
Example 26 with ResourceAction

Use of org.apache.druid.server.security.ResourceAction in project druid by druid-io, in the class BasicAuthUtilsTest, method testPermissionSerdeIsChillAboutUnknownEnumStuffs.

@Test
public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProcessingException {
    final String someRoleName = "some-role";
    final String otherRoleName = "other-role";
    final String thirdRoleName = "third-role";
    final ResourceAction fooRead = new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ);
    final ResourceAction barRead = new ResourceAction(new Resource("bar", ResourceType.DATASOURCE), Action.READ);
    final ResourceAction customRead = new ResourceAction(new Resource("bar", "CUSTOM"), Action.READ);
    final ObjectMapper mapper = TestHelper.makeJsonMapper();
    mapper.registerModules(new BasicSecurityDruidModule().getJacksonModules());
    Map<String, Object> rawMap = new HashMap<>();
    rawMap.put(someRoleName, new BasicAuthorizerRole(someRoleName, BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, barRead))));
    // custom ResourceType
    rawMap.put(
        otherRoleName,
        ImmutableMap.of(
            "name", otherRoleName,
            "permissions", ImmutableList.of(
                ImmutableMap.of("resourceAction", fooRead, "resourceNamePattern", "foo"),
                ImmutableMap.of("resourceAction", customRead, "resourceNamePattern", "bar")
            )
        )
    );
    // bad Action
    rawMap.put(
        thirdRoleName,
        ImmutableMap.of(
            "name", thirdRoleName,
            "permissions", ImmutableList.of(
                ImmutableMap.of(
                    "resourceAction", ImmutableMap.of(
                        "resource", ImmutableMap.of("name", "some-view", "type", "VIEW"),
                        "action", "READ"
                    ),
                    "resourceNamePattern", "some-view"
                ),
                ImmutableMap.of(
                    "resourceAction", ImmutableMap.of(
                        "resource", ImmutableMap.of("name", "foo", "type", "DATASOURCE"),
                        "action", "UNKNOWN"
                    ),
                    "resourceNamePattern", "some-view"
                )
            )
        )
    );
    byte[] mapBytes = mapper.writeValueAsBytes(rawMap);
    Map<String, BasicAuthorizerRole> roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap(mapper, mapBytes);
    Assert.assertNotNull(roleMap);
    Assert.assertEquals(3, roleMap.size());
    Assert.assertTrue(roleMap.containsKey(someRoleName));
    Assert.assertEquals(2, roleMap.get(someRoleName).getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, barRead)), roleMap.get(someRoleName).getPermissions());
    // this one has custom resource type... this test is somewhat pointless, it made more sense when type was an enum
    Assert.assertTrue(roleMap.containsKey(otherRoleName));
    Assert.assertEquals(2, roleMap.get(otherRoleName).getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, customRead)), roleMap.get(otherRoleName).getPermissions());
    // this one has an unknown Action, expect only 1 permission to deserialize correctly and failure ignored
    Assert.assertTrue(roleMap.containsKey(thirdRoleName));
    Assert.assertEquals(1, roleMap.get(thirdRoleName).getPermissions().size());
    Assert.assertEquals(BasicAuthorizerPermission.makePermissionList(ImmutableList.of(new ResourceAction(new Resource("some-view", ResourceType.VIEW), Action.READ))), roleMap.get(thirdRoleName).getPermissions());
}
Also used : HashMap(java.util.HashMap) BasicSecurityDruidModule(org.apache.druid.security.basic.BasicSecurityDruidModule) Resource(org.apache.druid.server.security.Resource) BasicAuthorizerRole(org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole) ObjectMapper(com.fasterxml.jackson.databind.ObjectMapper) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Example 27 with ResourceAction

Use of org.apache.druid.server.security.ResourceAction in project druid by druid-io, in the class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest, method testAddPermissionToNonExistentRole.

@Test
public void testAddPermissionToNonExistentRole() {
    expectedException.expect(BasicSecurityDBResourceException.class);
    expectedException.expectMessage("Role [druidRole] does not exist.");
    List<ResourceAction> permsToAdd = ImmutableList.of(new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE));
    updater.setPermissions(AUTHORIZER_NAME, "druidRole", permsToAdd);
}
Also used : Resource(org.apache.druid.server.security.Resource) ResourceAction(org.apache.druid.server.security.ResourceAction) Test(org.junit.Test)

Example 28 with ResourceAction

Use of org.apache.druid.server.security.ResourceAction in project druid by druid-io, in the class ConfigResourceFilter, method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final ResourceAction resourceAction = new ResourceAction(new Resource("CONFIG", ResourceType.CONFIG), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    return request;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 29 with ResourceAction

Use of org.apache.druid.server.security.ResourceAction in project druid by druid-io, in the class DatasourceResourceFilter, method filter.

@Override
public ContainerRequest filter(ContainerRequest request) {
    final ResourceAction resourceAction = new ResourceAction(new Resource(getRequestDatasourceName(request), ResourceType.DATASOURCE), getAction(request));
    final Access authResult = AuthorizationUtils.authorizeResourceAction(getReq(), resourceAction, getAuthorizerMapper());
    if (!authResult.isAllowed()) {
        throw new ForbiddenException(authResult.toString());
    }
    return request;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Example 30 with ResourceAction

Use of org.apache.druid.server.security.ResourceAction in project druid by druid-io, in the class ChatHandlers, method authorizationCheck.

/**
 * Check authorization for the given action and dataSource.
 *
 * @return authorization result
 */
public static Access authorizationCheck(HttpServletRequest req, Action action, String dataSource, AuthorizerMapper authorizerMapper) {
    ResourceAction resourceAction = new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), action);
    Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper);
    if (!access.isAllowed()) {
        throw new ForbiddenException(access.toString());
    }
    return access;
}
Also used : ForbiddenException(org.apache.druid.server.security.ForbiddenException) Resource(org.apache.druid.server.security.Resource) Access(org.apache.druid.server.security.Access) ResourceAction(org.apache.druid.server.security.ResourceAction)

Aggregations

ResourceAction (org.apache.druid.server.security.ResourceAction): 40
Resource (org.apache.druid.server.security.Resource): 35
Test (org.junit.Test): 22
Access (org.apache.druid.server.security.Access): 19
ForbiddenException (org.apache.druid.server.security.ForbiddenException): 13
HashMap (java.util.HashMap): 8
Response (javax.ws.rs.core.Response): 8
Path (javax.ws.rs.Path): 6
Produces (javax.ws.rs.Produces): 6
List (java.util.List): 5
POST (javax.ws.rs.POST): 5
WebApplicationException (javax.ws.rs.WebApplicationException): 5
BasicAuthorizerGroupMapping (org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping): 5
Inject (com.google.inject.Inject): 4
Set (java.util.Set): 4
Collectors (java.util.stream.Collectors): 4
Nullable (javax.annotation.Nullable): 4
HttpServletRequest (javax.servlet.http.HttpServletRequest): 4
Consumes (javax.ws.rs.Consumes): 4
DELETE (javax.ws.rs.DELETE): 4