
Example 16 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternRightMask.

/**
 * Group mappings whose LDAP pattern ends in a wildcard ({@code CN=admin,*}, {@code CN=user,*})
 * must resolve to their roles, and each role must grant exactly its own permissions:
 * the admin role gets READ and WRITE on {@code testResource}, the user role gets READ only,
 * and neither gets anything on {@code wrongResource} (implicit deny).
 * {@code adminSearchResult} / {@code userSearchResult} are the LDAP search results the
 * enclosing test class prepares for the two principals (not visible here).
 */
@Test
public void testAuthGroupMappingPatternRightMask() {
    Resource testDatasource = new Resource("testResource", ResourceType.DATASOURCE);
    Resource otherDatasource = new Resource("wrongResource", ResourceType.DATASOURCE);

    // Admin group: mapping with a trailing wildcard, role holding write + read on the test datasource
    BasicAuthorizerGroupMapping adminMapping =
        new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    List<ResourceAction> adminGrants = Arrays.asList(
        new ResourceAction(testDatasource, Action.WRITE),
        new ResourceAction(testDatasource, Action.READ)
    );
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminGrants);

    // User group: same pattern shape, role holding read only
    BasicAuthorizerGroupMapping userMapping =
        new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    List<ResourceAction> userGrants =
        Collections.singletonList(new ResourceAction(testDatasource, Action.READ));
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userGrants);

    // Admin principal: both actions on the granted datasource allowed, nothing on another datasource
    Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult adminIdentity = new AuthenticationResult("druidadmin", "druid", null, adminContext);
    Access decision = ldapAuthorizer.authorize(adminIdentity, testDatasource, Action.READ);
    Assert.assertTrue(decision.isAllowed());
    decision = ldapAuthorizer.authorize(adminIdentity, testDatasource, Action.WRITE);
    Assert.assertTrue(decision.isAllowed());
    decision = ldapAuthorizer.authorize(adminIdentity, otherDatasource, Action.WRITE);
    Assert.assertFalse(decision.isAllowed());

    // User principal: write denied, read allowed, nothing on another datasource
    Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult userIdentity = new AuthenticationResult("druiduser", "druid", null, userContext);
    decision = ldapAuthorizer.authorize(userIdentity, testDatasource, Action.WRITE);
    Assert.assertFalse(decision.isAllowed());
    decision = ldapAuthorizer.authorize(userIdentity, testDatasource, Action.READ);
    Assert.assertTrue(decision.isAllowed());
    decision = ldapAuthorizer.authorize(userIdentity, otherDatasource, Action.READ);
    Assert.assertFalse(decision.isAllowed());
}

Example 17 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthMissingGroupMapping.

/**
 * A principal whose LDAP search result matches no configured group mapping must be denied
 * every action, even though a role with broad permissions exists: the only mapping here is
 * {@code CN=unknown,*}, which the user's search result is not expected to match, so none of
 * the READ/WRITE grants on {@code testResource} may apply and {@code wrongResource} stays
 * denied as well.
 */
@Test
public void testAuthMissingGroupMapping() {
    // A mapping nobody matches, wired to a role that would grant read + write if it applied.
    BasicAuthorizerGroupMapping unmatchedMapping =
        new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null);
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, unmatchedMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
    List<ResourceAction> grants = Arrays.asList(
        new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE),
        new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
    );
    updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", grants);

    Map<String, Object> authContext = new HashMap<>();
    authContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult identity = new AuthenticationResult("druiduser", "druid", null, authContext);

    // Every combination of resource and action is denied: no mapping, no role, no grant.
    Resource[] targets = {
        new Resource("testResource", ResourceType.DATASOURCE),
        new Resource("wrongResource", ResourceType.DATASOURCE)
    };
    for (Resource target : targets) {
        Access writeDecision = ldapAuthorizer.authorize(identity, target, Action.WRITE);
        Assert.assertFalse(writeDecision.isAllowed());
        Access readDecision = ldapAuthorizer.authorize(identity, target, Action.READ);
        Assert.assertFalse(readDecision.isAllowed());
    }
}

Example 18 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMappingPatternLeftMask.

/**
 * Mirror of the right-mask test with the wildcard at the front of the LDAP pattern
 * ({@code *,CN=admin,...} / {@code *,CN=user,...}). The admin role is expected to get READ and
 * WRITE on {@code testResource}, the user role READ only, and both to be denied on
 * {@code wrongResource}. The search results come from the enclosing test class.
 */
@Test
public void testAuthGroupMappingPatternLeftMask() {
    // Admin: leading-wildcard pattern on the admin group's DN, role with write + read.
    BasicAuthorizerGroupMapping adminMapping = new BasicAuthorizerGroupMapping(
        "adminGrroupMapping",
        "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole");
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        "adminDruidRole",
        Arrays.asList(
            new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE),
            new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
        )
    );

    // User: leading-wildcard pattern on the user group's DN, role with read only.
    BasicAuthorizerGroupMapping userMapping = new BasicAuthorizerGroupMapping(
        "userGrroupMapping",
        "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole");
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole");
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        "userDruidRole",
        Collections.singletonList(
            new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ)
        )
    );

    // Admin principal
    Map<String, Object> adminContext = new HashMap<>();
    adminContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult admin = new AuthenticationResult("druidadmin", "druid", null, adminContext);
    Assert.assertTrue(
        ldapAuthorizer.authorize(admin, new Resource("testResource", ResourceType.DATASOURCE), Action.READ).isAllowed()
    );
    Assert.assertTrue(
        ldapAuthorizer.authorize(admin, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE).isAllowed()
    );
    Assert.assertFalse(
        ldapAuthorizer.authorize(admin, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE).isAllowed()
    );

    // User principal
    Map<String, Object> userContext = new HashMap<>();
    userContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult);
    AuthenticationResult user = new AuthenticationResult("druiduser", "druid", null, userContext);
    Assert.assertFalse(
        ldapAuthorizer.authorize(user, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE).isAllowed()
    );
    Assert.assertTrue(
        ldapAuthorizer.authorize(user, new Resource("testResource", ResourceType.DATASOURCE), Action.READ).isAllowed()
    );
    Assert.assertFalse(
        ldapAuthorizer.authorize(user, new Resource("wrongResource", ResourceType.DATASOURCE), Action.READ).isAllowed()
    );
}

Example 19 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class BasicRoleBasedAuthorizerTest method testAuthGroupMapping.

/**
 * An exact-DN group mapping (no wildcard) resolves to its role: with a single WRITE grant on
 * {@code testResource}, the admin principal is allowed to WRITE that datasource and denied
 * WRITE on {@code wrongResource}. {@code adminSearchResult} is prepared by the enclosing class.
 */
@Test
public void testAuthGroupMapping() {
    final String mappingName = "druidGroupMapping";
    final String roleName = "druidRole";
    final Resource grantedDatasource = new Resource("testResource", ResourceType.DATASOURCE);

    BasicAuthorizerGroupMapping exactMapping = new BasicAuthorizerGroupMapping(
        mappingName,
        "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org",
        null
    );
    updater.createGroupMapping(LDAP_AUTHORIZER_NAME, exactMapping);
    updater.createRole(LDAP_AUTHORIZER_NAME, roleName);
    updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, mappingName, roleName);
    // Only WRITE is granted; the test does not exercise READ on this role.
    updater.setPermissions(
        LDAP_AUTHORIZER_NAME,
        roleName,
        Collections.singletonList(new ResourceAction(grantedDatasource, Action.WRITE))
    );

    Map<String, Object> authContext = new HashMap<>();
    authContext.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult);
    AuthenticationResult admin = new AuthenticationResult("druidadmin", "druid", null, authContext);

    Access onGranted = ldapAuthorizer.authorize(admin, grantedDatasource, Action.WRITE);
    Assert.assertTrue(onGranted.isAllowed());
    // A grant on one datasource must not spill over to another.
    Access onOther = ldapAuthorizer.authorize(admin, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
    Assert.assertFalse(onOther.isAllowed());
}

Example 20 with ResourceAction

use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.

the class CoordinatorBasicAuthorizerResourceTest method testConcurrentUpdate.

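/**
 * Races {@code testMultiple} role assignments (then unassignments) for one user against each other
 * and checks that the endpoint never reports success for an update that did not take effect.
 * The resource is allowed to answer with a non-200 status when it exhausts its retries under
 * contention; what it must never do is return 200 for a role that is afterwards missing (assign)
 * or still present (unassign). Non-200 answers are therefore not asserted on.
 */
@Test
public void testConcurrentUpdate() {
    final int testMultiple = 100;

    // setup a user and the roles
    Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
    Assert.assertEquals(200, response.getStatus());
    List<ResourceAction> perms = ImmutableList.of(
        new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ),
        new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE),
        new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE)
    );
    for (int i = 0; i < testMultiple; i++) {
        String roleName = "druidRole-" + i;
        response = resource.createRole(req, AUTHORIZER_NAME, roleName);
        Assert.assertEquals(200, response.getStatus());
        response = resource.setRolePermissions(req, AUTHORIZER_NAME, roleName, perms);
        Assert.assertEquals(200, response.getStatus());
    }

    // One thread per request so every update genuinely contends with all the others.
    ExecutorService exec = Execs.multiThreaded(testMultiple, "thread---");
    try {
        // assign 'testMultiple' roles to the user concurrently; each slot is written by exactly
        // one task and read only after its Future completed, so a plain array is safe here
        int[] responseCodesAssign = new int[testMultiple];
        List<Callable<Void>> addRoleCallables = new ArrayList<>(testMultiple);
        for (int i = 0; i < testMultiple; i++) {
            final int innerI = i;
            String roleName = "druidRole-" + i;
            addRoleCallables.add(() -> {
                Response assignResponse = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName);
                responseCodesAssign[innerI] = assignResponse.getStatus();
                return null;
            });
        }
        runAllAndWait(exec, addRoleCallables);

        // the API can return !200 if the update attempt fails by exhausting retries because of
        // too much contention from other conflicting requests, make sure that we don't get any successful requests
        // that didn't actually take effect
        Set<String> rolesAfterAssign = getRoleNamesAssignedToUser("druid");
        for (int i = 0; i < testMultiple; i++) {
            String roleName = "druidRole-" + i;
            if (responseCodesAssign[i] == 200 && !rolesAfterAssign.contains(roleName)) {
                Assert.fail(StringUtils.format("Got response status 200 for assigning role [%s] but user did not have role.", roleName));
            }
        }

        // Now unassign the roles concurrently
        int[] responseCodesRemove = new int[testMultiple];
        List<Callable<Void>> removeRoleCallables = new ArrayList<>(testMultiple);
        for (int i = 0; i < testMultiple; i++) {
            final int innerI = i;
            String roleName = "druidRole-" + i;
            removeRoleCallables.add(() -> {
                Response unassignResponse = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName);
                responseCodesRemove[innerI] = unassignResponse.getStatus();
                return null;
            });
        }
        runAllAndWait(exec, removeRoleCallables);

        Set<String> rolesAfterRemove = getRoleNamesAssignedToUser("druid");
        for (int i = 0; i < testMultiple; i++) {
            String roleName = "druidRole-" + i;
            if (responseCodesRemove[i] == 200 && rolesAfterRemove.contains(roleName)) {
                Assert.fail(StringUtils.format("Got response status 200 for removing role [%s] but user still has role.", roleName));
            }
        }
    } finally {
        // The original never shut the pool down, leaking testMultiple threads per run.
        exec.shutdownNow();
    }
}

/**
 * Submits every callable to {@code exec} and blocks until all of them have completed.
 *
 * @param exec      executor the callables run on
 * @param callables tasks to run; their return values are ignored
 * @throws RuntimeException wrapping the first task failure, or the interruption of this thread
 *                          (in which case the interrupt flag is restored before rethrowing)
 */
private static void runAllAndWait(ExecutorService exec, List<Callable<Void>> callables) {
    try {
        for (Future<Void> future : exec.invokeAll(callables)) {
            future.get();
        }
    } catch (InterruptedException e) {
        Thread.currentThread().interrupt();
        throw new RuntimeException(e);
    } catch (java.util.concurrent.ExecutionException e) {
        throw new RuntimeException(e);
    }
}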
