use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class SupervisorResource method specPost.
/**
 * Creates or updates a supervisor from the posted spec and starts it.
 *
 * <p>One resource action is built per datasource in the spec with
 * {@code AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR}, and all of them are passed to
 * {@code authorizeAllResourceActions}. The check runs before the manager is touched, so a
 * denied request does not reach {@code createOrUpdateAndStartSupervisor}.
 *
 * @param spec supervisor spec taken from the JSON request body
 * @param req servlet request handed to the authorization check
 * @return an OK response whose entity maps {@code "id"} to the spec id
 * @throws ForbiddenException if the authorization result is not allowed
 * @throws IllegalArgumentException if the spec names no datasources
 */
@POST
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response specPost(final SupervisorSpec spec, @Context final HttpServletRequest req) {
  // NOTE(review): asLeaderWithSupervisorManager is defined elsewhere; presumably it only runs
  // the callback on the leader -- confirm.
  return asLeaderWithSupervisorManager(mgr -> {
    // A spec with no datasources leaves nothing to authorize against, so it is rejected
    // outright instead of being passed to the authorizer with an empty set of actions.
    // NOTE(review): spec is dereferenced here without a null check; confirm that the JSON
    // provider never hands over a null entity for an empty body.
    Preconditions.checkArgument(
        spec.getDataSources() != null && spec.getDataSources().size() > 0,
        "No dataSources found to perform authorization checks"
    );

    final Access access = AuthorizationUtils.authorizeAllResourceActions(
        req,
        Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR),
        authorizerMapper
    );

    // Deny first: nothing below this guard runs for a caller that is not allowed.
    // NOTE(review): the Access description becomes the exception message; check how
    // ForbiddenException is rendered to the client.
    if (!access.isAllowed()) {
      throw new ForbiddenException(access.toString());
    }

    mgr.createOrUpdateAndStartSupervisor(spec);
    return Response.ok(ImmutableMap.of("id", spec.getId())).build();
  });
}
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class SupervisorResourceFilter method filter.
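/**
 * Authorizes a request against the datasources of the supervisor named in its path.
 *
 * <p>The supervisor id is the path segment that follows the first {@code "supervisor"}
 * segment. The spec for that id is looked up, and one resource action per datasource is
 * authorized: READ actions when {@code getAction(request)} is {@code Action.READ}, WRITE
 * actions for every other action.
 *
 * @param request the incoming request
 * @return the same request, unchanged, when authorization is allowed
 * @throws IllegalArgumentException if the path has no {@code "supervisor"} segment, or the
 *     spec names no datasources
 * @throws IndexOutOfBoundsException if {@code "supervisor"} is the last path segment
 * @throws WebApplicationException with status 404 if no supervisor has the extracted id
 * @throws ForbiddenException if the authorization result is not allowed
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
  final Predicate<PathSegment> isSupervisorSegment = new Predicate<PathSegment>() {
    @Override
    public boolean apply(PathSegment input) {
      return "supervisor".equals(input.getPath());
    }
  };

  // Iterables.indexOf returns -1 when no segment matches, which the "+ 1" would turn into
  // index 0: the first path segment would then be used as the supervisor id and the
  // authorization below would be evaluated for whatever that id resolves to. Fail instead.
  final int idIndex = Iterables.indexOf(request.getPathSegments(), isSupervisorSegment) + 1;
  Preconditions.checkArgument(idIndex > 0, "Cannot find a [supervisor] segment in the request path");
  final String supervisorId = Preconditions.checkNotNull(request.getPathSegments().get(idIndex).getPath());

  // NOTE(review): this 404 is produced before the authorization check and echoes the id, so
  // a caller who would be denied can still tell an existing supervisor id from a missing
  // one. The datasources to authorize come from the spec, so the lookup has to happen first;
  // confirm the difference in responses is acceptable for this endpoint.
  Optional<SupervisorSpec> supervisorSpecOptional = supervisorManager.getSupervisorSpec(supervisorId);
  if (!supervisorSpecOptional.isPresent()) {
    throw new WebApplicationException(
        Response.status(Response.Status.NOT_FOUND)
                .entity(StringUtils.format("Cannot find any supervisor with id: [%s]", supervisorId))
                .build()
    );
  }

  final SupervisorSpec spec = supervisorSpecOptional.get();
  // A spec with no datasources leaves nothing to authorize against, so it is rejected here
  // instead of being passed to the authorizer with an empty set of actions.
  Preconditions.checkArgument(
      spec.getDataSources() != null && spec.getDataSources().size() > 0,
      "No dataSources found to perform authorization checks"
  );

  // Only an explicit READ maps to read permission; every other action requires write.
  Function<String, ResourceAction> resourceActionFunction = getAction(request) == Action.READ
      ? AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR
      : AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR;

  Access authResult = AuthorizationUtils.authorizeAllResourceActions(
      getReq(),
      Iterables.transform(spec.getDataSources(), resourceActionFunction),
      getAuthorizerMapper()
  );
  if (!authResult.isAllowed()) {
    throw new ForbiddenException(authResult.toString());
  }
  return request;
}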
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class SupervisorResourceFilterTest method testPostWhenUserHasNoWriteAccess.
/**
 * Checks that the filter throws {@link ForbiddenException} for a POST to a supervisor path
 * when the expectations are set up with {@code Action.WRITE} and a final {@code false}.
 */
@Test
public void testPostWhenUserHasNoWriteAccess() {
  // NOTE(review): the trailing `false` presumably makes the mocked authorization deny the
  // request -- confirm in setExpectations.
  setExpectations(
      "/druid/indexer/v1/supervisor/datasource1",
      "POST",
      "datasource1",
      Action.WRITE,
      false
  );

  ForbiddenException denied = null;
  try {
    resourceFilter.filter(containerRequest);
  } catch (ForbiddenException e) {
    denied = e;
  }

  // Stays null when filter() returns normally, i.e. when the request was let through.
  Assert.assertNotNull(denied);
  verifyMocks();
}
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class SupervisorResourceFilterTest method testGetWhenUserHasNoReadAccess.
/**
 * Checks that the filter throws {@link ForbiddenException} for a GET to a supervisor path
 * when the expectations are set up with {@code Action.READ} and a final {@code false}.
 */
@Test
public void testGetWhenUserHasNoReadAccess() {
  // NOTE(review): the trailing `false` presumably makes the mocked authorization deny the
  // request -- confirm in setExpectations.
  setExpectations(
      "/druid/indexer/v1/supervisor/datasource1",
      "GET",
      "datasource1",
      Action.READ,
      false
  );

  ForbiddenException denied = null;
  try {
    resourceFilter.filter(containerRequest);
  } catch (ForbiddenException e) {
    denied = e;
  }

  // Stays null when filter() returns normally, i.e. when the request was let through.
  Assert.assertNotNull(denied);
  verifyMocks();
}
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class ConfigResourceFilter method filter.
/**
 * Authorizes a request against the single {@code "CONFIG"} resource of type
 * {@code ResourceType.CONFIG}, using the action that {@code getAction(request)} returns.
 *
 * @param request the incoming request
 * @return the same request, unchanged, when authorization is allowed
 * @throws ForbiddenException if the authorization result is not allowed
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
  final Resource configResource = new Resource("CONFIG", ResourceType.CONFIG);
  final ResourceAction requested = new ResourceAction(configResource, getAction(request));

  final Access access = AuthorizationUtils.authorizeResourceAction(
      getReq(),
      requested,
      getAuthorizerMapper()
  );

  // Deny first: the request is only handed back when the check allowed it.
  // NOTE(review): the Access description becomes the exception message; check how
  // ForbiddenException is rendered to the client.
  if (!access.isAllowed()) {
    throw new ForbiddenException(access.toString());
  }
  return request;
}