use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testSetRolePermissions.
// role and permission tests
@Test
public void testSetRolePermissions() {
updater.createUser(AUTHORIZER_NAME, "druid");
updater.createRole(AUTHORIZER_NAME, "druidRole");
updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole");
List<ResourceAction> permsToAdd = ImmutableList.of(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
updater.setPermissions(AUTHORIZER_NAME, "druidRole", permsToAdd);
Map<String, BasicAuthorizerUser> expectedUserMap = new HashMap<>(BASE_USER_MAP);
expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole")));
Map<String, BasicAuthorizerRole> expectedRoleMap = new HashMap<>(BASE_ROLE_MAP);
expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(permsToAdd)));
Map<String, BasicAuthorizerUser> actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, updater.getCurrentUserMapBytes(AUTHORIZER_NAME));
Map<String, BasicAuthorizerRole> actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
Assert.assertEquals(expectedUserMap, actualUserMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
updater.setPermissions(AUTHORIZER_NAME, "druidRole", null);
expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", null));
actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(objectMapper, updater.getCurrentRoleMapBytes(AUTHORIZER_NAME));
Assert.assertEquals(expectedUserMap, actualUserMap);
Assert.assertEquals(expectedRoleMap, actualRoleMap);
}
use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.
the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest method testAddBadPermission.
@Test
public void testAddBadPermission() {
expectedException.expect(BasicSecurityDBResourceException.class);
expectedException.expectMessage("Invalid permission, resource name regex[??????????] does not compile.");
updater.createRole(AUTHORIZER_NAME, "druidRole");
List<ResourceAction> permsToAdd = ImmutableList.of(new ResourceAction(new Resource("??????????", ResourceType.DATASOURCE), Action.WRITE));
updater.setPermissions(AUTHORIZER_NAME, "druidRole", permsToAdd);
}
use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.
the class BasicRoleBasedAuthorizerTest method testAuth.
@Test
public void testAuth() {
updater.createUser(DB_AUTHORIZER_NAME, "druid");
updater.createRole(DB_AUTHORIZER_NAME, "druidRole");
updater.assignUserRole(DB_AUTHORIZER_NAME, "druid", "druidRole");
List<ResourceAction> permissions = Collections.singletonList(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
updater.setPermissions(DB_AUTHORIZER_NAME, "druidRole", permissions);
AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null, null);
Access access = authorizer.authorize(authenticationResult, new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertTrue(access.isAllowed());
access = authorizer.authorize(authenticationResult, new Resource("wrongResource", ResourceType.DATASOURCE), Action.WRITE);
Assert.assertFalse(access.isAllowed());
}
use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceTest method testUsersGroupMappingsRolesAndPerms.
@Test
public void testUsersGroupMappingsRolesAndPerms() {
Response response = resource.createUser(req, AUTHORIZER_NAME, "druid");
Assert.assertEquals(200, response.getStatus());
response = resource.createUser(req, AUTHORIZER_NAME, "druid2");
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>()));
Assert.assertEquals(200, response.getStatus());
response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.createRole(req, AUTHORIZER_NAME, "druidRole2");
Assert.assertEquals(200, response.getStatus());
List<ResourceAction> perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
List<ResourceAction> perms2 = ImmutableList.of(new ResourceAction(new Resource("D", ResourceType.STATE), Action.READ), new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("F", ResourceType.CONFIG), Action.WRITE));
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
Assert.assertEquals(200, response.getStatus());
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
BasicAuthorizerRole expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
Set<BasicAuthorizerRole> expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
BasicAuthorizerUserFull expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull, response.getEntity());
BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
BasicAuthorizerUserFull expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull2, response.getEntity());
BasicAuthorizerUserFullSimplifiedPermissions expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
BasicAuthorizerGroupMappingFull expectedGroupMappingFull = new BasicAuthorizerGroupMappingFull("druidGroupMapping", "", expectedRoles);
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappingFull, response.getEntity());
BasicAuthorizerGroupMappingFull expectedGroupMappingFull2 = new BasicAuthorizerGroupMappingFull("druid2GroupMapping", "", expectedRoles);
response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedGroupMappingFull2, response.getEntity());
Set<String> expectedUserSet = Sets.newHashSet("druid", "druid2");
Set<String> expectedGroupMappingSet = Sets.newHashSet("druidGroupMapping", "druid2GroupMapping");
BasicAuthorizerRoleFull expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms));
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleFull, response.getEntity());
BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", expectedUserSet, perms);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions("druidRole", null, perms);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
BasicAuthorizerRoleFull expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", expectedUserSet, expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms2));
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleFull2, response.getEntity());
BasicAuthorizerRoleSimplifiedPermissions expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", expectedUserSet, perms2);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions("druidRole2", null, perms2);
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", null, "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
perms2 = ImmutableList.of(new ResourceAction(new Resource("E", ResourceType.DATASOURCE), Action.WRITE));
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
Assert.assertEquals(200, response.getStatus());
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole2", perms2);
Assert.assertEquals(200, response.getStatus());
expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2));
expectedRoles = Sets.newHashSet(expectedRole, expectedRole2);
expectedUserFull = new BasicAuthorizerUserFull("druid", expectedRoles);
expectedUserFull2 = new BasicAuthorizerUserFull("druid2", expectedRoles);
expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedRoles));
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull2, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid2", "druidRole2");
Assert.assertEquals(200, response.getStatus());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole");
Assert.assertEquals(200, response.getStatus());
response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2");
Assert.assertEquals(200, response.getStatus());
expectedUserFull = new BasicAuthorizerUserFull("druid", Sets.newHashSet(expectedRole2));
expectedUserFull2 = new BasicAuthorizerUserFull("druid2", Sets.newHashSet(expectedRole));
expectedRoleFull = new BasicAuthorizerRoleFull("druidRole", Sets.newHashSet("druid2"), Sets.newHashSet("druid2GroupMapping"), BasicAuthorizerPermission.makePermissionList(perms));
expectedRoleFull2 = new BasicAuthorizerRoleFull("druidRole2", Sets.newHashSet("druid"), Sets.newHashSet("druidGroupMapping"), BasicAuthorizerPermission.makePermissionList(perms2));
expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions("druid", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull.getRoles()));
expectedUserFullSimplifiedPermissions2 = new BasicAuthorizerUserFullSimplifiedPermissions("druid2", BasicAuthorizerRoleSimplifiedPermissions.convertRoles(expectedUserFull2.getRoles()));
expectedRoleSimplifiedPerms = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull);
expectedRoleSimplifiedPerms2 = new BasicAuthorizerRoleSimplifiedPermissions(expectedRoleFull2);
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFull2, response.getEntity());
response = resource.getUser(req, AUTHORIZER_NAME, "druid2", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleFull, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null);
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleFull2, response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", "");
Assert.assertEquals(200, response.getStatus());
Assert.assertEquals(expectedRoleSimplifiedPerms2, response.getEntity());
}
use of org.apache.druid.server.security.ResourceAction in project druid by druid-io.
the class CoordinatorBasicAuthorizerResourceTest method testRolesAndPerms.
@Test
public void testRolesAndPerms() {
Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole");
Assert.assertEquals(200, response.getStatus());
List<ResourceAction> perms = ImmutableList.of(new ResourceAction(new Resource("A", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("C", ResourceType.CONFIG), Action.WRITE));
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", perms);
Assert.assertEquals(200, response.getStatus());
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "wrongRole", perms);
Assert.assertEquals(400, response.getStatus());
Assert.assertEquals(errorMapWithMsg("Role [wrongRole] does not exist."), response.getEntity());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms));
Assert.assertEquals(expectedRole, response.getEntity());
List<ResourceAction> newPerms = ImmutableList.of(new ResourceAction(new Resource("D", ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource("B", ResourceType.DATASOURCE), Action.WRITE), new ResourceAction(new Resource("F", ResourceType.CONFIG), Action.WRITE));
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", newPerms);
Assert.assertEquals(200, response.getStatus());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(newPerms));
Assert.assertEquals(expectedRole, response.getEntity());
response = resource.setRolePermissions(req, AUTHORIZER_NAME, "druidRole", null);
Assert.assertEquals(200, response.getStatus());
response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null);
Assert.assertEquals(200, response.getStatus());
expectedRole = new BasicAuthorizerRole("druidRole", null);
Assert.assertEquals(expectedRole, response.getEntity());
}
Aggregations