Search in sources :

Example 16 with ForbiddenException

use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.

the class DatasourceResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final ResourceAction resourceAction = new ResourceAction(new Resource(getRequestDatasourceName(request), ResourceType.DATASOURCE), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    return request;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 17 with ForbiddenException

use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.

the class QueryResource method cancelQuery.

@DELETE
@Path("{id}")
@Produces(MediaType.APPLICATION_JSON)
public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) {
    if (log.isDebugEnabled()) {
        log.debug("Received cancel request for query [%s]", queryId);
    }
    Set<String> datasources = queryScheduler.getQueryDatasources(queryId);
    if (datasources == null) {
        log.warn("QueryId [%s] not registered with QueryScheduler, cannot cancel", queryId);
        datasources = new TreeSet<>();
    }
    Access authResult = AuthorizationUtils.authorizeAllResourceActions(req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper);
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    queryScheduler.cancelQuery(queryId);
    return Response.status(Response.Status.ACCEPTED).build();
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Access(org.apache.druid.server.security.Access) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Produces(javax.ws.rs.Produces)

Example 18 with ForbiddenException

use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.

the class ChatHandlers method authorizationCheck.

/**
 * Check authorization for the given action and dataSource.
 *
 * @return authorization result
 */
public static Access authorizationCheck(HttpServletRequest req, Action action, String dataSource, AuthorizerMapper authorizerMapper) {
    ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), action);
    Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
    if (!access.isAllowed()) {
        throw new ForbiddenException(access.toString());
    }
    return access;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 19 with ForbiddenException

use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.

the class TaskResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    String taskId = Preconditions.checkNotNull(request.getPathSegments().get(Iterables.indexOf(request.getPathSegments(), input -> "task".equals(input.getPath())) + 1).getPath());
    IdUtils.validateId("taskId", taskId);
    Optional<Task> taskOptional = taskStorageQueryAdapter.getTask(taskId);
    if (!taskOptional.isPresent()) {
        throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(StringUtils.format("Cannot find any task with id: [%s]", taskId)).build());
    }
    final String dataSourceName = Preconditions.checkNotNull(taskOptional.get().getDataSource());
    final ResourceAction resourceAction = new ResourceAction(new Resource(dataSourceName, ResourceType.DATASOURCE), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    return request;
}
Also used : Task(org.apache.druid.indexing.common.task.Task) ForbiddenException(org.apache.druid.server.security.ForbiddenException) WebApplicationException(javax.ws.rs.WebApplicationException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 20 with ForbiddenException

use of org.apache.druid.server.security.ForbiddenException in project druid by druid-io.

the class QueryResourceTest method testSecuredQuery.

@Test
public void testSecuredQuery() throws Exception {
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(AUTHENTICATION_RESULT).anyTimes();
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
    EasyMock.expectLastCall().times(1);
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
    EasyMock.expectLastCall().times(1);
    EasyMock.replay(testServletRequest);
    AuthorizerMapper authMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return new Authorizer() {

                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    if (resource.getName().equals("allow")) {
                        return new Access(true);
                    } else {
                        return new Access(false);
                    }
                }
            };
        }
    };
    queryResource = new QueryResource(new QueryLifecycleFactory(WAREHOUSE, TEST_SEGMENT_WALKER, new DefaultGenericQueryMetricsFactory(), new NoopServiceEmitter(), testRequestLogger, new AuthConfig(), authMapper, Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))), jsonMapper, smileMapper, queryScheduler, new AuthConfig(), authMapper, ResponseContextConfig.newConfig(true), DRUID_NODE);
    try {
        queryResource.doPost(new ByteArrayInputStream(SIMPLE_TIMESERIES_QUERY.getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
        testServletRequest);
        Assert.fail("doPost did not throw ForbiddenException for an unauthorized query");
    } catch (ForbiddenException e) {
    }
    Response response = queryResource.doPost(new ByteArrayInputStream("{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes(StandardCharsets.UTF_8)), null, /*pretty*/
    testServletRequest);
    final ByteArrayOutputStream baos = new ByteArrayOutputStream();
    ((StreamingOutput) response.getEntity()).write(baos);
    final List<Result<TimeBoundaryResultValue>> responses = jsonMapper.readValue(baos.toByteArray(), new TypeReference<List<Result<TimeBoundaryResultValue>>>() {
    });
    Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
    Assert.assertEquals(0, responses.size());
    Assert.assertEquals(1, testRequestLogger.getNativeQuerylogs().size());
    Assert.assertEquals(true, testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("success"));
    Assert.assertEquals("druid", testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("identity"));
}
Also used : Action(org.apache.druid.server.security.Action) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) StreamingOutput(javax.ws.rs.core.StreamingOutput) AuthConfig(org.apache.druid.server.security.AuthConfig) ByteArrayOutputStream(java.io.ByteArrayOutputStream) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Result(org.apache.druid.query.Result) Response(javax.ws.rs.core.Response) ByteArrayInputStream(java.io.ByteArrayInputStream) Authorizer(org.apache.druid.server.security.Authorizer) TimeBoundaryResultValue(org.apache.druid.query.timeboundary.TimeBoundaryResultValue) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) Test(org.junit.Test)

Aggregations

ForbiddenException (org.apache.druid.server.security.ForbiddenException)23 Access (org.apache.druid.server.security.Access)15 Resource (org.apache.druid.server.security.Resource)10 ResourceAction (org.apache.druid.server.security.ResourceAction)10 Produces (javax.ws.rs.Produces)6 Response (javax.ws.rs.core.Response)5 Test (org.junit.Test)5 IOException (java.io.IOException)4 Consumes (javax.ws.rs.Consumes)4 POST (javax.ws.rs.POST)4 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)4 JsonProcessingException (com.fasterxml.jackson.core.JsonProcessingException)3 Path (javax.ws.rs.Path)3 WebApplicationException (javax.ws.rs.WebApplicationException)3 StreamingOutput (javax.ws.rs.core.StreamingOutput)3 QueryInterruptedException (org.apache.druid.query.QueryInterruptedException)3 CountingOutputStream (com.google.common.io.CountingOutputStream)2 ByteArrayInputStream (java.io.ByteArrayInputStream)2 DELETE (javax.ws.rs.DELETE)2 PathSegment (javax.ws.rs.core.PathSegment)2