Example 16 with ForbiddenException
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class DatasourceResourceFilter method filter.
@Override
public ContainerRequest filter(ContainerRequest request) {
final ResourceAction resourceAction = new ResourceAction(new Resource(getRequestDatasourceName(request), ResourceType.DATASOURCE), getAction(request));
final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
if (!authResult.isAllowed()) {
throw new ForbiddenException(authResult.toString());
}
return request;
}
Also used :
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
Resource(org.apache.druid.server.security.Resource)
Access(org.apache.druid.server.security.Access)
ResourceAction(org.apache.druid.server.security.ResourceAction)
Example 17 with ForbiddenException
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class QueryResource method cancelQuery.
@DELETE
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) {
if (log.isDebugEnabled()) {
log.debug("Received cancel request for query [%s]", queryId);
}
Set<String> datasources = queryScheduler.getQueryDatasources(queryId);
if (datasources == null) {
log.warn("QueryId [%s] not registered with QueryScheduler, cannot cancel", queryId);
datasources = new TreeSet<>();
}
Access authResult = AuthorizationUtils.authorizeAllResourceActions(req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper);
if (!authResult.isAllowed()) {
throw new ForbiddenException(authResult.toString());
}
queryScheduler.cancelQuery(queryId);
return Response.status(Response.Status.ACCEPTED).build();
}
Also used :
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
Access(org.apache.druid.server.security.Access)
Path(javax.ws.rs.Path)
DELETE(javax.ws.rs.DELETE)
Produces(javax.ws.rs.Produces)
Example 18 with ForbiddenException
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class ChatHandlers method authorizationCheck.
/**
* Check authorization for the given action and dataSource.
*
* @return authorization result
*/
public static Access authorizationCheck(HttpServletRequest req, Action action, String dataSource, AuthorizerMapper authorizerMapper) {
ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), action);
Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
if (!access.isAllowed()) {
throw new ForbiddenException(access.toString());
}
return access;
}
Also used :
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
Resource(org.apache.druid.server.security.Resource)
Access(org.apache.druid.server.security.Access)
ResourceAction(org.apache.druid.server.security.ResourceAction)
Example 19 with ForbiddenException
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class TaskResourceFilter method filter.
@Override
public ContainerRequest filter(ContainerRequest request) {
String taskId = Preconditions.checkNotNull(request.getPathSegments().get(Iterables.indexOf(request.getPathSegments(), input -> "task".equals(input.getPath())) + 1).getPath());
IdUtils.validateId("taskId", taskId);
Optional<Task> taskOptional = taskStorageQueryAdapter.getTask(taskId);
if (!taskOptional.isPresent()) {
throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(StringUtils.format("Cannot find any task with id: [%s]", taskId)).build());
}
final String dataSourceName = Preconditions.checkNotNull(taskOptional.get().getDataSource());
final ResourceAction resourceAction = new ResourceAction(new Resource(dataSourceName, ResourceType.DATASOURCE), getAction(request));
final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
if (!authResult.isAllowed()) {
throw new ForbiddenException(authResult.toString());
}
return request;
}
Also used :
Task(org.apache.druid.indexing.common.task.Task)
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
WebApplicationException(javax.ws.rs.WebApplicationException)
Resource(org.apache.druid.server.security.Resource)
Access(org.apache.druid.server.security.Access)
ResourceAction(org.apache.druid.server.security.ResourceAction)
Example 20 with ForbiddenException
use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.
the class QueryResourceTest method testSecuredQuery.
@Test
public void testSecuredQuery() throws Exception {
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
EasyMock.expectLastCall().times(1);
testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
EasyMock.expectLastCall().times(1);
EasyMock.replay(testServletRequest);
AuthorizerMapper authMapper = new AuthorizerMapper(null) {
@Override
public Authorizer getAuthorizer(String name) {
return new Authorizer() {
@Override
public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
if (resource.getName().equals("allow")) {
return new Access(true);
} else {
return new Access(false);
}
}
};
}
};
queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
try {
queryResource.doPost(new ByteArrayInputStream(SIMPLE_TIMESERIES_QUERY.getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
testServletRequest);
Assert.fail("doPost did not throw ForbiddenException for an unauthorized query");
} catch (ForbiddenException e) {
}
Response response = queryResource.doPost(new ByteArrayInputStream("{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
testServletRequest);
final ByteArrayOutputStream baos = new ByteArrayOutputStream();
((StreamingOutput) response.getEntity()).write(baos);
final List<Result<TimeBoundaryResultValue>> responses = jsonMapper.readValue(baos.toByteArray(), new TypeReference<List<Result<TimeBoundaryResultValue>>>() {
});
Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
Assert.assertEquals(0, responses.size());
Assert.assertEquals(1, testRequestLogger.getNativeQuerylogs().size());
Assert.assertEquals(true, testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("success"));
Assert.assertEquals("druid", testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("identity"));
}
Also used :
Action(org.apache.druid.server.security.Action)
ForbiddenException(org.apache.druid.server.security.ForbiddenException)
Resource(org.apache.druid.server.security.Resource)
Access(org.apache.druid.server.security.Access)
NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter)
StreamingOutput(javax.ws.rs.core.StreamingOutput)
AuthConfig(org.apache.druid.server.security.AuthConfig)
ByteArrayOutputStream(java.io.ByteArrayOutputStream)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)
Result(org.apache.druid.query.Result)
Response(javax.ws.rs.core.Response)
ByteArrayInputStream(java.io.ByteArrayInputStream)
Authorizer(org.apache.druid.server.security.Authorizer)
TimeBoundaryResultValue(org.apache.druid.query.timeboundary.TimeBoundaryResultValue)
AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper)
List(java.util.List)
ImmutableList(com.google.common.collect.ImmutableList)
DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig)
DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory)
Test(org.junit.Test)
Aggregations
ForbiddenException (org.apache.druid.server.security.ForbiddenException)23
Access (org.apache.druid.server.security.Access)15
Resource (org.apache.druid.server.security.Resource)10
ResourceAction (org.apache.druid.server.security.ResourceAction)10
Produces (javax.ws.rs.Produces)6
Response (javax.ws.rs.core.Response)5
Test (org.junit.Test)5
IOException (java.io.IOException)4
Consumes (javax.ws.rs.Consumes)4
POST (javax.ws.rs.POST)4
AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)4
JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)3
Path (javax.ws.rs.Path)3
WebApplicationException (javax.ws.rs.WebApplicationException)3
StreamingOutput (javax.ws.rs.core.StreamingOutput)3
QueryInterruptedException (org.apache.druid.query.QueryInterruptedException)3
CountingOutputStream (com.google.common.io.CountingOutputStream)2
ByteArrayInputStream (java.io.ByteArrayInputStream)2
DELETE (javax.ws.rs.DELETE)2
PathSegment (javax.ws.rs.core.PathSegment)2
