
Example 36 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class OverlordResourceTest method setUp.

/**
 * Creates the mocks and the {@link OverlordResource} under test, and wires in a stub
 * {@link AuthorizerMapper} so the tests can exercise both permitted and denied requests.
 *
 * <p>The stub authorizer ignores the authorizer name and decides from the resource name,
 * the action and the caller identity only:
 * <ul>
 *   <li>{@code "allow"}: always permitted, for any action and identity;</li>
 *   <li>{@code Datasources.WIKIPEDIA}: READ only, and only for {@code Users.WIKI_READER};</li>
 *   <li>{@code Datasources.BUZZFEED}: READ only, and only for {@code Users.BUZZ_READER};</li>
 *   <li>anything else: denied.</li>
 * </ul>
 */
@Before
public void setUp() {
    // Plain mocks: call order is not verified.
    taskRunner = EasyMock.createMock(TaskRunner.class);
    configManager = EasyMock.createMock(JacksonConfigManager.class);
    provisioningStrategy = EasyMock.createMock(ProvisioningStrategy.class);

    // Strict mocks: EasyMock also verifies the order of the recorded calls.
    taskMaster = EasyMock.createStrictMock(TaskMaster.class);
    taskStorageQueryAdapter = EasyMock.createStrictMock(TaskStorageQueryAdapter.class);
    indexerMetadataStorageAdapter = EasyMock.createStrictMock(IndexerMetadataStorageAdapter.class);
    req = EasyMock.createStrictMock(HttpServletRequest.class);
    workerTaskRunnerQueryAdapter = EasyMock.createStrictMock(WorkerTaskRunnerQueryAdapter.class);

    EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();

    final AuthorizerMapper stubAuthorizerMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            // Every authorizer name resolves to the same policy.
            return new Authorizer() {

                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    final String caller = authenticationResult.getIdentity();
                    final boolean permitted;
                    switch (resource.getName()) {
                        case "allow":
                            permitted = true;
                            break;
                        case Datasources.WIKIPEDIA:
                            // Only "Wiki Reader" can read "wikipedia"; any other action or identity is denied.
                            permitted = action == Action.READ && Users.WIKI_READER.equals(caller);
                            break;
                        case Datasources.BUZZFEED:
                            // Only "Buzz Reader" can read "buzzfeed"; any other action or identity is denied.
                            permitted = action == Action.READ && Users.BUZZ_READER.equals(caller);
                            break;
                        default:
                            // Fail closed: a resource the policy does not know is never accessible.
                            permitted = false;
                            break;
                    }
                    return new Access(permitted);
                }
            };
        }
    };

    overlordResource = new OverlordResource(
        taskMaster,
        taskStorageQueryAdapter,
        indexerMetadataStorageAdapter,
        null,
        configManager,
        null,
        stubAuthorizerMapper,
        workerTaskRunnerQueryAdapter,
        provisioningStrategy
    );
}
Also used : IndexerMetadataStorageAdapter(org.apache.druid.indexing.overlord.IndexerMetadataStorageAdapter) Action(org.apache.druid.server.security.Action) JacksonConfigManager(org.apache.druid.common.config.JacksonConfigManager) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) TaskStorageQueryAdapter(org.apache.druid.indexing.overlord.TaskStorageQueryAdapter) TaskRunner(org.apache.druid.indexing.overlord.TaskRunner) WorkerTaskRunner(org.apache.druid.indexing.overlord.WorkerTaskRunner) ProvisioningStrategy(org.apache.druid.indexing.overlord.autoscaling.ProvisioningStrategy) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) HttpServletRequest(javax.servlet.http.HttpServletRequest) Authorizer(org.apache.druid.server.security.Authorizer) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) TaskMaster(org.apache.druid.indexing.overlord.TaskMaster) WorkerTaskRunnerQueryAdapter(org.apache.druid.indexing.overlord.WorkerTaskRunnerQueryAdapter) Before(org.junit.Before)

Example 37 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class QueryResourceTest method testSecuredQuery.

/**
 * Verifies that {@link QueryResource#doPost} enforces the authorizer's decision.
 *
 * <p>The stub authorizer permits only the resource named {@code "allow"}. The test first posts
 * {@code SIMPLE_TIMESERIES_QUERY} and requires a {@link ForbiddenException} (presumably that
 * query targets a datasource other than "allow"; confirm against the constant), then posts a
 * timeBoundary query on "allow" and requires a 200 response, an empty result list and exactly
 * one successful request-log entry carrying the identity "druid".
 *
 * <p>The servlet-request mock also expects {@code DRUID_AUTHORIZATION_CHECKED} to be set once to
 * {@code false} and once to {@code true}.
 */
@Test
public void testSecuredQuery() throws Exception {
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED))
            .andReturn(null)
            .anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH))
            .andReturn(null)
            .anyTimes();
    EasyMock.expect(testServletRequest.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
            .andReturn(AUTHENTICATION_RESULT)
            .anyTimes();

    // One recording per expected outcome of the authorization check.
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, false);
    EasyMock.expectLastCall().times(1);
    testServletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
    EasyMock.expectLastCall().times(1);
    EasyMock.replay(testServletRequest);

    final AuthorizerMapper authMapper = new AuthorizerMapper(null) {

        @Override
        public Authorizer getAuthorizer(String name) {
            return new Authorizer() {

                @Override
                public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) {
                    // Allow-list of exactly one resource name; identity and action are not consulted.
                    return new Access(resource.getName().equals("allow"));
                }
            };
        }
    };

    final QueryLifecycleFactory lifecycleFactory = new QueryLifecycleFactory(
        WAREHOUSE,
        TEST_SEGMENT_WALKER,
        new DefaultGenericQueryMetricsFactory(),
        new NoopServiceEmitter(),
        testRequestLogger,
        new AuthConfig(),
        authMapper,
        Suppliers.ofInstance(new DefaultQueryConfig(ImmutableMap.of()))
    );
    queryResource = new QueryResource(
        lifecycleFactory,
        jsonMapper,
        smileMapper,
        queryScheduler,
        new AuthConfig(),
        authMapper,
        ResponseContextConfig.newConfig(true),
        DRUID_NODE
    );

    // Denied case: the call must throw before any response is produced.
    try {
        queryResource.doPost(
            new ByteArrayInputStream(SIMPLE_TIMESERIES_QUERY.getBytes(StandardCharsets.UTF_8)),
            null /*pretty*/,
            testServletRequest
        );
        Assert.fail("doPost did not throw ForbiddenException for an unauthorized query");
    } catch (ForbiddenException expected) {
        // Expected: the query is rejected by the stub authorizer.
    }

    // Permitted case: the datasource name matches the single allowed resource.
    final Response response = queryResource.doPost(
        new ByteArrayInputStream(
            "{\"queryType\":\"timeBoundary\", \"dataSource\":\"allow\"}".getBytes(StandardCharsets.UTF_8)
        ),
        null /*pretty*/,
        testServletRequest
    );

    final ByteArrayOutputStream responseBytes = new ByteArrayOutputStream();
    ((StreamingOutput) response.getEntity()).write(responseBytes);
    final List<Result<TimeBoundaryResultValue>> results = jsonMapper.readValue(
        responseBytes.toByteArray(),
        new TypeReference<List<Result<TimeBoundaryResultValue>>>() {
        }
    );

    Assert.assertEquals(Response.Status.OK.getStatusCode(), response.getStatus());
    Assert.assertEquals(0, results.size());

    // Exactly one native query log entry is expected after both posts.
    Assert.assertEquals(1, testRequestLogger.getNativeQuerylogs().size());
    Assert.assertEquals(
        true,
        testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("success")
    );
    Assert.assertEquals(
        "druid",
        testRequestLogger.getNativeQuerylogs().get(0).getQueryStats().getStats().get("identity")
    );
}
Also used : Action(org.apache.druid.server.security.Action) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) NoopServiceEmitter(org.apache.druid.server.metrics.NoopServiceEmitter) StreamingOutput(javax.ws.rs.core.StreamingOutput) AuthConfig(org.apache.druid.server.security.AuthConfig) ByteArrayOutputStream(java.io.ByteArrayOutputStream) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult) Result(org.apache.druid.query.Result) Response(javax.ws.rs.core.Response) ByteArrayInputStream(java.io.ByteArrayInputStream) Authorizer(org.apache.druid.server.security.Authorizer) TimeBoundaryResultValue(org.apache.druid.query.timeboundary.TimeBoundaryResultValue) AuthorizerMapper(org.apache.druid.server.security.AuthorizerMapper) List(java.util.List) ImmutableList(com.google.common.collect.ImmutableList) DefaultQueryConfig(org.apache.druid.query.DefaultQueryConfig) DefaultGenericQueryMetricsFactory(org.apache.druid.query.DefaultGenericQueryMetricsFactory) Test(org.junit.Test)

Example 38 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class ResourceFilterTestHelper method setUpMockExpectations.

/**
 * Records the mock expectations shared by the resource-filter tests.
 *
 * <p>The stub authorizer returned for every authorizer name ignores the identity, the resource
 * and the action: its decision is always {@code authCheckResult}. A test using this helper
 * therefore exercises how the filter reacts to an allow or deny outcome, not any real policy.
 *
 * @param requestPath     path reported by the mocked request; it is also split on "/" to build
 *                        the path segments
 * @param authCheckResult decision the stub authorizer returns, and the value expected to be
 *                        stored under {@code AuthConfig.DRUID_AUTHORIZATION_CHECKED}
 * @param requestMethod   HTTP method reported by the mocked request
 */
public void setUpMockExpectations(String requestPath, boolean authCheckResult, String requestMethod) {
    EasyMock.expect(request.getPath()).andReturn(requestPath).anyTimes();

    // Wrap each "/"-separated piece of the path in a minimal PathSegment.
    final Function<String, PathSegment> toSegment = new Function<String, PathSegment>() {

        @Override
        public PathSegment apply(final String segmentText) {
            return new PathSegment() {

                @Override
                public String getPath() {
                    return segmentText;
                }

                @Override
                public MultivaluedMap<String, String> getMatrixParameters() {
                    // Matrix parameters are not modelled by this stub.
                    return null;
                }
            };
        }
    };
    final ImmutableList<PathSegment> pathSegments =
        ImmutableList.copyOf(Iterables.transform(Arrays.asList(requestPath.split("/")), toSegment));
    EasyMock.expect(request.getPathSegments()).andReturn(pathSegments).anyTimes();

    EasyMock.expect(request.getMethod()).andReturn(requestMethod).anyTimes();

    // Neither the "unsecured path" nor the "authorization checked" attribute is set beforehand.
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH)).andReturn(null).anyTimes();
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED)).andReturn(null).anyTimes();

    // The authentication result must be read at least once.
    final AuthenticationResult druidIdentity = new AuthenticationResult("druid", "druid", null, null);
    EasyMock.expect(req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT))
            .andReturn(druidIdentity)
            .atLeastOnce();

    req.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, authCheckResult);
    EasyMock.expectLastCall().anyTimes();

    final Authorizer fixedDecisionAuthorizer = new Authorizer() {

        @Override
        public Access authorize(AuthenticationResult caller, Resource resource, Action action) {
            return new Access(authCheckResult);
        }
    };
    // An authorizer must be looked up at least once.
    EasyMock.expect(authorizerMapper.getAuthorizer(EasyMock.anyString()))
            .andReturn(fixedDecisionAuthorizer)
            .atLeastOnce();
}
Also used : Function(com.google.common.base.Function) Action(org.apache.druid.server.security.Action) Authorizer(org.apache.druid.server.security.Authorizer) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) PathSegment(javax.ws.rs.core.PathSegment) AuthenticationResult(org.apache.druid.server.security.AuthenticationResult)

Example 39 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class DruidPlannerResourceAnalyzeTest method testSubquery.

/**
 * Checks that resource analysis reports every datasource the statement reads, including one
 * that appears only inside a nested {@code IN (...)} subquery.
 *
 * <p>Here {@code druid.numfoo} is referenced only in the inner subquery, yet it must be part of
 * the required READ set along with {@code druid.foo}.
 */
@Test
public void testSubquery() {
    final String sql = "SELECT COUNT(*)\n"
        + "FROM (\n"
        + "  SELECT DISTINCT dim2\n"
        + "  FROM druid.foo\n"
        + "  WHERE SUBSTRING(dim2, 1, 1) IN (\n"
        + "    SELECT SUBSTRING(dim1, 1, 1) FROM druid.numfoo WHERE dim1 IS NOT NULL\n"
        + "  )\n"
        + ")";

    final Set<ResourceAction> actual =
        analyzeResources(PLANNER_CONFIG_DEFAULT, sql, CalciteTests.REGULAR_USER_AUTH_RESULT);

    // Both the outer and the nested datasource need READ access.
    final Set<ResourceAction> expected = ImmutableSet.of(
        new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ),
        new ResourceAction(new Resource("numfoo", ResourceType.DATASOURCE), Action.READ)
    );
    Assert.assertEquals(expected, actual);
}
Also used : Resource(org.apache.druid.server.security.Resource) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Example 40 with Resource

use of org.apache.druid.server.security.Resource in project druid by druid-io.

the class DruidPlannerResourceAnalyzeTest method testSubqueryView.

/**
 * Checks that a view referenced only inside a nested subquery is reported as a required
 * resource of type {@code ResourceType.VIEW}.
 *
 * <p>The expected set holds READ on the datasource {@code foo} and READ on the view
 * {@code cview}, and nothing else.
 */
@Test
public void testSubqueryView() {
    final String sql = "SELECT COUNT(*)\n"
        + "FROM (\n"
        + "  SELECT DISTINCT dim2\n"
        + "  FROM druid.foo\n"
        + "  WHERE SUBSTRING(dim2, 1, 1) IN (\n"
        + "    SELECT SUBSTRING(dim1, 1, 1) FROM view.cview WHERE dim2 IS NOT NULL\n"
        + "  )\n"
        + ")";

    final Set<ResourceAction> actual =
        analyzeResources(PLANNER_CONFIG_DEFAULT, sql, CalciteTests.REGULAR_USER_AUTH_RESULT);

    // The view is listed under its own name and type.
    final Set<ResourceAction> expected = ImmutableSet.of(
        new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ),
        new ResourceAction(new Resource("cview", ResourceType.VIEW), Action.READ)
    );
    Assert.assertEquals(expected, actual);
}
Also used : Resource(org.apache.druid.server.security.Resource) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)
