use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceTest method testConcurrentUpdate.
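/**
 * Verifies that concurrent role assignment and unassignment never report success (HTTP 200)
 * for an update that did not actually take effect.
 *
 * <p>A non-200 response is acceptable here: the API may give up after exhausting its retries
 * under contention. What must never happen is a 200 whose change is missing from the stored
 * user-to-role mapping, because callers would then believe a grant or a revocation happened
 * when it did not.
 */
@Test
public void testConcurrentUpdate() {
  final int testMultiple = 100;
  // Set up one user and 'testMultiple' roles that all carry the same permissions.
  Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
  Assert.assertEquals(200, response.getStatus());
  List<ResourceAction> perms = ImmutableList.of(
      new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ),
      new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE),
      new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE)
  );
  for (int i = 0; i < testMultiple; i++) {
    String roleName = "druidRole-" + i;
    response = resource.createRole(req, AUTHORIZER_NAME, roleName);
    Assert.assertEquals(200, response.getStatus());
    response = resource.setRolePermissions(req, AUTHORIZER_NAME, roleName, perms);
    Assert.assertEquals(200, response.getStatus());
  }

  ExecutorService exec = Execs.multiThreaded(testMultiple, "thread---");
  try {
    // Assign 'testMultiple' roles to the user concurrently, recording each status code.
    int[] responseCodesAssign = new int[testMultiple];
    List<Callable<Void>> addRoleCallables = new ArrayList<>();
    for (int i = 0; i < testMultiple; i++) {
      final int innerI = i;
      String roleName = "druidRole-" + i;
      addRoleCallables.add(() -> {
        Response response12 = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName);
        responseCodesAssign[innerI] = response12.getStatus();
        return null;
      });
    }
    try {
      // get() surfaces any exception thrown inside a callable instead of losing it.
      for (Future<Void> future : exec.invokeAll(addRoleCallables)) {
        future.get();
      }
    } catch (Exception e) {
      throw new RuntimeException(e);
    }

    // The API can return !200 if the update attempt fails by exhausting retries because of
    // too much contention from other conflicting requests. Make sure that no request reported
    // success without the role actually being assigned.
    Set<String> roleNames = getRoleNamesAssignedToUser("druid");
    for (int i = 0; i < testMultiple; i++) {
      String roleName = "druidRole-" + i;
      if (responseCodesAssign[i] == 200 && !roleNames.contains(roleName)) {
        Assert.fail(StringUtils.format("Got response status 200 for assigning role [%s] but user did not have role.", roleName));
      }
    }

    // Now unassign the roles concurrently.
    List<Callable<Void>> removeRoleCallables = new ArrayList<>();
    int[] responseCodesRemove = new int[testMultiple];
    for (int i = 0; i < testMultiple; i++) {
      final int innerI = i;
      String roleName = "druidRole-" + i;
      removeRoleCallables.add(() -> {
        Response response1 = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName);
        responseCodesRemove[innerI] = response1.getStatus();
        return null;
      });
    }
    try {
      for (Future<Void> future : exec.invokeAll(removeRoleCallables)) {
        future.get();
      }
    } catch (Exception e) {
      throw new RuntimeException(e);
    }

    // A reported-successful revocation that leaves the role in place would be a silent
    // privilege-retention bug, so check the stored state rather than trusting the status code.
    roleNames = getRoleNamesAssignedToUser("druid");
    for (int i = 0; i < testMultiple; i++) {
      String roleName = "druidRole-" + i;
      if (responseCodesRemove[i] == 200 && roleNames.contains(roleName)) {
        Assert.fail(StringUtils.format("Got response status 200 for removing role [%s] but user still has role.", roleName));
      }
    }
  } finally {
    // Release the worker threads even when an assertion fails, so they do not leak into
    // later tests in the same JVM.
    exec.shutdownNow();
  }
}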
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testSetRolePermissions.
// role and permission tests
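/**
 * Verifies that setting permissions on a role is reflected in the stored role map, that the
 * stored user map is left untouched, and that passing {@code null} replaces the role's
 * permissions with {@code null}.
 */
@Test
public void testSetRolePermissions() {
  updater.createUser(AUTHORIZER_NAME, "druid");
  updater.createRole(AUTHORIZER_NAME, "druidRole");
  updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
  List<ResourceAction> permsToAdd = ImmutableList.of(
      new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE)
  );
  updater.setPermissions(AUTHORIZER_NAME, "druidRole", permsToAdd);

  Map<String, BasicAuthorizerUser> expectedUserMap = new HashMap<>(BASE_USER_MAP);
  expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole")));
  Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
  expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(permsToAdd)));

  Map<String, BasicAuthorizerUser> actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
  Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
  Assert.assertEquals(expectedUserMap, actualUserMap);
  Assert.assertEquals(expectedRoleMap, actualRoleMap);

  // Clear the role's permissions and confirm that the stored role no longer carries them.
  updater.setPermissions(AUTHORIZER_NAME, "druidRole", null);
  expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", null));
  // Re-read both maps from storage. Comparing the user map read before this update would
  // only repeat the earlier assertion and could not detect a change to the stored users.
  actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
  actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
  Assert.assertEquals(expectedUserMap, actualUserMap);
  Assert.assertEquals(expectedRoleMap, actualRoleMap);
}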
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddBadPermission.
/**
 * Verifies that a permission whose resource name is not a compilable regular expression is
 * rejected when it is stored.
 *
 * <p>The expected error message shows that the resource name of a permission is treated as a
 * regex, so a malformed pattern has to fail at write time rather than surface later.
 */
@Test
public void testAddBadPermission() {
  // The expectations must be registered before the call that is supposed to throw.
  expectedException.expect(BasicSecurityDBResourceException.class);
  expectedException.expectMessage("Invalid permission, resource name regex[??????????] does not compile.");

  updater.createRole(AUTHORIZER_NAME, "druidRole");

  // A run of bare '?' quantifiers has nothing to quantify, so it cannot compile as a regex.
  final Resource malformedResource = new Resource("??????????", ResourceType.DATASOURCE);
  final List<ResourceAction> invalidPermissions = ImmutableList.of(new ResourceAction(malformedResource, Action.WRITE));
  updater.setPermissions(AUTHORIZER_NAME, "druidRole", invalidPermissions);
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizer method permissionCheck.
/**
 * Decides whether a single permission grants the requested action on the requested resource.
 *
 * <p>All three conditions must hold, and they are evaluated in this order with short-circuiting:
 * the action is the one the permission grants, the resource type equals the permission's
 * resource type, and the resource name matches the permission's compiled name pattern.
 * {@link java.util.regex.Matcher#matches()} requires the whole name to match the pattern, so a
 * pattern that only matches part of the name does not grant access.
 *
 * @param resource   the resource being accessed
 * @param action     the action being attempted
 * @param permission the permission to evaluate
 * @return {@code true} only if action, resource type and resource name all match
 */
private boolean permissionCheck(Resource resource, Action action, BasicAuthorizerPermission permission) {
  return action == permission.getResourceAction().getAction()
         && Objects.equals(permission.getResourceAction().getResource().getType(), resource.getType())
         && permission.getResourceNamePattern().matcher(resource.getName()).matches();
}
use of org.apache.druid.server.security.Resource in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuth.
/**
 * Verifies the basic allow/deny decision of the authorizer: a user whose role grants WRITE on
 * the datasource "testResource" is allowed that action, and is denied the same action on a
 * datasource with a different name.
 */
@Test
public void testAuth() {
  // Arrange: user "druid" holds role "druidRole", which grants WRITE on "testResource".
  updater.createUser(DB_AUTHORIZER_NAME, "druid");
  updater.createRole(DB_AUTHORIZER_NAME, "druidRole");
  updater.assignUserRole(DB_AUTHORIZER_NAME, "druid", "druidRole");
  final ResourceAction writeGrant = new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
  updater.setPermissions(DB_AUTHORIZER_NAME, "druidRole", Collections.singletonList(writeGrant));

  final AuthenticationResult identity = new AuthenticationResult("druid", "druid", null, null);

  // The granted resource and action must be allowed.
  final Access grantedAccess = authorizer.authorize(identity, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
  Assert.assertTrue(grantedAccess.isAllowed());

  // Same type and action but a different resource name must be denied.
  final Access otherAccess = authorizer.authorize(identity, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
  Assert.assertFalse(otherAccess.isAllowed());
}