Search in sources :

Example 11 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class OverlordResource method taskPost.

/**
 * Warning, magic: {@link org.apache.druid.client.indexing.HttpIndexingServiceClient#runTask} may call this method
 * remotely with {@link ClientTaskQuery} objects, but we deserialize {@link Task} objects. See the comment for {@link
 * ClientTaskQuery} for details.
 */
@POST
@Path("/task")
@Consumes(MediaType.APPLICATION_JSON)
@Produces(MediaType.APPLICATION_JSON)
public Response taskPost(final Task task, @Context final HttpServletRequest req) {
    final String dataSource = task.getDataSource();
    final ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE);
    Access authResult = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.getMessage());
    }
    return asLeaderWith(taskMaster.getTaskQueue(), new Function<TaskQueue, Response>() {

        @Override
        public Response apply(TaskQueue taskQueue) {
            try {
                taskQueue.add(task);
                return Response.ok(ImmutableMap.of("task", task.getId())).build();
            } catch (EntryExistsException e) {
                return Response.status(Response.Status.BAD_REQUEST).entity(ImmutableMap.of("error", StringUtils.format("Task[%s] already exists!", task.getId()))).build();
            }
        }
    });
}
Also used : Response(javax.ws.rs.core.Response) ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) TaskQueue(org.apache.druid.indexing.overlord.TaskQueue) EntryExistsException(org.apache.druid.metadata.EntryExistsException) ResourceAction(org.apache.druid.server.security.ResourceAction) Path(javax.ws.rs.Path) POST(javax.ws.rs.POST) Consumes(javax.ws.rs.Consumes) Produces(javax.ws.rs.Produces)

Example 12 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class OverlordResource method killPendingSegments.

@DELETE
@Path("/pendingSegments/{dataSource}")
@Produces(MediaType.APPLICATION_JSON)
public Response killPendingSegments(@PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request) {
    final Interval deleteInterval = Intervals.of(deleteIntervalString);
    // check auth for dataSource
    final Access authResult = AuthorizationUtils.authorizeAllResourceActions(request, ImmutableList.of(new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE)), authorizerMapper);
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.getMessage());
    }
    if (taskMaster.isLeader()) {
        final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval);
        return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build();
    } else {
        return Response.status(Status.SERVICE_UNAVAILABLE).build();
    }
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Access(org.apache.druid.server.security.Access) Resource(org.apache.druid.server.security.Resource) Interval(org.joda.time.Interval) ResourceAction(org.apache.druid.server.security.ResourceAction) Path(javax.ws.rs.Path) DELETE(javax.ws.rs.DELETE) Produces(javax.ws.rs.Produces)

Example 13 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class SupervisorResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final String supervisorId = Preconditions.checkNotNull(request.getPathSegments().get(Iterables.indexOf(request.getPathSegments(), new Predicate<PathSegment>() {

        @Override
        public boolean apply(PathSegment input) {
            return "supervisor".equals(input.getPath());
        }
    }) + 1).getPath());
    Optional<SupervisorSpec> supervisorSpecOptional = supervisorManager.getSupervisorSpec(supervisorId);
    if (!supervisorSpecOptional.isPresent()) {
        throw new WebApplicationException(Response.status(Response.Status.NOT_FOUND).entity(StringUtils.format("Cannot find any supervisor with id: [%s]", supervisorId)).build());
    }
    final SupervisorSpec spec = supervisorSpecOptional.get();
    Preconditions.checkArgument(spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks");
    Function<String, ResourceAction> resourceActionFunction = getAction(request) == Action.READ ? AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR : AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR;
    Access authResult = AuthorizationUtils.authorizeAllResourceActions(getReq(), Iterables.transform(spec.getDataSources(), resourceActionFunction), getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    return request;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) WebApplicationException(javax.ws.rs.WebApplicationException) Access(org.apache.druid.server.security.Access) PathSegment(javax.ws.rs.core.PathSegment) SupervisorSpec(org.apache.druid.indexing.overlord.supervisor.SupervisorSpec) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 14 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class ITBasicAuthLdapConfigurationTest method createRoleWithPermissionsAndGroupMapping.

private void createRoleWithPermissionsAndGroupMapping(String group, Map<String, List<ResourceAction>> roleTopermissions) throws Exception {
    roleTopermissions.keySet().forEach(role -> HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s", config.getCoordinatorUrl(), role), null));
    for (Map.Entry<String, List<ResourceAction>> entry : roleTopermissions.entrySet()) {
        String role = entry.getKey();
        List<ResourceAction> permissions = entry.getValue();
        byte[] permissionsBytes = jsonMapper.writeValueAsBytes(permissions);
        HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/roles/%s/permissions", config.getCoordinatorUrl(), role), permissionsBytes);
    }
    String groupMappingName = StringUtils.format("%sMapping", group);
    BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping(groupMappingName, StringUtils.format("cn=%s,ou=Groups,dc=example,dc=org", group), roleTopermissions.keySet());
    byte[] groupMappingBytes = jsonMapper.writeValueAsBytes(groupMapping);
    HttpUtil.makeRequest(adminClient, HttpMethod.POST, StringUtils.format("%s/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/%s", config.getCoordinatorUrl(), groupMappingName), groupMappingBytes);
}
Also used : BasicAuthorizerGroupMapping(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping) List(java.util.List) ImmutableMap(com.google.common.collect.ImmutableMap) Map(java.util.Map) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 15 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class BasicSecurityResourceFilter method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final ResourceAction resourceAction = new ResourceAction(new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new WebApplicationException(Response.status(Response.Status.FORBIDDEN).entity(StringUtils.format("Access-Check-Result: %s", authResult.toString())).build());
    }
    return request;
}
Also used : WebApplicationException(javax.ws.rs.WebApplicationException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Aggregations

ResourceAction (org.apache.druid.server.security.ResourceAction)40 Resource (org.apache.druid.server.security.Resource)35 Test (org.junit.Test)22 Access (org.apache.druid.server.security.Access)19 ForbiddenException (org.apache.druid.server.security.ForbiddenException)13 HashMap (java.util.HashMap)8 Response (javax.ws.rs.core.Response)8 Path (javax.ws.rs.Path)6 Produces (javax.ws.rs.Produces)6 List (java.util.List)5 POST (javax.ws.rs.POST)5 WebApplicationException (javax.ws.rs.WebApplicationException)5 BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping)5 Inject (com.google.inject.Inject)4 Set (java.util.Set)4 Collectors (java.util.stream.Collectors)4 Nullable (javax.annotation.Nullable)4 HttpServletRequest (javax.servlet.http.HttpServletRequest)4 Consumes (javax.ws.rs.Consumes)4 DELETE (javax.ws.rs.DELETE)4