Search in sources :

Example 1 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class BasicSecurityResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final ResourceAction resourceAction = new ResourceAction(new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(StringUtils.format("Access-Check-Result: %s", authResult.toString())).build());
    }
    return request;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 2 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternRightMask.

@Test
public void testAuthGroupMappingPatternRightMask() {
    // Admin
    BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    List<ResourceAction> adminPermissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
    // User
    BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    List<ResourceAction> userPermissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Example 3 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthMissingGroupMapping.

@Test
public void testAuthMissingGroupMapping() {
    BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    List<ResourceAction> permissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Example 4 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.

@Test
public void testAuthGroupMappingPatternLeftMask() {
    // Admin
    BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    List<ResourceAction> adminPermissions = Arrays.asList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions);
    // User
    BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    List<ResourceAction> userPermissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap);
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Example 5 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.

@Test
public void testAuthGroupMapping() {
    BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    List<ResourceAction> permissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions);
    Map<String, Object> contexMap = new HashMap<>();
    contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap);
    Access access = ldapAuthorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertTrue(access.isAllowed());
    access = ldapAuthorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(access.isAllowed());
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) HashMap(java.util.HashMap) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Test(org.junit.Test)

Aggregations

Resource (org.apache.druid.server.security.Resource)43 ResourceAction (org.apache.druid.server.security.ResourceAction)35 Test (org.junit.Test)26 Access (org.apache.druid.server.security.Access)23 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)12 ForbiddenException (org.apache.druid.server.security.ForbiddenException)12 Response (javax.ws.rs.core.Response)10 HashMap (java.util.HashMap)8 Action (org.apache.druid.server.security.Action)8 Authorizer (org.apache.druid.server.security.Authorizer)7 AuthorizerMapper (org.apache.druid.server.security.AuthorizerMapper)7 ImmutableList (com.google.common.collect.ImmutableList)4 ArrayList (java.util.ArrayList)4 List (java.util.List)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)4 Function (com.google.common.base.Function)3 Set (java.util.Set)3 WebApplicationException (javax.ws.rs.WebApplicationException)3 JacksonConfigManager (org.apache.druid.common.config.JacksonConfigManager)3