Search in sources :

Example 1 with AuthenticatorMapper

use of org.apache.druid.server.security.AuthenticatorMapper in project druid by druid-io.

the class MiddleManagerJettyServerInitializer method initialize.

@Override
public void initialize(Server server, Injector injector) {
    final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
    root.addServlet(new ServletHolder(new DefaultServlet()), "/*");
    final AuthConfig authConfig = injector.getInstance(AuthConfig.class);
    final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
    final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
    AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
    // perform no-op authorization/authentication for these resources
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
    final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
    AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
    JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
    JettyServerInitUtils.addExtensionFilters(root, injector);
    // Check that requests were authorized before sending responses
    AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
    root.addFilter(GuiceFilter.class, "/*", null);
    final HandlerList handlerList = new HandlerList();
    handlerList.setHandlers(new Handler[] { JettyServerInitUtils.getJettyRequestLogHandler(), JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()), new DefaultHandler() });
    server.setHandler(handlerList);
}
Also used : AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) HandlerList(org.eclipse.jetty.server.handler.HandlerList) ServletHolder(org.eclipse.jetty.servlet.ServletHolder) DefaultServlet(org.eclipse.jetty.servlet.DefaultServlet) AuthConfig(org.apache.druid.server.security.AuthConfig) Json(org.apache.druid.guice.annotations.Json) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Authenticator(org.apache.druid.server.security.Authenticator) DefaultHandler(org.eclipse.jetty.server.handler.DefaultHandler)

Example 2 with AuthenticatorMapper

use of org.apache.druid.server.security.AuthenticatorMapper in project druid by druid-io.

the class QueryJettyServerInitializer method initialize.

@Override
public void initialize(Server server, Injector injector) {
    final ServletContextHandler root = new ServletContextHandler(ServletContextHandler.SESSIONS);
    root.addServlet(new ServletHolder(new DefaultServlet()), "/*");
    // Add LimitRequestsFilter as first in the chain if enabled.
    if (serverConfig.isEnableRequestLimit()) {
        // To reject xth request, limit should be set to x-1 because (x+1)st request wouldn't reach filter
        // but rather wait on jetty queue.
        Preconditions.checkArgument(serverConfig.getNumThreads() > 1, "numThreads must be > 1 to enable Request Limit Filter.");
        log.info("Enabling Request Limit Filter with limit [%d].", serverConfig.getNumThreads() - 1);
        root.addFilter(new FilterHolder(new LimitRequestsFilter(serverConfig.getNumThreads() - 1)), "/*", null);
    }
    final ObjectMapper jsonMapper = injector.getInstance(Key.get(ObjectMapper.class, Json.class));
    final AuthenticatorMapper authenticatorMapper = injector.getInstance(AuthenticatorMapper.class);
    AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
    // perform no-op authorization for these resources
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
    AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
    List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
    AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isAllowUnauthenticatedHttpOptions());
    JettyServerInitUtils.addAllowHttpMethodsFilter(root, serverConfig.getAllowedHttpMethods());
    JettyServerInitUtils.addExtensionFilters(root, injector);
    // Check that requests were authorized before sending responses
    AuthenticationUtils.addPreResponseAuthorizationCheckFilter(root, authenticators, jsonMapper);
    root.addFilter(GuiceFilter.class, "/*", null);
    final HandlerList handlerList = new HandlerList();
    // Do not change the order of the handlers that have already been added
    for (Handler handler : server.getHandlers()) {
        handlerList.addHandler(handler);
    }
    handlerList.addHandler(JettyServerInitUtils.getJettyRequestLogHandler());
    // Add all extension handlers
    for (Handler handler : extensionHandlers) {
        handlerList.addHandler(handler);
    }
    // Add Gzip handler at the very end
    handlerList.addHandler(JettyServerInitUtils.wrapWithDefaultGzipHandler(root, serverConfig.getInflateBufferSize(), serverConfig.getCompressionLevel()));
    final StatisticsHandler statisticsHandler = new StatisticsHandler();
    statisticsHandler.setHandler(handlerList);
    server.setHandler(statisticsHandler);
}
Also used : HandlerList(org.eclipse.jetty.server.handler.HandlerList) FilterHolder(org.eclipse.jetty.servlet.FilterHolder) ServletHolder(org.eclipse.jetty.servlet.ServletHolder) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) Handler(org.eclipse.jetty.server.Handler) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) Json(org.apache.druid.guice.annotations.Json) AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) LimitRequestsFilter(org.apache.druid.server.initialization.jetty.LimitRequestsFilter) DefaultServlet(org.eclipse.jetty.servlet.DefaultServlet) ServletContextHandler(org.eclipse.jetty.servlet.ServletContextHandler) StatisticsHandler(org.eclipse.jetty.server.handler.StatisticsHandler) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Authenticator(org.apache.druid.server.security.Authenticator)

Example 3 with AuthenticatorMapper

use of org.apache.druid.server.security.AuthenticatorMapper in project druid by druid-io.

the class AsyncQueryForwardingServletTest method testHandleExceptionWithFilterDisabled.

@Test
public void testHandleExceptionWithFilterDisabled() throws Exception {
    String errorMessage = "test exception message";
    ObjectMapper mockMapper = Mockito.mock(ObjectMapper.class);
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    ServletOutputStream outputStream = Mockito.mock(ServletOutputStream.class);
    Mockito.when(response.getOutputStream()).thenReturn(outputStream);
    final AsyncQueryForwardingServlet servlet = new AsyncQueryForwardingServlet(new MapQueryToolChestWarehouse(ImmutableMap.of()), mockMapper, TestHelper.makeSmileMapper(), null, null, null, new NoopServiceEmitter(), new NoopRequestLogger(), new DefaultGenericQueryMetricsFactory(), new AuthenticatorMapper(ImmutableMap.of()), new Properties(), new ServerConfig());
    Exception testException = new IllegalStateException(errorMessage);
    servlet.handleException(response, mockMapper, testException);
    ArgumentCaptor<Exception> captor = ArgumentCaptor.forClass(Exception.class);
    Mockito.verify(mockMapper).writeValue(ArgumentMatchers.eq(outputStream), captor.capture());
    Assert.assertTrue(captor.getValue() instanceof QueryException);
    Assert.assertEquals(QueryInterruptedException.UNKNOWN_EXCEPTION, ((QueryException) captor.getValue()).getErrorCode());
    Assert.assertEquals(errorMessage, captor.getValue().getMessage());
    Assert.assertEquals(IllegalStateException.class.getName(), ((QueryException) captor.getValue()).getErrorClass());
}
Also used : ServletOutputStream(javax.servlet.ServletOutputStream) HttpServletResponse(javax.servlet.http.HttpServletResponse) NoopRequestLogger(org.apache.druid.server.log.NoopRequestLogger) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) Properties(java.util.Properties) QueryException(org.apache.druid.query.QueryException) QueryInterruptedException(org.apache.druid.query.QueryInterruptedException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) IOException(java.io.IOException) AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) ServerConfig(org.apache.druid.server.initialization.ServerConfig) QueryException(org.apache.druid.query.QueryException) MapQueryToolChestWarehouse(org.apache.druid.query.MapQueryToolChestWarehouse) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) BaseJettyTest(org.apache.druid.server.initialization.BaseJettyTest) Test(org.junit.Test)

Example 4 with AuthenticatorMapper

use of org.apache.druid.server.security.AuthenticatorMapper in project druid by druid-io.

the class AsyncQueryForwardingServletTest method testHandleExceptionWithFilterEnabledButMessageMatchAllowedRegex.

@Test
public void testHandleExceptionWithFilterEnabledButMessageMatchAllowedRegex() throws Exception {
    String errorMessage = "test exception message";
    ObjectMapper mockMapper = Mockito.mock(ObjectMapper.class);
    HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
    ServletOutputStream outputStream = Mockito.mock(ServletOutputStream.class);
    Mockito.when(response.getOutputStream()).thenReturn(outputStream);
    final AsyncQueryForwardingServlet servlet = new AsyncQueryForwardingServlet(new MapQueryToolChestWarehouse(ImmutableMap.of()), mockMapper, TestHelper.makeSmileMapper(), null, null, null, new NoopServiceEmitter(), new NoopRequestLogger(), new DefaultGenericQueryMetricsFactory(), new AuthenticatorMapper(ImmutableMap.of()), new Properties(), new ServerConfig() {

        @Override
        public boolean isShowDetailedJettyErrors() {
            return true;
        }

        @Override
        public ErrorResponseTransformStrategy getErrorResponseTransformStrategy() {
            return new AllowedRegexErrorResponseTransformStrategy(ImmutableList.of("test .*"));
        }
    });
    Exception testException = new IllegalStateException(errorMessage);
    servlet.handleException(response, mockMapper, testException);
    ArgumentCaptor<Exception> captor = ArgumentCaptor.forClass(Exception.class);
    Mockito.verify(mockMapper).writeValue(ArgumentMatchers.eq(outputStream), captor.capture());
    Assert.assertTrue(captor.getValue() instanceof QueryException);
    Assert.assertEquals(QueryInterruptedException.UNKNOWN_EXCEPTION, ((QueryException) captor.getValue()).getErrorCode());
    Assert.assertEquals(errorMessage, captor.getValue().getMessage());
    Assert.assertNull(((QueryException) captor.getValue()).getErrorClass());
    Assert.assertNull(((QueryException) captor.getValue()).getHost());
}
Also used : ServletOutputStream(javax.servlet.ServletOutputStream) HttpServletResponse(javax.servlet.http.HttpServletResponse) NoopRequestLogger(org.apache.druid.server.log.NoopRequestLogger) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) Properties(java.util.Properties) QueryException(org.apache.druid.query.QueryException) QueryInterruptedException(org.apache.druid.query.QueryInterruptedException) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) IOException(java.io.IOException) AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) ServerConfig(org.apache.druid.server.initialization.ServerConfig) QueryException(org.apache.druid.query.QueryException) ErrorResponseTransformStrategy(org.apache.druid.common.exception.ErrorResponseTransformStrategy) AllowedRegexErrorResponseTransformStrategy(org.apache.druid.common.exception.AllowedRegexErrorResponseTransformStrategy) MapQueryToolChestWarehouse(org.apache.druid.query.MapQueryToolChestWarehouse) AllowedRegexErrorResponseTransformStrategy(org.apache.druid.common.exception.AllowedRegexErrorResponseTransformStrategy) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) BaseJettyTest(org.apache.druid.server.initialization.BaseJettyTest) Test(org.junit.Test)

Example 5 with AuthenticatorMapper

use of org.apache.druid.server.security.AuthenticatorMapper in project druid by druid-io.

the class AsyncQueryForwardingServletTest method verifyServletCallsForQuery.

/**
 * Verifies that the Servlet calls the right methods the right number of times.
 */
private void verifyServletCallsForQuery(Object query, boolean isSql, QueryHostFinder hostFinder, Properties properties) throws Exception {
    final ObjectMapper jsonMapper = TestHelper.makeJsonMapper();
    final HttpServletRequest requestMock = EasyMock.createMock(HttpServletRequest.class);
    final ByteArrayInputStream inputStream = new ByteArrayInputStream(jsonMapper.writeValueAsBytes(query));
    final ServletInputStream servletInputStream = new ServletInputStream() {

        private boolean finished;

        @Override
        public boolean isFinished() {
            return finished;
        }

        @Override
        public boolean isReady() {
            return true;
        }

        @Override
        public void setReadListener(final ReadListener readListener) {
        // do nothing
        }

        @Override
        public int read() {
            final int b = inputStream.read();
            if (b < 0) {
                finished = true;
            }
            return b;
        }
    };
    EasyMock.expect(requestMock.getContentType()).andReturn("application/json").times(2);
    requestMock.setAttribute("org.apache.druid.proxy.objectMapper", jsonMapper);
    EasyMock.expectLastCall();
    EasyMock.expect(requestMock.getRequestURI()).andReturn(isSql ? "/druid/v2/sql" : "/druid/v2/");
    EasyMock.expect(requestMock.getMethod()).andReturn("POST");
    EasyMock.expect(requestMock.getInputStream()).andReturn(servletInputStream);
    requestMock.setAttribute(isSql ? "org.apache.druid.proxy.sqlQuery" : "org.apache.druid.proxy.query", query);
    requestMock.setAttribute("org.apache.druid.proxy.to.host", "1.2.3.4:9999");
    requestMock.setAttribute("org.apache.druid.proxy.to.host.scheme", "http");
    EasyMock.expectLastCall();
    EasyMock.replay(requestMock);
    final AtomicLong didService = new AtomicLong();
    final AsyncQueryForwardingServlet servlet = new AsyncQueryForwardingServlet(new MapQueryToolChestWarehouse(ImmutableMap.of()), jsonMapper, TestHelper.makeSmileMapper(), hostFinder, null, null, new NoopServiceEmitter(), new NoopRequestLogger(), new DefaultGenericQueryMetricsFactory(), new AuthenticatorMapper(ImmutableMap.of()), properties, new ServerConfig()) {

        @Override
        protected void doService(final HttpServletRequest request, final HttpServletResponse response) {
            didService.incrementAndGet();
        }
    };
    servlet.service(requestMock, null);
    // This test is mostly about verifying that the servlet calls the right methods the right number of times.
    EasyMock.verify(hostFinder, requestMock);
    Assert.assertEquals(1, didService.get());
}
Also used : NoopRequestLogger(org.apache.druid.server.log.NoopRequestLogger) HttpServletResponse(javax.servlet.http.HttpServletResponse) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) ReadListener(javax.servlet.ReadListener) HttpServletRequest(javax.servlet.http.HttpServletRequest) AuthenticatorMapper(org.apache.druid.server.security.AuthenticatorMapper) ServerConfig(org.apache.druid.server.initialization.ServerConfig) AtomicLong(java.util.concurrent.atomic.AtomicLong) ServletInputStream(javax.servlet.ServletInputStream) ByteArrayInputStream(java.io.ByteArrayInputStream) MapQueryToolChestWarehouse(org.apache.druid.query.MapQueryToolChestWarehouse) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper)

Aggregations

AuthenticatorMapper (org.apache.druid.server.security.AuthenticatorMapper)14 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)13 HttpServletResponse (javax.servlet.http.HttpServletResponse)7 DefaultGenericQueryMetricsFactory (org.apache.druid.query.DefaultGenericQueryMetricsFactory)7 MapQueryToolChestWarehouse (org.apache.druid.query.MapQueryToolChestWarehouse)7 ServerConfig (org.apache.druid.server.initialization.ServerConfig)7 NoopRequestLogger (org.apache.druid.server.log.NoopRequestLogger)7 NoopServiceEmitter (org.apache.druid.server.metrics.NoopServiceEmitter)7 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)6 IOException (java.io.IOException)6 Properties (java.util.Properties)6 ServletOutputStream (javax.servlet.ServletOutputStream)6 QueryException (org.apache.druid.query.QueryException)6 QueryInterruptedException (org.apache.druid.query.QueryInterruptedException)6 BaseJettyTest (org.apache.druid.server.initialization.BaseJettyTest)6 Test (org.junit.Test)6 HttpServletRequest (javax.servlet.http.HttpServletRequest)5 Authenticator (org.apache.druid.server.security.Authenticator)5 AllowedRegexErrorResponseTransformStrategy (org.apache.druid.common.exception.AllowedRegexErrorResponseTransformStrategy)4 ErrorResponseTransformStrategy (org.apache.druid.common.exception.ErrorResponseTransformStrategy)4