use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class DruidPlanner method validate.
/**
* Validates a SQL query and populates {@link PlannerContext#getResourceActions()}.
*
* @return set of {@link Resource} corresponding to any Druid datasources or views which are taking part in the query.
*/
public ValidationResult validate() throws SqlParseException, ValidationException {
resetPlanner();
final ParsedNodes parsed = ParsedNodes.create(planner.parse(plannerContext.getSql()));
final SqlValidator validator = getValidator();
final SqlNode validatedQueryNode;
try {
validatedQueryNode = validator.validate(rewriteDynamicParameters(parsed.getQueryNode()));
} catch (RuntimeException e) {
throw new ValidationException(e);
}
SqlResourceCollectorShuttle resourceCollectorShuttle = new SqlResourceCollectorShuttle(validator, plannerContext);
validatedQueryNode.accept(resourceCollectorShuttle);
final Set<ResourceAction> resourceActions = new HashSet<>(resourceCollectorShuttle.getResourceActions());
if (parsed.getInsertNode() != null) {
final String targetDataSource = validateAndGetDataSourceForInsert(parsed.getInsertNode());
resourceActions.add(new ResourceAction(new Resource(targetDataSource, ResourceType.DATASOURCE), Action.WRITE));
}
plannerContext.setResourceActions(resourceActions);
return new ValidationResult(resourceActions);
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class IndexTaskUtils method datasourceAuthorizationCheck.
/**
* Authorizes action to be performed on a task's datasource
*
* @return authorization result
*/
public static Access datasourceAuthorizationCheck(final HttpServletRequest req, Action action, String datasource, AuthorizerMapper authorizerMapper) {
ResourceAction resourceAction = new ResourceAction(new Resource(datasource, ResourceType.DATASOURCE), action);
Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
if (!access.isAllowed()) {
throw new ForbiddenException(access.toString());
}
return access;
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class OverlordResource method taskPost.
/**
* Warning, magic: {@link org.apache.druid.client.indexing.HttpIndexingServiceClient#runTask} may call this method
* remotely with {@link ClientTaskQuery} objects, but we deserialize {@link Task} objects. See the comment for {@link
* ClientTaskQuery} for details.
*/
@POST
@Path("/task")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response taskPost(final Task task, @Context final HttpServletRequest req) {
final String dataSource = task.getDataSource();
final ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE);
Access authResult = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
if (!authResult.isAllowed()) {
throw new ForbiddenException(authResult.getMessage());
}
return asLeaderWith(taskMaster.getTaskQueue(), new Function<TaskQueue, Response>() {
@Override
public Response apply(TaskQueue taskQueue) {
try {
taskQueue.add(task);
return Response.ok(ImmutableMap.of("task", task.getId())).build();
} catch (EntryExistsException e) {
return Response.status(Response.Status.BAD_REQUEST).entity(ImmutableMap.of("error", StringUtils.format("Task[%s] already exists!", task.getId()))).build();
}
}
});
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class OverlordResource method killPendingSegments.
@DELETE
@Path("/pendingSegments/{dataSource}")
@Produces(MediaType.APPLICATION_JSON)
public Response killPendingSegments(@PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request) {
final Interval deleteInterval = Intervals.of(deleteIntervalString);
// check auth for dataSource
final Access authResult = AuthorizationUtils.authorizeAllResourceActions(request, ImmutableList.of(new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE)), authorizerMapper);
if (!authResult.isAllowed()) {
throw new ForbiddenException(authResult.getMessage());
}
if (taskMaster.isLeader()) {
final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval);
return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build();
} else {
return Response.status(Status.SERVICE_UNAVAILABLE).build();
}
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class SupervisorResourceFilterTest method setExpectations.
private void setExpectations(String path, String requestMethod, String datasource, Action expectedAction, boolean userHasAccess) {
expect(containerRequest.getPathSegments()).andReturn(getPathSegments(path)).anyTimes();
expect(containerRequest.getMethod()).andReturn(requestMethod).anyTimes();
SupervisorSpec supervisorSpec = EasyMock.createMock(SupervisorSpec.class);
expect(supervisorSpec.getDataSources()).andReturn(Collections.singletonList(datasource)).anyTimes();
expect(supervisorManager.getSupervisorSpec(datasource)).andReturn(Optional.of(supervisorSpec)).atLeastOnce();
HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
expect(servletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
servletRequest.setAttribute(isA(String.class), anyObject());
final String authorizerName = "authorizer";
AuthenticationResult authResult = EasyMock.createMock(AuthenticationResult.class);
expect(authResult.getAuthorizerName()).andReturn(authorizerName).anyTimes();
Authorizer authorizer = EasyMock.createMock(Authorizer.class);
expect(authorizer.authorize(authResult, new Resource(datasource, ResourceType.DATASOURCE), expectedAction)).andReturn(new Access(userHasAccess)).anyTimes();
expect(authorizerMapper.getAuthorizer(authorizerName)).andReturn(authorizer).atLeastOnce();
expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authResult).atLeastOnce();
resourceFilter.setReq(servletRequest);
mocksToVerify = Arrays.asList(authorizerMapper, supervisorSpec, supervisorManager, servletRequest, authorizer, authResult, containerRequest);
replayMocks();
}
Aggregations