use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class CoordinatorPollingBasicAuthorizerCacheManager method initUserMaps.
/**
 * Seeds the local authorization caches for every configured
 * {@link BasicRoleBasedAuthorizer} by fetching its maps from the coordinator.
 *
 * <p>Authorizers of any other type are skipped. The method returns without
 * touching the caches when no {@link AuthorizerMapper} or authorizer map is
 * available.
 */
private void initUserMaps() {
  AuthorizerMapper mapper = injector.getInstance(AuthorizerMapper.class);
  if (mapper == null || mapper.getAuthorizerMap() == null) {
    // No authorizers are configured, so there is nothing to cache.
    return;
  }

  for (Map.Entry<String, Authorizer> mapping : mapper.getAuthorizerMap().entrySet()) {
    if (!(mapping.getValue() instanceof BasicRoleBasedAuthorizer)) {
      continue;
    }

    String name = mapping.getKey();
    // The name is registered even if both fetches below return nothing.
    authorizerPrefixes.add(name);

    // A null result leaves the user/role caches without an entry for this
    // authorizer.
    // NOTE(review): how authorization behaves for an authorizer with no
    // cached maps is not visible here - confirm it denies rather than allows.
    UserAndRoleMap usersAndRoles = fetchUserAndRoleMapFromCoordinator(name, true);
    if (usersAndRoles != null) {
      cachedUserMaps.put(name, usersAndRoles.getUserMap());
      cachedRoleMaps.put(name, usersAndRoles.getRoleMap());
    }

    // Group mappings carry their own role map, cached separately from the
    // user-side role map above.
    GroupMappingAndRoleMap groupsAndRoles = fetchGroupAndRoleMapFromCoordinator(name, true);
    if (groupsAndRoles != null) {
      cachedGroupMappingMaps.put(name, groupsAndRoles.getGroupMappingMap());
      cachedGroupMappingRoleMaps.put(name, groupsAndRoles.getRoleMap());
    }
  }
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class CoordinatorBasicAuthorizerCacheNotifier method getAuthorizerConfigMap.
/**
 * Collects the database configuration of every {@link BasicRoleBasedAuthorizer}
 * registered in the given mapper, keyed by authorizer name.
 *
 * @param mapper source of the configured authorizers; neither it nor its
 *               authorizer map may be null
 * @return a new mutable map from authorizer name to its {@link BasicAuthDBConfig};
 *         authorizers of other types are left out
 */
private Map<String, BasicAuthDBConfig> getAuthorizerConfigMap(AuthorizerMapper mapper) {
  Preconditions.checkNotNull(mapper);
  Preconditions.checkNotNull(mapper.getAuthorizerMap());

  Map<String, BasicAuthDBConfig> configsByName = new HashMap<>();
  for (Map.Entry<String, Authorizer> mapping : mapper.getAuthorizerMap().entrySet()) {
    Authorizer candidate = mapping.getValue();
    if (!(candidate instanceof BasicRoleBasedAuthorizer)) {
      // Only the basic role-based authorizer exposes a DB config.
      continue;
    }
    configsByName.put(mapping.getKey(), ((BasicRoleBasedAuthorizer) candidate).getDbConfig());
  }
  return configsByName;
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdater method start.
/**
 * Loads the stored user, group-mapping and role maps of every
 * {@link BasicRoleBasedAuthorizer} into the in-memory caches, then schedules a
 * periodic poll that refreshes those caches from storage.
 *
 * @throws ISE if the lifecycle lock does not permit starting
 */
@LifecycleStart
public void start() {
  if (!lifecycleLock.canStart()) {
    throw new ISE("can't start.");
  }
  // NOTE(review): this early return sits after a successful canStart() but
  // outside the try/finally below, so neither started() nor exitStart() is
  // called on this path - confirm LifecycleLock tolerates that.
  if (authorizerMapper == null || authorizerMapper.getAuthorizerMap() == null) {
    return;
  }
  try {
    LOG.info("Starting CoordinatorBasicAuthorizerMetadataStorageUpdater");
    // Initial load. maybeInitialize's retry/ordering semantics are not visible
    // here; the callback reports success by returning true.
    BasicAuthUtils.maybeInitialize(() -> {
      for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
        Authorizer authorizer = entry.getValue();
        if (authorizer instanceof BasicRoleBasedAuthorizer) {
          BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer;
          BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig();
          String authorizerName = entry.getKey();
          authorizerNames.add(authorizerName);
          // Each bundle keeps the parsed map together with the raw bytes it was
          // parsed from.
          // NOTE(review): these puts are not wrapped in synchronized, unlike the
          // ones in the poll below - confirm the cache maps are safe for that.
          byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
          Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
          cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
          byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
          Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
          cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
          byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
          Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
          cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
          // Passes the configured initial admin user, role and group mapping
          // along with the maps just loaded; what the helper creates is not
          // visible here.
          initSuperUsersAndGroupMapping(authorizerName, userMap, roleMap, groupMappingMap, dbConfig.getInitialAdminUser(), dbConfig.getInitialAdminRole(), dbConfig.getInitialAdminGroupMapping());
        }
      }
      return true;
    });
    // The polling period is used both as the initial delay and as the delay
    // between runs.
    ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), () -> {
      if (stopped) {
        return ScheduledExecutors.Signal.STOP;
      }
      try {
        LOG.debug("Scheduled db poll is running");
        for (String authorizerName : authorizerNames) {
          // Deserialization runs before the null check on the bytes; presumably
          // the helper tolerates null input - verify. When the bytes are null
          // the existing cache entry is left untouched.
          byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
          Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
          if (userMapBytes != null) {
            synchronized (cachedUserMaps) {
              cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
            }
          }
          byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
          Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
          if (groupMappingMapBytes != null) {
            synchronized (cachedGroupMappingMaps) {
              cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
            }
          }
          byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
          Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
          if (roleMapBytes != null) {
            synchronized (cachedRoleMaps) {
              cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
            }
          }
        }
        LOG.debug("Scheduled db poll is done");
      } catch (Throwable t) {
        // A failure aborts this run part-way: maps refreshed before the error
        // stay refreshed, the rest keep their previous contents until a later
        // poll succeeds. Stored permission changes, removals included, are
        // therefore not reflected in the caches in the meantime; the alert is
        // the only signal.
        LOG.makeAlert(t, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.").emit();
      }
      // Polling continues after an error.
      return ScheduledExecutors.Signal.REPEAT;
    });
    lifecycleLock.started();
  } finally {
    // Runs whether or not initialization and scheduling succeeded.
    lifecycleLock.exitStart();
  }
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class OverlordResourceTest method setUp.
/**
 * Builds the mocks and an {@link OverlordResource} wired to a fixed test
 * authorization policy.
 *
 * <p>The policy decides on the resource name alone: "allow" is always granted,
 * each named datasource is readable only by its dedicated reader identity, and
 * every other resource is denied.
 */
@Before
public void setUp() {
  // Strict mocks verify call order; the plain mocks do not.
  req = EasyMock.createStrictMock(HttpServletRequest.class);
  taskMaster = EasyMock.createStrictMock(TaskMaster.class);
  taskStorageQueryAdapter = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
  indexerMetadataStorageAdapter = EasyMock.createStrictMock(IndexerMetadataStorageAdapter.class);
  workerTaskRunnerQueryAdapter = EasyMock.createStrictMock(WorkerTaskRunnerQueryAdapter.class);
  taskRunner = EasyMock.createMock(TaskRunner.class);
  configManager = EasyMock.createMock(JacksonConfigManager.class);
  provisioningStrategy = EasyMock.createMock(ProvisioningStrategy.class);

  EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();

  // Every authorizer name resolves to the same policy, so the tests do not
  // depend on which authorizer a request is routed to.
  AuthorizerMapper fixedPolicyMapper = new AuthorizerMapper(null) {
    @Override
    public Authorizer getAuthorizer(String name) {
      return new Authorizer() {
        @Override
        public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
          final String identity = authenticationResult.getIdentity();
          final boolean readRequested = action == Action.READ;
          final boolean permitted;
          switch (resource.getName()) {
            case "allow":
              // Granted for any identity and any action.
              permitted = true;
              break;
            case Datasources.WIKIPEDIA:
              // Read-only, and only for the wiki reader.
              permitted = readRequested && Users.WIKI_READER.equals(identity);
              break;
            case Datasources.BUZZFEED:
              // Read-only, and only for the buzz reader.
              permitted = readRequested && Users.BUZZ_READER.equals(identity);
              break;
            default:
              // Deny by default: unknown resources are never accessible.
              permitted = false;
              break;
          }
          return new Access(permitted);
        }
      };
    }
  };

  overlordResource = new OverlordResource(
      taskMaster,
      taskStorageQueryAdapter,
      indexerMetadataStorageAdapter,
      null,
      configManager,
      null,
      fixedPolicyMapper,
      workerTaskRunnerQueryAdapter,
      provisioningStrategy
  );
}
use of org.apache.druid.server.security.Authorizer in project druid by druid-io.
the class SeekableStreamIndexTaskRunnerAuthTest method setUp.
/**
 * Creates the task runner under test with an authorization policy that grants
 * access to datasource resources only.
 *
 * <p>Read access is granted to the datasource read user and write access to
 * the datasource write user; every other combination is denied.
 */
@Before
public void setUp() {
  // Every authorizer name resolves to the same datasource-only policy.
  AuthorizerMapper datasourceOnlyMapper = new AuthorizerMapper(null) {
    @Override
    public Authorizer getAuthorizer(String name) {
      return (authenticationResult, resource, action) -> {
        final String identity = authenticationResult.getIdentity();

        // Deny by default: anything that is not a datasource is off limits.
        if (!resource.getType().equals(ResourceType.DATASOURCE)) {
          return new Access(false);
        }

        // Each user holds exactly one permission; the read user cannot write
        // and the write user cannot read.
        final boolean readerReading = action == Action.READ && identity.equals(Users.DATASOURCE_READ);
        final boolean writerWriting = action == Action.WRITE && identity.equals(Users.DATASOURCE_WRITE);
        return new Access(readerReading || writerWriting);
      };
    }
  };

  DataSchema schema = new DataSchema(
      "datasource",
      new TimestampSpec(null, null, null),
      new DimensionsSpec(Collections.emptyList()),
      new AggregatorFactory[] {},
      new ArbitraryGranularitySpec(new AllGranularity(), Collections.emptyList()),
      TransformSpec.NONE,
      null,
      null
  );
  SeekableStreamIndexTaskTuningConfig tuning = mock(SeekableStreamIndexTaskTuningConfig.class);
  SeekableStreamIndexTaskIOConfig<String, String> io = new TestSeekableStreamIndexTaskIOConfig();

  // Initialize the task, then the runner that enforces the policy above.
  SeekableStreamIndexTask<String, String, ByteEntity> task =
      new TestSeekableStreamIndexTask("id", schema, tuning, io);
  taskRunner = new TestSeekableStreamIndexTaskRunner(task, datasourceOnlyMapper);
}