apache · jon-wei · Apr 12, 2018 · Apr 12, 2018
diff --git a/docs/content/configuration/auth.md b/docs/content/configuration/auth.md
@@ -10,7 +10,6 @@ layout: doc_page
 |`druid.escalator.type`|String|Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in `druid.auth.authenticationChain`.|"noop"|no|
 |`druid.auth.authorizers`|JSON List of Strings|List of Authorizer type names |["allowAll"]|no|
 |`druid.auth.unsecuredPaths`| List of Strings|List of paths for which security checks will not be performed. All requests to these paths will be allowed.|[]|no|
-|`druid.auth.disableHttpOptionsAuthentication`|Boolean|If true, skip authentication checks for HTTP OPTIONS requests. Note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid, and this may leak sensitive information (for example, the `/druid/indexer/v1//task/{taskid}` endpoint on the Overlord and `/druid/coordinator/v1/datasources` endpoints on the Coordinator contain resource names), so the authentication checks should not be disabled unless truly necessary. |false|no|
 
 ## Enabling Authentication/Authorization
 

diff --git a/integration-tests/src/test/java/io/druid/tests/security/ITBasicAuthConfigurationTest.java b/integration-tests/src/test/java/io/druid/tests/security/ITBasicAuthConfigurationTest.java
@@ -224,18 +224,6 @@ public void testAuthConfiguration() throws Exception
 
     LOG.info("Testing Avatica query on router with incorrect credentials.");
     testAvaticaAuthFailure(routerUrl);
-
-    LOG.info("Checking OPTIONS requests on services...");
-    testOptionsRequests(adminClient);
-  }
-
-  private void testOptionsRequests(HttpClient httpClient)
-  {
-    makeRequest(httpClient, HttpMethod.OPTIONS, config.getCoordinatorUrl() + "/status", null);
-    makeRequest(httpClient, HttpMethod.OPTIONS, config.getIndexerUrl() + "/status", null);
-    makeRequest(httpClient, HttpMethod.OPTIONS, config.getBrokerUrl() + "/status", null);
-    makeRequest(httpClient, HttpMethod.OPTIONS, config.getHistoricalUrl() + "/status", null);
-    makeRequest(httpClient, HttpMethod.OPTIONS, config.getRouterUrl() + "/status", null);
   }
 
   private void checkUnsecuredCoordinatorLoadQueuePath(HttpClient client)

diff --git a/server/src/main/java/io/druid/server/security/AllowOptionsResourceFilter.java b/server/src/main/java/io/druid/server/security/AllowOptionsResourceFilter.java
diff --git a/server/src/main/java/io/druid/server/security/AuthConfig.java b/server/src/main/java/io/druid/server/security/AuthConfig.java
@@ -44,23 +44,19 @@ public class AuthConfig
 
   public AuthConfig()
   {
-    this(null, null, null, null);
+    this(null, null, null);
   }
 
   @JsonCreator
   public AuthConfig(
       @JsonProperty("authenticatorChain") List<String> authenticationChain,
       @JsonProperty("authorizers") List<String> authorizers,
-      @JsonProperty("unsecuredPaths") List<String> unsecuredPaths,
-      @JsonProperty("disableHttpOptionsAuthentication") Boolean disableHttpOptionsAuthentication
+      @JsonProperty("unsecuredPaths") List<String> unsecuredPaths
   )
   {
     this.authenticatorChain = authenticationChain;
     this.authorizers = authorizers;
     this.unsecuredPaths = unsecuredPaths == null ? Collections.emptyList() : unsecuredPaths;
-    this.disableHttpOptionsAuthentication = disableHttpOptionsAuthentication == null
-                                            ? false
-                                            : disableHttpOptionsAuthentication;
   }
 
   @JsonProperty
@@ -72,9 +68,6 @@ public AuthConfig(
   @JsonProperty
   private final List<String> unsecuredPaths;
 
-  @JsonProperty
-  private final boolean disableHttpOptionsAuthentication;
-
   public List<String> getAuthenticatorChain()
   {
     return authenticatorChain;
@@ -90,9 +83,14 @@ public List<String> getUnsecuredPaths()
     return unsecuredPaths;
   }
 
-  public boolean isDisableHttpOptionsAuthentication()
+  @Override
+  public String toString()
   {
-    return disableHttpOptionsAuthentication;
+    return "AuthConfig{" +
+           "authenticatorChain='" + authenticatorChain + '\'' +
+           ", authorizers='" + authorizers + '\'' +
+           ", unsecuredPaths='" + unsecuredPaths + '\'' +
+           '}';
   }
 
   @Override
@@ -105,31 +103,14 @@ public boolean equals(Object o)
       return false;
     }
     AuthConfig that = (AuthConfig) o;
-    return isDisableHttpOptionsAuthentication() == that.isDisableHttpOptionsAuthentication() &&
-           Objects.equals(getAuthenticatorChain(), that.getAuthenticatorChain()) &&
-           Objects.equals(getAuthorizers(), that.getAuthorizers()) &&
-           Objects.equals(getUnsecuredPaths(), that.getUnsecuredPaths());
+    return Objects.equals(authenticatorChain, that.authenticatorChain) &&
+           Objects.equals(authorizers, that.authorizers) &&
+           Objects.equals(unsecuredPaths, that.unsecuredPaths);
   }
 
   @Override
   public int hashCode()
   {
-    return Objects.hash(
-        getAuthenticatorChain(),
-        getAuthorizers(),
-        getUnsecuredPaths(),
-        isDisableHttpOptionsAuthentication()
-    );
-  }
-
-  @Override
-  public String toString()
-  {
-    return "AuthConfig{" +
-           "authenticatorChain=" + authenticatorChain +
-           ", authorizers=" + authorizers +
-           ", unsecuredPaths=" + unsecuredPaths +
-           ", disableHttpOptionsAuthentication=" + disableHttpOptionsAuthentication +
-           '}';
+    return Objects.hash(authenticatorChain, authorizers, unsecuredPaths);
   }
 }
diff --git a/server/src/main/java/io/druid/server/security/AuthenticationUtils.java b/server/src/main/java/io/druid/server/security/AuthenticationUtils.java
@@ -27,16 +27,6 @@
 
 public class AuthenticationUtils
 {
-  public static void addAllowOptionsFilter(ServletContextHandler root, boolean disableHttpOptionsAuthentication)
-  {
-    FilterHolder holder = new FilterHolder(new AllowOptionsResourceFilter(disableHttpOptionsAuthentication));
-    root.addFilter(
-        holder,
-        "/*",
-        null
-    );
-  }
-
   public static void addAuthenticationFilterChain(
       ServletContextHandler root,
       List<Authenticator> authenticators

diff --git a/services/src/main/java/io/druid/cli/CliOverlord.java b/services/src/main/java/io/druid/cli/CliOverlord.java
@@ -344,8 +344,6 @@ public void initialize(Server server, Injector injector)
       AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
       AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
 
-      AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isDisableHttpOptionsAuthentication());
-
       authenticators = authenticatorMapper.getAuthenticatorChain();
       AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
 

diff --git a/services/src/main/java/io/druid/cli/CoordinatorJettyServerInitializer.java b/services/src/main/java/io/druid/cli/CoordinatorJettyServerInitializer.java
@@ -125,13 +125,12 @@ public void initialize(Server server, Injector injector)
       AuthenticationUtils.addNoopAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
     }
 
-    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isDisableHttpOptionsAuthentication());
-
     authenticators = authenticatorMapper.getAuthenticatorChain();
     AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
 
     JettyServerInitUtils.addExtensionFilters(root, injector);
 
+
     // Check that requests were authorized before sending responses
     AuthenticationUtils.addPreResponseAuthorizationCheckFilter(
         root,

diff --git a/services/src/main/java/io/druid/cli/MiddleManagerJettyServerInitializer.java b/services/src/main/java/io/druid/cli/MiddleManagerJettyServerInitializer.java
@@ -78,11 +78,10 @@ public void initialize(Server server, Injector injector)
     AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
     AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
 
-    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isDisableHttpOptionsAuthentication());
-
     authenticators = authenticatorMapper.getAuthenticatorChain();
     AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
 
+
     JettyServerInitUtils.addExtensionFilters(root, injector);
 
     // Check that requests were authorized before sending responses

diff --git a/services/src/main/java/io/druid/cli/QueryJettyServerInitializer.java b/services/src/main/java/io/druid/cli/QueryJettyServerInitializer.java
@@ -102,8 +102,6 @@ public void initialize(Server server, Injector injector)
     AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
     AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
 
-    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isDisableHttpOptionsAuthentication());
-
     authenticators = authenticatorMapper.getAuthenticatorChain();
     AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
 

diff --git a/services/src/main/java/io/druid/cli/RouterJettyServerInitializer.java b/services/src/main/java/io/druid/cli/RouterJettyServerInitializer.java
@@ -111,8 +111,6 @@ public void initialize(Server server, Injector injector)
     AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
     AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
 
-    AuthenticationUtils.addAllowOptionsFilter(root, authConfig.isDisableHttpOptionsAuthentication());
-
     final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
     AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);