Search in sources :

Example 11 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class DruidPlanner method validate.

/**
 * Validates a SQL query and populates {@link PlannerContext#getResourceActions()}.
 *
 * @return set of {@link Resource} corresponding to any Druid datasources or views which are taking part in the query.
 */
public ValidationResult validate() throws SqlParseException, ValidationException {
    resetPlanner();
    final ParsedNodes parsed = ParsedNodes.create(planner.parse(plannerContext.getSql()));
    final SqlValidator validator = getValidator();
    final SqlNode validatedQueryNode;
    try {
        validatedQueryNode = validator.validate(rewriteDynamicParameters(parsed.getQueryNode()));
    } catch (RuntimeException e) {
        throw new ValidationException(e);
    }
    SqlResourceCollectorShuttle resourceCollectorShuttle = new SqlResourceCollectorShuttle(validator, plannerContext);
    validatedQueryNode.accept(resourceCollectorShuttle);
    final Set<ResourceAction> resourceActions = new HashSet<>(resourceCollectorShuttle.getResourceActions());
    if (parsed.getInsertNode() != null) {
        final String targetDataSource = validateAndGetDataSourceForInsert(parsed.getInsertNode());
        resourceActions.add(new ResourceAction(new Resource(targetDataSource, ResourceType.DATASOURCE), Action.WRITE));
    }
    plannerContext.setResourceActions(resourceActions);
    return new ValidationResult(resourceActions);
}
Also used : ValidationException(org.apache.calcite.tools.ValidationException) SqlValidator(org.apache.calcite.sql.validate.SqlValidator) Resource(org.apache.druid.server.security.Resource) SqlNode(org.apache.calcite.sql.SqlNode) ResourceAction(org.apache.druid.server.security.ResourceAction) HashSet(java.util.HashSet)

Example 12 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class IndexTaskUtils method datasourceAuthorizationCheck.

/**
 * Authorizes action to be performed on a task's datasource
 *
 * @return authorization result
 */
public static Access datasourceAuthorizationCheck(final HttpServletRequest req, Action action, String datasource, AuthorizerMapper authorizerMapper) {
    ResourceAction resourceAction = new ResourceAction(new Resource(datasource, ResourceType.DATASOURCE), action);
    Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
    if (!access.isAllowed()) {
        throw new ForbiddenException(access.toString());
    }
    return access;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 13 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class OverlordResource method taskPost.

/**
 * Warning, magic: {@link org.apache.druid.client.indexing.HttpIndexingServiceClient#runTask} may call this method
 * remotely with {@link ClientTaskQuery} objects, but we deserialize {@link Task} objects. See the comment for {@link
 * ClientTaskQuery} for details.
 */
@POST
@Path("/task")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response taskPost(final Task task, @Context final HttpServletRequest req) {
    final String dataSource = task.getDataSource();
    final ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE);
    Access authResult = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.getMessage());
    }
    return asLeaderWith(taskMaster.getTaskQueue(), new Function<TaskQueue, Response>() {

        @Override
        public Response apply(TaskQueue taskQueue) {
            try {
                taskQueue.add(task);
                return Response.ok(ImmutableMap.of("task", task.getId())).build();
            } catch (EntryExistsException e) {
                return Response.status(Response.Status.BAD_REQUEST).entity(ImmutableMap.of("error", StringUtils.format("Task[%s] already exists!", task.getId()))).build();
            }
        }
    });
}
Also used : Response(javax.ws.rs.core.Response) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) TaskQueue(org.apache.druid.indexing.overlord.TaskQueue) EntryExistsException(org.apache.druid.metadata.EntryExistsException) ResourceAction(org.apache.druid.server.security.ResourceAction) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 14 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class OverlordResource method killPendingSegments.

@DELETE
@Path("/pendingSegments/{dataSource}")
@Produces(MediaType.APPLICATION_JSON)
public Response killPendingSegments(@PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request) {
    final Interval deleteInterval = Intervals.of(deleteIntervalString);
    // check auth for dataSource
    final Access authResult = AuthorizationUtils.authorizeAllResourceActions(request, ImmutableList.of(new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE)), authorizerMapper);
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.getMessage());
    }
    if (taskMaster.isLeader()) {
        final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval);
        return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build();
    } else {
        return Response.status(Status.SERVICE_UNAVAILABLE).build();
    }
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Access(org.apache.druid.server.security.Access) Resource(org.apache.druid.server.security.Resource) Interval(org.joda.time.Interval) ResourceAction(org.apache.druid.server.security.ResourceAction) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Produces(javax.ws.rs.Produces)

Example 15 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class SupervisorResourceFilterTest method setExpectations.

private void setExpectations(String path, String requestMethod, String datasource, Action expectedAction, boolean userHasAccess) {
    expect(containerRequest.getPathSegments()).andReturn(getPathSegments(path)).anyTimes();
    expect(containerRequest.getMethod()).andReturn(requestMethod).anyTimes();
    SupervisorSpec supervisorSpec = EasyMock.createMock(SupervisorSpec.class);
    expect(supervisorSpec.getDataSources()).andReturn(Collections.singletonList(datasource)).anyTimes();
    expect(supervisorManager.getSupervisorSpec(datasource)).andReturn(Optional.of(supervisorSpec)).atLeastOnce();
    HttpServletRequest servletRequest = EasyMock.createMock(HttpServletRequest.class);
    expect(servletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();
    servletRequest.setAttribute(isA(String.class), anyObject());
    final String authorizerName = "authorizer";
    AuthenticationResult authResult = EasyMock.createMock(AuthenticationResult.class);
    expect(authResult.getAuthorizerName()).andReturn(authorizerName).anyTimes();
    Authorizer authorizer = EasyMock.createMock(Authorizer.class);
    expect(authorizer.authorize(authResult, new Resource(datasource, ResourceType.DATASOURCE), expectedAction)).andReturn(new Access(userHasAccess)).anyTimes();
    expect(authorizerMapper.getAuthorizer(authorizerName)).andReturn(authorizer).atLeastOnce();
    expect(servletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT)).andReturn(authResult).atLeastOnce();
    resourceFilter.setReq(servletRequest);
    mocksToVerify = Arrays.asList(authorizerMapper, supervisorSpec, supervisorManager, servletRequest, authorizer, authResult, containerRequest);
    replayMocks();
}
Also used : HttpServletRequest(javax.servlet.http.HttpServletRequest) Authorizer(org.apache.druid.server.security.Authorizer) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) SupervisorSpec(org.apache.druid.indexing.overlord.supervisor.SupervisorSpec) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)

Aggregations

Resource (org.apache.druid.server.security.Resource)43 ResourceAction (org.apache.druid.server.security.ResourceAction)35 Test (org.junit.Test)26 Access (org.apache.druid.server.security.Access)23 AuthenticationResult (org.apache.druid.server.security.AuthenticationResult)12 ForbiddenException (org.apache.druid.server.security.ForbiddenException)12 Response (javax.ws.rs.core.Response)10 HashMap (java.util.HashMap)8 Action (org.apache.druid.server.security.Action)8 Authorizer (org.apache.druid.server.security.Authorizer)7 AuthorizerMapper (org.apache.druid.server.security.AuthorizerMapper)7 ImmutableList (com.google.common.collect.ImmutableList)4 ArrayList (java.util.ArrayList)4 List (java.util.List)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)4 Function (com.google.common.base.Function)3 Set (java.util.Set)3 WebApplicationException (javax.ws.rs.WebApplicationException)3 JacksonConfigManager (org.apache.druid.common.config.JacksonConfigManager)3