifecycleStart)1