Search in sources :

Example 16 with AuthorizerMapper

use of org.apache.druid.server.security.AuthorizerMapper in project druid by druid-io.

the class MetadataResource method getAllUsedSegmentsWithOvershadowedStatus.

private Response getAllUsedSegmentsWithOvershadowedStatus(HttpServletRequest req, @Nullable Set<String> dataSources) {
    DataSourcesSnapshot dataSourcesSnapshot = segmentsMetadataManager.getSnapshotOfDataSourcesWithAllUsedSegments();
    Collection<ImmutableDruidDataSource> dataSourcesWithUsedSegments = dataSourcesSnapshot.getDataSourcesWithAllUsedSegments();
    if (dataSources != null && !dataSources.isEmpty()) {
        dataSourcesWithUsedSegments = dataSourcesWithUsedSegments.stream().filter(dataSourceWithUsedSegments -> dataSources.contains(dataSourceWithUsedSegments.getName())).collect(Collectors.toList());
    }
    final Stream<DataSegment> usedSegments = dataSourcesWithUsedSegments.stream().flatMap(t -> t.getSegments().stream());
    final Set<SegmentId> overshadowedSegments = dataSourcesSnapshot.getOvershadowedSegments();
    final Stream<SegmentWithOvershadowedStatus> usedSegmentsWithOvershadowedStatus = usedSegments.map(segment -> new SegmentWithOvershadowedStatus(segment, overshadowedSegments.contains(segment.getId())));
    final Function<SegmentWithOvershadowedStatus, Iterable<ResourceAction>> raGenerator = segment -> Collections.singletonList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(segment.getDataSegment().getDataSource()));
    final Iterable<SegmentWithOvershadowedStatus> authorizedSegments = AuthorizationUtils.filterAuthorizedResources(req, usedSegmentsWithOvershadowedStatus::iterator, raGenerator, authorizerMapper);
    Response.ResponseBuilder builder = Response.status(Response.Status.OK);
    return builder.entity(authorizedSegments).build();
}
Also used : Iterables(com.google.common.collect.Iterables) PathParam(javax.ws.rs.PathParam) Produces(javax.ws.rs.Produces) GET(javax.ws.rs.GET) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) Inject(com.google.inject.Inject) SegmentWithOvershadowedStatus(org.apache.druid.timeline.SegmentWithOvershadowedStatus) Path(javax.ws.rs.Path) Collections2(com.google.common.collect.Collections2) ResourceFilters(com.sun.jersey.spi.container.ResourceFilters) DataSourcesSnapshot(org.apache.druid.client.DataSourcesSnapshot) TreeSet(java.util.TreeSet) Interval(org.joda.time.Interval) HttpServletRequest(javax.servlet.http.HttpServletRequest) MediaType(javax.ws.rs.core.MediaType) QueryParam(javax.ws.rs.QueryParam) ImmutableDruidDataSource(org.apache.druid.client.ImmutableDruidDataSource) Nullable(javax.annotation.Nullable) JettyUtils(org.apache.druid.server.JettyUtils) Function(com.google.common.base.Function) POST(javax.ws.rs.POST) Context(javax.ws.rs.core.Context) SegmentsMetadataManager(org.apache.druid.metadata.SegmentsMetadataManager) Collection(java.util.Collection) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) Segments(org.apache.druid.indexing.overlord.Segments) Set(java.util.Set) Json(org.apache.druid.guice.annotations.Json) AuthorizationUtils(org.apache.druid.server.security.AuthorizationUtils) Collectors(java.util.stream.Collectors) DatasourceResourceFilter(org.apache.druid.server.http.security.DatasourceResourceFilter) List(java.util.List) Stream(java.util.stream.Stream) Response(javax.ws.rs.core.Response) ResourceAction(org.apache.druid.server.security.ResourceAction) IndexerMetadataStorageCoordinator(org.apache.druid.indexing.overlord.IndexerMetadataStorageCoordinator) DataSegment(org.apache.druid.timeline.DataSegment) UriInfo(javax.ws.rs.core.UriInfo) SegmentId(org.apache.druid.timeline.SegmentId) Collections(java.util.Collections) ImmutableDruidDataSource(org.apache.druid.client.ImmutableDruidDataSource) SegmentId(org.apache.druid.timeline.SegmentId) DataSegment(org.apache.druid.timeline.DataSegment) Response(javax.ws.rs.core.Response) SegmentWithOvershadowedStatus(org.apache.druid.timeline.SegmentWithOvershadowedStatus) DataSourcesSnapshot(org.apache.druid.client.DataSourcesSnapshot)

Example 17 with AuthorizerMapper

use of org.apache.druid.server.security.AuthorizerMapper in project druid by druid-io.

the class QueryResourceTest method testSecuredQuery.

@Test
public void testSecuredQuery() throws Exception {
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
    EasyMock.expectLastCall().times(1);
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
    EasyMock.expectLastCall().times(1);
    EasyMock.replay(testServletRequest);
    AuthorizerMapper authMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return new Authorizer() {

                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    if (resource.getName().equals("allow")) {
                        return new Access(true);
                    } else {
                        return new Access(false);
                    }
                }
            };
        }
    };
    queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
    try {
        queryResource.doPost(new ByteArrayInputStream(SIMPLE_TIMESERIES_QUERY.getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
        testServletRequest);
        Assert.fail("doPost did not throw ForbiddenException for an unauthorized query");
    } catch (ForbiddenException e) {
    }
    Response response = queryResource.doPost(new ByteArrayInputStream("{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
    testServletRequest);
    final ByteArrayOutputStream baos = new ByteArrayOutputStream();
    ((StreamingOutput) response.getEntity()).write(baos);
    final List<Result<TimeBoundaryResultValue>> responses = jsonMapper.readValue(baos.toByteArray(), new TypeReference<List<Result<TimeBoundaryResultValue>>>() {
    });
    Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
    Assert.assertEquals(0, responses.size());
    Assert.assertEquals(1, testRequestLogger.getNativeQuerylogs().size());
    Assert.assertEquals(true, testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("success"));
    Assert.assertEquals("druid", testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("identity"));
}
Also used : Action(org.apache.druid.server.security.Action) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) StreamingOutput(javax.ws.rs.core.StreamingOutput) AuthConfig(org.apache.druid.server.security.AuthConfig) ByteArrayOutputStream(java.io.ByteArrayOutputStream) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Result(org.apache.druid.query.Result) Response(javax.ws.rs.core.Response) ByteArrayInputStream(java.io.ByteArrayInputStream) Authorizer(org.apache.druid.server.security.Authorizer) TimeBoundaryResultValue(org.apache.druid.query.timeboundary.TimeBoundaryResultValue) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) Test(org.junit.Test)

Example 18 with AuthorizerMapper

use of org.apache.druid.server.security.AuthorizerMapper in project druid by druid-io.

the class SqlResource method cancelQuery.

@DELETE
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
public Response cancelQuery(@PathParam("id") String sqlQueryId, @Context final HttpServletRequest req) {
    log.debug("Received cancel request for query [%s]", sqlQueryId);
    List<SqlLifecycle> lifecycles = sqlLifecycleManager.getAll(sqlQueryId);
    if (lifecycles.isEmpty()) {
        return Response.status(Status.NOT_FOUND).build();
    }
    Set<ResourceAction> resources = lifecycles.stream().flatMap(lifecycle -> lifecycle.getRequiredResourceActions().stream()).collect(Collectors.toSet());
    Access access = AuthorizationUtils.authorizeAllResourceActions(req, resources, authorizerMapper);
    if (access.isAllowed()) {
        // should remove only the lifecycles in the snapshot.
        sqlLifecycleManager.removeAll(sqlQueryId, lifecycles);
        lifecycles.forEach(SqlLifecycle::cancel);
        return Response.status(Status.ACCEPTED).build();
    } else {
        return Response.status(Status.FORBIDDEN).build();
    }
}
Also used : Logger(org.apache.druid.java.util.common.logger.Logger) SqlLifecycle(org.apache.druid.sql.SqlLifecycle) PathParam(javax.ws.rs.PathParam) Produces(javax.ws.rs.Produces) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) Inject(com.google.inject.Inject) CountingOutputStream(com.google.common.io.CountingOutputStream) BadQueryException(org.apache.druid.query.BadQueryException) Path(javax.ws.rs.Path) Yielders(org.apache.druid.java.util.common.guava.Yielders) QueryCapacityExceededException(org.apache.druid.query.QueryCapacityExceededException) HttpServletRequest(javax.servlet.http.HttpServletRequest) MediaType(javax.ws.rs.core.MediaType) Consumes(javax.ws.rs.Consumes) SqlPlanningException(org.apache.druid.sql.SqlPlanningException) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Yielder(org.apache.druid.java.util.common.guava.Yielder) Status(javax.ws.rs.core.Response.Status) Nullable(javax.annotation.Nullable) DELETE(javax.ws.rs.DELETE) SanitizableException(org.apache.druid.common.exception.SanitizableException) Sequence(org.apache.druid.java.util.common.guava.Sequence) Access(org.apache.druid.server.security.Access) POST(javax.ws.rs.POST) Context(javax.ws.rs.core.Context) ServerConfig(org.apache.druid.server.initialization.ServerConfig) QueryInterruptedException(org.apache.druid.query.QueryInterruptedException) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) SqlLifecycleFactory(org.apache.druid.sql.SqlLifecycleFactory) StringUtils(org.apache.druid.java.util.common.StringUtils) Set(java.util.Set) JsonProcessingException(com.fasterxml.jackson.core.JsonProcessingException) SqlRowTransformer(org.apache.druid.sql.SqlRowTransformer) StreamingOutput(javax.ws.rs.core.StreamingOutput) IOException(java.io.IOException) Json(org.apache.druid.guice.annotations.Json) AuthorizationUtils(org.apache.druid.server.security.AuthorizationUtils) SqlLifecycleManager(org.apache.druid.sql.SqlLifecycleManager) Collectors(java.util.stream.Collectors) List(java.util.List) QueryTimeoutException(org.apache.druid.query.QueryTimeoutException) Response(javax.ws.rs.core.Response) ResourceAction(org.apache.druid.server.security.ResourceAction) ResourceLimitExceededException(org.apache.druid.query.ResourceLimitExceededException) Preconditions(com.google.common.base.Preconditions) RelOptPlanner(org.apache.calcite.plan.RelOptPlanner) QueryUnsupportedException(org.apache.druid.query.QueryUnsupportedException) SqlLifecycle(org.apache.druid.sql.SqlLifecycle) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Produces(javax.ws.rs.Produces)

Aggregations

AuthorizerMapper (org.apache.druid.server.security.AuthorizerMapper)18 ObjectMapper (com.fasterxml.jackson.databind.ObjectMapper)10 Response (javax.ws.rs.core.Response)10 Access (org.apache.druid.server.security.Access)10 Action (org.apache.druid.server.security.Action)10 List (java.util.List)9 HttpServletRequest (javax.servlet.http.HttpServletRequest)8 Set (java.util.Set)7 Resource (org.apache.druid.server.security.Resource)7 Collections (java.util.Collections)6 Map (java.util.Map)6 Nullable (javax.annotation.Nullable)6 Path (javax.ws.rs.Path)6 Produces (javax.ws.rs.Produces)6 Context (javax.ws.rs.core.Context)6 MediaType (javax.ws.rs.core.MediaType)6 ForbiddenException (org.apache.druid.server.security.ForbiddenException)6 Collectors (java.util.stream.Collectors)5 GET (javax.ws.rs.GET)5 POST (javax.ws.rs.POST)5