apache · jon-wei · Feb 5, 2018 · Feb 2, 2018
diff --git a/...sic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java b/...sic-security/src/main/java/io/druid/security/basic/authentication/BasicHTTPEscalator.java
@@ -22,21 +22,11 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeName;
-import com.google.common.base.Throwables;
 import com.metamx.http.client.CredentialedHttpClient;
 import com.metamx.http.client.HttpClient;
 import com.metamx.http.client.auth.BasicCredentials;
-import io.druid.java.util.common.StringUtils;
-import io.druid.security.basic.BasicAuthUtils;
 import io.druid.server.security.AuthenticationResult;
 import io.druid.server.security.Escalator;
-import org.eclipse.jetty.client.api.Authentication;
-import org.eclipse.jetty.client.api.ContentResponse;
-import org.eclipse.jetty.client.api.Request;
-import org.eclipse.jetty.util.Attributes;
-import org.jboss.netty.handler.codec.http.HttpHeaders;
-
-import java.net.URI;
 
 @JsonTypeName("basic")
 public class BasicHTTPEscalator implements Escalator
@@ -66,48 +56,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient)
     );
   }
 
-  @Override
-  public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
-  {
-    baseClient.getAuthenticationStore().addAuthentication(new Authentication()
-    {
-      @Override
-      public boolean matches(String type, URI uri, String realm)
-      {
-        return true;
-      }
-
-      @Override
-      public Result authenticate(
-          final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context
-      )
-      {
-        return new Result()
-        {
-          @Override
-          public URI getURI()
-          {
-            return request.getURI();
-          }
-
-          @Override
-          public void apply(Request request)
-          {
-            try {
-              final String unencodedCreds = StringUtils.format("%s:%s", internalClientUsername, internalClientPassword);
-              final String base64Creds = BasicAuthUtils.getEncodedCredentials(unencodedCreds);
-              request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Basic " + base64Creds);
-            }
-            catch (Throwable e) {
-              Throwables.propagate(e);
-            }
-          }
-        };
-      }
-    });
-    return baseClient;
-  }
-
   @Override
   public AuthenticationResult createEscalatedAuthenticationResult()
   {

diff --git a/...sions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java b/...sions-core/druid-kerberos/src/main/java/io/druid/security/kerberos/KerberosEscalator.java
@@ -22,20 +22,10 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeName;
-import com.google.common.base.Throwables;
 import com.metamx.http.client.HttpClient;
 import io.druid.java.util.common.logger.Logger;
 import io.druid.server.security.AuthenticationResult;
 import io.druid.server.security.Escalator;
-import org.apache.hadoop.security.UserGroupInformation;
-import org.eclipse.jetty.client.api.Authentication;
-import org.eclipse.jetty.client.api.ContentResponse;
-import org.eclipse.jetty.client.api.Request;
-import org.eclipse.jetty.util.Attributes;
-import org.jboss.netty.handler.codec.http.HttpHeaders;
-
-import java.net.URI;
-import java.security.PrivilegedExceptionAction;
 
 @JsonTypeName("kerberos")
 public class KerberosEscalator implements Escalator
@@ -64,68 +54,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient)
     return new KerberosHttpClient(baseClient, internalClientPrincipal, internalClientKeytab);
   }
 
-  @Override
-  public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
-  {
-    baseClient.getAuthenticationStore().addAuthentication(new Authentication()
-    {
-      @Override
-      public boolean matches(String type, URI uri, String realm)
-      {
-        return true;
-      }
-
-      @Override
-      public Result authenticate(
-          final Request request, ContentResponse response, Authentication.HeaderInfo headerInfo, Attributes context
-      )
-      {
-        return new Result()
-        {
-          @Override
-          public URI getURI()
-          {
-            return request.getURI();
-          }
-
-          @Override
-          public void apply(Request request)
-          {
-            try {
-              // No need to set cookies as they are handled by Jetty Http Client itself.
-              URI uri = request.getURI();
-              if (DruidKerberosUtil.needToSendCredentials(baseClient.getCookieStore(), uri)) {
-                log.debug(
-                    "No Auth Cookie found for URI[%s]. Existing Cookies[%s] Authenticating... ",
-                    uri,
-                    baseClient.getCookieStore().getCookies()
-                );
-                final String host = request.getHost();
-                DruidKerberosUtil.authenticateIfRequired(internalClientPrincipal, internalClientKeytab);
-                UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
-                String challenge = currentUser.doAs(new PrivilegedExceptionAction<String>()
-                {
-                  @Override
-                  public String run() throws Exception
-                  {
-                    return DruidKerberosUtil.kerberosChallenge(host);
-                  }
-                });
-                request.getHeaders().add(HttpHeaders.Names.AUTHORIZATION, "Negotiate " + challenge);
-              } else {
-                log.debug("Found Auth Cookie found for URI[%s].", uri);
-              }
-            }
-            catch (Throwable e) {
-              Throwables.propagate(e);
-            }
-          }
-        };
-      }
-    });
-    return baseClient;
-  }
-
   @Override
   public AuthenticationResult createEscalatedAuthenticationResult()
   {

diff --git a/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java b/server/src/main/java/io/druid/server/AsyncQueryForwardingServlet.java
@@ -44,7 +44,6 @@
 import io.druid.server.router.QueryHostFinder;
 import io.druid.server.router.Router;
 import io.druid.server.security.AuthConfig;
-import io.druid.server.security.Escalator;
 import org.apache.http.client.utils.URIBuilder;
 import org.eclipse.jetty.client.HttpClient;
 import org.eclipse.jetty.client.api.Request;
@@ -112,7 +111,6 @@ private static void handleException(HttpServletResponse response, ObjectMapper o
   private final ServiceEmitter emitter;
   private final RequestLogger requestLogger;
   private final GenericQueryMetricsFactory queryMetricsFactory;
-  private final Escalator escalator;
 
   private HttpClient broadcastClient;
 
@@ -126,8 +124,7 @@ public AsyncQueryForwardingServlet(
       @Router DruidHttpClientConfig httpClientConfig,
       ServiceEmitter emitter,
       RequestLogger requestLogger,
-      GenericQueryMetricsFactory queryMetricsFactory,
-      Escalator escalator
+      GenericQueryMetricsFactory queryMetricsFactory
   )
   {
     this.warehouse = warehouse;
@@ -139,7 +136,6 @@ public AsyncQueryForwardingServlet(
     this.emitter = emitter;
     this.requestLogger = requestLogger;
     this.queryMetricsFactory = queryMetricsFactory;
-    this.escalator = escalator;
   }
 
   @Override
@@ -213,11 +209,14 @@ protected void service(HttpServletRequest request, HttpServletResponse response)
               );
             }
           };
-          broadcastClient
+
+          Request broadcastReq = broadcastClient
               .newRequest(rewriteURI(request, server.getScheme(), server.getHost()))
               .method(HttpMethod.DELETE)
-              .timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS)
-              .send(completeListener);
+              .timeout(CANCELLATION_TIMEOUT_MILLIS, TimeUnit.MILLISECONDS);
+
+          copyRequestHeaders(request, broadcastReq);
+          broadcastReq.send(completeListener);
         }
         interruptedQueryCount.incrementAndGet();
       }
@@ -347,7 +346,7 @@ protected static URI makeURI(String scheme, String host, String requestURI, Stri
   @Override
   protected HttpClient newHttpClient()
   {
-    return escalator.createEscalatedJettyClient(httpClientProvider.get());
+    return httpClientProvider.get();
   }
 
   @Override

diff --git a/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java b/server/src/main/java/io/druid/server/initialization/AuthorizerMapperModule.java
@@ -95,11 +95,20 @@ public AuthorizerMapper get()
 
       // Default is allow all
       if (authorizers == null) {
+        AllowAllAuthorizer allowAllAuthorizer = new AllowAllAuthorizer();
+        authorizerMap.put(AuthConfig.ALLOW_ALL_NAME, allowAllAuthorizer);
+
         return new AuthorizerMapper(null) {
           @Override
           public Authorizer getAuthorizer(String name)
           {
-            return new AllowAllAuthorizer();
+            return allowAllAuthorizer;
+          }
+
+          @Override
+          public Map<String, Authorizer> getAuthorizerMap()
+          {
+            return authorizerMap;
           }
         };
       }

diff --git a/server/src/main/java/io/druid/server/security/Escalator.java b/server/src/main/java/io/druid/server/security/Escalator.java
@@ -46,18 +46,6 @@ public interface Escalator
    */
   HttpClient createEscalatedClient(HttpClient baseClient);
 
-  /**
-   * Return a client that sends requests with the format/information necessary to authenticate successfully
-   * against this Authenticator's authentication scheme using the identity of the internal system user.
-   * <p>
-   * This HTTP client is used by the Druid Router node.
-   *
-   * @param baseClient Base Jetty HttpClient
-   *
-   * @return Jetty HttpClient that sends requests with the credentials of the internal system user
-   */
-  org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient);
-
   /**
    * @return an AuthenticationResult representing the identity of the internal system user.
    */

diff --git a/server/src/main/java/io/druid/server/security/NoopEscalator.java b/server/src/main/java/io/druid/server/security/NoopEscalator.java
@@ -29,12 +29,6 @@ public HttpClient createEscalatedClient(HttpClient baseClient)
     return baseClient;
   }
 
-  @Override
-  public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient)
-  {
-    return baseClient;
-  }
-
   @Override
   public AuthenticationResult createEscalatedAuthenticationResult()
   {

diff --git a/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java b/server/src/test/java/io/druid/server/AsyncQueryForwardingServletTest.java
@@ -54,7 +54,6 @@
 import io.druid.server.security.AllowAllAuthorizer;
 import io.druid.server.security.Authorizer;
 import io.druid.server.security.AuthorizerMapper;
-import io.druid.server.security.NoopEscalator;
 import org.eclipse.jetty.client.HttpClient;
 import org.eclipse.jetty.server.Handler;
 import org.eclipse.jetty.server.Server;
@@ -252,8 +251,7 @@ public void log(RequestLogLine requestLogLine) throws IOException
                   // noop
                 }
               },
-              new DefaultGenericQueryMetricsFactory(jsonMapper),
-              new NoopEscalator()
+              new DefaultGenericQueryMetricsFactory(jsonMapper)
           )
           {
             @Override