use of org.apache.druid.server.security.Authenticator in project druid by druid-io.
the class CoordinatorJettyServerInitializer method initialize.
/**
 * Builds the servlet context for the Coordinator (plus the Overlord endpoints when
 * {@code beOverlord} is set) and installs the resulting handler list on {@code server}.
 *
 * <p>The statement order is the security-relevant part of this method and should not be
 * rearranged casually: the sanity-check filter is registered first, the no-op
 * authentication/authorization filters for unsecured paths come next, then the authenticator
 * chain, and only after the pre-response authorization check are the Guice and redirect
 * filters mapped. This assumes the {@code AuthenticationUtils} / {@code JettyServerInitUtils}
 * helpers append their filters to {@code root} in call order; their bodies are not shown here.
 *
 * @param server   Jetty server that receives the assembled {@code HandlerList}
 * @param injector Guice injector used to look up {@code AuthConfig}, the {@code @Json}
 *                 {@code ObjectMapper}, {@code AuthenticatorMapper}, {@code RedirectFilter} and,
 *                 when not running as overlord, {@code OverlordProxyServlet}
 */
@Override
public void initialize(Server server, Injector injector) {
final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
// Disable directory listings from Jetty's default servlet.
root.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
ServletHolder holderPwd = new ServletHolder("default", DefaultServlet.class);
root.addServlet(holderPwd, "/");
final AuthConfig authConfig = injector.getInstance(AuthConfig.class);
final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
// Registered ahead of every other filter in this method. What it rejects is defined in
// AuthenticationUtils (not shown here).
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
// perform no-op authorization/authentication for these resources
// NOTE(review): every path passed to addNoopAuthenticationAndAuthorizationFilters is served
// without a real authentication or authorization decision. Three sources feed it here: this
// class's UNSECURED_PATHS, authConfig.getUnsecuredPaths() (presumably configuration-driven,
// confirm in AuthConfig), and CliOverlord.UNSECURED_PATHS when beOverlord is set. Keep all
// three lists minimal and review additions as access-control changes.
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
// The web console root is set up between the built-in and the configured unsecured paths.
// (The "intialize" spelling is the project's own method name.)
WebConsoleJettyServerInitializer.intializeServerForWebConsoleRoot(root);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
if (beOverlord) {
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
}
// The same authenticator list is used for the authentication chain and for the pre-response
// authorization check further down.
List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
// Driven by authConfig.isAllowUnauthenticatedHttpOptions(); presumably lets OPTIONS requests
// through without authentication when the flag is true (confirm in AuthenticationUtils).
AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
// serverConfig is not declared in this method; presumably a field of the enclosing class.
JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
JettyServerInitUtils.addExtensionFilters(root, injector);
// Check that requests were authorized before sending responses
AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
// add some paths not to be redirected to leader.
// These GuiceFilter mappings are registered before the catch-all RedirectFilter below.
root.addFilter(GuiceFilter.class, "/status/*", null);
root.addFilter(GuiceFilter.class, "/druid-internal/*", null);
// redirect anything other than status to the current leader
root.addFilter(new FilterHolder(injector.getInstance(RedirectFilter.class)), "/*", null);
// The coordinator really needs a standardized api path
// Can't use '/*' here because of Guice and Jetty static content conflicts
root.addFilter(GuiceFilter.class, "/info/*", null);
root.addFilter(GuiceFilter.class, "/druid/coordinator/*", null);
if (beOverlord) {
// Running as overlord too: serve the indexer API locally through Guice.
root.addFilter(GuiceFilter.class, "/druid/indexer/*", null);
}
root.addFilter(GuiceFilter.class, "/druid-ext/*", null);
// this will be removed in the next major release
root.addFilter(GuiceFilter.class, "/coordinator/*", null);
if (!beOverlord) {
// Not the overlord: /druid/indexer/* is handed to OverlordProxyServlet instead of GuiceFilter.
root.addServlet(new ServletHolder(injector.getInstance(OverlordProxyServlet.class)), "/druid/indexer/*");
}
HandlerList handlerList = new HandlerList();
// Handler order: web console rewrite handler, request log handler, then the gzip-wrapped root context.
handlerList.setHandlers(new Handler[] { WebConsoleJettyServerInitializer.createWebConsoleRewriteHandler(), JettyServerInitUtils.getJettyRequestLogHandler(), JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()) });
server.setHandler(handlerList);
}
use of org.apache.druid.server.security.Authenticator in project druid by druid-io.
the class RouterJettyServerInitializer method initialize.
/**
 * Builds the servlet context for the Router and installs the resulting handler list on
 * {@code server}.
 *
 * <p>Forwarding servlets are mapped first, then the security filters are registered in a fixed
 * order: sanity check, no-op authentication/authorization for unsecured paths, authenticator
 * chain, OPTIONS / allowed-method filters, extension filters, and finally the pre-response
 * authorization check. This assumes the {@code AuthenticationUtils} /
 * {@code JettyServerInitUtils} helpers append their filters to {@code root} in call order;
 * their bodies are not shown here, so treat the order as load-bearing.
 *
 * @param server   Jetty server that receives the assembled {@code HandlerList}
 * @param injector Guice injector used to look up the {@code @Json} {@code ObjectMapper} and
 *                 {@code AuthenticatorMapper}, and passed on to the extension-filter helper
 */
@Override
public void initialize(Server server, Injector injector) {
final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
// Disable directory listings from Jetty's default servlet.
root.setInitParameter("org.eclipse.jetty.servlet.Default.dirAllowed", "false");
root.addServlet(new ServletHolder(new DefaultServlet()), "/*");
// One holder serves both query paths; it wraps asyncQueryForwardingServlet with routerHttpClientConfig.
ServletHolder queryServletHolder = buildServletHolder(asyncQueryForwardingServlet, routerHttpClientConfig);
root.addServlet(queryServletHolder, "/druid/v2/*");
root.addServlet(queryServletHolder, "/druid/v1/lookups/*");
if (managementProxyConfig.isEnabled()) {
// The management proxy paths exist only when managementProxyConfig.isEnabled() is true.
// NOTE(review): these three mappings forward management traffic to other services; whether
// the filters registered below cover them depends on the path specs used inside
// AuthenticationUtils (not shown here). Verify before changing either side.
ServletHolder managementForwardingServletHolder = buildServletHolder(asyncManagementForwardingServlet, globalHttpClientConfig);
root.addServlet(managementForwardingServletHolder, "/druid/coordinator/*");
root.addServlet(managementForwardingServletHolder, "/druid/indexer/*");
root.addServlet(managementForwardingServletHolder, "/proxy/*");
}
final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
// Registered ahead of every other filter in this method. What it rejects is defined in
// AuthenticationUtils (not shown here).
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
// perform no-op authorization/authentication for these resources
// NOTE(review): every path passed to addNoopAuthenticationAndAuthorizationFilters is served
// without a real authentication or authorization decision. Keep UNSECURED_PATHS and
// authConfig.getUnsecuredPaths() minimal and review additions as access-control changes.
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
// The web console root is set up between the built-in and the configured unsecured paths.
// (The "intialize" spelling is the project's own method name.)
WebConsoleJettyServerInitializer.intializeServerForWebConsoleRoot(root);
// authConfig and serverConfig are not declared in this method; presumably fields of the enclosing class.
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
// The same authenticator list is used for the authentication chain and for the pre-response
// authorization check further down.
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
// Driven by authConfig.isAllowUnauthenticatedHttpOptions(); presumably lets OPTIONS requests
// through without authentication when the flag is true (confirm in AuthenticationUtils).
AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
JettyServerInitUtils.addExtensionFilters(root, injector);
// Check that requests were authorized before sending responses
AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
// Can't use '/*' here because of Guice conflicts with AsyncQueryForwardingServlet path
root.addFilter(GuiceFilter.class, "/status/*", null);
root.addFilter(GuiceFilter.class, "/druid/router/*", null);
root.addFilter(GuiceFilter.class, "/druid-ext/*", null);
final HandlerList handlerList = new HandlerList();
// Handler order: web console rewrite handler, request log handler, then the gzip-wrapped root context.
handlerList.setHandlers(new Handler[] { WebConsoleJettyServerInitializer.createWebConsoleRewriteHandler(), JettyServerInitUtils.getJettyRequestLogHandler(), JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()) });
server.setHandler(handlerList);
}
use of org.apache.druid.server.security.Authenticator in project druid by druid-io.
the class AsyncQueryForwardingServlet method sendProxyRequest.
/**
 * Finishes the outgoing proxy request and hands it to the parent servlet for sending.
 *
 * <p>Steps, in order: apply the configured read timeout as both the total and the idle timeout,
 * attach the request body stashed on {@code clientRequest} (Avatica bytes, native query or SQL
 * query), mark the client request as authorization-checked, and let the authenticator that
 * authenticated the client decorate the proxy request.
 *
 * <p>Security notes for maintainers: the authorization-checked attribute is set unconditionally,
 * so on this hop the pre-response check cannot detect a missing authorization decision; the
 * target node is the one that must enforce it. When the authenticator named in the
 * authentication result is not registered, the request is still forwarded, only without
 * decoration, and an error is logged.
 *
 * @param clientRequest incoming request; carries the query and authentication attributes
 * @param proxyResponse response that will be returned to the client
 * @param proxyRequest  outgoing request to the selected server
 */
@Override
protected void sendProxyRequest(HttpServletRequest clientRequest, HttpServletResponse proxyResponse, Request proxyRequest) {
  // The read timeout bounds both the whole exchange and the idle period.
  final long readTimeoutMillis = httpClientConfig.getReadTimeout().getMillis();
  proxyRequest.timeout(readTimeoutMillis, TimeUnit.MILLISECONDS);
  proxyRequest.idleTimeout(readTimeoutMillis, TimeUnit.MILLISECONDS);

  final byte[] avaticaPayload = (byte[]) clientRequest.getAttribute(AVATICA_QUERY_ATTRIBUTE);
  if (avaticaPayload != null) {
    proxyRequest.content(new BytesContentProvider(avaticaPayload));
  }

  // A native query takes precedence over a SQL query when both attributes are present.
  final Query nativeQuery = (Query) clientRequest.getAttribute(QUERY_ATTRIBUTE);
  final SqlQuery sql = (SqlQuery) clientRequest.getAttribute(SQL_QUERY_ATTRIBUTE);
  if (nativeQuery != null) {
    setProxyRequestContent(proxyRequest, clientRequest, nativeQuery);
  } else if (sql != null) {
    setProxyRequestContent(proxyRequest, clientRequest, sql);
  }

  // The remote request object is not visible from here, so this servlet cannot tell whether the
  // remote side performed an authorization check. The flag is therefore always set to true for
  // the proxy servlet; a missing check is logged by PreResponseAuthorizationCheckFilter on the
  // remote node.
  clientRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);

  // If the client was authenticated, let that same authenticator decorate the proxy request.
  final AuthenticationResult authResult =
      (AuthenticationResult) clientRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT);
  final String authenticatedBy = authResult == null ? null : authResult.getAuthenticatedBy();
  if (authenticatedBy != null) {
    final Authenticator decorator = authenticatorMapper.getAuthenticatorMap().get(authenticatedBy);
    if (decorator == null) {
      // Forwarding continues undecorated; the log line is the only signal of the mismatch.
      LOG.error("Can not find Authenticator with Name [%s]", authenticatedBy);
    } else {
      decorator.decorateProxyRequest(clientRequest, proxyResponse, proxyRequest);
    }
  }

  super.sendProxyRequest(clientRequest, proxyResponse, proxyRequest);
}
use of org.apache.druid.server.security.Authenticator in project druid by druid-io.
the class DruidMeta method authenticateConnection.
/**
 * Tries each configured authenticator against the connection's JDBC context and returns the
 * first non-null result.
 *
 * <p>Iteration follows the order of {@code authenticators}, so the position of an authenticator
 * in that collection decides which one wins when several would accept the same context.
 *
 * @param connection connection whose context map is offered to the authenticators
 * @return the first successful authentication result, or {@code null} when no authenticator
 *         accepted the context; callers must treat {@code null} as "not authenticated"
 */
@Nullable
private AuthenticationResult authenticateConnection(final DruidConnection connection) {
  final Map<String, Object> jdbcContext = connection.context();
  for (Authenticator candidate : authenticators) {
    LOG.debug("Attempting authentication with authenticator[%s]", candidate.getClass());
    final AuthenticationResult outcome = candidate.authenticateJDBCContext(jdbcContext);
    if (outcome == null) {
      // This authenticator declined; move on to the next one in the chain.
      continue;
    }
    LOG.debug("Authenticated identity[%s] for connection[%s]", outcome.getIdentity(), connection.getConnectionId());
    return outcome;
  }
  LOG.debug("No successful authentication");
  return null;
}