use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class DataSourcesResourceTest method testSecuredGetFullQueryableDataSources.
@Test
public void testSecuredGetFullQueryableDataSources() {
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null, null);
// first request
EasyMock.expect(server.getDataSources()).andReturn(ImmutableList.of(listDataSources.get(0), listDataSources.get(1))).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authenticationResult).once();
request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
EasyMock.expect(inventoryView.getInventory()).andReturn(ImmutableList.of(server)).once();
// second request
EasyMock.expect(server.getDataSources()).andReturn(ImmutableList.of(listDataSources.get(0), listDataSources.get(1))).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).once();
EasyMock.expect(request.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authenticationResult).once();
request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
EasyMock.expect(inventoryView.getInventory()).andReturn(ImmutableList.of(server)).once();
EasyMock.replay(inventoryView, server, request);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult1, Resource resource, Action action) {
if (resource.getName().equals("datasource1")) {
return new Access(true);
} else {
return new Access(false);
}
}
};
}
};
DataSourcesResource dataSourcesResource = new DataSourcesResource(inventoryView, null, null, null, authMapper, null);
Response response = dataSourcesResource.getQueryableDataSources("full", null, request);
Set<ImmutableDruidDataSource> result = (Set<ImmutableDruidDataSource>) response.getEntity();
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(1, result.size());
ImmutableDruidDataSourceTestUtils.assertEquals(listDataSources.get(0).toImmutableDruidDataSource(), Iterables.getOnlyElement(result));
response = dataSourcesResource.getQueryableDataSources(null, null, request);
List<String> result1 = (List<String>) response.getEntity();
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(1, result1.size());
Assert.assertTrue(result1.contains("datasource1"));
EasyMock.verify(inventoryView, server, request);
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class QueryResourceTest method testSecuredCancelQuery.
@Test(timeout = 60_000L)
public void testSecuredCancelQuery() throws Exception {
final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
final CountDownLatch waitFinishLatch = new CountDownLatch(2);
final CountDownLatch startAwaitLatch = new CountDownLatch(1);
final CountDownLatch cancelledCountDownLatch = new CountDownLatch(1);
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
EasyMock.replay(testServletRequest);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
// WRITE corresponds to cancellation of query
if (action.equals(Action.READ)) {
try {
// Countdown startAwaitLatch as we want query cancellation to happen
// after we enter isAuthorized method so that we can handle the
// InterruptedException here because of query cancellation
startAwaitLatch.countDown();
waitForCancellationLatch.await();
} catch (InterruptedException e) {
// When the query is cancelled the control will reach here,
// countdown the latch and rethrow the exception so that error response is returned for the query
cancelledCountDownLatch.countDown();
throw new RuntimeException(e);
}
return new Access(true);
} else {
return new Access(true);
}
}
};
}
};
queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
ObjectMapper mapper = new DefaultObjectMapper();
Query<?> query = mapper.readValue(queryString, Query.class);
ListenableFuture<?> future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
@Override
public void run() {
try {
Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes(StandardCharsets.UTF_8)), null, testServletRequest);
Assert.assertEquals(Response.Status.INTERNAL_SERVER_ERROR.getStatusCode(), response.getStatus());
} catch (IOException e) {
throw new RuntimeException(e);
}
waitFinishLatch.countDown();
}
});
queryScheduler.registerQueryFuture(query, future);
startAwaitLatch.await();
Executors.newSingleThreadExecutor().submit(new Runnable() {
@Override
public void run() {
Response response = queryResource.cancelQuery("id_1", testServletRequest);
Assert.assertEquals(Response.Status.ACCEPTED.getStatusCode(), response.getStatus());
waitForCancellationLatch.countDown();
waitFinishLatch.countDown();
}
});
waitFinishLatch.await();
cancelledCountDownLatch.await();
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class QueryResourceTest method testDenySecuredCancelQuery.
@Test(timeout = 60_000L)
public void testDenySecuredCancelQuery() throws Exception {
final CountDownLatch waitForCancellationLatch = new CountDownLatch(1);
final CountDownLatch waitFinishLatch = new CountDownLatch(2);
final CountDownLatch startAwaitLatch = new CountDownLatch(1);
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
EasyMock.expectLastCall().times(1);
EasyMock.replay(testServletRequest);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
// WRITE corresponds to cancellation of query
if (action.equals(Action.READ)) {
try {
waitForCancellationLatch.await();
} catch (InterruptedException e) {
throw new RuntimeException(e);
}
return new Access(true);
} else {
// Deny access to cancel the query
return new Access(false);
}
}
};
}
};
queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
final String queryString = "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"," + "\"context\":{\"queryId\":\"id_1\"}}";
ObjectMapper mapper = new DefaultObjectMapper();
Query<?> query = mapper.readValue(queryString, Query.class);
ListenableFuture<?> future = MoreExecutors.listeningDecorator(Execs.singleThreaded("test_query_resource_%s")).submit(new Runnable() {
@Override
public void run() {
try {
startAwaitLatch.countDown();
Response response = queryResource.doPost(new ByteArrayInputStream(queryString.getBytes(StandardCharsets.UTF_8)), null, testServletRequest);
Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
} catch (IOException e) {
throw new RuntimeException(e);
}
waitFinishLatch.countDown();
}
});
queryScheduler.registerQueryFuture(query, future);
startAwaitLatch.await();
Executors.newSingleThreadExecutor().submit(new Runnable() {
@Override
public void run() {
try {
queryResource.cancelQuery("id_1", testServletRequest);
} catch (ForbiddenException e) {
waitForCancellationLatch.countDown();
waitFinishLatch.countDown();
}
}
});
waitFinishLatch.await();
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class AsyncQueryForwardingServletTest method setupInjector.
@Override
protected Injector setupInjector() {
return Initialization.makeInjectorWithModules(GuiceInjectors.makeStartupInjector(), ImmutableList.<Module>of(new Module() {
@Override
public void configure(Binder binder) {
JsonConfigProvider.bindInstance(binder, Key.get(DruidNode.class, Self.class), new DruidNode("test", "localhost", false, null, null, true, false));
binder.bind(JettyServerInitializer.class).to(ProxyJettyServerInit.class).in(LazySingleton.class);
binder.bind(AuthorizerMapper.class).toInstance(new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new AllowAllAuthorizer();
}
});
Jerseys.addResource(binder, SlowResource.class);
Jerseys.addResource(binder, ExceptionResource.class);
Jerseys.addResource(binder, DefaultResource.class);
LifecycleModule.register(binder, Server.class);
}
}));
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class SupervisorResourceFilterTest method setExpectations.
private void setExpectations(String path, String requestMethod, String datasource, Action expectedAction, boolean userHasAccess) {
expect(containerRequest.getPathSegments()).andReturn(getPathSegments(path)).anyTimes();
expect(containerRequest.getMethod()).andReturn(requestMethod).anyTimes();
SupervisorSpec supervisorSpec = EasyMock.createMock(SupervisorSpec.class);
expect(supervisorSpec.getDataSources()).andReturn(Collections.singletonList(datasource)).anyTimes();
expect(supervisorManager.getSupervisorSpec(datasource)).andReturn(Optional.of(supervisorSpec)).atLeastOnce();
HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
expect(servletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
servletRequest.setAttribute(isA(String.class), anyObject());
final String authorizerName = "authorizer";
AuthenticationResult authResult = EasyMock.createMock(AuthenticationResult.class);
expect(authResult.getAuthorizerName()).andReturn(authorizerName).anyTimes();
Authorizer authorizer = EasyMock.createMock(Authorizer.class);
expect(authorizer.authorize(authResult, new Resource(datasource, ResourceType.DATASOURCE), expectedAction)).andReturn(new Access(userHasAccess)).anyTimes();
expect(authorizerMapper.getAuthorizer(authorizerName)).andReturn(authorizer).atLeastOnce();
expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authResult).atLeastOnce();
resourceFilter.setReq(servletRequest);
mocksToVerify = Arrays.asList(authorizerMapper, supervisorSpec, supervisorManager, servletRequest, authorizer, authResult, containerRequest);
replayMocks();
}
Aggregations