Single auth check for authorized resource filtering

indexing-service/src/main/java/io/druid/indexing/overlord/http/OverlordResource.java

@@ -365,24 +365,22 @@ public Collection<? extends TaskRunnerWorkItem> apply(TaskRunner taskRunner)
             // A bit roundabout, but works as a way of figuring out what tasks haven't been handed
             // off to the runner yet:
             final List<Task> allActiveTasks = taskStorageQueryAdapter.getActiveTasks();
-            final List<Task> activeTasks;
-            Function<Task, ResourceAction> raGenerator = new Function<Task, ResourceAction>()
-            {
-              @Override
-              public ResourceAction apply(Task input)
-              {
-                return new ResourceAction(
-                    new Resource(input.getDataSource(), ResourceType.DATASOURCE),
-                    Action.READ
-                );
-              }
+            Function<Task, Iterable<ResourceAction>> raGenerator = task -> {
+              return Lists.newArrayList(
+                  new ResourceAction(
+                      new Resource(task.getDataSource(), ResourceType.DATASOURCE),
+                      Action.READ
+                  )
+              );
             };
 
-            activeTasks = AuthorizationUtils.filterAuthorizedResources(
-                req,
-                allActiveTasks,
-                raGenerator,
-                authorizerMapper
+            final List<Task> activeTasks = Lists.newArrayList(
+                AuthorizationUtils.filterAuthorizedResources(
+                    req,
+                    allActiveTasks,
+                    raGenerator,
+                    authorizerMapper
+                )
             );
 
             final Set<String> runnersKnownTasks = Sets.newHashSet(
@@ -464,34 +462,32 @@ public Collection<? extends TaskRunnerWorkItem> apply(TaskRunner taskRunner)
   @Produces(MediaType.APPLICATION_JSON)
   public Response getCompleteTasks(@Context final HttpServletRequest req)
   {
-    final List<TaskStatus> recentlyFinishedTasks;
-    Function<TaskStatus, ResourceAction> raGenerator = new Function<TaskStatus, ResourceAction>()
-    {
-      @Override
-      public ResourceAction apply(TaskStatus input)
-      {
-        final String taskId = input.getId();
-        final Optional<Task> optionalTask = taskStorageQueryAdapter.getTask(taskId);
-        if (!optionalTask.isPresent()) {
-          throw new WebApplicationException(
-              Response.serverError().entity(
-                  StringUtils.format("No task information found for task with id: [%s]", taskId)
-              ).build()
-          );
-        }
-
-        return new ResourceAction(
-            new Resource(optionalTask.get().getDataSource(), ResourceType.DATASOURCE),
-            Action.READ
+    Function<TaskStatus, Iterable<ResourceAction>> raGenerator = taskStatus -> {
+      final String taskId = taskStatus.getId();
+      final Optional<Task> optionalTask = taskStorageQueryAdapter.getTask(taskId);
+      if (!optionalTask.isPresent()) {
+        throw new WebApplicationException(
+            Response.serverError().entity(
+                StringUtils.format("No task information found for task with id: [%s]", taskId)
+            ).build()
         );
       }
+
+      return Lists.newArrayList(
+          new ResourceAction(
+              new Resource(optionalTask.get().getDataSource(), ResourceType.DATASOURCE),
+              Action.READ
+          )
+      );
     };
 
-    recentlyFinishedTasks = AuthorizationUtils.filterAuthorizedResources(
-        req,
-        taskStorageQueryAdapter.getRecentlyFinishedTaskStatuses(),
-        raGenerator,
-        authorizerMapper
+    final List<TaskStatus> recentlyFinishedTasks = Lists.newArrayList(
+        AuthorizationUtils.filterAuthorizedResources(
+            req,
+            taskStorageQueryAdapter.getRecentlyFinishedTaskStatuses(),
+            raGenerator,
+            authorizerMapper
+        )
     );
 
     final List<TaskResponseObject> completeTasks = Lists.transform(
@@ -648,33 +644,32 @@ private Collection<? extends TaskRunnerWorkItem> securedTaskRunnerWorkItem(
       HttpServletRequest req
   )
   {
-    Function<TaskRunnerWorkItem, ResourceAction> raGenerator = new Function<TaskRunnerWorkItem, ResourceAction>()
-    {
-      @Override
-      public ResourceAction apply(TaskRunnerWorkItem input)
-      {
-        final String taskId = input.getTaskId();
-        final Optional<Task> optionalTask = taskStorageQueryAdapter.getTask(taskId);
-        if (!optionalTask.isPresent()) {
-          throw new WebApplicationException(
-              Response.serverError().entity(
-                  StringUtils.format("No task information found for task with id: [%s]", taskId)
-              ).build()
-          );
-        }
-
-        return new ResourceAction(
-            new Resource(optionalTask.get().getDataSource(), ResourceType.DATASOURCE),
-            Action.READ
+    Function<TaskRunnerWorkItem, Iterable<ResourceAction>> raGenerator = taskRunnerWorkItem -> {
+      final String taskId = taskRunnerWorkItem.getTaskId();
+      final Optional<Task> optionalTask = taskStorageQueryAdapter.getTask(taskId);
+      if (!optionalTask.isPresent()) {
+        throw new WebApplicationException(
+            Response.serverError().entity(
+                StringUtils.format("No task information found for task with id: [%s]", taskId)
+            ).build()
         );
       }
+
+      return Lists.newArrayList(
+          new ResourceAction(
+              new Resource(optionalTask.get().getDataSource(), ResourceType.DATASOURCE),
+              Action.READ
+          )
+      );
     };
 
-    return AuthorizationUtils.filterAuthorizedResources(
-        req,
-        collectionToFilter,
-        raGenerator,
-        authorizerMapper
+    return Lists.newArrayList(
+        AuthorizationUtils.filterAuthorizedResources(
+            req,
+            collectionToFilter,
+            raGenerator,
+            authorizerMapper
+        )
     );
   }
 

indexing-service/src/main/java/io/druid/indexing/overlord/supervisor/SupervisorResource.java

@@ -25,7 +25,6 @@
 import com.google.common.base.Predicate;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Iterables;
-import com.google.common.collect.Lists;
 import com.google.common.collect.Maps;
 import com.google.common.collect.Sets;
 import com.google.inject.Inject;
@@ -38,6 +37,7 @@
 import io.druid.server.security.AuthorizerMapper;
 import io.druid.server.security.AuthorizationUtils;
 import io.druid.server.security.ForbiddenException;
+import io.druid.server.security.ResourceAction;
 
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
@@ -49,6 +49,7 @@
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import java.util.Collection;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
@@ -119,36 +120,12 @@ public Response specGetAll(@Context final HttpServletRequest req)
           @Override
           public Response apply(final SupervisorManager manager)
           {
-            final Set<String> supervisorIds;
-            supervisorIds = Sets.newHashSet();
-            for (String supervisorId : manager.getSupervisorIds()) {
-              Optional<SupervisorSpec> supervisorSpecOptional = manager.getSupervisorSpec(supervisorId);
-              if (supervisorSpecOptional.isPresent()) {
-                Access accessResult = AuthorizationUtils.authorizeAllResourceActions(
-                    req,
-                    Iterables.transform(
-                        supervisorSpecOptional.get().getDataSources(),
-                        AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
-                    ),
-                    authorizerMapper
-                );
-
-                if (accessResult.isAllowed()) {
-                  supervisorIds.add(supervisorId);
-                }
-              }
-            }
-
-            // If there were no supervisorIds, go ahead and authorize the request.
-            if (manager.getSupervisorIds().size() == 0) {
-              AuthorizationUtils.authorizeAllResourceActions(
-                  req,
-                  Lists.newArrayList(),
-                  authorizerMapper
-              );
-            }
-
-            return Response.ok(supervisorIds).build();
+            Set<String> authorizedSupervisorIds = filterAuthorizedSupervisorIds(
+                req,
+                manager,
+                manager.getSupervisorIds()
+            );
+            return Response.ok(authorizedSupervisorIds).build();
           }
         }
     );
@@ -239,27 +216,22 @@ public Response specGetAllHistory(@Context final HttpServletRequest req)
           @Override
           public Response apply(final SupervisorManager manager)
           {
-            final Map<String, List<VersionedSupervisorSpec>> supervisorHistory;
-            supervisorHistory = Maps.filterKeys(
-                manager.getSupervisorHistory(),
+            final Map<String, List<VersionedSupervisorSpec>> supervisorHistory = manager.getSupervisorHistory();
+
+            final Set<String> authorizedSupervisorIds = filterAuthorizedSupervisorIds(
+                req,
+                manager,
+                supervisorHistory.keySet()
+            );
+
+            final Map<String, List<VersionedSupervisorSpec>> authorizedSupervisorHistory = Maps.filterKeys(
+                supervisorHistory,
                 new Predicate<String>()
                 {
                   @Override
                   public boolean apply(String id)
                   {
-                    Optional<SupervisorSpec> supervisorSpecOptional = manager.getSupervisorSpec(id);
-                    if (!supervisorSpecOptional.isPresent()) {
-                      return false;
-                    }
-                    Access accessResult = AuthorizationUtils.authorizeAllResourceActions(
-                        req,
-                        Iterables.transform(
-                            supervisorSpecOptional.get().getDataSources(),
-                            AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
-                        ),
-                        authorizerMapper
-                    );
-                    return accessResult.isAllowed();
+                    return authorizedSupervisorIds.contains(id);
                   }
                 }
             );
@@ -337,4 +309,32 @@ private Response asLeaderWithSupervisorManager(Function<SupervisorManager, Respo
       return Response.status(Response.Status.SERVICE_UNAVAILABLE).build();
     }
   }
+
+  private Set<String> filterAuthorizedSupervisorIds(
+      final HttpServletRequest req,
+      SupervisorManager manager,
+      Collection<String> supervisorIds
+  )
+  {
+    Function<String, Iterable<ResourceAction>> raGenerator = supervisorId -> {
+      Optional<SupervisorSpec> supervisorSpecOptional = manager.getSupervisorSpec(supervisorId);
+      if (supervisorSpecOptional.isPresent()) {
+        return Iterables.transform(
+            supervisorSpecOptional.get().getDataSources(),
+            AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR
+        );
+      } else {
+        return null;
+      }
+    };
+
+    return Sets.newHashSet(
+        AuthorizationUtils.filterAuthorizedResources(
+            req,
+            supervisorIds,
+            raGenerator,
+            authorizerMapper
+        )
+    );
+  }
 }

server/src/main/java/io/druid/server/ClientInfoResource.java

@@ -19,6 +19,7 @@
 
 package io.druid.server;
 
+import com.google.common.base.Function;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.Iterables;
 import com.google.common.collect.Lists;
@@ -43,6 +44,7 @@
 import io.druid.server.security.AuthConfig;
 import io.druid.server.security.AuthorizerMapper;
 import io.druid.server.security.AuthorizationUtils;
+import io.druid.server.security.ResourceAction;
 import io.druid.timeline.DataSegment;
 import io.druid.timeline.TimelineLookup;
 import io.druid.timeline.TimelineObjectHolder;
@@ -119,10 +121,14 @@ private Map<String, List<DataSegment>> getSegmentsForDatasources()
   @Produces(MediaType.APPLICATION_JSON)
   public Iterable<String> getDataSources(@Context final HttpServletRequest request)
   {
+    Function<String, Iterable<ResourceAction>> raGenerator = datasourceName -> {
+      return Lists.newArrayList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(datasourceName));
+    };
+
     return AuthorizationUtils.filterAuthorizedResources(
         request,
         getSegmentsForDatasources().keySet(),
-        AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR,
+        raGenerator,
         authorizerMapper
     );
   }

server/src/main/java/io/druid/server/http/MetadataResource.java

@@ -23,6 +23,7 @@
 import com.google.common.base.Predicate;
 import com.google.common.collect.Collections2;
 import com.google.common.collect.Iterables;
+import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import com.google.inject.Inject;
 import com.sun.jersey.spi.container.ResourceFilters;
@@ -33,6 +34,7 @@
 import io.druid.server.security.AuthConfig;
 import io.druid.server.security.AuthorizerMapper;
 import io.druid.server.security.AuthorizationUtils;
+import io.druid.server.security.ResourceAction;
 import io.druid.timeline.DataSegment;
 import org.joda.time.Interval;
 
@@ -102,15 +104,21 @@ public String apply(DruidDataSource input)
       );
     }
 
-    List<String> datasourceNamesList = AuthorizationUtils.filterAuthorizedResources(
-        req,
-        dataSourceNamesPreAuth,
-        AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR,
-        authorizerMapper
+    final Set<String> dataSourceNamesPostAuth = Sets.newTreeSet();
+    Function<String, Iterable<ResourceAction>> raGenerator = datasourceName -> {
+      return Lists.newArrayList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(datasourceName));
+    };
+
+    Iterables.addAll(
+        dataSourceNamesPostAuth,
+        AuthorizationUtils.filterAuthorizedResources(
+            req,
+            dataSourceNamesPreAuth,
+            raGenerator,
+            authorizerMapper
+        )
     );
 
-    final Set<String> dataSourceNamesPostAuth = Sets.newTreeSet(datasourceNamesList);
-
     // Cannot do both includeDisabled and full, let includeDisabled take priority
     // Always use dataSourceNamesPostAuth to determine the set of returned dataSources
     if (full != null && includeDisabled == null) {