Search in sources :

Example 6 with Authorizer

use of org.apache.druid.server.security.Authorizer in project druid by druid-io.

the class CoordinatorPollingBasicAuthorizerCacheManager method initUserMaps.

private void initUserMaps() {
    AuthorizerMapper authorizerMapper = injector.getInstance(AuthorizerMapper.class);
    if (authorizerMapper == null || authorizerMapper.getAuthorizerMap() == null) {
        return;
    }
    for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
        Authorizer authorizer = entry.getValue();
        if (authorizer instanceof BasicRoleBasedAuthorizer) {
            String authorizerName = entry.getKey();
            authorizerPrefixes.add(authorizerName);
            UserAndRoleMap userAndRoleMap = fetchUserAndRoleMapFromCoordinator(authorizerName, true);
            if (userAndRoleMap != null) {
                cachedUserMaps.put(authorizerName, userAndRoleMap.getUserMap());
                cachedRoleMaps.put(authorizerName, userAndRoleMap.getRoleMap());
            }
            GroupMappingAndRoleMap groupMappingAndRoleMap = fetchGroupAndRoleMapFromCoordinator(authorizerName, true);
            if (groupMappingAndRoleMap != null) {
                cachedGroupMappingMaps.put(authorizerName, groupMappingAndRoleMap.getGroupMappingMap());
                cachedGroupMappingRoleMaps.put(authorizerName, groupMappingAndRoleMap.getRoleMap());
            }
        }
    }
}
Also used : UserAndRoleMap(org.apache.druid.security.basic.authorization.entity.UserAndRoleMap) GroupMappingAndRoleMap(org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) Authorizer(org.apache.druid.server.security.Authorizer) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) UserAndRoleMap(org.apache.druid.security.basic.authorization.entity.UserAndRoleMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) GroupMappingAndRoleMap(org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap)

Example 7 with Authorizer

use of org.apache.druid.server.security.Authorizer in project druid by druid-io.

the class CoordinatorBasicAuthorizerCacheNotifier method getAuthorizerConfigMap.

private Map<String, BasicAuthDBConfig> getAuthorizerConfigMap(AuthorizerMapper mapper) {
    Preconditions.checkNotNull(mapper);
    Preconditions.checkNotNull(mapper.getAuthorizerMap());
    Map<String, BasicAuthDBConfig> authorizerConfigMap = new HashMap<>();
    for (Map.Entry<String, Authorizer> entry : mapper.getAuthorizerMap().entrySet()) {
        Authorizer authorizer = entry.getValue();
        if (authorizer instanceof BasicRoleBasedAuthorizer) {
            String authorizerName = entry.getKey();
            BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer;
            BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig();
            authorizerConfigMap.put(authorizerName, dbConfig);
        }
    }
    return authorizerConfigMap;
}
Also used : HashMap(java.util.HashMap) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) Authorizer(org.apache.druid.server.security.Authorizer) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) HashMap(java.util.HashMap) Map(java.util.Map) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig)

Example 8 with Authorizer

use of org.apache.druid.server.security.Authorizer in project druid by druid-io.

the class CoordinatorBasicAuthorizerMetadataStorageUpdater method start.

@LifecycleStart
public void start() {
    if (!lifecycleLock.canStart()) {
        throw new ISE("can't start.");
    }
    if (authorizerMapper == null || authorizerMapper.getAuthorizerMap() == null) {
        return;
    }
    try {
        LOG.info("Starting CoordinatorBasicAuthorizerMetadataStorageUpdater");
        BasicAuthUtils.maybeInitialize(() -> {
            for (Map.Entry<String, Authorizer> entry : authorizerMapper.getAuthorizerMap().entrySet()) {
                Authorizer authorizer = entry.getValue();
                if (authorizer instanceof BasicRoleBasedAuthorizer) {
                    BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer;
                    BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig();
                    String authorizerName = entry.getKey();
                    authorizerNames.add(authorizerName);
                    byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
                    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
                    cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
                    byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
                    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
                    cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
                    byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
                    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
                    cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
                    initSuperUsersAndGroupMapping(authorizerName, userMap, roleMap, groupMappingMap, dbConfig.getInitialAdminUser(), dbConfig.getInitialAdminRole(), dbConfig.getInitialAdminGroupMapping());
                }
            }
            return true;
        });
        ScheduledExecutors.scheduleWithFixedDelay(exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), () -> {
            if (stopped) {
                return ScheduledExecutors.Signal.STOP;
            }
            try {
                LOG.debug("Scheduled db poll is running");
                for (String authorizerName : authorizerNames) {
                    byte[] userMapBytes = getCurrentUserMapBytes(authorizerName);
                    Map<String, BasicAuthorizerUser> userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, userMapBytes);
                    if (userMapBytes != null) {
                        synchronized (cachedUserMaps) {
                            cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes));
                        }
                    }
                    byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName);
                    Map<String, BasicAuthorizerGroupMapping> groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, groupMappingMapBytes);
                    if (groupMappingMapBytes != null) {
                        synchronized (cachedGroupMappingMaps) {
                            cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes));
                        }
                    }
                    byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName);
                    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, roleMapBytes);
                    if (roleMapBytes != null) {
                        synchronized (cachedRoleMaps) {
                            cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes));
                        }
                    }
                }
                LOG.debug("Scheduled db poll is done");
            } catch (Throwable t) {
                LOG.makeAlert(t, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.").emit();
            }
            return ScheduledExecutors.Signal.REPEAT;
        });
        lifecycleLock.started();
    } finally {
        lifecycleLock.exitStart();
    }
}
Also used : Duration(org.joda.time.Duration) BasicAuthorizerRoleMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleMapBundle) BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) BasicAuthorizerUserMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle) BasicAuthorizerUser(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser) Authorizer(org.apache.druid.server.security.Authorizer) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) BasicAuthorizerGroupMappingMapBundle(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingMapBundle) ISE(org.apache.druid.java.util.common.ISE) BasicRoleBasedAuthorizer(org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) UserAndRoleMap(org.apache.druid.security.basic.authorization.entity.UserAndRoleMap) Map(java.util.Map) ConcurrentHashMap(java.util.concurrent.ConcurrentHashMap) GroupMappingAndRoleMap(org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap) BasicAuthDBConfig(org.apache.druid.security.basic.BasicAuthDBConfig) LifecycleStart(org.apache.druid.java.util.common.lifecycle.LifecycleStart)

Example 9 with Authorizer

use of org.apache.druid.server.security.Authorizer in project druid by druid-io.

the class OverlordResourceTest method setUp.

@Before
public void setUp() {
    taskRunner = EasyMock.createMock(TaskRunner.class);
    configManager = EasyMock.createMock(JacksonConfigManager.class);
    provisioningStrategy = EasyMock.createMock(ProvisioningStrategy.class);
    taskMaster = EasyMock.createStrictMock(TaskMaster.class);
    taskStorageQueryAdapter = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
    indexerMetadataStorageAdapter = EasyMock.createStrictMock(IndexerMetadataStorageAdapter.class);
    req = EasyMock.createStrictMock(HttpServletRequest.class);
    workerTaskRunnerQueryAdapter = EasyMock.createStrictMock(WorkerTaskRunnerQueryAdapter.class);
    EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();
    AuthorizerMapper authMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return new Authorizer() {

                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    final String username = authenticationResult.getIdentity();
                    switch(resource.getName()) {
                        case "allow":
                            return new Access(true);
                        case Datasources.WIKIPEDIA:
                            // Only "Wiki Reader" can read "wikipedia"
                            return new Access(action == Action.READ && Users.WIKI_READER.equals(username));
                        case Datasources.BUZZFEED:
                            // Only "Buzz Reader" can read "buzzfeed"
                            return new Access(action == Action.READ && Users.BUZZ_READER.equals(username));
                        default:
                            return new Access(false);
                    }
                }
            };
        }
    };
    overlordResource = new OverlordResource(taskMaster, taskStorageQueryAdapter, indexerMetadataStorageAdapter, null, configManager, null, authMapper, workerTaskRunnerQueryAdapter, provisioningStrategy);
}
Also used : IndexerMetadataStorageAdapter(org.apache.druid.indexing.overlord.IndexerMetadataStorageAdapter) Action(org.apache.druid.server.security.Action) JacksonConfigManager(org.apache.druid.common.config.JacksonConfigManager) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) TaskStorageQueryAdapter(org.apache.druid.indexing.overlord.TaskStorageQueryAdapter) TaskRunner(org.apache.druid.indexing.overlord.TaskRunner) WorkerTaskRunner(org.apache.druid.indexing.overlord.WorkerTaskRunner) ProvisioningStrategy(org.apache.druid.indexing.overlord.autoscaling.ProvisioningStrategy) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) HttpServletRequest(javax.servlet.http.HttpServletRequest) Authorizer(org.apache.druid.server.security.Authorizer) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) TaskMaster(org.apache.druid.indexing.overlord.TaskMaster) WorkerTaskRunnerQueryAdapter(org.apache.druid.indexing.overlord.WorkerTaskRunnerQueryAdapter) Before(org.junit.Before)

Example 10 with Authorizer

use of org.apache.druid.server.security.Authorizer in project druid by druid-io.

the class SeekableStreamIndexTaskRunnerAuthTest method setUp.

@Before
public void setUp() {
    // Create an AuthorizerMapper that only allows access to a Datasource resource
    AuthorizerMapper authorizerMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return (authenticationResult, resource, action) -> {
                final String username = authenticationResult.getIdentity();
                // - or, Datasource Write User requests Write access
                if (resource.getType().equals(ResourceType.DATASOURCE)) {
                    return new Access((action == Action.READ && username.equals(Users.DATASOURCE_READ)) || (action == Action.WRITE && username.equals(Users.DATASOURCE_WRITE)));
                }
                // Do not allow access to any other resource
                return new Access(false);
            };
        }
    };
    DataSchema dataSchema = new DataSchema("datasource", new TimestampSpec(null, null, null), new DimensionsSpec(Collections.emptyList()), new AggregatorFactory[] {}, new ArbitraryGranularitySpec(new AllGranularity(), Collections.emptyList()), TransformSpec.NONE, null, null);
    SeekableStreamIndexTaskTuningConfig tuningConfig = mock(SeekableStreamIndexTaskTuningConfig.class);
    SeekableStreamIndexTaskIOConfig<String, String> ioConfig = new TestSeekableStreamIndexTaskIOConfig();
    // Initiliaze task and task runner
    SeekableStreamIndexTask<String, String, ByteEntity> indexTask = new TestSeekableStreamIndexTask("id", dataSchema, tuningConfig, ioConfig);
    taskRunner = new TestSeekableStreamIndexTaskRunner(indexTask, authorizerMapper);
}
Also used : TaskToolbox(org.apache.druid.indexing.common.TaskToolbox) StreamPartition(org.apache.druid.indexing.seekablestream.common.StreamPartition) ArbitraryGranularitySpec(org.apache.druid.segment.indexing.granularity.ArbitraryGranularitySpec) RecordSupplier(org.apache.druid.indexing.seekablestream.common.RecordSupplier) OrderedPartitionableRecord(org.apache.druid.indexing.seekablestream.common.OrderedPartitionableRecord) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) EasyMock.mock(org.easymock.EasyMock.mock) AllGranularity(org.apache.druid.java.util.common.granularity.AllGranularity) TimestampSpec(org.apache.druid.data.input.impl.TimestampSpec) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) HttpServletRequest(javax.servlet.http.HttpServletRequest) Map(java.util.Map) ForbiddenException(org.apache.druid.server.security.ForbiddenException) EasyMock.replay(org.easymock.EasyMock.replay) AuthConfig(org.apache.druid.server.security.AuthConfig) TypeReference(com.fasterxml.jackson.core.type.TypeReference) ExpectedException(org.junit.rules.ExpectedException) Nonnull(javax.annotation.Nonnull) Nullable(javax.annotation.Nullable) Before(org.junit.Before) DateTimes(org.apache.druid.java.util.common.DateTimes) Access(org.apache.druid.server.security.Access) ResourceType(org.apache.druid.server.security.ResourceType) AggregatorFactory(org.apache.druid.query.aggregation.AggregatorFactory) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Set(java.util.Set) CsvInputFormat(org.apache.druid.data.input.impl.CsvInputFormat) DimensionsSpec(org.apache.druid.data.input.impl.DimensionsSpec) Test(org.junit.Test) Action(org.apache.druid.server.security.Action) EasyMock(org.easymock.EasyMock) LockGranularity(org.apache.druid.indexing.common.LockGranularity) OrderedSequenceNumber(org.apache.druid.indexing.seekablestream.common.OrderedSequenceNumber) Consumer(java.util.function.Consumer) List(java.util.List) Rule(org.junit.Rule) TreeMap(java.util.TreeMap) ByteEntity(org.apache.druid.data.input.impl.ByteEntity) DataSchema(org.apache.druid.segment.indexing.DataSchema) Collections(java.util.Collections) TransformSpec(org.apache.druid.segment.transform.TransformSpec) Authorizer(org.apache.druid.server.security.Authorizer) ByteEntity(org.apache.druid.data.input.impl.ByteEntity) AllGranularity(org.apache.druid.java.util.common.granularity.AllGranularity) Access(org.apache.druid.server.security.Access) ArbitraryGranularitySpec(org.apache.druid.segment.indexing.granularity.ArbitraryGranularitySpec) DataSchema(org.apache.druid.segment.indexing.DataSchema) TimestampSpec(org.apache.druid.data.input.impl.TimestampSpec) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) DimensionsSpec(org.apache.druid.data.input.impl.DimensionsSpec) Before(org.junit.Before)

Aggregations

Authorizer (org.apache.druid.server.security.Authorizer)12 Access (org.apache.druid.server.security.Access)8 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)8 AuthorizerMapper (org.apache.druid.server.security.AuthorizerMapper)8 Action (org.apache.druid.server.security.Action)7 Resource (org.apache.druid.server.security.Resource)7 Test (org.junit.Test)5 Map (java.util.Map)4 Response (javax.ws.rs.core.Response)4 AuthConfig (org.apache.druid.server.security.AuthConfig)4 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)3 ByteArrayInputStream (java.io.ByteArrayInputStream)3 List (java.util.List)3 HttpServletRequest (javax.servlet.http.HttpServletRequest)3 BasicRoleBasedAuthorizer (org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer)3 ForbiddenException (org.apache.druid.server.security.ForbiddenException)3 ImmutableList (com.google.common.collect.ImmutableList)2 IOException (java.io.IOException)2 Set (java.util.Set)2 ConcurrentHashMap (java.util.concurrent.ConcurrentHashMap)2