use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicSecurityResourceFilter method filter.
/**
 * Authorizes the current request against the security configuration resource before letting it through.
 *
 * <p>The check targets a {@code ResourceType.CONFIG} resource named {@code SECURITY_RESOURCE_NAME}, with the
 * action that {@code getAction(request)} derives from the request. A denied check aborts the request with
 * 403 Forbidden instead of returning.
 *
 * @param request the incoming request
 * @return the same {@code request} instance, unchanged, when access is allowed
 * @throws WebApplicationException carrying a 403 response when the authorizer denies the action
 */
@Override
public ContainerRequest filter(ContainerRequest request) {
    final Resource securityConfig = new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG);
    final ResourceAction requested = new ResourceAction(securityConfig, getAction(request));
    final Access decision = AuthorizationUtils.authorizeResourceAction(getReq(), requested, getAuthorizerMapper());

    if (decision.isAllowed()) {
        return request;
    }

    // NOTE(review): the 403 body returns the Access object's string form to the caller; confirm that
    // toString() reveals nothing an unauthorized client should not learn about the authorization setup.
    final String denialBody = StringUtils.format("Access-Check-Result: %s", decision.toString());
    throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(denialBody).build());
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternRightMask.
/**
 * Exercises group-mapping patterns whose wildcard sits on the right ({@code "CN=admin,*"} and
 * {@code "CN=user,*"}).
 *
 * <p>The admin role is granted READ and WRITE on {@code testResource}; the user role is granted READ only.
 * The assertions cover both the grants and the denials: an identity must not receive an action its role
 * lacks, and neither identity may touch a resource that no role names.
 *
 * <p>{@code adminSearchResult} and {@code userSearchResult} are fixtures defined outside this method;
 * presumably they carry the group DNs the patterns are matched against (confirm against the fixture setup).
 */
@Test
public void testAuthGroupMappingPatternRightMask() {
    final Resource granted = new Resource("testResource", ResourceType.DATASOURCE);
    final Resource ungranted = new Resource("wrongResource", ResourceType.DATASOURCE);

    // Admin role: WRITE and READ on testResource.
    final BasicAuthorizerGroupMapping adminMapping =
        new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    final List<ResourceAction> adminGrants = Arrays.asList(
        new ResourceAction(granted, Action.WRITE),
        new ResourceAction(granted, Action.READ)
    );
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminGrants);

    // User role: READ on testResource only.
    final BasicAuthorizerGroupMapping userMapping =
        new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    final List<ResourceAction> userGrants =
        Collections.singletonList(new ResourceAction(granted, Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userGrants);

    // Admin identity: both granted actions pass, a resource with no grant is refused.
    final Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    final AuthenticationResult admin = new AuthenticationResult("druidadmin", "druid", null, adminContext);
    Assert.assertTrue(ldapAuthorizer.authorize(admin, granted, Action.READ).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(admin, granted, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(admin, ungranted, Action.WRITE).isAllowed());

    // User identity: READ passes, WRITE is refused, and the ungranted resource is refused.
    final Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    final AuthenticationResult user = new AuthenticationResult("druiduser", "druid", null, userContext);
    Assert.assertFalse(ldapAuthorizer.authorize(user, granted, Action.WRITE).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(user, granted, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(user, ungranted, Action.READ).isAllowed());
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthMissingGroupMapping.
/**
 * Verifies the deny-by-default path: the only group mapping uses the pattern {@code "CN=unknown,*"}, and the
 * identity built from {@code userSearchResult} is refused every action checked here.
 *
 * <p>The role itself holds READ and WRITE on {@code testResource}, so the denials show that the role was
 * never attached to this identity, not that the role lacks permissions. {@code userSearchResult} is a
 * fixture defined outside this method; presumably none of its group DNs match the pattern (confirm against
 * the fixture setup).
 */
@Test
public void testAuthMissingGroupMapping() {
    final Resource granted = new Resource("testResource", ResourceType.DATASOURCE);
    final Resource ungranted = new Resource("wrongResource", ResourceType.DATASOURCE);

    final BasicAuthorizerGroupMapping unmatchedMapping =
        new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, unmatchedMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    final List<ResourceAction> roleGrants = Arrays.asList(
        new ResourceAction(granted, Action.WRITE),
        new ResourceAction(granted, Action.READ)
    );
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", roleGrants);

    final Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    final AuthenticationResult user = new AuthenticationResult("druiduser", "druid", null, userContext);

    // Every combination must be refused, including the ones the role would allow.
    Assert.assertFalse(ldapAuthorizer.authorize(user, granted, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(user, granted, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(user, ungranted, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(user, ungranted, Action.READ).isAllowed());
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.
/**
 * Exercises group-mapping patterns whose wildcard sits on the left, in front of a fixed DN suffix.
 *
 * <p>The admin role is granted READ and WRITE on {@code testResource}; the user role is granted READ only.
 * As well as the grants, the assertions pin the denials: the user identity is refused WRITE, and both
 * identities are refused a resource that no role names.
 *
 * <p>{@code adminSearchResult} and {@code userSearchResult} are fixtures defined outside this method;
 * presumably they carry the group DNs the patterns are matched against (confirm against the fixture setup).
 */
@Test
public void testAuthGroupMappingPatternLeftMask() {
    final Resource granted = new Resource("testResource", ResourceType.DATASOURCE);
    final Resource ungranted = new Resource("wrongResource", ResourceType.DATASOURCE);

    // Admin role: WRITE and READ on testResource.
    final BasicAuthorizerGroupMapping adminMapping = new BasicAuthorizerGroupMapping(
        "adminGrroupMapping",
        "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    final List<ResourceAction> adminGrants = Arrays.asList(
        new ResourceAction(granted, Action.WRITE),
        new ResourceAction(granted, Action.READ)
    );
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminGrants);

    // User role: READ on testResource only.
    final BasicAuthorizerGroupMapping userMapping = new BasicAuthorizerGroupMapping(
        "userGrroupMapping",
        "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    final List<ResourceAction> userGrants =
        Collections.singletonList(new ResourceAction(granted, Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userGrants);

    // Admin identity: both granted actions pass, a resource with no grant is refused.
    final Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    final AuthenticationResult admin = new AuthenticationResult("druidadmin", "druid", null, adminContext);
    Assert.assertTrue(ldapAuthorizer.authorize(admin, granted, Action.READ).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(admin, granted, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(admin, ungranted, Action.WRITE).isAllowed());

    // User identity: READ passes, WRITE is refused, and the ungranted resource is refused.
    final Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    final AuthenticationResult user = new AuthenticationResult("druiduser", "druid", null, userContext);
    Assert.assertFalse(ldapAuthorizer.authorize(user, granted, Action.WRITE).isAllowed());
    Assert.assertTrue(ldapAuthorizer.authorize(user, granted, Action.READ).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(user, ungranted, Action.READ).isAllowed());
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.
/**
 * Exercises a group mapping given as a full DN with no wildcard.
 *
 * <p>The mapped role holds WRITE on {@code testResource} only. The admin identity is allowed that action
 * and refused WRITE on a resource the role does not name.
 *
 * <p>{@code adminSearchResult} is a fixture defined outside this method; presumably it carries the group DN
 * the mapping is matched against (confirm against the fixture setup).
 */
@Test
public void testAuthGroupMapping() {
    final Resource granted = new Resource("testResource", ResourceType.DATASOURCE);
    final Resource ungranted = new Resource("wrongResource", ResourceType.DATASOURCE);

    final BasicAuthorizerGroupMapping exactMapping = new BasicAuthorizerGroupMapping(
        "druidGroupMapping",
        "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, exactMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    final List<ResourceAction> roleGrants =
        Collections.singletonList(new ResourceAction(granted, Action.WRITE));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", roleGrants);

    final Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    final AuthenticationResult admin = new AuthenticationResult("druidadmin", "druid", null, adminContext);

    // The grant is honoured for the named resource and does not extend to any other.
    Assert.assertTrue(ldapAuthorizer.authorize(admin, granted, Action.WRITE).isAllowed());
    Assert.assertFalse(ldapAuthorizer.authorize(admin, ungranted, Action.WRITE).isAllowed());
}
Aggregations