diff --git a/docs/development/extensions-core/druid-basic-security.md b/docs/development/extensions-core/druid-basic-security.md index 03c2fa2c40ac..95b4c823561b 100644 --- a/docs/development/extensions-core/druid-basic-security.md +++ b/docs/development/extensions-core/druid-basic-security.md @@ -25,8 +25,8 @@ title: "Basic Security" This Apache Druid (incubating) extension adds: -- an Authenticator which supports [HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) -- an Authorizer which implements basic role-based access control +- an Authenticator which supports [HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication) using the Druid metadata store or LDAP as its credentials store +- an Authorizer which implements basic role-based access control for Druid metadata store or LDAP users and groups Make sure to [include](../../development/extensions.md#loading-extensions) `druid-basic-security` as an extension. @@ -34,7 +34,7 @@ Please see [Authentication and Authorization](../../design/auth.md) for more inf ## Configuration -The examples in the section will use "MyBasicAuthenticator" and "MyBasicAuthorizer" as names for the Authenticator and Authorizer. +The examples in the section will use "MyBasicMetadataAuthenticator", "MyBasicLDAPAuthenticator", "MyBasicMetadataAuthorizer", and "MyBasicLDAPAuthorizer" as names for the Authenticators and Authorizer. These properties are not tied to specific Authenticator or Authorizer instances. @@ -43,23 +43,27 @@ These configuration properties should be added to the common runtime properties ### Properties |Property|Description|Default|required| |--------|-----------|-------|--------| -|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current authenticator/authorizer database state.|60000|No| +|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.|60000|No| |`druid.auth.basic.common.maxRandomDelay`|Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.|6000|No| -|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization database state sync with the Coordinator fails.|10|No| -|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer database caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No| +|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.|10|No| +|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No| -### Creating an Authenticator +### Creating an Authenticator that uses the Druid metadata store to lookup and validate credentials ``` -druid.auth.authenticatorChain=["MyBasicAuthenticator"] - -druid.auth.authenticator.MyBasicAuthenticator.type=basic -druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword=password1 -druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword=password2 -druid.auth.authenticator.MyBasicAuthenticator.authorizerName=MyBasicAuthorizer +druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"] + +druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic +druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1 +druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2 +druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata +druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false +druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer ``` To use the Basic authenticator, add an authenticator with type `basic` to the authenticatorChain. +The authenticator needs to also define a credentialsValidator with type 'metadata' or 'ldap'. +If credentialsValidator is not specified, type 'metadata' will be used as default. Configuration of the named authenticator is assigned through properties with the form: @@ -67,18 +71,41 @@ Configuration of the named authenticator is assigned through properties with the druid.auth.authenticator.. ``` -The configuration examples in the rest of this document will use "MyBasicAuthenticator" as the name of the authenticator being configured. +The authenticator configuration examples in the rest of this document will use "MyBasicMetadataAuthenticator" or "MyBasicLDAPAuthenticator" as the name of the authenticators being configured. -#### Properties +#### Properties for Druid metadata store user authentication +|Property|Description|Default|required| +|--------|-----------|-------|--------| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`|The type of credentials store (metadata) to validate requests credentials.|metadata|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No| +|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes| + +#### Properties for LDAP user authentication |Property|Description|Default|required| |--------|-----------|-------|--------| -|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authenticator.MyBasicAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| -|`druid.auth.authenticator.MyBasicAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No| -|`druid.auth.authenticator.MyBasicAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`|The type of credentials store (ldap) to validate requests credentials.|metadata|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`|URL of the LDAP server.|null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`|LDAP bind user username.|null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`|[Password Provider](../../operations/password-provider.md) LDAP bind user password.|null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`|The point from where the LDAP server will search for users.|null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`|The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))|null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`|The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName. |null|Yes| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`|The duration in seconds for how long valid credentials are verifiable within the cache when not requested.|600|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`|The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.|3600|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`|The valid credentials cache size. The cache uses a LRU policy.|100|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No| +|`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`|Authorizer that requests should be directed to.|N/A|Yes| ### Creating an Escalator @@ -87,7 +114,7 @@ The configuration examples in the rest of this document will use "MyBasicAuthent druid.escalator.type=basic druid.escalator.internalClientUsername=druid_system druid.escalator.internalClientPassword=password2 -druid.escalator.authorizerName=MyBasicAuthorizer +druid.escalator.authorizerName=MyBasicMetadataAuthorizer ``` #### Properties @@ -100,24 +127,40 @@ druid.escalator.authorizerName=MyBasicAuthorizer ### Creating an Authorizer ``` -druid.auth.authorizers=["MyBasicAuthorizer"] +druid.auth.authorizers=["MyBasicMetadataAuthorizer"] -druid.auth.authorizer.MyBasicAuthorizer.type=basic +druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic ``` -To use the Basic authorizer, add an authenticator with type `basic` to the authorizers list. +To use the Basic authorizer, add an authorizer with type `basic` to the authorizers list. -Configuration of the named authenticator is assigned through properties with the form: +Configuration of the named authorizer is assigned through properties with the form: ``` druid.auth.authorizer.. ``` -#### Properties +The authorizer configuration examples in the rest of this document will use "MyBasicMetadataAuthorizer" or "MyBasicLDAPAuthorizer" as the name of the authenticators being configured. + +#### Properties for Druid metadata store user authorization |Property|Description|Default|required| |--------|-----------|-------|--------| -|`druid.auth.authorizer.MyBasicAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authorizer.MyBasicAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| +|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No| +|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| +|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No| +|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No| +|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type of role provider to authorize requests credentials.|metadata|No + +#### Properties for LDAP user authorization +|Property|Description|Default|required| +|--------|-----------|-------|--------| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping|null|No| +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of role provider (ldap) to authorize requests credentials.|metadata|No +|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.|null|No| ## Usage @@ -157,7 +200,7 @@ Example request body: ##### Cache Load Status `GET(/druid-ext/basic-security/authentication/loadStatus)` -Return the current load status of the local caches of the authentication database. +Return the current load status of the local caches of the authentication Druid metadata store. #### Authorization API @@ -262,6 +305,30 @@ Create a new user with name {userName} `DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})` Delete the user with name {userName} +##### Group mapping Creation/Deletion +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings)` +Return a list of all group mappings. + +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})` +Return the group mapping and role information of the group mapping with name {groupMappingName} + +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})` +Create a new group mapping with name {groupMappingName} +Content: JSON group mapping object +Example request body: + +``` +{ + "name": "user", + "groupPattern": "CN=aaa,OU=aaa,OU=Groupings,DC=corp,DC=company,DC=com", + "roles": [ + "user" + ] +} +``` + +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName})` +Delete the group mapping with name {groupMappingName} #### Role Creation/Deletion `GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)` @@ -297,7 +364,7 @@ This API supports the following flags: - `?full`: The output will contain an extra `users` list, containing the users that currently have this role. ```json -"users":["druid"] +{"users":["druid"]} ``` - `?simplifyPermissions`: The permissions in the output will contain only a list of `resourceAction` objects, without the extraneous `resourceNamePattern` field. The `users` field will be null when `?full` is not specified. @@ -336,6 +403,12 @@ Assign role {roleName} to user {userName}. `DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})` Unassign role {roleName} from user {userName} +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName}/roles/{roleName})` +Assign role {roleName} to group mapping {groupMappingName}. + +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupmappings/{groupMappingName}/roles/{roleName})` +Unassign role {roleName} from group mapping {groupMappingName} + #### Permissions `POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)` @@ -368,7 +441,7 @@ Please see [Defining permissions](#defining-permissions) for more details. ##### Cache Load Status `GET(/druid-ext/basic-security/authorization/loadStatus)` -Return the current load status of the local caches of the authorization database. +Return the current load status of the local caches of the authorization Druid metadata store. ## Default user accounts @@ -462,10 +535,10 @@ Queries on the [system schema tables](../../querying/sql.html#system-schema) req ## Configuration Propagation -To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role database state is cached on each Druid process. +To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role Druid metadata store state is cached on each Druid process. -Each process will periodically poll the Coordinator for the latest database state, controlled by the `druid.auth.basic.common.pollingPeriod` and `druid.auth.basic.common.maxRandomDelay` properties. +Each process will periodically poll the Coordinator for the latest Druid metadata store state, controlled by the `druid.auth.basic.common.pollingPeriod` and `druid.auth.basic.common.maxRandomDelay` properties. -When a configuration update occurs, the Coordinator can optionally notify each process with the updated database state. This behavior is controlled by the `enableCacheNotifications` and `cacheNotificationTimeout` properties on Authenticators and Authorizers. +When a configuration update occurs, the Coordinator can optionally notify each process with the updated Druid metadata store state. This behavior is controlled by the `enableCacheNotifications` and `cacheNotificationTimeout` properties on Authenticators and Authorizers. -Note that because of the caching, changes made to the user/role database may not be immediately reflected at each Druid process. +Note that because of the caching, changes made to the user/role Druid metadata store may not be immediately reflected at each Druid process. diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java index 7e084cb63beb..9dd412f2c9a9 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java @@ -27,23 +27,32 @@ public class BasicAuthDBConfig private final PasswordProvider initialAdminPassword; private final PasswordProvider initialInternalClientPassword; + private final String initialAdminUser; + private final String initialAdminRole; + private final String initialAdminGroupMapping; private final boolean enableCacheNotifications; private final long cacheNotificationTimeout; - private final int iterations; + private final int credentialIterations; public BasicAuthDBConfig( final PasswordProvider initialAdminPassword, final PasswordProvider initialInternalClientPassword, - final Boolean enableCacheNotifications, - final Long cacheNotificationTimeout, - final int iterations + final String initialAdminUser, + final String initialAdminRole, + final String initialAdminGroupMapping, + final boolean enableCacheNotifications, + final long cacheNotificationTimeout, + final int credentialIterations ) { this.initialAdminPassword = initialAdminPassword; this.initialInternalClientPassword = initialInternalClientPassword; + this.initialAdminUser = initialAdminUser; + this.initialAdminRole = initialAdminRole; + this.initialAdminGroupMapping = initialAdminGroupMapping; this.enableCacheNotifications = enableCacheNotifications; this.cacheNotificationTimeout = cacheNotificationTimeout; - this.iterations = iterations; + this.credentialIterations = credentialIterations; } public PasswordProvider getInitialAdminPassword() @@ -56,6 +65,21 @@ public PasswordProvider getInitialInternalClientPassword() return initialInternalClientPassword; } + public String getInitialAdminUser() + { + return initialAdminUser; + } + + public String getInitialAdminRole() + { + return initialAdminRole; + } + + public String getInitialAdminGroupMapping() + { + return initialAdminGroupMapping; + } + public boolean isEnableCacheNotifications() { return enableCacheNotifications; @@ -66,8 +90,8 @@ public long getCacheNotificationTimeout() return cacheNotificationTimeout; } - public int getIterations() + public int getCredentialIterations() { - return iterations; + return credentialIterations; } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthLDAPConfig.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthLDAPConfig.java new file mode 100644 index 000000000000..2696fa076011 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthLDAPConfig.java @@ -0,0 +1,111 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic; + +import org.apache.druid.metadata.PasswordProvider; + +public class BasicAuthLDAPConfig +{ + private final String url; + private final String bindUser; + private final PasswordProvider bindPassword; + private final String baseDn; + private final String userSearch; + private final String userAttribute; + private final int credentialIterations; + private final Integer credentialVerifyDuration; + private final Integer credentialMaxDuration; + private final Integer credentialCacheSize; + + public BasicAuthLDAPConfig( + final String url, + final String bindUser, + final PasswordProvider bindPassword, + final String baseDn, + final String userSearch, + final String userAttribute, + final int credentialIterations, + final Integer credentialVerifyDuration, + final Integer credentialMaxDuration, + final Integer credentialCacheSize + ) + { + this.url = url; + this.bindUser = bindUser; + this.bindPassword = bindPassword; + this.baseDn = baseDn; + this.userSearch = userSearch; + this.userAttribute = userAttribute; + this.credentialIterations = credentialIterations; + this.credentialVerifyDuration = credentialVerifyDuration; + this.credentialMaxDuration = credentialMaxDuration; + this.credentialCacheSize = credentialCacheSize; + } + + public String getUrl() + { + return url; + } + + public String getBindUser() + { + return bindUser; + } + + public PasswordProvider getBindPassword() + { + return bindPassword; + } + + public String getBaseDn() + { + return baseDn; + } + + public String getUserSearch() + { + return userSearch; + } + + public String getUserAttribute() + { + return userAttribute; + } + + public int getCredentialIterations() + { + return credentialIterations; + } + + public Integer getCredentialVerifyDuration() + { + return credentialVerifyDuration; + } + + public Integer getCredentialMaxDuration() + { + return credentialMaxDuration; + } + + public Integer getCredentialCacheSize() + { + return credentialCacheSize; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthSSLConfig.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthSSLConfig.java new file mode 100644 index 000000000000..4ff55cc8e2dc --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthSSLConfig.java @@ -0,0 +1,181 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import org.apache.druid.metadata.PasswordProvider; + +public class BasicAuthSSLConfig +{ + @JsonProperty + private String protocol; + + @JsonProperty + private String trustStoreType; + + @JsonProperty + private String trustStorePath; + + @JsonProperty + private String trustStoreAlgorithm; + + @JsonProperty("trustStorePassword") + private PasswordProvider trustStorePasswordProvider; + + @JsonProperty + private String keyStorePath; + + @JsonProperty + private String keyStoreType; + + @JsonProperty + private String certAlias; + + @JsonProperty("keyStorePassword") + private PasswordProvider keyStorePasswordProvider; + + @JsonProperty("keyManagerPassword") + private PasswordProvider keyManagerPasswordProvider; + + @JsonProperty + private String keyManagerFactoryAlgorithm; + + @JsonProperty + private Boolean validateHostnames; + + @JsonCreator + public BasicAuthSSLConfig( + @JsonProperty("protocol") String protocol, + @JsonProperty("trustStoreType") String trustStoreType, + @JsonProperty("trustStorePath") String trustStorePath, + @JsonProperty("trustStoreAlgorithm") String trustStoreAlgorithm, + @JsonProperty("trustStorePassword") PasswordProvider trustStorePasswordProvider, + @JsonProperty("keyStorePath") String keyStorePath, + @JsonProperty("keyStoreType") String keyStoreType, + @JsonProperty("certAlias") String certAlias, + @JsonProperty("keyStorePassword") PasswordProvider keyStorePasswordProvider, + @JsonProperty("keyManagerPassword") PasswordProvider keyManagerPasswordProvider, + @JsonProperty("keyManagerFactoryAlgorithm") String keyManagerFactoryAlgorithm, + @JsonProperty("validateHostnames") Boolean validateHostnames + ) + { + this.protocol = protocol; + this.trustStoreType = trustStoreType; + this.trustStorePath = trustStorePath; + this.trustStoreAlgorithm = trustStoreAlgorithm; + this.trustStorePasswordProvider = trustStorePasswordProvider; + this.keyStorePath = keyStorePath; + this.keyStoreType = keyStoreType; + this.certAlias = certAlias; + this.keyStorePasswordProvider = keyStorePasswordProvider; + this.keyManagerPasswordProvider = keyManagerPasswordProvider; + this.keyManagerFactoryAlgorithm = keyManagerFactoryAlgorithm; + this.validateHostnames = validateHostnames; + } + + @JsonProperty + public String getProtocol() + { + return protocol; + } + + @JsonProperty + public String getTrustStoreType() + { + return trustStoreType; + } + + @JsonProperty + public String getTrustStorePath() + { + return trustStorePath; + } + + @JsonProperty + public String getTrustStoreAlgorithm() + { + return trustStoreAlgorithm; + } + + @JsonProperty("trustStorePassword") + public PasswordProvider getTrustStorePasswordProvider() + { + return trustStorePasswordProvider; + } + + @JsonProperty + public String getKeyStorePath() + { + return keyStorePath; + } + + @JsonProperty + public String getKeyStoreType() + { + return keyStoreType; + } + + @JsonProperty + public String getCertAlias() + { + return certAlias; + } + + @JsonProperty("keyStorePassword") + public PasswordProvider getKeyStorePasswordProvider() + { + return keyStorePasswordProvider; + } + + @JsonProperty("keyManagerPassword") + public PasswordProvider getKeyManagerPasswordProvider() + { + return keyManagerPasswordProvider; + } + + @JsonProperty + public String getKeyManagerFactoryAlgorithm() + { + return keyManagerFactoryAlgorithm; + } + + @JsonProperty + public Boolean getValidateHostnames() + { + return validateHostnames; + } + + @Override + public String toString() + { + return "SSLClientConfig{" + + "protocol='" + protocol + '\'' + + ", trustStoreType='" + trustStoreType + '\'' + + ", trustStorePath='" + trustStorePath + '\'' + + ", trustStoreAlgorithm='" + trustStoreAlgorithm + '\'' + + ", keyStorePath='" + keyStorePath + '\'' + + ", keyStoreType='" + keyStoreType + '\'' + + ", certAlias='" + certAlias + '\'' + + ", keyManagerFactoryAlgorithm='" + keyManagerFactoryAlgorithm + '\'' + + ", validateHostnames='" + validateHostnames + '\'' + + '}'; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java index d66dc1ddbac1..21664d0659f2 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthUtils.java @@ -26,8 +26,10 @@ import org.apache.druid.java.util.common.StringUtils; import org.apache.druid.java.util.common.logger.Logger; import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; +import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap; import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap; import javax.annotation.Nullable; @@ -48,7 +50,9 @@ public class BasicAuthUtils private static final Logger log = new Logger(BasicAuthUtils.class); private static final SecureRandom SECURE_RANDOM = new SecureRandom(); public static final String ADMIN_NAME = "admin"; + public static final String ADMIN_GROUP_MAPPING_NAME = "adminGroupMapping"; public static final String INTERNAL_USER_NAME = "druid_system"; + public static final String SEARCH_RESULT_CONTEXT_KEY = "searchResult"; // PBKDF2WithHmacSHA512 is chosen since it has built-in support in Java8. // Argon2 (https://github.com/p-h-c/phc-winner-argon2) is newer but the only presently @@ -57,6 +61,9 @@ public class BasicAuthUtils // 256-bit salt should be more than sufficient for uniqueness, expected user count is on the order of thousands. public static final int SALT_LENGTH = 32; public static final int DEFAULT_KEY_ITERATIONS = 10000; + public static final int DEFAULT_CREDENTIAL_VERIFY_DURATION_SECONDS = 600; + public static final int DEFAULT_CREDENTIAL_MAX_DURATION_SECONDS = 3600; + public static final int DEFAULT_CREDENTIAL_CACHE_SIZE = 100; public static final int KEY_LENGTH = 512; public static final String ALGORITHM = "PBKDF2WithHmacSHA512"; @@ -70,6 +77,11 @@ public class BasicAuthUtils { }; + public static final TypeReference AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE = + new TypeReference>() + { + }; + public static final TypeReference AUTHORIZER_ROLE_MAP_TYPE_REFERENCE = new TypeReference>() { @@ -80,6 +92,11 @@ public class BasicAuthUtils { }; + public static final TypeReference AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE = + new TypeReference() + { + }; + public static byte[] hashPassword(final char[] password, final byte[] salt, final int iterations) { try { @@ -155,7 +172,7 @@ public static Map deserializeAuthenticatorUserMa userMap = objectMapper.readValue(userMapBytes, AUTHENTICATOR_USER_MAP_TYPE_REFERENCE); } catch (IOException ioe) { - throw new RuntimeException(ioe); + throw new RuntimeException("Couldn't deserialize authenticator userMap!", ioe); } } return userMap; @@ -170,7 +187,7 @@ public static byte[] serializeAuthenticatorUserMap( return objectMapper.writeValueAsBytes(userMap); } catch (IOException ioe) { - throw new ISE(ioe, "WTF? Couldn't serialize userMap!"); + throw new ISE(ioe, "Couldn't serialize authenticator userMap!"); } } @@ -187,7 +204,7 @@ public static Map deserializeAuthorizerUserMap( userMap = objectMapper.readValue(userMapBytes, BasicAuthUtils.AUTHORIZER_USER_MAP_TYPE_REFERENCE); } catch (IOException ioe) { - throw new RuntimeException(ioe); + throw new RuntimeException("Couldn't deserialize authorizer userMap!", ioe); } } return userMap; @@ -199,7 +216,36 @@ public static byte[] serializeAuthorizerUserMap(ObjectMapper objectMapper, Map deserializeAuthorizerGroupMappingMap( + ObjectMapper objectMapper, + byte[] groupMappingMapBytes + ) + { + Map groupMappingMap; + if (groupMappingMapBytes == null) { + groupMappingMap = new HashMap<>(); + } else { + try { + groupMappingMap = objectMapper.readValue(groupMappingMapBytes, BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_MAP_TYPE_REFERENCE); + } + catch (IOException ioe) { + throw new RuntimeException("Couldn't deserialize authorizer groupMappingMap!", ioe); + } + } + return groupMappingMap; + } + + public static byte[] serializeAuthorizerGroupMappingMap(ObjectMapper objectMapper, Map groupMappingMap) + { + try { + return objectMapper.writeValueAsBytes(groupMappingMap); + } + catch (IOException ioe) { + throw new ISE(ioe, "Couldn't serialize authorizer groupMappingMap!"); } } @@ -216,7 +262,7 @@ public static Map deserializeAuthorizerRoleMap( roleMap = objectMapper.readValue(roleMapBytes, BasicAuthUtils.AUTHORIZER_ROLE_MAP_TYPE_REFERENCE); } catch (IOException ioe) { - throw new RuntimeException(ioe); + throw new RuntimeException("Couldn't deserialize authorizer roleMap!", ioe); } } return roleMap; @@ -228,7 +274,7 @@ public static byte[] serializeAuthorizerRoleMap(ObjectMapper objectMapper, Map getJacksonModules() { @@ -209,7 +215,8 @@ public List getJacksonModules() new SimpleModule("BasicDruidSecurity").registerSubtypes( BasicHTTPAuthenticator.class, BasicHTTPEscalator.class, - BasicRoleBasedAuthorizer.class + BasicRoleBasedAuthorizer.class, + NettyHttpClient.class ) ); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecuritySSLSocketFactory.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecuritySSLSocketFactory.java new file mode 100644 index 000000000000..56e3900ab685 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicSecuritySSLSocketFactory.java @@ -0,0 +1,123 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic; + +import com.google.inject.Inject; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.server.security.TLSCertificateChecker; +import org.apache.druid.server.security.TLSUtils; + +import javax.net.SocketFactory; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLSocketFactory; +import java.io.IOException; +import java.net.InetAddress; +import java.net.Socket; + +public class BasicSecuritySSLSocketFactory extends SSLSocketFactory +{ + private static final Logger LOG = new Logger(BasicSecuritySSLSocketFactory.class); + private SSLSocketFactory sf; + + @Inject + private static BasicAuthSSLConfig basicAuthSSLConfig; + @Inject + private static TLSCertificateChecker certificateChecker; + + public BasicSecuritySSLSocketFactory() + { + SSLContext ctx = new TLSUtils.ClientSSLContextBuilder() + .setProtocol(basicAuthSSLConfig.getProtocol()) + .setTrustStoreType(basicAuthSSLConfig.getTrustStoreType()) + .setTrustStorePath(basicAuthSSLConfig.getTrustStorePath()) + .setTrustStoreAlgorithm(basicAuthSSLConfig.getTrustStoreAlgorithm()) + .setTrustStorePasswordProvider(basicAuthSSLConfig.getTrustStorePasswordProvider()) + .setKeyStoreType(basicAuthSSLConfig.getKeyStoreType()) + .setKeyStorePath(basicAuthSSLConfig.getKeyStorePath()) + .setKeyStoreAlgorithm(basicAuthSSLConfig.getKeyManagerFactoryAlgorithm()) + .setCertAlias(basicAuthSSLConfig.getCertAlias()) + .setKeyStorePasswordProvider(basicAuthSSLConfig.getKeyStorePasswordProvider()) + .setKeyManagerFactoryPasswordProvider(basicAuthSSLConfig.getKeyManagerPasswordProvider()) + .setValidateHostnames(basicAuthSSLConfig.getValidateHostnames()) + .setCertificateChecker(certificateChecker) + .build(); + + sf = ctx.getSocketFactory(); + } + + public static SocketFactory getDefault() + { + return new BasicSecuritySSLSocketFactory(); + } + + @Override + public String[] getDefaultCipherSuites() + { + return sf.getDefaultCipherSuites(); + } + + @Override + public String[] getSupportedCipherSuites() + { + return sf.getSupportedCipherSuites(); + } + + @Override + public Socket createSocket( + Socket s, + String host, + int port, + boolean autoClose) throws IOException + { + return sf.createSocket(s, host, port, autoClose); + } + + @Override + public Socket createSocket(String host, int port) throws IOException + { + return sf.createSocket(host, port); + } + + @Override + public Socket createSocket( + String host, + int port, + InetAddress localHost, + int localPort) throws IOException + { + return sf.createSocket(host, port, localHost, localPort); + } + + @Override + public Socket createSocket(InetAddress host, int port) throws IOException + { + return sf.createSocket(host, port); + } + + @Override + public Socket createSocket( + InetAddress address, + int port, + InetAddress localAddress, + int localPort) throws IOException + { + return sf.createSocket(address, port, localAddress, localPort); + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/CommonCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/CommonCacheNotifier.java index 98de3833717b..4ae5ae887d86 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/CommonCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/CommonCacheNotifier.java @@ -107,6 +107,7 @@ public void start() Pair update = updateQueue.take(); String authorizer = update.lhs; byte[] serializedMap = update.rhs; + BasicAuthDBConfig authorizerConfig = itemConfigMap.get(update.lhs); if (!authorizerConfig.isEnableCacheNotifications()) { continue; @@ -157,20 +158,23 @@ public void addUpdate(String updatedItemName, byte[] updatedItemData) ); } - private List> sendUpdate(String updatedAuthorizerPrefix, byte[] serializedUserMap) + private List> sendUpdate(String updatedAuthenticatorPrefix, byte[] serializedEntity) { List> futures = new ArrayList<>(); for (NodeType nodeType : NODE_TYPES) { DruidNodeDiscovery nodeDiscovery = discoveryProvider.getForNodeType(nodeType); Collection nodes = nodeDiscovery.getAllNodes(); for (DiscoveryDruidNode node : nodes) { - URL listenerURL = getListenerURL(node.getDruidNode(), baseUrl, updatedAuthorizerPrefix); + URL listenerURL = getListenerURL( + node.getDruidNode(), + StringUtils.format(baseUrl, StringUtils.urlEncode(updatedAuthenticatorPrefix)) + ); // best effort, if this fails, remote node will poll and pick up the update eventually Request req = new Request(HttpMethod.POST, listenerURL); - req.setContent(MediaType.APPLICATION_JSON, serializedUserMap); + req.setContent(MediaType.APPLICATION_JSON, serializedEntity); - BasicAuthDBConfig itemConfig = itemConfigMap.get(updatedAuthorizerPrefix); + BasicAuthDBConfig itemConfig = itemConfigMap.get(updatedAuthenticatorPrefix); ListenableFuture future = httpClient.go( req, @@ -183,18 +187,19 @@ private List> sendUpdate(String updatedAu return futures; } - private URL getListenerURL(DruidNode druidNode, String baseUrl, String itemName) + private URL getListenerURL(DruidNode druidNode, String baseUrl) { try { return new URL( druidNode.getServiceScheme(), druidNode.getHost(), druidNode.getPortToUse(), - StringUtils.format(baseUrl, StringUtils.urlEncode(itemName)) + baseUrl ); } catch (MalformedURLException mue) { - LOG.error(callerName + ":WTF? Malformed url for DruidNode[%s] and itemName[%s]", druidNode, itemName); + LOG.error(callerName + ":WTF? Malformed url for DruidNode[%s] and baseUrl[%s]", druidNode, baseUrl); + throw new RuntimeException(mue); } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java index 49d033896ff2..ee2a2ef990cf 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java @@ -24,13 +24,14 @@ import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonTypeName; import com.google.inject.Provider; -import org.apache.druid.java.util.common.IAE; +import org.apache.druid.java.util.common.logger.Logger; import org.apache.druid.metadata.PasswordProvider; import org.apache.druid.security.basic.BasicAuthDBConfig; import org.apache.druid.security.basic.BasicAuthUtils; +import org.apache.druid.security.basic.BasicSecurityAuthenticationException; import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; -import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; -import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser; +import org.apache.druid.security.basic.authentication.validator.CredentialsValidator; +import org.apache.druid.security.basic.authentication.validator.MetadataStoreCredentialsValidator; import org.apache.druid.server.security.AuthConfig; import org.apache.druid.server.security.AuthenticationResult; import org.apache.druid.server.security.Authenticator; @@ -46,17 +47,20 @@ import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; -import java.util.Arrays; import java.util.EnumSet; +import java.util.Locale; import java.util.Map; @JsonTypeName("basic") public class BasicHTTPAuthenticator implements Authenticator { - private final Provider cacheManager; + private static final Logger LOG = new Logger(BasicHTTPAuthenticator.class); + private final String name; private final String authorizerName; private final BasicAuthDBConfig dbConfig; + private final CredentialsValidator credentialsValidator; + private final boolean skipOnFailure; @JsonCreator public BasicHTTPAuthenticator( @@ -67,7 +71,9 @@ public BasicHTTPAuthenticator( @JsonProperty("initialInternalClientPassword") PasswordProvider initialInternalClientPassword, @JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications, @JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout, - @JsonProperty("credentialIterations") Integer credentialIterations + @JsonProperty("credentialIterations") Integer credentialIterations, + @JsonProperty("skipOnFailure") Boolean skipOnFailure, + @JsonProperty("credentialsValidator") CredentialsValidator credentialsValidator ) { this.name = name; @@ -75,11 +81,19 @@ public BasicHTTPAuthenticator( this.dbConfig = new BasicAuthDBConfig( initialAdminPassword, initialInternalClientPassword, + null, + null, + null, enableCacheNotifications == null ? true : enableCacheNotifications, cacheNotificationTimeout == null ? BasicAuthDBConfig.DEFAULT_CACHE_NOTIFY_TIMEOUT_MS : cacheNotificationTimeout, credentialIterations == null ? BasicAuthUtils.DEFAULT_KEY_ITERATIONS : credentialIterations ); - this.cacheManager = cacheManager; + if (credentialsValidator == null) { + this.credentialsValidator = new MetadataStoreCredentialsValidator(cacheManager); + } else { + this.credentialsValidator = credentialsValidator; + } + this.skipOnFailure = skipOnFailure == null ? false : skipOnFailure; } @Override @@ -105,11 +119,7 @@ public AuthenticationResult authenticateJDBCContext(Map context) return null; } - if (checkCredentials(user, password.toCharArray())) { - return new AuthenticationResult(user, authorizerName, name, null); - } else { - return null; - } + return credentialsValidator.validateCredentials(name, authorizerName, user, password.toCharArray()); } @@ -165,8 +175,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo } // At this point, encodedUserSecret is not null, indicating that the request intends to perform - // Basic HTTP authentication. If any errors occur with the authentication, we send a 401 response immediately - // and do not proceed further down the filter chain. + // Basic HTTP authentication. String decodedUserSecret = BasicAuthUtils.decodeUserSecret(encodedUserSecret); if (decodedUserSecret == null) { // We recognized a Basic auth header, but could not decode the user secret. @@ -176,6 +185,7 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo String[] splits = decodedUserSecret.split(":"); if (splits.length != 2) { + // The decoded user secret is not of the right format httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; } @@ -183,12 +193,34 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo String user = splits[0]; char[] password = splits[1].toCharArray(); - if (checkCredentials(user, password)) { - AuthenticationResult authenticationResult = new AuthenticationResult(user, authorizerName, name, null); - servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult); - filterChain.doFilter(servletRequest, servletResponse); - } else { - httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED); + // If any authentication error occurs we send a 401 response immediately and do not proceed further down the filter chain. + // If the authentication result is null and skipOnFailure property is false, we send a 401 response and do not proceed + // further down the filter chain. If the authentication result is null and skipOnFailure is true then move on to the next filter. + // Authentication results, for instance, can be null if a user doesn't exists within a user store + try { + AuthenticationResult authenticationResult = credentialsValidator.validateCredentials( + name, + authorizerName, + user, + password + ); + if (authenticationResult != null) { + servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult); + filterChain.doFilter(servletRequest, servletResponse); + } else { + if (skipOnFailure) { + LOG.info("Skipping failed authenticator %s ", name); + filterChain.doFilter(servletRequest, servletResponse); + } else { + httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED); + } + } + } + catch (BasicSecurityAuthenticationException ex) { + LOG.info("Exception authenticating user %s - %s", user, ex.getMessage()); + httpResp.sendError(HttpServletResponse.SC_UNAUTHORIZED, + String.format(Locale.getDefault(), + "User authentication failed username[%s].", user)); } } @@ -198,29 +230,4 @@ public void destroy() } } - - private boolean checkCredentials(String username, char[] password) - { - Map userMap = cacheManager.get().getUserMap(name); - if (userMap == null) { - throw new IAE("No userMap is available for authenticator: [%s]", name); - } - - BasicAuthenticatorUser user = userMap.get(username); - if (user == null) { - return false; - } - BasicAuthenticatorCredentials credentials = user.getCredentials(); - if (credentials == null) { - return false; - } - - byte[] recalculatedHash = BasicAuthUtils.hashPassword( - password, - credentials.getSalt(), - credentials.getIterations() - ); - - return Arrays.equals(recalculatedHash, credentials.getHash()); - } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPEscalator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPEscalator.java index dc84ab162f0c..5aa83dde4f10 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPEscalator.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPEscalator.java @@ -22,6 +22,7 @@ import com.fasterxml.jackson.annotation.JsonCreator; import com.fasterxml.jackson.annotation.JsonProperty; import com.fasterxml.jackson.annotation.JsonTypeName; +import org.apache.druid.java.util.common.logger.Logger; import org.apache.druid.java.util.http.client.CredentialedHttpClient; import org.apache.druid.java.util.http.client.HttpClient; import org.apache.druid.java.util.http.client.auth.BasicCredentials; @@ -32,6 +33,8 @@ @JsonTypeName("basic") public class BasicHTTPEscalator implements Escalator { + private static final Logger LOG = new Logger(BasicHTTPEscalator.class); + private final String internalClientUsername; private final PasswordProvider internalClientPassword; private final String authorizerName; @@ -51,6 +54,7 @@ public BasicHTTPEscalator( @Override public HttpClient createEscalatedClient(HttpClient baseClient) { + LOG.debug("----------- Creating escalated client"); return new CredentialedHttpClient( new BasicCredentials(internalClientUsername, internalClientPassword.getPassword()), baseClient @@ -60,6 +64,7 @@ public HttpClient createEscalatedClient(HttpClient baseClient) @Override public AuthenticationResult createEscalatedAuthenticationResult() { + LOG.debug("----------- Creating escalated authentication result. username: %s", this.internalClientUsername); // if you found your self asking why the authenticatedBy field is set to null please read this: // https://github.com/apache/incubator-druid/pull/5706#discussion_r185940889 return new AuthenticationResult(internalClientUsername, authorizerName, null, null); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java new file mode 100644 index 000000000000..cac753d719f8 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/LdapUserPrincipal.java @@ -0,0 +1,136 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authentication; + +import org.apache.druid.java.util.common.StringUtils; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.security.basic.BasicAuthUtils; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; + +import javax.naming.directory.SearchResult; +import java.security.Principal; +import java.time.Instant; +import java.util.Arrays; +import java.util.Objects; +import java.util.concurrent.atomic.AtomicReference; + +public class LdapUserPrincipal implements Principal +{ + private static final Logger LOG = new Logger(LdapUserPrincipal.class); + + private final String name; + private final BasicAuthenticatorCredentials credentials; + private final SearchResult searchResult; + private final Instant createdAt; + private final AtomicReference lastVerified = new AtomicReference<>(); + + public LdapUserPrincipal( + String name, + BasicAuthenticatorCredentials credentials, + SearchResult searchResult + ) + { + this(name, credentials, searchResult, Instant.now()); + } + + private LdapUserPrincipal( + String name, + BasicAuthenticatorCredentials credentials, + SearchResult searchResult, + Instant createdAt + ) + { + Objects.requireNonNull(name, "name is required"); + Objects.requireNonNull(credentials, "credentials is required"); + Objects.requireNonNull(searchResult, "searchResult is required"); + Objects.requireNonNull(createdAt, "createdAt is required"); + + this.name = name; + this.credentials = credentials; + this.searchResult = searchResult; + this.createdAt = createdAt; + this.lastVerified.set(createdAt); + } + + @Override + public String getName() + { + return this.name; + } + + public SearchResult getSearchResult() + { + return searchResult; + } + + public Instant getCreatedAt() + { + return createdAt; + } + + public Instant getLastVerified() + { + return lastVerified.get(); + } + + public boolean hasSameCredentials(char[] password) + { + byte[] recalculatedHash = BasicAuthUtils.hashPassword( + password, + this.credentials.getSalt(), + this.credentials.getIterations() + ); + if (Arrays.equals(recalculatedHash, credentials.getHash())) { + this.lastVerified.set(Instant.now()); + LOG.debug("Refereshing lastVerified principal user '%s'", this.name); + return true; + } else { + return false; + } + } + + public boolean isExpired(int duration, int maxDuration) + { + long now = System.currentTimeMillis(); + + long maxCutoff = now - (maxDuration * 1000L); + if (this.createdAt.toEpochMilli() < maxCutoff) { + long cutoff = now - (duration * 1000L); + if (this.lastVerified.get().toEpochMilli() < cutoff) { + return true; + } else { + return false; + } + } else { + return false; + } + } + + @Override + public String toString() + { + return StringUtils.format( + "LdapUserPrincipal[name=%s, searchResult=%s, createdAt=%s, lastVerified=%s]", + name, + searchResult, + createdAt, + lastVerified); + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheManager.java index 70851058736a..f916950edce6 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheManager.java @@ -30,12 +30,11 @@ public interface BasicAuthenticatorCacheManager { /** - * Update this cache manager's local state with fresh information pushed by the coordinator. - * + * Update this cache manager's local state of user map with fresh information pushed by the coordinator. * @param authenticatorPrefix The name of the authenticator this update applies to. * @param serializedUserMap The updated, serialized user map */ - void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap); + void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap); /** * Return the cache manager's local view of the user map for the authenticator named `authenticatorPrefix`. diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheNotifier.java index 95a631a29218..1aad2be3684c 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/BasicAuthenticatorCacheNotifier.java @@ -30,5 +30,5 @@ public interface BasicAuthenticatorCacheNotifier * @param updatedAuthenticatorPrefix Name of authenticator being updated * @param updatedUserMap User map state */ - void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap); + void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorBasicAuthenticatorCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorBasicAuthenticatorCacheNotifier.java index 465b76a3e7c6..1ee56341d3e7 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorBasicAuthenticatorCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorBasicAuthenticatorCacheNotifier.java @@ -42,9 +42,8 @@ @ManageLifecycle public class CoordinatorBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier { - private final LifecycleLock lifecycleLock = new LifecycleLock(); - private CommonCacheNotifier cacheNotifier; + private final CommonCacheNotifier userCacheNotifier; @Inject public CoordinatorBasicAuthenticatorCacheNotifier( @@ -53,7 +52,7 @@ public CoordinatorBasicAuthenticatorCacheNotifier( @EscalatedClient HttpClient httpClient ) { - cacheNotifier = new CommonCacheNotifier( + userCacheNotifier = new CommonCacheNotifier( initAuthenticatorConfigMap(authenticatorMapper), discoveryProvider, httpClient, @@ -66,11 +65,11 @@ public CoordinatorBasicAuthenticatorCacheNotifier( public void start() { if (!lifecycleLock.canStart()) { - throw new ISE("can't start."); + throw new ISE("Can't start."); } try { - cacheNotifier.start(); + userCacheNotifier.start(); lifecycleLock.started(); } finally { @@ -85,7 +84,7 @@ public void stop() return; } try { - cacheNotifier.stop(); + userCacheNotifier.stop(); } finally { lifecycleLock.exitStop(); @@ -93,10 +92,10 @@ public void stop() } @Override - public void addUpdate(String updatedAuthorizerPrefix, byte[] updatedUserMap) + public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) { Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); - cacheNotifier.addUpdate(updatedAuthorizerPrefix, updatedUserMap); + userCacheNotifier.addUpdate(updatedAuthenticatorPrefix, updatedUserMap); } private Map initAuthenticatorConfigMap(AuthenticatorMapper mapper) diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorPollingBasicAuthenticatorCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorPollingBasicAuthenticatorCacheManager.java index e61e4f639f15..cdfd8027c3be 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorPollingBasicAuthenticatorCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/CoordinatorPollingBasicAuthenticatorCacheManager.java @@ -101,7 +101,7 @@ public void start() throw new ISE("can't start."); } - LOG.info("Starting DefaultBasicAuthenticatorCacheManager."); + LOG.info("Starting CoordinatorPollingBasicAuthenticatorCacheManager."); try { initUserMaps(); @@ -113,17 +113,17 @@ public void start() () -> { try { long randomDelay = ThreadLocalRandom.current().nextLong(0, commonCacheConfig.getMaxRandomDelay()); - LOG.debug("Inserting random polling delay of [%s] ms", randomDelay); + LOG.debug("Inserting cachedUserMaps random polling delay of [%s] ms", randomDelay); Thread.sleep(randomDelay); - LOG.debug("Scheduled cache poll is running"); + LOG.debug("Scheduled user cache poll is running"); for (String authenticatorPrefix : authenticatorPrefixes) { Map userMap = fetchUserMapFromCoordinator(authenticatorPrefix, false); if (userMap != null) { cachedUserMaps.put(authenticatorPrefix, userMap); } } - LOG.debug("Scheduled cache poll is done"); + LOG.debug("Scheduled user cache poll is done"); } catch (Throwable t) { LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit(); @@ -132,7 +132,7 @@ public void start() ); lifecycleLock.started(); - LOG.info("Started DefaultBasicAuthenticatorCacheManager."); + LOG.info("Started CoordinatorPollingBasicAuthenticatorCacheManager."); } finally { lifecycleLock.exitStart(); @@ -146,15 +146,15 @@ public void stop() throw new ISE("can't stop."); } - LOG.info("DefaultBasicAuthenticatorCacheManager is stopping."); + LOG.info("CoordinatorPollingBasicAuthenticatorCacheManager is stopping."); exec.shutdown(); - LOG.info("DefaultBasicAuthenticatorCacheManager is stopped."); + LOG.info("CoordinatorPollingBasicAuthenticatorCacheManager is stopped."); } @Override - public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap) + public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap) { - LOG.debug("Received cache update for authenticator [%s].", authenticatorPrefix); + LOG.debug("Received user cache update for authenticator [%s].", authenticatorPrefix); Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); try { cachedUserMaps.put( @@ -170,7 +170,7 @@ public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] seriali } } catch (Exception e) { - LOG.makeAlert(e, "WTF? Could not deserialize user map received from coordinator.").emit(); + LOG.makeAlert(e, "Could not deserialize user map received from coordinator.").emit(); } } @@ -279,6 +279,7 @@ private void initUserMaps() if (authenticator instanceof BasicHTTPAuthenticator) { String authenticatorName = entry.getKey(); authenticatorPrefixes.add(authenticatorName); + Map userMap = fetchUserMapFromCoordinator(authenticatorName, true); if (userMap != null) { cachedUserMaps.put(authenticatorName, userMap); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/MetadataStoragePollingBasicAuthenticatorCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/MetadataStoragePollingBasicAuthenticatorCacheManager.java index 1a9bfcc02adf..84021c12b5f3 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/MetadataStoragePollingBasicAuthenticatorCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/MetadataStoragePollingBasicAuthenticatorCacheManager.java @@ -47,7 +47,7 @@ public MetadataStoragePollingBasicAuthenticatorCacheManager( } @Override - public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap) + public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap) { } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/NoopBasicAuthenticatorCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/NoopBasicAuthenticatorCacheNotifier.java index ae827b20f631..66ed5115d0c5 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/NoopBasicAuthenticatorCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/cache/NoopBasicAuthenticatorCacheNotifier.java @@ -26,8 +26,14 @@ */ public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier { + /** + * Send the user map state contained in updatedUserMap to all non-coordinator Druid services + * + * @param updatedAuthenticatorPrefix Name of authenticator being updated + * @param updatedUserMap User map state + */ @Override - public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) + public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) { // Do nothing as this is a noop implementation } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java index ab6bb8ed292b..5ce09dca59fe 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java @@ -173,7 +173,7 @@ public ScheduledExecutors.Signal call() return ScheduledExecutors.Signal.STOP; } try { - LOG.debug("Scheduled db poll is running"); + LOG.debug("Scheduled db userMap poll is running"); for (String authenticatorPrefix : authenticatorPrefixes) { byte[] userMapBytes = getCurrentUserMapBytes(authenticatorPrefix); @@ -185,7 +185,7 @@ public ScheduledExecutors.Signal call() cachedUserMaps.put(authenticatorPrefix, new BasicAuthenticatorUserMapBundle(userMap, userMapBytes)); } } - LOG.debug("Scheduled db poll is done"); + LOG.debug("Scheduled db userMap poll is done"); } catch (Throwable t) { LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit(); @@ -277,7 +277,7 @@ public void refreshAllNotification() { cachedUserMaps.forEach( (authenticatorName, userMapBundle) -> { - cacheNotifier.addUpdate(authenticatorName, userMapBundle.getSerializedUserMap()); + cacheNotifier.addUserUpdate(authenticatorName, userMapBundle.getSerializedUserMap()); } ); } @@ -287,40 +287,6 @@ private static String getPrefixedKeyColumn(String keyPrefix, String keyName) return StringUtils.format("basic_authentication_%s_%s", keyPrefix, keyName); } - private boolean tryUpdateUserMap( - String prefix, - Map userMap, - byte[] oldValue, - byte[] newValue - ) - { - try { - MetadataCASUpdate update = new MetadataCASUpdate( - connectorConfig.getConfigTable(), - MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, - MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, - getPrefixedKeyColumn(prefix, USERS), - oldValue, - newValue - ); - - boolean succeeded = connector.compareAndSwap( - Collections.singletonList(update) - ); - - if (succeeded) { - cachedUserMaps.put(prefix, new BasicAuthenticatorUserMapBundle(userMap, newValue)); - cacheNotifier.addUpdate(prefix, newValue); - return true; - } else { - return false; - } - } - catch (Exception e) { - throw new RuntimeException(e); - } - } - private void createUserInternal(String prefix, String userName) { int attempts = 0; @@ -330,12 +296,7 @@ private void createUserInternal(String prefix, String userName) } else { attempts++; } - try { - Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); - } - catch (InterruptedException ie) { - throw new RuntimeException(ie); - } + updateRetryDelay(); } throw new ISE("Could not create user[%s] due to concurrent update contention.", userName); } @@ -349,16 +310,21 @@ private void deleteUserInternal(String prefix, String userName) } else { attempts++; } - try { - Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); - } - catch (InterruptedException ie) { - throw new RuntimeException(ie); - } + updateRetryDelay(); } throw new ISE("Could not delete user[%s] due to concurrent update contention.", userName); } + private void updateRetryDelay() + { + try { + Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); + } + catch (InterruptedException ie) { + throw new RuntimeException(ie); + } + } + private void setUserCredentialsInternal(String prefix, String userName, BasicAuthenticatorCredentialUpdate update) { BasicAuthenticatorCredentials credentials; @@ -371,7 +337,7 @@ private void setUserCredentialsInternal(String prefix, String userName, BasicAut credentials = new BasicAuthenticatorCredentials( new BasicAuthenticatorCredentialUpdate( update.getPassword(), - authenticator.getDbConfig().getIterations() + authenticator.getDbConfig().getCredentialIterations() ) ); } else { @@ -442,4 +408,38 @@ private boolean setUserCredentialOnce(String prefix, String userName, BasicAuthe byte[] newValue = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, userMap); return tryUpdateUserMap(prefix, userMap, oldValue, newValue); } + + private boolean tryUpdateUserMap( + String prefix, + Map userMap, + byte[] oldValue, + byte[] newValue + ) + { + try { + MetadataCASUpdate update = new MetadataCASUpdate( + connectorConfig.getConfigTable(), + MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, + MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, + getPrefixedKeyColumn(prefix, USERS), + oldValue, + newValue + ); + + boolean succeeded = connector.compareAndSwap( + Collections.singletonList(update) + ); + + if (succeeded) { + cachedUserMaps.put(prefix, new BasicAuthenticatorUserMapBundle(userMap, newValue)); + cacheNotifier.addUserUpdate(prefix, newValue); + return true; + } else { + return false; + } + } + catch (Exception e) { + throw new RuntimeException(e); + } + } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java index 5dc1493ac6b0..b14b4fab0caa 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java @@ -211,7 +211,7 @@ public Response getCachedSerializedUserMap( } /** - * Listen for update notifications for the auth storage + * Listen for users update notifications for the auth storage */ @POST @Path("/listen/{authenticatorName}") @@ -224,6 +224,6 @@ public Response authenticatorUpdateListener( byte[] serializedUserMap ) { - return handler.authenticatorUpdateListener(authenticatorName, serializedUserMap); + return handler.authenticatorUserUpdateListener(authenticatorName, serializedUserMap); } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceHandler.java index 35f0d4d405b3..d8b5799cf453 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceHandler.java @@ -46,7 +46,7 @@ public interface BasicAuthenticatorResourceHandler Response refreshAll(); // non-coordinator methods - Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap); + Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap); // common methods Response getLoadStatus(); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/CoordinatorBasicAuthenticatorResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/CoordinatorBasicAuthenticatorResourceHandler.java index 714e3da4e723..615a71067ec9 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/CoordinatorBasicAuthenticatorResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/CoordinatorBasicAuthenticatorResourceHandler.java @@ -179,7 +179,7 @@ public Response refreshAll() } @Override - public Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap) + public Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap) { return Response.status(Response.Status.NOT_FOUND).build(); } @@ -189,9 +189,8 @@ public Response getLoadStatus() { Map loadStatus = new HashMap<>(); authenticatorMap.forEach( - (authenticatorName, authenticator) -> { - loadStatus.put(authenticatorName, storageUpdater.getCachedUserMap(authenticatorName) != null); - } + (authenticatorName, authenticator) -> + loadStatus.put(authenticatorName, storageUpdater.getCachedUserMap(authenticatorName) != null) ); return Response.ok(loadStatus).build(); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/DefaultBasicAuthenticatorResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/DefaultBasicAuthenticatorResourceHandler.java index 4f196f719122..b9a6f611b974 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/DefaultBasicAuthenticatorResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/endpoint/DefaultBasicAuthenticatorResourceHandler.java @@ -109,11 +109,11 @@ public Response refreshAll() } @Override - public Response authenticatorUpdateListener(String authenticatorName, byte[] serializedUserMap) + public Response authenticatorUserUpdateListener(String authenticatorName, byte[] serializedUserMap) { final BasicHTTPAuthenticator authenticator = authenticatorMap.get(authenticatorName); if (authenticator == null) { - String errMsg = StringUtils.format("Received update for unknown authenticator[%s]", authenticatorName); + String errMsg = StringUtils.format("Received user update for unknown authenticator[%s]", authenticatorName); log.error(errMsg); return Response.status(Response.Status.BAD_REQUEST) .entity(ImmutableMap.of( @@ -123,7 +123,7 @@ public Response authenticatorUpdateListener(String authenticatorName, byte[] ser .build(); } - cacheManager.handleAuthenticatorUpdate(authenticatorName, serializedUserMap); + cacheManager.handleAuthenticatorUserMapUpdate(authenticatorName, serializedUserMap); return Response.ok().build(); } @@ -131,10 +131,8 @@ public Response authenticatorUpdateListener(String authenticatorName, byte[] ser public Response getLoadStatus() { Map loadStatus = new HashMap<>(); - authenticatorMap.forEach( - (authenticatorName, authenticator) -> { - loadStatus.put(authenticatorName, cacheManager.getUserMap(authenticatorName) != null); - } + authenticatorMap.forEach((authenticatorName, authenticator) -> + loadStatus.put(authenticatorName, cacheManager.getUserMap(authenticatorName) != null) ); return Response.ok(loadStatus).build(); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorCredentials.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorCredentials.java index ac231af74dee..e31bb7ca0833 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorCredentials.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorCredentials.java @@ -77,7 +77,7 @@ public boolean equals(Object o) if (this == o) { return true; } - if (o == null || getClass() != o.getClass()) { + if (o == null || !getClass().equals(o.getClass())) { return false; } @@ -86,11 +86,8 @@ public boolean equals(Object o) if (getIterations() != that.getIterations()) { return false; } - if (!Arrays.equals(getSalt(), that.getSalt())) { - return false; - } - return Arrays.equals(getHash(), that.getHash()); + return Arrays.equals(getSalt(), that.getSalt()) && Arrays.equals(getHash(), that.getHash()); } @Override diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorUser.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorUser.java index 15603df7e55b..1969b2f7f475 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorUser.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/entity/BasicAuthenticatorUser.java @@ -55,16 +55,14 @@ public boolean equals(Object o) if (this == o) { return true; } - if (o == null || getClass() != o.getClass()) { + if (o == null || !getClass().equals(o.getClass())) { return false; } BasicAuthenticatorUser that = (BasicAuthenticatorUser) o; - if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) { - return false; - } - return getCredentials() != null ? getCredentials().equals(that.getCredentials()) : that.getCredentials() == null; + return (getName() != null ? getName().equals(that.getName()) : that.getName() == null) + && (getCredentials() != null ? getCredentials().equals(that.getCredentials()) : that.getCredentials() == null); } @Override diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/CredentialsValidator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/CredentialsValidator.java new file mode 100644 index 000000000000..8ea9016fc6b2 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/CredentialsValidator.java @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authentication.validator; + +import com.fasterxml.jackson.annotation.JsonSubTypes; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apache.druid.server.security.AuthenticationResult; + +@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type", defaultImpl = MetadataStoreCredentialsValidator.class) +@JsonSubTypes(value = { + @JsonSubTypes.Type(name = "metadata", value = MetadataStoreCredentialsValidator.class), + @JsonSubTypes.Type(name = "ldap", value = LDAPCredentialsValidator.class), +}) +public interface CredentialsValidator +{ + AuthenticationResult validateCredentials( + String authenticatorName, + String authorizerName, + String username, + char[] password + ); +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java new file mode 100644 index 000000000000..9f75d37a409b --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/LDAPCredentialsValidator.java @@ -0,0 +1,296 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authentication.validator; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeName; +import org.apache.druid.java.util.common.StringUtils; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.metadata.PasswordProvider; +import org.apache.druid.security.basic.BasicAuthLDAPConfig; +import org.apache.druid.security.basic.BasicAuthUtils; +import org.apache.druid.security.basic.BasicSecurityAuthenticationException; +import org.apache.druid.security.basic.BasicSecuritySSLSocketFactory; +import org.apache.druid.security.basic.authentication.LdapUserPrincipal; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; +import org.apache.druid.server.security.AuthenticationResult; + +import javax.annotation.Nullable; +import javax.naming.AuthenticationException; +import javax.naming.Context; +import javax.naming.NamingEnumeration; +import javax.naming.NamingException; +import javax.naming.directory.DirContext; +import javax.naming.directory.InitialDirContext; +import javax.naming.directory.SearchControls; +import javax.naming.directory.SearchResult; +import javax.naming.ldap.LdapName; +import java.util.HashMap; +import java.util.LinkedHashMap; +import java.util.Map; +import java.util.Properties; +import java.util.concurrent.locks.ReentrantLock; + +@JsonTypeName("ldap") +public class LDAPCredentialsValidator implements CredentialsValidator +{ + private static final Logger LOG = new Logger(LDAPCredentialsValidator.class); + private static final ReentrantLock LOCK = new ReentrantLock(); + + private final LruBlockCache cache; + + private final BasicAuthLDAPConfig ldapConfig; + + @JsonCreator + public LDAPCredentialsValidator( + @JsonProperty("url") String url, + @JsonProperty("bindUser") String bindUser, + @JsonProperty("bindPassword") PasswordProvider bindPassword, + @JsonProperty("baseDn") String baseDn, + @JsonProperty("userSearch") String userSearch, + @JsonProperty("userAttribute") String userAttribute, + @JsonProperty("credentialIterations") Integer credentialIterations, + @JsonProperty("credentialVerifyDuration") Integer credentialVerifyDuration, + @JsonProperty("credentialMaxDuration") Integer credentialMaxDuration, + @JsonProperty("credentialCacheSize") Integer credentialCacheSize + ) + { + this.ldapConfig = new BasicAuthLDAPConfig( + url, + bindUser, + bindPassword, + baseDn, + userSearch, + userAttribute, + credentialIterations == null ? BasicAuthUtils.DEFAULT_KEY_ITERATIONS : credentialIterations, + credentialVerifyDuration == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_VERIFY_DURATION_SECONDS : credentialVerifyDuration, + credentialMaxDuration == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_MAX_DURATION_SECONDS : credentialMaxDuration, + credentialCacheSize == null ? BasicAuthUtils.DEFAULT_CREDENTIAL_CACHE_SIZE : credentialCacheSize + ); + + this.cache = new LruBlockCache( + this.ldapConfig.getCredentialCacheSize(), + this.ldapConfig.getCredentialVerifyDuration(), + this.ldapConfig.getCredentialMaxDuration() + ); + } + + Properties bindProperties(BasicAuthLDAPConfig ldapConfig) + { + Properties properties = commonProperties(ldapConfig); + properties.put(Context.SECURITY_PRINCIPAL, ldapConfig.getBindUser()); + properties.put(Context.SECURITY_CREDENTIALS, ldapConfig.getBindPassword().getPassword()); + return properties; + } + + Properties userProperties(BasicAuthLDAPConfig ldapConfig, LdapName userDn, char[] password) + { + Properties properties = commonProperties(ldapConfig); + properties.put(Context.SECURITY_PRINCIPAL, userDn.toString()); + properties.put(Context.SECURITY_CREDENTIALS, String.valueOf(password)); + return properties; + } + + Properties commonProperties(BasicAuthLDAPConfig ldapConfig) + { + Properties properties = new Properties(); + properties.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory"); + properties.put(Context.PROVIDER_URL, ldapConfig.getUrl()); + properties.put(Context.SECURITY_AUTHENTICATION, "simple"); + if (StringUtils.toLowerCase(ldapConfig.getUrl()).startsWith("ldaps://")) { + properties.put(Context.SECURITY_PROTOCOL, "ssl"); + properties.put("java.naming.ldap.factory.socket", BasicSecuritySSLSocketFactory.class.getName()); + } + return properties; + } + + @Override + public AuthenticationResult validateCredentials( + String authenticatorName, + String authorizerName, + String username, + char[] password + ) + { + SearchResult userResult; + LdapName userDn; + Map contextMap = new HashMap<>(); + + LdapUserPrincipal principal = this.cache.getOrExpire(username); + if (principal != null && principal.hasSameCredentials(password)) { + contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, principal.getSearchResult()); + return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap); + } else { + try { + InitialDirContext dirContext = new InitialDirContext(bindProperties(this.ldapConfig)); + try { + userResult = getLdapUserObject(this.ldapConfig, dirContext, username); + if (userResult == null) { + LOG.debug("User not found: %s", username); + return null; + } + userDn = new LdapName(userResult.getNameInNamespace()); + } + finally { + try { + dirContext.close(); + } + catch (Exception ignored) { + // ignored + } + } + } + catch (NamingException e) { + LOG.error(e, "Exception during user lookup"); + return null; + } + + if (!validatePassword(this.ldapConfig, userDn, password)) { + LOG.debug("Password incorrect for LDAP user %s", username); + throw new BasicSecurityAuthenticationException("User LDAP authentication failed username[%s].", userDn.toString()); + } + + byte[] salt = BasicAuthUtils.generateSalt(); + byte[] hash = BasicAuthUtils.hashPassword(password, salt, this.ldapConfig.getCredentialIterations()); + LdapUserPrincipal newPrincipal = new LdapUserPrincipal( + username, + new BasicAuthenticatorCredentials(salt, hash, this.ldapConfig.getCredentialIterations()), + userResult + ); + + this.cache.put(username, newPrincipal); + contextMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userResult); + return new AuthenticationResult(username, authorizerName, authenticatorName, contextMap); + } + } + + @Nullable + SearchResult getLdapUserObject(BasicAuthLDAPConfig ldapConfig, DirContext context, String username) + { + try { + SearchControls sc = new SearchControls(); + sc.setSearchScope(SearchControls.SUBTREE_SCOPE); + sc.setReturningAttributes(new String[] {ldapConfig.getUserAttribute(), "memberOf" }); + NamingEnumeration results = context.search( + ldapConfig.getBaseDn(), + StringUtils.format(ldapConfig.getUserSearch(), username), + sc); + try { + if (!results.hasMore()) { + return null; + } + return results.next(); + } + finally { + results.close(); + } + } + catch (NamingException e) { + LOG.debug(e, "Unable to find user '%s'", username); + return null; + } + } + + boolean validatePassword(BasicAuthLDAPConfig ldapConfig, LdapName userDn, char[] password) + { + InitialDirContext context = null; + + try { + context = new InitialDirContext(userProperties(ldapConfig, userDn, password)); + return true; + } + catch (AuthenticationException e) { + return false; + } + catch (NamingException e) { + LOG.error(e, "Exception during LDAP authentication username[%s]", userDn.toString()); + return false; + } + finally { + try { + if (context != null) { + context.close(); + } + } + catch (Exception ignored) { + LOG.warn("Exception closing LDAP context"); + // ignored + } + } + } + + private static class LruBlockCache extends LinkedHashMap + { + private static final long serialVersionUID = 7509410739092012261L; + + private final int cacheSize; + private final int duration; + private final int maxDuration; + + public LruBlockCache(int cacheSize, int duration, int maxDuration) + { + super(16, 0.75f, true); + this.cacheSize = cacheSize; + this.duration = duration; + this.maxDuration = maxDuration; + } + + @Override + protected boolean removeEldestEntry(Map.Entry eldest) + { + return size() > cacheSize; + } + + @Nullable + LdapUserPrincipal getOrExpire(String identity) + { + try { + LOCK.lock(); + LdapUserPrincipal principal = get(identity); + if (principal != null) { + if (principal.isExpired(duration, maxDuration)) { + remove(identity); + return null; + } else { + return principal; + } + } else { + return null; + } + } + finally { + LOCK.unlock(); + } + } + + @Override + public LdapUserPrincipal put(String key, LdapUserPrincipal value) + { + try { + LOCK.lock(); + return super.put(key, value); + } + finally { + LOCK.unlock(); + } + } + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidator.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidator.java new file mode 100644 index 000000000000..9f86f0d50a39 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/validator/MetadataStoreCredentialsValidator.java @@ -0,0 +1,89 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authentication.validator; + +import com.fasterxml.jackson.annotation.JacksonInject; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonTypeName; +import com.google.inject.Provider; +import org.apache.druid.java.util.common.IAE; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.security.basic.BasicAuthUtils; +import org.apache.druid.security.basic.BasicSecurityAuthenticationException; +import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser; +import org.apache.druid.server.security.AuthenticationResult; + +import javax.annotation.Nullable; +import java.util.Arrays; +import java.util.Map; + +@JsonTypeName("metadata") +public class MetadataStoreCredentialsValidator implements CredentialsValidator +{ + private static final Logger LOG = new Logger(MetadataStoreCredentialsValidator.class); + private final Provider cacheManager; + + @JsonCreator + public MetadataStoreCredentialsValidator( + @JacksonInject Provider cacheManager + ) + { + this.cacheManager = cacheManager; + } + + @Override + @Nullable + public AuthenticationResult validateCredentials( + String authenticatorName, + String authorizerName, + String username, + char[] password + ) + { + Map userMap = cacheManager.get().getUserMap(authenticatorName); + if (userMap == null) { + throw new IAE("No userMap is available for authenticator with prefix: [%s]", authenticatorName); + } + + BasicAuthenticatorUser user = userMap.get(username); + if (user == null) { + return null; + } + BasicAuthenticatorCredentials credentials = user.getCredentials(); + if (credentials == null) { + return null; + } + + byte[] recalculatedHash = BasicAuthUtils.hashPassword( + password, + credentials.getSalt(), + credentials.getIterations() + ); + + if (Arrays.equals(recalculatedHash, credentials.getHash())) { + return new AuthenticationResult(username, authorizerName, authenticatorName, null); + } else { + LOG.debug("Password incorrect for metadata store user %s", username); + throw new BasicSecurityAuthenticationException("User metadata store authentication failed username[%s].", username); + } + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java index 8e88ca9efe8b..f307b9ea029e 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java @@ -28,71 +28,80 @@ import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; -import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; import org.apache.druid.server.security.Access; import org.apache.druid.server.security.Action; import org.apache.druid.server.security.AuthenticationResult; import org.apache.druid.server.security.Authorizer; import org.apache.druid.server.security.Resource; +import java.util.HashSet; import java.util.Map; +import java.util.Set; import java.util.regex.Matcher; import java.util.regex.Pattern; @JsonTypeName("basic") public class BasicRoleBasedAuthorizer implements Authorizer { - private final BasicAuthorizerCacheManager cacheManager; private final String name; private final BasicAuthDBConfig dbConfig; - + private final RoleProvider roleProvider; @JsonCreator public BasicRoleBasedAuthorizer( @JacksonInject BasicAuthorizerCacheManager cacheManager, @JsonProperty("name") String name, + @JsonProperty("initialAdminUser") String initialAdminUser, + @JsonProperty("initialAdminRole") String initialAdminRole, + @JsonProperty("initialAdminGroupMapping") String initialAdminGroupMapping, @JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications, - @JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout + @JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout, + @JsonProperty("roleProvider") RoleProvider roleProvider ) { this.name = name; - this.cacheManager = cacheManager; this.dbConfig = new BasicAuthDBConfig( null, null, + initialAdminUser, + initialAdminRole, + initialAdminGroupMapping, enableCacheNotifications == null ? true : enableCacheNotifications, cacheNotificationTimeout == null ? BasicAuthDBConfig.DEFAULT_CACHE_NOTIFY_TIMEOUT_MS : cacheNotificationTimeout, 0 ); + if (roleProvider == null) { + this.roleProvider = new MetadataStoreRoleProvider(cacheManager); + } else { + this.roleProvider = roleProvider; + } } @Override + @SuppressWarnings("unchecked") public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action) { if (authenticationResult == null) { - throw new IAE("WTF? authenticationResult should never be null."); + throw new IAE("authenticationResult is null where it should never be."); } - Map userMap = cacheManager.getUserMap(name); - if (userMap == null) { - throw new IAE("Could not load userMap for authorizer [%s]", name); - } + Set roleNames = new HashSet<>(roleProvider.getRoles(name, authenticationResult)); + Map roleMap = roleProvider.getRoleMap(name); - Map roleMap = cacheManager.getRoleMap(name); + if (roleNames.isEmpty()) { + return new Access(false); + } if (roleMap == null) { throw new IAE("Could not load roleMap for authorizer [%s]", name); } - BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity()); - if (user == null) { - return new Access(false); - } - - for (String roleName : user.getRoles()) { + for (String roleName : roleNames) { BasicAuthorizerRole role = roleMap.get(roleName); - for (BasicAuthorizerPermission permission : role.getPermissions()) { - if (permissionCheck(resource, action, permission)) { - return new Access(true); + if (role != null) { + for (BasicAuthorizerPermission permission : role.getPermissions()) { + if (permissionCheck(resource, action, permission)) { + return new Access(true); + } } } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/LDAPRoleProvider.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/LDAPRoleProvider.java new file mode 100644 index 000000000000..95ffa229cf3e --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/LDAPRoleProvider.java @@ -0,0 +1,224 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization; + +import com.fasterxml.jackson.annotation.JacksonInject; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeName; +import com.google.common.annotations.VisibleForTesting; +import org.apache.druid.java.util.common.IAE; +import org.apache.druid.java.util.common.RE; +import org.apache.druid.java.util.common.StringUtils; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.security.basic.BasicAuthUtils; +import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; +import org.apache.druid.server.security.AuthenticationResult; + +import javax.naming.InvalidNameException; +import javax.naming.NamingException; +import javax.naming.directory.Attribute; +import javax.naming.directory.SearchResult; +import javax.naming.ldap.LdapName; +import java.util.Arrays; +import java.util.HashSet; +import java.util.Locale; +import java.util.Map; +import java.util.Optional; +import java.util.Set; +import java.util.TreeSet; + +@JsonTypeName("ldap") +public class LDAPRoleProvider implements RoleProvider +{ + private static final Logger LOG = new Logger(LDAPRoleProvider.class); + + private final BasicAuthorizerCacheManager cacheManager; + private final String[] groupFilters; + + @JsonCreator + public LDAPRoleProvider( + @JacksonInject BasicAuthorizerCacheManager cacheManager, + @JsonProperty("groupFilters") String[] groupFilters + ) + { + this.cacheManager = cacheManager; + this.groupFilters = groupFilters; + } + + @Override + public Set getRoles(String authorizerPrefix, AuthenticationResult authenticationResult) + { + Set roleNames = new HashSet<>(); + Map groupMappingMap = cacheManager.getGroupMappingMap(authorizerPrefix); + if (groupMappingMap == null) { + throw new IAE("Could not load groupMappingMap for authorizer [%s]", authorizerPrefix); + } + Map userMap = cacheManager.getUserMap(authorizerPrefix); + if (userMap == null) { + throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix); + } + + // Get the groups assigned to the LDAP user + SearchResult searchResult = Optional.ofNullable(authenticationResult.getContext()) + .map(contextMap -> contextMap.get(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY)) + .map(p -> { + if (p instanceof SearchResult) { + return (SearchResult) p; + } else { + return null; + } + }) + .orElse(null); + if (searchResult != null) { + try { + Set groupNamesFromLdap = getGroupsFromLdap(searchResult); + if (groupNamesFromLdap.isEmpty()) { + LOG.debug("User %s is not mapped to any groups", authenticationResult.getIdentity()); + } else { + // Get the roles mapped to LDAP groups from the metastore. + // This allows us to authorize groups LDAP user belongs + roleNames.addAll(getRoles(groupMappingMap, groupNamesFromLdap)); + } + } + catch (NamingException e) { + LOG.error(e, "Exception in looking up groups for user %s", authenticationResult.getIdentity()); + } + } + + // Get the roles assigned to LDAP user from the metastore. + // This allow us to authorize LDAP users regardless of whether they belong to any groups or not in LDAP. + BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity()); + if (user != null) { + roleNames.addAll(user.getRoles()); + } + + return roleNames; + } + + @Override + public Map getRoleMap(String authorizerPrefix) + { + return cacheManager.getRoleMap(authorizerPrefix); + } + + @VisibleForTesting + public Set getRoles(Map groupMappingMap, Set groupNamesFromLdap) + { + Set roles = new HashSet<>(); + + if (groupMappingMap.size() == 0) { + return roles; + } + + for (LdapName groupName : groupNamesFromLdap) { + for (Map.Entry groupMappingEntry : groupMappingMap.entrySet()) { + BasicAuthorizerGroupMapping groupMapping = groupMappingEntry.getValue(); + String mask = groupMapping.getGroupPattern(); + try { + if (mask.startsWith("*,")) { + LdapName ln = new LdapName(mask.substring(2)); + if (groupName.startsWith(ln)) { + roles.addAll(groupMapping.getRoles()); + } + } else if (mask.endsWith(",*")) { + LdapName ln = new LdapName(mask.substring(0, mask.length() - 2)); + if (groupName.endsWith(ln)) { + roles.addAll(groupMapping.getRoles()); + } + } else { + LdapName ln = new LdapName(mask); + if (groupName.equals(ln)) { + roles.addAll(groupMapping.getRoles()); + } + } + } + catch (InvalidNameException e) { + throw new RuntimeException(String.format(Locale.getDefault(), + "Configuration problem - Invalid groupMapping '%s'", mask)); + } + } + } + return roles; + } + + Set getGroupsFromLdap(SearchResult userResult) throws NamingException + { + Set groups = new TreeSet<>(); + + Attribute memberOf = userResult.getAttributes().get("memberOf"); + if (memberOf == null) { + LOG.debug("No memberOf attributes"); + return groups; // not part of any groups + } + + for (int i = 0; i < memberOf.size(); i++) { + String memberDn = memberOf.get(i).toString(); + LdapName ln; + try { + ln = new LdapName(memberDn); + } + catch (InvalidNameException e) { + LOG.debug("Invalid LDAP name: %s", memberDn); + continue; + } + if (this.groupFilters != null) { + if (allowedLdapGroup(ln, new TreeSet<>(Arrays.asList(this.groupFilters)))) { + groups.add(ln); + } + } else { + groups.add(ln); + } + } + return groups; + } + + boolean allowedLdapGroup(LdapName groupName, Set groupFilters) + { + for (String filter : groupFilters) { + try { + if (filter.startsWith("*,")) { + LdapName ln = new LdapName(filter.substring(2)); + if (groupName.startsWith(ln)) { + return true; + } + } else if (filter.endsWith(",*")) { + LdapName ln = new LdapName(filter.substring(0, filter.length() - 2)); + if (groupName.endsWith(ln)) { + return true; + } + } else { + LOG.debug("Attempting exact filter %s", filter); + LdapName ln = new LdapName(filter); + if (groupName.equals(ln)) { + return true; + } + } + } + catch (InvalidNameException e) { + throw new RE(StringUtils.format("Configuration problem - Invalid groupFilter '%s'", filter)); + } + } + return false; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/MetadataStoreRoleProvider.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/MetadataStoreRoleProvider.java new file mode 100644 index 000000000000..7dc05ccc8c80 --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/MetadataStoreRoleProvider.java @@ -0,0 +1,72 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization; + +import com.fasterxml.jackson.annotation.JacksonInject; +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonTypeName; +import org.apache.druid.java.util.common.IAE; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; +import org.apache.druid.server.security.AuthenticationResult; + +import java.util.HashSet; +import java.util.Map; +import java.util.Set; + +@JsonTypeName("metadata") +public class MetadataStoreRoleProvider implements RoleProvider +{ + private static final Logger LOG = new Logger(MetadataStoreRoleProvider.class); + private final BasicAuthorizerCacheManager cacheManager; + + @JsonCreator + public MetadataStoreRoleProvider( + @JacksonInject BasicAuthorizerCacheManager cacheManager + ) + { + this.cacheManager = cacheManager; + } + + @Override + public Set getRoles(String authorizerPrefix, AuthenticationResult authenticationResult) + { + Set roleNames = new HashSet<>(); + + Map userMap = cacheManager.getUserMap(authorizerPrefix); + if (userMap == null) { + throw new IAE("Could not load userMap for authorizer [%s]", authorizerPrefix); + } + + BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity()); + if (user != null) { + roleNames.addAll(user.getRoles()); + } + return roleNames; + } + + @Override + public Map getRoleMap(String authorizerPrefix) + { + return cacheManager.getRoleMap(authorizerPrefix); + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/RoleProvider.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/RoleProvider.java new file mode 100644 index 000000000000..1e8b9bf4351a --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/RoleProvider.java @@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization; + +import com.fasterxml.jackson.annotation.JsonSubTypes; +import com.fasterxml.jackson.annotation.JsonTypeInfo; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; +import org.apache.druid.server.security.AuthenticationResult; + +import java.util.Map; +import java.util.Set; + +@JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "type", defaultImpl = MetadataStoreRoleProvider.class) +@JsonSubTypes(value = { + @JsonSubTypes.Type(name = "metadata", value = MetadataStoreRoleProvider.class), + @JsonSubTypes.Type(name = "ldap", value = LDAPRoleProvider.class), +}) +public interface RoleProvider +{ + Set getRoles(String authorizerPrefix, AuthenticationResult authenticationResult); + Map getRoleMap(String authorizerPrefix); +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheManager.java index ca2a0b9da7fa..7515d782f49a 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheManager.java @@ -19,6 +19,7 @@ package org.apache.druid.security.basic.authorization.db.cache; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; @@ -32,11 +33,18 @@ public interface BasicAuthorizerCacheManager { /** * Update this cache manager's local state with fresh information pushed by the coordinator. - * * @param authorizerPrefix The name of the authorizer this update applies to. * @param serializedUserAndRoleMap The updated, serialized user and role maps */ - void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap); + void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap); + + /** + * Update this cache manager's local state with fresh information pushed by the coordinator. + * @param authorizerPrefix The name of the authorizer this update applies to. + * @param serializedGroupMappingAndRoleMap The updated, serialized group and role maps + * */ + void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap); + /** * Return the cache manager's local view of the user map for the authorizer named `authorizerPrefix`. @@ -53,4 +61,20 @@ public interface BasicAuthorizerCacheManager * @return Role map */ Map getRoleMap(String authorizerPrefix); + + /** + * Return the cache manager's local view of the groupMapping map for the authorizer named `authorizerPrefix`. + * + * @param authorizerPrefix The name of the authorizer + * @return GroupMapping map + */ + Map getGroupMappingMap(String authorizerPrefix); + + /** + * Return the cache manager's local view of the groupMapping-role map for the authorizer named `authorizerPrefix`. + * + * @param authorizerPrefix The name of the authorizer + * @return Role map + */ + Map getGroupMappingRoleMap(String authorizerPrefix); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheNotifier.java index 455f636e5ba1..e655e3bcc32c 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/BasicAuthorizerCacheNotifier.java @@ -26,9 +26,15 @@ public interface BasicAuthorizerCacheNotifier { /** * Send the user map state contained in updatedUserMap to all non-coordinator Druid services - * - * @param authorizerPrefix Name of authorizer being updated + * @param authorizerPrefix Name of authorizer being updated * @param userAndRoleMap User/role map state */ - void addUpdate(String authorizerPrefix, byte[] userAndRoleMap); + void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap); + + /** + * Send the groupMapping map state contained in updatedGroupMappingMap to all non-coordinator Druid services + * @param authorizerPrefix Name of authorizer being updated + * @param groupMappingAndRoleMap Group/role map state + */ + void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap); } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorBasicAuthorizerCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorBasicAuthorizerCacheNotifier.java index 85c1a1caedc3..328facf17a74 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorBasicAuthorizerCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorBasicAuthorizerCacheNotifier.java @@ -44,7 +44,8 @@ public class CoordinatorBasicAuthorizerCacheNotifier implements BasicAuthorizerC { private final LifecycleLock lifecycleLock = new LifecycleLock(); - private CommonCacheNotifier cacheNotifier; + private final CommonCacheNotifier cacheUserNotifier; + private final CommonCacheNotifier cacheGroupMappingNotifier; @Inject public CoordinatorBasicAuthorizerCacheNotifier( @@ -53,11 +54,18 @@ public CoordinatorBasicAuthorizerCacheNotifier( @EscalatedClient HttpClient httpClient ) { - cacheNotifier = new CommonCacheNotifier( + cacheUserNotifier = new CommonCacheNotifier( getAuthorizerConfigMap(authorizerMapper), discoveryProvider, httpClient, - "/druid-ext/basic-security/authorization/listen/%s", + "/druid-ext/basic-security/authorization/listen/users/%s", + "CoordinatorBasicAuthorizerCacheNotifier" + ); + cacheGroupMappingNotifier = new CommonCacheNotifier( + getAuthorizerConfigMap(authorizerMapper), + discoveryProvider, + httpClient, + "/druid-ext/basic-security/authorization/listen/groupMappings/%s", "CoordinatorBasicAuthorizerCacheNotifier" ); } @@ -70,7 +78,8 @@ public void start() } try { - cacheNotifier.start(); + cacheUserNotifier.start(); + cacheGroupMappingNotifier.start(); lifecycleLock.started(); } finally { @@ -85,7 +94,8 @@ public void stop() return; } try { - cacheNotifier.stop(); + cacheUserNotifier.stop(); + cacheGroupMappingNotifier.stop(); } finally { lifecycleLock.exitStop(); @@ -93,10 +103,17 @@ public void stop() } @Override - public void addUpdate(String updatedAuthorizerPrefix, byte[] updatedUserMap) + public void addUpdateUser(String updatedAuthorizerPrefix, byte[] userAndRoleMap) + { + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + cacheUserNotifier.addUpdate(updatedAuthorizerPrefix, userAndRoleMap); + } + + @Override + public void addUpdateGroupMapping(String updatedAuthorizerPrefix, byte[] groupMappingAndRoleMap) { Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); - cacheNotifier.addUpdate(updatedAuthorizerPrefix, updatedUserMap); + cacheGroupMappingNotifier.addUpdate(updatedAuthorizerPrefix, groupMappingAndRoleMap); } private Map getAuthorizerConfigMap(AuthorizerMapper mapper) diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.java index 65c9ba37279e..d458d977a490 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/CoordinatorPollingBasicAuthorizerCacheManager.java @@ -43,8 +43,10 @@ import org.apache.druid.security.basic.BasicAuthCommonCacheConfig; import org.apache.druid.security.basic.BasicAuthUtils; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; +import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap; import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap; import org.apache.druid.server.security.Authorizer; import org.apache.druid.server.security.AuthorizerMapper; @@ -69,6 +71,8 @@ public class CoordinatorPollingBasicAuthorizerCacheManager implements BasicAutho private final ConcurrentHashMap> cachedUserMaps; private final ConcurrentHashMap> cachedRoleMaps; + private final ConcurrentHashMap> cachedGroupMappingMaps; + private final ConcurrentHashMap> cachedGroupMappingRoleMaps; private final Set authorizerPrefixes; private final Injector injector; @@ -92,6 +96,8 @@ public CoordinatorPollingBasicAuthorizerCacheManager( this.objectMapper = objectMapper; this.cachedUserMaps = new ConcurrentHashMap<>(); this.cachedRoleMaps = new ConcurrentHashMap<>(); + this.cachedGroupMappingMaps = new ConcurrentHashMap<>(); + this.cachedGroupMappingRoleMaps = new ConcurrentHashMap<>(); this.authorizerPrefixes = new HashSet<>(); this.druidLeaderClient = druidLeaderClient; } @@ -118,7 +124,7 @@ public void start() LOG.debug("Inserting random polling delay of [%s] ms", randomDelay); Thread.sleep(randomDelay); - LOG.debug("Scheduled cache poll is running"); + LOG.debug("Scheduled userMap cache poll is running"); for (String authorizerPrefix : authorizerPrefixes) { UserAndRoleMap userAndRoleMap = fetchUserAndRoleMapFromCoordinator(authorizerPrefix, false); if (userAndRoleMap != null) { @@ -126,7 +132,7 @@ public void start() cachedRoleMaps.put(authorizerPrefix, userAndRoleMap.getRoleMap()); } } - LOG.debug("Scheduled cache poll is done"); + LOG.debug("Scheduled userMap cache poll is done"); } catch (Throwable t) { LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit(); @@ -134,6 +140,32 @@ public void start() } ); + ScheduledExecutors.scheduleWithFixedDelay( + exec, + new Duration(commonCacheConfig.getPollingPeriod()), + new Duration(commonCacheConfig.getPollingPeriod()), + () -> { + try { + long randomDelay = ThreadLocalRandom.current().nextLong(0, commonCacheConfig.getMaxRandomDelay()); + LOG.debug("Inserting random polling delay of [%s] ms", randomDelay); + Thread.sleep(randomDelay); + + LOG.debug("Scheduled groupMappingMap cache poll is running"); + for (String authorizerPrefix : authorizerPrefixes) { + GroupMappingAndRoleMap groupMappingAndRoleMap = fetchGroupAndRoleMapFromCoordinator(authorizerPrefix, false); + if (groupMappingAndRoleMap != null) { + cachedGroupMappingMaps.put(authorizerPrefix, groupMappingAndRoleMap.getGroupMappingMap()); + cachedGroupMappingRoleMaps.put(authorizerPrefix, groupMappingAndRoleMap.getRoleMap()); + } + } + LOG.debug("Scheduled groupMappingMap cache poll is done"); + } + catch (Throwable t) { + LOG.makeAlert(t, "Error occured while polling for cachedGroupMappingMaps.").emit(); + } + } + ); + lifecycleLock.started(); LOG.info("Started CoordinatorPollingBasicAuthorizerCacheManager."); } @@ -155,9 +187,9 @@ public void stop() } @Override - public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap) + public void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap) { - LOG.debug("Received cache update for authorizer [%s].", authorizerPrefix); + LOG.debug("Received userMap cache update for authorizer [%s].", authorizerPrefix); Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); try { UserAndRoleMap userAndRoleMap = objectMapper.readValue( @@ -169,7 +201,7 @@ public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUse cachedRoleMaps.put(authorizerPrefix, userAndRoleMap.getRoleMap()); if (commonCacheConfig.getCacheDirectory() != null) { - writeMapToDisk(authorizerPrefix, serializedUserAndRoleMap); + writeUserMapToDisk(authorizerPrefix, serializedUserAndRoleMap); } } catch (Exception e) { @@ -177,6 +209,29 @@ public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUse } } + @Override + public void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap) + { + LOG.debug("Received groupMappingMap cache update for authorizer [%s].", authorizerPrefix); + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + try { + GroupMappingAndRoleMap groupMappingAndRoleMap = objectMapper.readValue( + serializedGroupMappingAndRoleMap, + BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE + ); + + cachedGroupMappingMaps.put(authorizerPrefix, groupMappingAndRoleMap.getGroupMappingMap()); + cachedGroupMappingRoleMaps.put(authorizerPrefix, groupMappingAndRoleMap.getRoleMap()); + + if (commonCacheConfig.getCacheDirectory() != null) { + writeGroupMappingMapToDisk(authorizerPrefix, serializedGroupMappingAndRoleMap); + } + } + catch (Exception e) { + LOG.makeAlert(e, "Could not deserialize groupMapping/role map received from coordinator.").emit(); + } + } + @Override public Map getUserMap(String authorizerPrefix) { @@ -189,9 +244,26 @@ public Map getRoleMap(String authorizerPrefix) return cachedRoleMaps.get(authorizerPrefix); } + @Override + public Map getGroupMappingMap(String authorizerPrefix) + { + return cachedGroupMappingMaps.get(authorizerPrefix); + } + + @Override + public Map getGroupMappingRoleMap(String authorizerPrefix) + { + return cachedGroupMappingRoleMaps.get(authorizerPrefix); + } + private String getUserRoleMapFilename(String prefix) { - return StringUtils.format("%s.authorizer.cache", prefix); + return StringUtils.format("%s.authorizer.userRole.cache", prefix); + } + + private String getGroupMappingRoleMapFilename(String prefix) + { + return StringUtils.format("%s.authorizer.groupMappingRole.cache", prefix); } @Nullable @@ -207,7 +279,20 @@ private UserAndRoleMap loadUserAndRoleMapFromDisk(String prefix) throws IOExcept ); } - private void writeMapToDisk(String prefix, byte[] userMapBytes) throws IOException + @Nullable + private GroupMappingAndRoleMap loadGroupMappingAndRoleMapFromDisk(String prefix) throws IOException + { + File groupMappingAndRoleMapFile = new File(commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(prefix)); + if (!groupMappingAndRoleMapFile.exists()) { + return null; + } + return objectMapper.readValue( + groupMappingAndRoleMapFile, + BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE + ); + } + + private void writeUserMapToDisk(String prefix, byte[] userMapBytes) throws IOException { File cacheDir = new File(commonCacheConfig.getCacheDirectory()); cacheDir.mkdirs(); @@ -221,13 +306,27 @@ private void writeMapToDisk(String prefix, byte[] userMapBytes) throws IOExcepti ); } + private void writeGroupMappingMapToDisk(String prefix, byte[] groupMappingBytes) throws IOException + { + File cacheDir = new File(commonCacheConfig.getCacheDirectory()); + cacheDir.mkdirs(); + File groupMapFile = new File(commonCacheConfig.getCacheDirectory(), getGroupMappingRoleMapFilename(prefix)); + FileUtils.writeAtomically( + groupMapFile, + out -> { + out.write(groupMappingBytes); + return null; + } + ); + } + @Nullable private UserAndRoleMap fetchUserAndRoleMapFromCoordinator(String prefix, boolean isInit) { try { return RetryUtils.retry( () -> { - return tryFetchMapsFromCoordinator(prefix); + return tryFetchUserMapsFromCoordinator(prefix); }, e -> true, commonCacheConfig.getMaxSyncRetries() @@ -252,7 +351,38 @@ private UserAndRoleMap fetchUserAndRoleMapFromCoordinator(String prefix, boolean } } - private UserAndRoleMap tryFetchMapsFromCoordinator( + @Nullable + private GroupMappingAndRoleMap fetchGroupAndRoleMapFromCoordinator(String prefix, boolean isInit) + { + try { + return RetryUtils.retry( + () -> { + return tryFetchGroupMappingMapsFromCoordinator(prefix); + }, + e -> true, + commonCacheConfig.getMaxSyncRetries() + ); + } + catch (Exception e) { + LOG.makeAlert(e, "Encountered exception while fetching group and role map for authorizer [%s]", prefix).emit(); + if (isInit) { + if (commonCacheConfig.getCacheDirectory() != null) { + try { + LOG.info("Attempting to load group map snapshot from disk."); + return loadGroupMappingAndRoleMapFromDisk(prefix); + } + catch (Exception e2) { + e2.addSuppressed(e); + LOG.makeAlert(e2, "Encountered exception while loading group-role map snapshot for authorizer [%s]", prefix) + .emit(); + } + } + } + return null; + } + } + + private UserAndRoleMap tryFetchUserMapsFromCoordinator( String prefix ) throws Exception { @@ -271,11 +401,35 @@ private UserAndRoleMap tryFetchMapsFromCoordinator( BasicAuthUtils.AUTHORIZER_USER_AND_ROLE_MAP_TYPE_REFERENCE ); if (userAndRoleMap != null && commonCacheConfig.getCacheDirectory() != null) { - writeMapToDisk(prefix, userRoleMapBytes); + writeUserMapToDisk(prefix, userRoleMapBytes); } return userAndRoleMap; } + private GroupMappingAndRoleMap tryFetchGroupMappingMapsFromCoordinator( + String prefix + ) throws Exception + { + Request req = druidLeaderClient.makeRequest( + HttpMethod.GET, + StringUtils.format("/druid-ext/basic-security/authorization/db/%s/cachedSerializedGroupMappingMap", prefix) + ); + BytesFullResponseHolder responseHolder = druidLeaderClient.go( + req, + new BytesFullResponseHandler() + ); + byte[] groupRoleMapBytes = responseHolder.getContent(); + + GroupMappingAndRoleMap groupMappingAndRoleMap = objectMapper.readValue( + groupRoleMapBytes, + BasicAuthUtils.AUTHORIZER_GROUP_MAPPING_AND_ROLE_MAP_TYPE_REFERENCE + ); + if (groupMappingAndRoleMap != null && commonCacheConfig.getCacheDirectory() != null) { + writeGroupMappingMapToDisk(prefix, groupRoleMapBytes); + } + return groupMappingAndRoleMap; + } + private void initUserMaps() { AuthorizerMapper authorizerMapper = injector.getInstance(AuthorizerMapper.class); @@ -289,11 +443,18 @@ private void initUserMaps() if (authorizer instanceof BasicRoleBasedAuthorizer) { String authorizerName = entry.getKey(); authorizerPrefixes.add(authorizerName); + UserAndRoleMap userAndRoleMap = fetchUserAndRoleMapFromCoordinator(authorizerName, true); if (userAndRoleMap != null) { cachedUserMaps.put(authorizerName, userAndRoleMap.getUserMap()); cachedRoleMaps.put(authorizerName, userAndRoleMap.getRoleMap()); } + + GroupMappingAndRoleMap groupMappingAndRoleMap = fetchGroupAndRoleMapFromCoordinator(authorizerName, true); + if (groupMappingAndRoleMap != null) { + cachedGroupMappingMaps.put(authorizerName, groupMappingAndRoleMap.getGroupMappingMap()); + cachedGroupMappingRoleMaps.put(authorizerName, groupMappingAndRoleMap.getRoleMap()); + } } } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/MetadataStoragePollingBasicAuthorizerCacheManager.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/MetadataStoragePollingBasicAuthorizerCacheManager.java index 2c2c38587077..075b40ecadd1 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/MetadataStoragePollingBasicAuthorizerCacheManager.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/MetadataStoragePollingBasicAuthorizerCacheManager.java @@ -21,6 +21,7 @@ import com.google.inject.Inject; import org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; @@ -39,7 +40,13 @@ public MetadataStoragePollingBasicAuthorizerCacheManager( } @Override - public void handleAuthorizerUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap) + public void handleAuthorizerUserUpdate(String authorizerPrefix, byte[] serializedUserAndRoleMap) + { + + } + + @Override + public void handleAuthorizerGroupMappingUpdate(String authorizerPrefix, byte[] serializedGroupMappingAndRoleMap) { } @@ -55,4 +62,16 @@ public Map getRoleMap(String authorizerPrefix) { return storageUpdater.getCachedRoleMap(authorizerPrefix); } + + @Override + public Map getGroupMappingMap(String authorizerPrefix) + { + return storageUpdater.getCachedGroupMappingMap(authorizerPrefix); + } + + @Override + public Map getGroupMappingRoleMap(String authorizerPrefix) + { + return getRoleMap(authorizerPrefix); + } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/NoopBasicAuthorizerCacheNotifier.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/NoopBasicAuthorizerCacheNotifier.java index 1df596e51ab1..66d1f50aa78f 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/NoopBasicAuthorizerCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/cache/NoopBasicAuthorizerCacheNotifier.java @@ -26,8 +26,26 @@ */ public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier { + /** + * Send the user map state contained in updatedUserMap to all non-coordinator Druid services + * + * @param authorizerPrefix Name of authorizer being updated + * @param userAndRoleMap User/role map state + */ @Override - public void addUpdate(String authorizerPrefix, byte[] userAndRoleMap) + public void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap) + { + // Do nothing as this is a noop implementation + } + + /** + * Send the groupMapping map state contained in updatedGroupMappingMap to all non-coordinator Druid services + * + * @param authorizerPrefix Name of authorizer being updated + * @param groupMappingAndRoleMap Group/role map state + */ + @Override + public void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap) { // Do nothing as this is a noop implementation } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/BasicAuthorizerMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/BasicAuthorizerMetadataStorageUpdater.java index 0cfb394f12eb..e47830bc6c0f 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/BasicAuthorizerMetadataStorageUpdater.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/BasicAuthorizerMetadataStorageUpdater.java @@ -19,6 +19,7 @@ package org.apache.druid.security.basic.authorization.db.updater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; import org.apache.druid.server.security.ResourceAction; @@ -38,22 +39,34 @@ public interface BasicAuthorizerMetadataStorageUpdater void deleteUser(String prefix, String userName); + void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping); + + void deleteGroupMapping(String prefix, String groupMappingName); + void createRole(String prefix, String roleName); void deleteRole(String prefix, String roleName); - void assignRole(String prefix, String userName, String roleName); + void assignUserRole(String prefix, String userName, String roleName); + + void unassignUserRole(String prefix, String userName, String roleName); - void unassignRole(String prefix, String userName, String roleName); + void assignGroupMappingRole(String prefix, String groupMappingName, String roleName); + + void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName); void setPermissions(String prefix, String roleName, List permissions); Map getCachedUserMap(String prefix); + Map getCachedGroupMappingMap(String prefix); + Map getCachedRoleMap(String prefix); byte[] getCurrentUserMapBytes(String prefix); + byte[] getCurrentGroupMappingMapBytes(String prefix); + byte[] getCurrentRoleMapBytes(String prefix); void refreshAllNotification(); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java index e2b5849aad3e..01f409adf8ce 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java @@ -38,15 +38,19 @@ import org.apache.druid.metadata.MetadataStorageConnector; import org.apache.druid.metadata.MetadataStorageTablesConfig; import org.apache.druid.security.basic.BasicAuthCommonCacheConfig; +import org.apache.druid.security.basic.BasicAuthDBConfig; import org.apache.druid.security.basic.BasicAuthUtils; import org.apache.druid.security.basic.BasicSecurityDBResourceException; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheNotifier; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingMapBundle; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleMapBundle; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle; +import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap; import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap; import org.apache.druid.server.security.Action; import org.apache.druid.server.security.Authorizer; @@ -56,14 +60,15 @@ import org.apache.druid.server.security.ResourceType; import org.joda.time.Duration; +import javax.annotation.Nonnull; import javax.annotation.Nullable; import java.io.IOException; import java.util.ArrayList; +import java.util.Collections; import java.util.HashSet; import java.util.List; import java.util.Map; import java.util.Set; -import java.util.concurrent.Callable; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.ScheduledExecutorService; import java.util.concurrent.ThreadLocalRandom; @@ -78,6 +83,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu private static final long UPDATE_RETRY_DELAY = 1000; private static final String USERS = "users"; + private static final String GROUP_MAPPINGS = "groupMappings"; private static final String ROLES = "roles"; public static final List SUPERUSER_PERMISSIONS = makeSuperUserPermissions(); @@ -91,6 +97,7 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdater implements BasicAu private final int numRetries = 5; private final Map cachedUserMaps; + private final Map cachedGroupMappingMaps; private final Map cachedRoleMaps; private final Set authorizerNames; @@ -118,6 +125,7 @@ public CoordinatorBasicAuthorizerMetadataStorageUpdater( this.objectMapper = objectMapper; this.cacheNotifier = cacheNotifier; this.cachedUserMaps = new ConcurrentHashMap<>(); + this.cachedGroupMappingMaps = new ConcurrentHashMap<>(); this.cachedRoleMaps = new ConcurrentHashMap<>(); this.authorizerNames = new HashSet<>(); } @@ -138,6 +146,8 @@ public void start() for (Map.Entry entry : authorizerMapper.getAuthorizerMap().entrySet()) { Authorizer authorizer = entry.getValue(); if (authorizer instanceof BasicRoleBasedAuthorizer) { + BasicRoleBasedAuthorizer basicRoleBasedAuthorizer = (BasicRoleBasedAuthorizer) authorizer; + BasicAuthDBConfig dbConfig = basicRoleBasedAuthorizer.getDbConfig(); String authorizerName = entry.getKey(); authorizerNames.add(authorizerName); @@ -148,6 +158,13 @@ public void start() ); cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes)); + byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + groupMappingMapBytes + ); + cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes)); + byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName); Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( objectMapper, @@ -155,7 +172,11 @@ public void start() ); cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes)); - initSuperusers(authorizerName, userMap, roleMap); + initSuperUsersAndGroupMapping(authorizerName, userMap, roleMap, groupMappingMap, + dbConfig.getInitialAdminUser(), + dbConfig.getInitialAdminRole(), + dbConfig.getInitialAdminGroupMapping() + ); } } @@ -163,47 +184,53 @@ public void start() exec, new Duration(commonCacheConfig.getPollingPeriod()), new Duration(commonCacheConfig.getPollingPeriod()), - new Callable() - { - @Override - public ScheduledExecutors.Signal call() - { - if (stopped) { - return ScheduledExecutors.Signal.STOP; - } - try { - LOG.debug("Scheduled db poll is running"); - for (String authorizerName : authorizerNames) { - - byte[] userMapBytes = getCurrentUserMapBytes(authorizerName); - Map userMap = BasicAuthUtils.deserializeAuthorizerUserMap( - objectMapper, - userMapBytes - ); - if (userMapBytes != null) { - synchronized (cachedUserMaps) { - cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes)); - } + () -> { + if (stopped) { + return ScheduledExecutors.Signal.STOP; + } + try { + LOG.debug("Scheduled db poll is running"); + for (String authorizerName : authorizerNames) { + + byte[] userMapBytes = getCurrentUserMapBytes(authorizerName); + Map userMap = BasicAuthUtils.deserializeAuthorizerUserMap( + objectMapper, + userMapBytes + ); + if (userMapBytes != null) { + synchronized (cachedUserMaps) { + cachedUserMaps.put(authorizerName, new BasicAuthorizerUserMapBundle(userMap, userMapBytes)); } + } - byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName); - Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( - objectMapper, - roleMapBytes - ); - if (roleMapBytes != null) { - synchronized (cachedUserMaps) { - cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes)); - } + byte[] groupMappingMapBytes = getCurrentGroupMappingMapBytes(authorizerName); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + groupMappingMapBytes + ); + if (groupMappingMapBytes != null) { + synchronized (cachedGroupMappingMaps) { + cachedGroupMappingMaps.put(authorizerName, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, groupMappingMapBytes)); + } + } + + byte[] roleMapBytes = getCurrentRoleMapBytes(authorizerName); + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + roleMapBytes + ); + if (roleMapBytes != null) { + synchronized (cachedRoleMaps) { + cachedRoleMaps.put(authorizerName, new BasicAuthorizerRoleMapBundle(roleMap, roleMapBytes)); } } - LOG.debug("Scheduled db poll is done"); - } - catch (Throwable t) { - LOG.makeAlert(t, "Error occured while polling for cachedUserMaps.").emit(); } - return ScheduledExecutors.Signal.REPEAT; + LOG.debug("Scheduled db poll is done"); + } + catch (Throwable t) { + LOG.makeAlert(t, "Error occured while polling for cachedUserMaps, cachedGroupMappingMaps, cachedRoleMaps.").emit(); } + return ScheduledExecutors.Signal.REPEAT; } ); @@ -239,7 +266,69 @@ private boolean tryUpdateUserMap( byte[] newUserMapValue ) { - return tryUpdateUserAndRoleMap(prefix, userMap, oldUserMapValue, newUserMapValue, null, null, null); + try { + List updates = new ArrayList<>(); + if (userMap != null) { + updates.add( + createMetadataCASUpdate(prefix, oldUserMapValue, newUserMapValue, USERS) + ); + + boolean succeeded = connector.compareAndSwap(updates); + if (succeeded) { + cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue)); + + byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap); + + return true; + } else { + return false; + } + } + return false; + } + catch (Exception e) { + throw new RuntimeException(e); + } + } + + private boolean tryUpdateGroupMappingMap( + String prefix, + Map groupMappingMap, + byte[] oldGroupMappingMapValue, + byte[] newGroupMappingMapValue + ) + { + try { + List updates = new ArrayList<>(); + if (groupMappingMap != null) { + updates.add( + createMetadataCASUpdate(prefix, oldGroupMappingMapValue, newGroupMappingMapValue, GROUP_MAPPINGS) + ); + + + boolean succeeded = connector.compareAndSwap(updates); + if (succeeded) { + cachedGroupMappingMaps.put(prefix, + new BasicAuthorizerGroupMappingMapBundle( + groupMappingMap, + newGroupMappingMapValue + ) + ); + + byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap); + + return true; + } else { + return false; + } + } + return false; + } + catch (Exception e) { + throw new RuntimeException(e); + } } private boolean tryUpdateRoleMap( @@ -249,7 +338,33 @@ private boolean tryUpdateRoleMap( byte[] newRoleMapValue ) { - return tryUpdateUserAndRoleMap(prefix, null, null, null, roleMap, oldRoleMapValue, newRoleMapValue); + try { + List updates = new ArrayList<>(); + if (roleMap != null) { + updates.add( + createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES) + ); + + boolean succeeded = connector.compareAndSwap(updates); + if (succeeded) { + + cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue)); + + byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap); + byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap); + + return true; + } else { + return false; + } + } + return false; + } + catch (Exception e) { + throw new RuntimeException(e); + } } private boolean tryUpdateUserAndRoleMap( @@ -264,55 +379,91 @@ private boolean tryUpdateUserAndRoleMap( { try { List updates = new ArrayList<>(); - if (userMap != null) { + if (userMap != null && roleMap != null) { updates.add( - new MetadataCASUpdate( - connectorConfig.getConfigTable(), - MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, - MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, - getPrefixedKeyColumn(prefix, USERS), - oldUserMapValue, - newUserMapValue - ) + createMetadataCASUpdate(prefix, oldUserMapValue, newUserMapValue, USERS) ); + updates.add( + createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES) + ); + + boolean succeeded = connector.compareAndSwap(updates); + if (succeeded) { + cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue)); + cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue)); + + byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateUser(prefix, serializedUserAndRoleMap); + + return true; + } else { + return false; + } } + } + catch (Exception e) { + throw new RuntimeException(e); + } + return false; + } - if (roleMap != null) { + private boolean tryUpdateGroupMappingAndRoleMap( + String prefix, + Map groupMappingMap, + byte[] oldGroupMappingMapValue, + byte[] newGroupMappingMapValue, + Map roleMap, + byte[] oldRoleMapValue, + byte[] newRoleMapValue + ) + { + try { + List updates = new ArrayList<>(); + if (groupMappingMap != null && roleMap != null) { updates.add( - new MetadataCASUpdate( - connectorConfig.getConfigTable(), - MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, - MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, - getPrefixedKeyColumn(prefix, ROLES), - oldRoleMapValue, - newRoleMapValue - ) + createMetadataCASUpdate(prefix, oldGroupMappingMapValue, newGroupMappingMapValue, GROUP_MAPPINGS) + ); + updates.add( + createMetadataCASUpdate(prefix, oldRoleMapValue, newRoleMapValue, ROLES) ); } boolean succeeded = connector.compareAndSwap(updates); if (succeeded) { - if (userMap != null) { - cachedUserMaps.put(prefix, new BasicAuthorizerUserMapBundle(userMap, newUserMapValue)); - } - if (roleMap != null) { - cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue)); - } + cachedGroupMappingMaps.put(prefix, new BasicAuthorizerGroupMappingMapBundle(groupMappingMap, newGroupMappingMapValue)); + cachedRoleMaps.put(prefix, new BasicAuthorizerRoleMapBundle(roleMap, newRoleMapValue)); - byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(prefix); - cacheNotifier.addUpdate(prefix, serializedUserAndRoleMap); + byte[] serializedGroupMappingAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(prefix); + cacheNotifier.addUpdateGroupMapping(prefix, serializedGroupMappingAndRoleMap); return true; } else { return false; } - } catch (Exception e) { throw new RuntimeException(e); } } + @Nonnull + private MetadataCASUpdate createMetadataCASUpdate( + String prefix, + byte[] oldValue, + byte[] newValue, + String columnName + ) + { + return new MetadataCASUpdate( + connectorConfig.getConfigTable(), + MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, + MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, + getPrefixedKeyColumn(prefix, columnName), + oldValue, + newValue + ); + } + @Override public void createUser(String prefix, String userName) { @@ -327,6 +478,21 @@ public void deleteUser(String prefix, String userName) deleteUserInternal(prefix, userName); } + @Override + public void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping) + { + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + createGroupMappingInternal(prefix, groupMapping); + + } + + @Override + public void deleteGroupMapping(String prefix, String groupMappingName) + { + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + deleteGroupMappingInternal(prefix, groupMappingName); + } + @Override public void createRole(String prefix, String roleName) { @@ -342,17 +508,31 @@ public void deleteRole(String prefix, String roleName) } @Override - public void assignRole(String prefix, String userName, String roleName) + public void assignUserRole(String prefix, String userName, String roleName) { Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); - assignRoleInternal(prefix, userName, roleName); + assignUserRoleInternal(prefix, userName, roleName); } @Override - public void unassignRole(String prefix, String userName, String roleName) + public void unassignUserRole(String prefix, String userName, String roleName) { Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); - unassignRoleInternal(prefix, userName, roleName); + unassignUserRoleInternal(prefix, userName, roleName); + } + + @Override + public void assignGroupMappingRole(String prefix, String groupMappingName, String roleName) + { + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + assignGroupMappingRoleInternal(prefix, groupMappingName, roleName); + } + + @Override + public void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName) + { + Preconditions.checkState(lifecycleLock.awaitStarted(1, TimeUnit.MILLISECONDS)); + unassignGroupMappingRoleInternal(prefix, groupMappingName, roleName); } @Override @@ -370,6 +550,13 @@ public Map getCachedUserMap(String prefix) return userMapBundle == null ? null : userMapBundle.getUserMap(); } + @Override + public Map getCachedGroupMappingMap(String prefix) + { + BasicAuthorizerGroupMappingMapBundle groupMapBundle = cachedGroupMappingMaps.get(prefix); + return groupMapBundle == null ? null : groupMapBundle.getGroupMappingMap(); + } + @Override @Nullable public Map getCachedRoleMap(String prefix) @@ -389,6 +576,17 @@ public byte[] getCurrentUserMapBytes(String prefix) ); } + @Override + public byte[] getCurrentGroupMappingMapBytes(String prefix) + { + return connector.lookup( + connectorConfig.getConfigTable(), + MetadataStorageConnector.CONFIG_TABLE_KEY_COLUMN, + MetadataStorageConnector.CONFIG_TABLE_VALUE_COLUMN, + getPrefixedKeyColumn(prefix, GROUP_MAPPINGS) + ); + } + @Override public byte[] getCurrentRoleMapBytes(String prefix) { @@ -407,7 +605,10 @@ public void refreshAllNotification() (authorizerName) -> { try { byte[] serializedUserAndRoleMap = getCurrentUserAndRoleMapSerialized(authorizerName); - cacheNotifier.addUpdate(authorizerName, serializedUserAndRoleMap); + cacheNotifier.addUpdateUser(authorizerName, serializedUserAndRoleMap); + + byte[] serializeGroupAndRoleMap = getCurrentGroupMappingAndRoleMapSerialized(authorizerName); + cacheNotifier.addUpdateGroupMapping(authorizerName, serializeGroupAndRoleMap); } catch (IOException ioe) { throw new RuntimeException(ioe); @@ -429,6 +630,19 @@ private byte[] getCurrentUserAndRoleMapSerialized(String prefix) throws IOExcept return objectMapper.writeValueAsBytes(userAndRoleMap); } + private byte[] getCurrentGroupMappingAndRoleMapSerialized(String prefix) throws IOException + { + BasicAuthorizerGroupMappingMapBundle groupMappingMapBundle = cachedGroupMappingMaps.get(prefix); + BasicAuthorizerRoleMapBundle roleMapBundle = cachedRoleMaps.get(prefix); + + GroupMappingAndRoleMap groupMappingAndRoleMap = new GroupMappingAndRoleMap( + groupMappingMapBundle == null ? null : groupMappingMapBundle.getGroupMappingMap(), + roleMapBundle == null ? null : roleMapBundle.getRoleMap() + ); + + return objectMapper.writeValueAsBytes(groupMappingAndRoleMap); + } + private void createUserInternal(String prefix, String userName) { int attempts = 0; @@ -445,7 +659,7 @@ private void createUserInternal(String prefix, String userName) throw new RuntimeException(ie); } } - throw new ISE("Could not create user[%s] due to concurrent update contention.", userName); + throw new ISE("Could not create user [%s] due to concurrent update contention.", userName); } private void deleteUserInternal(String prefix, String userName) @@ -464,7 +678,45 @@ private void deleteUserInternal(String prefix, String userName) throw new RuntimeException(ie); } } - throw new ISE("Could not delete user[%s] due to concurrent update contention.", userName); + throw new ISE("Could not delete user [%s] due to concurrent update contention.", userName); + } + + private void createGroupMappingInternal(String prefix, BasicAuthorizerGroupMapping groupMapping) + { + int attempts = 0; + while (attempts < numRetries) { + if (createGroupMappingOnce(prefix, groupMapping)) { + return; + } else { + attempts++; + } + try { + Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); + } + catch (InterruptedException ie) { + throw new RuntimeException(ie); + } + } + throw new ISE("Could not create group mapping [%s] due to concurrent update contention.", groupMapping); + } + + private void deleteGroupMappingInternal(String prefix, String groupMappingName) + { + int attempts = 0; + while (attempts < numRetries) { + if (deleteGroupMappingOnce(prefix, groupMappingName)) { + return; + } else { + attempts++; + } + try { + Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); + } + catch (InterruptedException ie) { + throw new RuntimeException(ie); + } + } + throw new ISE("Could not delete group mapping [%s] due to concurrent update contention.", groupMappingName); } private void createRoleInternal(String prefix, String roleName) @@ -483,7 +735,7 @@ private void createRoleInternal(String prefix, String roleName) throw new RuntimeException(ie); } } - throw new ISE("Could not create role[%s] due to concurrent update contention.", roleName); + throw new ISE("Could not create role [%s] due to concurrent update contention.", roleName); } private void deleteRoleInternal(String prefix, String roleName) @@ -502,14 +754,14 @@ private void deleteRoleInternal(String prefix, String roleName) throw new RuntimeException(ie); } } - throw new ISE("Could not delete role[%s] due to concurrent update contention.", roleName); + throw new ISE("Could not delete role [%s] due to concurrent update contention.", roleName); } - private void assignRoleInternal(String prefix, String userName, String roleName) + private void assignUserRoleInternal(String prefix, String userName, String roleName) { int attempts = 0; while (attempts < numRetries) { - if (assignRoleOnce(prefix, userName, roleName)) { + if (assignUserRoleOnce(prefix, userName, roleName)) { return; } else { attempts++; @@ -521,14 +773,14 @@ private void assignRoleInternal(String prefix, String userName, String roleName) throw new RuntimeException(ie); } } - throw new ISE("Could not assign role[%s] to user[%s] due to concurrent update contention.", roleName, userName); + throw new ISE("Could not assign role [%s] to user [%s] due to concurrent update contention.", roleName, userName); } - private void unassignRoleInternal(String prefix, String userName, String roleName) + private void unassignUserRoleInternal(String prefix, String userName, String roleName) { int attempts = 0; while (attempts < numRetries) { - if (unassignRoleOnce(prefix, userName, roleName)) { + if (unassignUserRoleOnce(prefix, userName, roleName)) { return; } else { attempts++; @@ -540,7 +792,50 @@ private void unassignRoleInternal(String prefix, String userName, String roleNam throw new RuntimeException(ie); } } - throw new ISE("Could not unassign role[%s] from user[%s] due to concurrent update contention.", roleName, userName); + throw new ISE("Could not unassign role [%s] from user [%s] due to concurrent update contention.", roleName, userName); + } + + private void assignGroupMappingRoleInternal(String prefix, String groupMappingName, String roleName) + { + int attempts = 0; + while (attempts < numRetries) { + if (assignGroupMappingRoleOnce(prefix, groupMappingName, roleName)) { + return; + } else { + attempts++; + } + try { + Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); + } + catch (InterruptedException ie) { + throw new RuntimeException(ie); + } + } + throw new ISE("Could not assign role [%s] to group mapping [%s] due to concurrent update contention.", + roleName, + groupMappingName + ); + } + + private void unassignGroupMappingRoleInternal(String prefix, String groupMappingName, String roleName) + { + int attempts = 0; + while (attempts < numRetries) { + if (unassignGroupMappingRoleOnce(prefix, groupMappingName, roleName)) { + return; + } else { + attempts++; + } + try { + Thread.sleep(ThreadLocalRandom.current().nextLong(UPDATE_RETRY_DELAY)); + } + catch (InterruptedException ie) { + throw new RuntimeException(ie); + } + } + throw new ISE("Could not unassign role [%s] from group mapping [%s] due to concurrent update contention.", roleName, + groupMappingName + ); } private void setPermissionsInternal(String prefix, String roleName, List permissions) @@ -559,35 +854,61 @@ private void setPermissionsInternal(String prefix, String roleName, List userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldValue); - if (userMap.get(userName) != null) { - throw new BasicSecurityDBResourceException("User [%s] already exists.", userName); + if (userMap.get(userName) == null) { + throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName); } else { - userMap.put(userName, new BasicAuthorizerUser(userName, null)); + userMap.remove(userName); } byte[] newValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap); return tryUpdateUserMap(prefix, userMap, oldValue, newValue); } - private boolean deleteUserOnce(String prefix, String userName) + private boolean createUserOnce(String prefix, String userName) { byte[] oldValue = getCurrentUserMapBytes(prefix); Map userMap = BasicAuthUtils.deserializeAuthorizerUserMap(objectMapper, oldValue); - if (userMap.get(userName) == null) { - throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName); + if (userMap.get(userName) != null) { + throw new BasicSecurityDBResourceException("User [%s] already exists.", userName); } else { - userMap.remove(userName); + userMap.put(userName, new BasicAuthorizerUser(userName, null)); } byte[] newValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap); return tryUpdateUserMap(prefix, userMap, oldValue, newValue); } + private boolean deleteGroupMappingOnce(String prefix, String groupMappingName) + { + byte[] oldValue = getCurrentGroupMappingMapBytes(prefix); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldValue); + if (groupMappingMap.get(groupMappingName) == null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName); + } else { + groupMappingMap.remove(groupMappingName); + } + byte[] newValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap); + return tryUpdateGroupMappingMap(prefix, groupMappingMap, oldValue, newValue); + } + + private boolean createGroupMappingOnce(String prefix, BasicAuthorizerGroupMapping groupMapping) + { + byte[] oldValue = getCurrentGroupMappingMapBytes(prefix); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap(objectMapper, oldValue); + if (groupMappingMap.get(groupMapping.getName()) != null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] already exists.", groupMapping.getName()); + } else { + groupMappingMap.put(groupMapping.getName(), groupMapping); + } + byte[] newValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap); + return tryUpdateGroupMappingMap(prefix, groupMappingMap, oldValue, newValue); + } + private boolean createRoleOnce(String prefix, String roleName) { byte[] oldValue = getCurrentRoleMapBytes(prefix); @@ -623,16 +944,31 @@ private boolean deleteRoleOnce(String prefix, String roleName) user.getRoles().remove(roleName); } byte[] newUserMapValue = BasicAuthUtils.serializeAuthorizerUserMap(objectMapper, userMap); + + byte[] oldGroupMapValue = getCurrentGroupMappingMapBytes(prefix); + Map groupMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + oldGroupMapValue + ); + for (BasicAuthorizerGroupMapping group : groupMap.values()) { + group.getRoles().remove(roleName); + } + byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMap); + byte[] newRoleMapValue = BasicAuthUtils.serializeAuthorizerRoleMap(objectMapper, roleMap); return tryUpdateUserAndRoleMap( prefix, userMap, oldUserMapValue, newUserMapValue, roleMap, oldRoleMapValue, newRoleMapValue + ) && tryUpdateGroupMappingAndRoleMap( + prefix, + groupMap, oldGroupMapValue, newGroupMapValue, + roleMap, newRoleMapValue, newRoleMapValue ); } - private boolean assignRoleOnce(String prefix, String userName, String roleName) + private boolean assignUserRoleOnce(String prefix, String userName, String roleName) { byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix); Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( @@ -668,7 +1004,7 @@ private boolean assignRoleOnce(String prefix, String userName, String roleName) ); } - private boolean unassignRoleOnce(String prefix, String userName, String roleName) + private boolean unassignUserRoleOnce(String prefix, String userName, String roleName) { byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix); Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( @@ -704,6 +1040,78 @@ private boolean unassignRoleOnce(String prefix, String userName, String roleName ); } + private boolean assignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) + { + byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix); + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + oldRoleMapValue + ); + if (roleMap.get(roleName) == null) { + throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName); + } + + byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + oldGroupMappingMapValue + ); + BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName); + if (groupMappingMap.get(groupMappingName) == null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName); + } + + if (groupMapping.getRoles().contains(roleName)) { + throw new BasicSecurityDBResourceException("Group mapping [%s] already has role [%s].", groupMappingName, roleName); + } + + groupMapping.getRoles().add(roleName); + byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap); + + // Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted) + return tryUpdateGroupMappingAndRoleMap( + prefix, + groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, + roleMap, oldRoleMapValue, oldRoleMapValue + ); + } + + private boolean unassignGroupMappingRoleOnce(String prefix, String groupMappingName, String roleName) + { + byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix); + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + oldRoleMapValue + ); + if (roleMap.get(roleName) == null) { + throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName); + } + + byte[] oldGroupMappingMapValue = getCurrentGroupMappingMapBytes(prefix); + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + oldGroupMappingMapValue + ); + BasicAuthorizerGroupMapping groupMapping = groupMappingMap.get(groupMappingName); + if (groupMappingMap.get(groupMappingName) == null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName); + } + + if (!groupMapping.getRoles().contains(roleName)) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not have role [%s].", groupMappingName, roleName); + } + + groupMapping.getRoles().remove(roleName); + byte[] newGroupMapValue = BasicAuthUtils.serializeAuthorizerGroupMappingMap(objectMapper, groupMappingMap); + + // Role map is unchanged, but submit as an update to ensure that the table didn't change (e.g., role deleted) + return tryUpdateGroupMappingAndRoleMap( + prefix, + groupMappingMap, oldGroupMappingMapValue, newGroupMapValue, + roleMap, oldRoleMapValue, oldRoleMapValue + ); + } + private boolean setPermissionsOnce(String prefix, String roleName, List permissions) { byte[] oldRoleMapValue = getCurrentRoleMapBytes(prefix); @@ -723,10 +1131,14 @@ private boolean setPermissionsOnce(String prefix, String roleName, List userMap, - Map roleMap + Map roleMap, + Map groupMappingMap, + String initialAdminUser, + String initialAdminRole, + String initialAdminGroupMapping ) { if (!roleMap.containsKey(BasicAuthUtils.ADMIN_NAME)) { @@ -739,14 +1151,38 @@ private void initSuperusers( setPermissionsInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, SUPERUSER_PERMISSIONS); } + if (!userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) { + createUserInternal(authorizerName, BasicAuthUtils.ADMIN_NAME); + assignUserRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME); + } + if (!userMap.containsKey(BasicAuthUtils.INTERNAL_USER_NAME)) { createUserInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME); - assignRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME); + assignUserRoleInternal(authorizerName, BasicAuthUtils.INTERNAL_USER_NAME, BasicAuthUtils.INTERNAL_USER_NAME); } - if (!userMap.containsKey(BasicAuthUtils.ADMIN_NAME)) { - createUserInternal(authorizerName, BasicAuthUtils.ADMIN_NAME); - assignRoleInternal(authorizerName, BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.ADMIN_NAME); + if (initialAdminRole != null + && !(initialAdminRole.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminRole.equals(BasicAuthUtils.INTERNAL_USER_NAME)) + && !roleMap.containsKey(initialAdminRole)) { + createRoleInternal(authorizerName, initialAdminRole); + setPermissionsInternal(authorizerName, initialAdminRole, SUPERUSER_PERMISSIONS); + } + + if (initialAdminUser != null + && !(initialAdminUser.equals(BasicAuthUtils.ADMIN_NAME) || initialAdminUser.equals(BasicAuthUtils.INTERNAL_USER_NAME)) + && !userMap.containsKey(initialAdminUser)) { + createUserInternal(authorizerName, initialAdminUser); + assignUserRoleInternal(authorizerName, initialAdminUser, initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole); + } + + if (initialAdminGroupMapping != null && !groupMappingMap.containsKey(BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME)) { + BasicAuthorizerGroupMapping groupMapping = + new BasicAuthorizerGroupMapping( + BasicAuthUtils.ADMIN_GROUP_MAPPING_NAME, + initialAdminGroupMapping, + new HashSet<>(Collections.singletonList(initialAdminRole == null ? BasicAuthUtils.ADMIN_NAME : initialAdminRole)) + ); + createGroupMappingInternal(authorizerName, groupMapping); } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/NoopBasicAuthorizerMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/NoopBasicAuthorizerMetadataStorageUpdater.java index 5ef2de904121..c9d1f052f5e4 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/NoopBasicAuthorizerMetadataStorageUpdater.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/NoopBasicAuthorizerMetadataStorageUpdater.java @@ -19,6 +19,7 @@ package org.apache.druid.security.basic.authorization.db.updater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; import org.apache.druid.server.security.ResourceAction; @@ -43,6 +44,16 @@ public void deleteUser(String prefix, String userName) { } + @Override + public void createGroupMapping(String prefix, BasicAuthorizerGroupMapping groupMapping) + { + } + + @Override + public void deleteGroupMapping(String prefix, String groupMappingName) + { + } + @Override public void createRole(String prefix, String roleName) { @@ -54,12 +65,22 @@ public void deleteRole(String prefix, String roleName) } @Override - public void assignRole(String prefix, String userName, String roleName) + public void assignUserRole(String prefix, String userName, String roleName) + { + } + + @Override + public void unassignUserRole(String prefix, String userName, String roleName) + { + } + + @Override + public void assignGroupMappingRole(String prefix, String groupMappingName, String roleName) { } @Override - public void unassignRole(String prefix, String userName, String roleName) + public void unassignGroupMappingRole(String prefix, String groupMappingName, String roleName) { } @@ -74,6 +95,12 @@ public Map getCachedUserMap(String prefix) return Collections.emptyMap(); } + @Override + public Map getCachedGroupMappingMap(String prefix) + { + return Collections.emptyMap(); + } + @Override public Map getCachedRoleMap(String prefix) { @@ -92,6 +119,12 @@ public byte[] getCurrentRoleMapBytes(String prefix) return new byte[0]; } + @Override + public byte[] getCurrentGroupMappingMapBytes(String prefix) + { + return new byte[0]; + } + @Override public void refreshAllNotification() { diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java index 99a112602c8b..0e70e5a3dcd3 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java @@ -24,6 +24,7 @@ import com.sun.jersey.spi.container.ResourceFilters; import org.apache.druid.guice.LazySingleton; import org.apache.druid.security.basic.BasicSecurityResourceFilter; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.server.security.ResourceAction; import javax.servlet.http.HttpServletRequest; @@ -44,7 +45,7 @@ @LazySingleton public class BasicAuthorizerResource { - private BasicAuthorizerResourceHandler resourceHandler; + private final BasicAuthorizerResourceHandler resourceHandler; @Inject public BasicAuthorizerResource( @@ -108,6 +109,24 @@ public Response getAllUsers( return resourceHandler.getAllUsers(authorizerName); } + /** + * @param req HTTP request + * + * @return List of all groupMappings + */ + @GET + @Path("/db/{authorizerName}/groupMappings") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response getAllGroupMappings( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName + ) + { + return resourceHandler.getAllGroupMappings(authorizerName); + } + /** * @param req HTTP request * @param userName Name of user to retrieve information about @@ -130,6 +149,27 @@ public Response getUser( return resourceHandler.getUser(authorizerName, userName, full != null, simplifyPermissions != null); } + /** + * @param req HTTP request + * @param groupMappingName Name of groupMapping to retrieve information about + * + * @return Name, groupPattern, roles, and permissions of the groupMapping with groupMappingName, 400 error response if groupMapping doesn't exist + */ + @GET + @Path("/db/{authorizerName}/groupMappings/{groupMappingName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response getGroupMapping( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("groupMappingName") final String groupMappingName, + @QueryParam("full") String full + ) + { + return resourceHandler.getGroupMapping(authorizerName, groupMappingName, full != null); + } + /** * Create a new user with name userName * @@ -174,6 +214,54 @@ public Response deleteUser( return resourceHandler.deleteUser(authorizerName, userName); } + /** + * Create a new groupMapping with name groupMappingName + * + * @param req HTTP request + * @param groupMappingName Name to assign the new groupMapping + * + * @return OK response, or 400 error response if groupMapping already exists + */ + @POST + @Path("/db/{authorizerName}/groupMappings/{groupMappingName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response createGroupMapping( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("groupMappingName") String groupMappingName, + BasicAuthorizerGroupMapping groupMapping + ) + { + return resourceHandler.createGroupMapping( + authorizerName, + new BasicAuthorizerGroupMapping(groupMappingName, groupMapping.getGroupPattern(), groupMapping.getRoles()) + ); + } + + /** + * Delete a groupMapping with name groupMappingName + * + * @param req HTTP request + * @param groupMappingName Name of groupMapping to delete + * + * @return OK response, or 400 error response if groupMapping doesn't exist + */ + @DELETE + @Path("/db/{authorizerName}/groupMappings/{groupMappingName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response deleteGroupMapping( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("groupMappingName") String groupMappingName + ) + { + return resourceHandler.deleteGroupMapping(authorizerName, groupMappingName); + } + /** * @param req HTTP request * @@ -198,7 +286,7 @@ public Response getAllRoles( * @param req HTTP request * @param roleName Name of role * - * @return Role name, users with role, and permissions of role. 400 error if role doesn't exist. + * @return Role name, users with role, groupMappings with role, and permissions of role. 400 error if role doesn't exist. */ @GET @Path("/db/{authorizerName}/roles/{roleName}") @@ -308,6 +396,54 @@ public Response unassignRoleFromUser( return resourceHandler.unassignRoleFromUser(authorizerName, userName, roleName); } + /** + * Assign a role to a groupMapping. + * + * @param req HTTP request + * @param groupMappingName Name of groupMapping + * @param roleName Name of role + * + * @return OK response. 400 error if groupMapping/role don't exist, or if groupMapping already has the role + */ + @POST + @Path("/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response assignRoleToGroupMapping( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("groupMappingName") String groupMappingName, + @PathParam("roleName") String roleName + ) + { + return resourceHandler.assignRoleToGroupMapping(authorizerName, groupMappingName, roleName); + } + + /** + * Remove a role from a groupMapping. + * + * @param req HTTP request + * @param groupMappingName Name of groupMapping + * @param roleName Name of role + * + * @return OK response. 400 error if groupMapping/role don't exist, or if groupMapping does not have the role. + */ + @DELETE + @Path("/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response unassignRoleFromGroupMapping( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("groupMappingName") String groupMappingName, + @PathParam("roleName") String roleName + ) + { + return resourceHandler.unassignRoleFromGroupMapping(authorizerName, groupMappingName, roleName); + } + /** * Set the permissions of a role. This replaces the previous permissions of the role. * @@ -332,6 +468,28 @@ public Response setRolePermissions( return resourceHandler.setRolePermissions(authorizerName, roleName, permissions); } + /** + * Get the permissions of a role. + * + * @param req HTTP request + * @param roleName Name of role + * + * @return OK response. 400 error if role doesn't exist. + */ + @GET + @Path("/db/{authorizerName}/roles/{roleName}/permissions") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response getRolePermissions( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + @PathParam("roleName") String roleName + ) + { + return resourceHandler.getRolePermissions(authorizerName, roleName); + } + /** * @param req HTTP request * @@ -347,24 +505,79 @@ public Response getCachedSerializedUserMap( @PathParam("authorizerName") final String authorizerName ) { - return resourceHandler.getCachedMaps(authorizerName); + return resourceHandler.getCachedUserMaps(authorizerName); + } + + /** + * @param req HTTP request + * + * @return serialized groupMapping map + */ + @GET + @Path("/db/{authorizerName}/cachedSerializedGroupMappingMap") + @Produces(SmileMediaTypes.APPLICATION_JACKSON_SMILE) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response getCachedSerializedGroupMap( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName + ) + { + return resourceHandler.getCachedGroupMappingMaps(authorizerName); } /** - * Listen for update notifications for the auth storage + * Listen for update notifications for the user auth storage + * @deprecated path /listen/{authorizerName} is to replaced by /listen/users/{authorizerName} + * use {@link #authorizerUserUpdateListener(HttpServletRequest, String, byte[])} instead */ @POST @Path("/listen/{authorizerName}") @Produces(MediaType.APPLICATION_JSON) @Consumes(MediaType.APPLICATION_JSON) @ResourceFilters(BasicSecurityResourceFilter.class) + @Deprecated public Response authorizerUpdateListener( @Context HttpServletRequest req, @PathParam("authorizerName") final String authorizerName, byte[] serializedUserAndRoleMap ) { - return resourceHandler.authorizerUpdateListener(authorizerName, serializedUserAndRoleMap); + return resourceHandler.authorizerUserUpdateListener(authorizerName, serializedUserAndRoleMap); + } + + /** + * Listen for update notifications for the user auth storage + */ + @POST + @Path("/listen/users/{authorizerName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response authorizerUserUpdateListener( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + byte[] serializedUserAndRoleMap + ) + { + return resourceHandler.authorizerUserUpdateListener(authorizerName, serializedUserAndRoleMap); + } + + /** + * Listen for update notifications for the groupMapping auth storage + */ + @POST + @Path("/listen/groupMappings/{authorizerName}") + @Produces(MediaType.APPLICATION_JSON) + @Consumes(MediaType.APPLICATION_JSON) + @ResourceFilters(BasicSecurityResourceFilter.class) + public Response authorizerGroupMappingUpdateListener( + @Context HttpServletRequest req, + @PathParam("authorizerName") final String authorizerName, + byte[] serializedGroupMappingAndRoleMap + ) + { + return resourceHandler.authorizerGroupMappingUpdateListener(authorizerName, serializedGroupMappingAndRoleMap); } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResourceHandler.java index 214da87c4c18..0b307cff8ae1 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResourceHandler.java @@ -19,6 +19,7 @@ package org.apache.druid.security.basic.authorization.endpoint; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.server.security.ResourceAction; import javax.ws.rs.core.Response; @@ -34,12 +35,20 @@ public interface BasicAuthorizerResourceHandler // coordinator methods Response getAllUsers(String authorizerName); + Response getAllGroupMappings(String authorizerName); + Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions); + Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull); + Response createUser(String authorizerName, String userName); + Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping); + Response deleteUser(String authorizerName, String userName); + Response deleteGroupMapping(String authorizerName, String groupMappingName); + Response getAllRoles(String authorizerName); Response getRole(String authorizerName, String roleName, boolean isFull, boolean simplifyPermissions); @@ -50,16 +59,26 @@ public interface BasicAuthorizerResourceHandler Response assignRoleToUser(String authorizerName, String userName, String roleName); + Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName); + Response unassignRoleFromUser(String authorizerName, String userName, String roleName); + Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName); + Response setRolePermissions(String authorizerName, String roleName, List permissions); - Response getCachedMaps(String authorizerName); + Response getRolePermissions(String authorizerName, String roleName); + + Response getCachedUserMaps(String authorizerName); + + Response getCachedGroupMappingMaps(String authorizerName); Response refreshAll(); // non-coordinator methods - Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap); + Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap); + + Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap); // common Response getLoadStatus(); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.java index 3a3cd139d525..13ef116067b3 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/CoordinatorBasicAuthorizerResourceHandler.java @@ -29,12 +29,15 @@ import org.apache.druid.security.basic.BasicSecurityDBResourceException; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; import org.apache.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleSimplifiedPermissions; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFull; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserFullSimplifiedPermissions; +import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap; import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap; import org.apache.druid.server.security.Authorizer; import org.apache.druid.server.security.AuthorizerMapper; @@ -93,6 +96,21 @@ public Response getAllUsers(String authorizerName) return Response.ok(userMap.keySet()).build(); } + @Override + public Response getAllGroupMappings(String authorizerName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + storageUpdater.getCurrentGroupMappingMapBytes(authorizerName) + ); + return Response.ok(groupMappingMap.keySet()).build(); + } + @Override public Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions) { @@ -108,6 +126,21 @@ public Response getUser(String authorizerName, String userName, boolean isFull, } } + @Override + public Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + if (isFull) { + return getGroupMappingFull(authorizerName, groupMappingName); + } else { + return getGroupMappingSimple(authorizerName, groupMappingName); + } + } + @Override public Response createUser(String authorizerName, String userName) { @@ -125,6 +158,23 @@ public Response createUser(String authorizerName, String userName) } } + @Override + public Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + try { + storageUpdater.createGroupMapping(authorizerName, groupMapping); + return Response.ok().build(); + } + catch (BasicSecurityDBResourceException cfe) { + return makeResponseForBasicSecurityDBResourceException(cfe); + } + } + @Override public Response deleteUser(String authorizerName, String userName) { @@ -142,6 +192,23 @@ public Response deleteUser(String authorizerName, String userName) } } + @Override + public Response deleteGroupMapping(String authorizerName, String groupMappingName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + try { + storageUpdater.deleteGroupMapping(authorizerName, groupMappingName); + return Response.ok().build(); + } + catch (BasicSecurityDBResourceException cfe) { + return makeResponseForBasicSecurityDBResourceException(cfe); + } + } + @Override public Response getAllRoles(String authorizerName) { @@ -216,7 +283,24 @@ public Response assignRoleToUser(String authorizerName, String userName, String } try { - storageUpdater.assignRole(authorizerName, userName, roleName); + storageUpdater.assignUserRole(authorizerName, userName, roleName); + return Response.ok().build(); + } + catch (BasicSecurityDBResourceException cfe) { + return makeResponseForBasicSecurityDBResourceException(cfe); + } + } + + @Override + public Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + try { + storageUpdater.assignGroupMappingRole(authorizerName, groupMappingName, roleName); return Response.ok().build(); } catch (BasicSecurityDBResourceException cfe) { @@ -233,7 +317,24 @@ public Response unassignRoleFromUser(String authorizerName, String userName, Str } try { - storageUpdater.unassignRole(authorizerName, userName, roleName); + storageUpdater.unassignUserRole(authorizerName, userName, roleName); + return Response.ok().build(); + } + catch (BasicSecurityDBResourceException cfe) { + return makeResponseForBasicSecurityDBResourceException(cfe); + } + } + + @Override + public Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + try { + storageUpdater.unassignGroupMappingRole(authorizerName, groupMappingName, roleName); return Response.ok().build(); } catch (BasicSecurityDBResourceException cfe) { @@ -259,7 +360,18 @@ public Response setRolePermissions(String authorizerName, String roleName, List< } @Override - public Response getCachedMaps(String authorizerName) + public Response getRolePermissions(String authorizerName, String roleName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + + return getPermissions(authorizerName, roleName); + } + + @Override + public Response getCachedUserMaps(String authorizerName) { final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); if (authorizer == null) { @@ -274,6 +386,21 @@ public Response getCachedMaps(String authorizerName) return Response.ok(userAndRoleMap).build(); } + @Override + public Response getCachedGroupMappingMaps(String authorizerName) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + return makeResponseForAuthorizerNotFound(authorizerName); + } + GroupMappingAndRoleMap groupMappingAndRoleMap = new GroupMappingAndRoleMap( + storageUpdater.getCachedGroupMappingMap(authorizerName), + storageUpdater.getCachedRoleMap(authorizerName) + ); + + return Response.ok(groupMappingAndRoleMap).build(); + } + @Override public Response refreshAll() { @@ -282,7 +409,13 @@ public Response refreshAll() } @Override - public Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap) + public Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap) + { + return Response.status(Response.Status.NOT_FOUND).build(); + } + + @Override + public Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap) { return Response.status(Response.Status.NOT_FOUND).build(); } @@ -293,7 +426,9 @@ public Response getLoadStatus() Map loadStatus = new HashMap<>(); authorizerMap.forEach( (authorizerName, authorizer) -> { - loadStatus.put(authorizerName, storageUpdater.getCachedUserMap(authorizerName) != null); + loadStatus.put(authorizerName, storageUpdater.getCachedUserMap(authorizerName) != null && + storageUpdater.getCachedGroupMappingMap(authorizerName) != null && + storageUpdater.getCachedRoleMap(authorizerName) != null); } ); return Response.ok(loadStatus).build(); @@ -344,17 +479,17 @@ private Response getUserFull(String authorizerName, String userName, boolean sim storageUpdater.getCurrentUserMapBytes(authorizerName) ); - Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( - objectMapper, - storageUpdater.getCurrentRoleMapBytes(authorizerName) - ); - try { BasicAuthorizerUser user = userMap.get(userName); if (user == null) { throw new BasicSecurityDBResourceException("User [%s] does not exist.", userName); } + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + storageUpdater.getCurrentRoleMapBytes(authorizerName) + ); + if (simplifyPermissions) { Set roles = getRolesForUserWithSimplifiedPermissions(user, roleMap); BasicAuthorizerUserFullSimplifiedPermissions fullUser = new BasicAuthorizerUserFullSimplifiedPermissions( @@ -412,6 +547,60 @@ private Set getRolesForUser( return roles; } + private Response getGroupMappingSimple(String authorizerName, String groupMappingName) + { + Map groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + storageUpdater.getCurrentGroupMappingMapBytes(authorizerName) + ); + + try { + BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName); + if (groupMapping == null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName); + } + return Response.ok(groupMapping).build(); + } + catch (BasicSecurityDBResourceException e) { + return makeResponseForBasicSecurityDBResourceException(e); + } + } + + private Response getGroupMappingFull(String authorizerName, String groupMappingName) + { + Map groupMappings = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + storageUpdater.getCurrentGroupMappingMapBytes(authorizerName) + ); + + try { + BasicAuthorizerGroupMapping groupMapping = groupMappings.get(groupMappingName); + if (groupMapping == null) { + throw new BasicSecurityDBResourceException("Group mapping [%s] does not exist.", groupMappingName); + } + + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + storageUpdater.getCurrentRoleMapBytes(authorizerName) + ); + + Set roles = new HashSet<>(); + for (String roleName : groupMapping.getRoles()) { + BasicAuthorizerRole role = roleMap.get(roleName); + if (role == null) { + log.error("Group mapping [%s] had role [%s], but role was not found.", groupMappingName, roleName); + } else { + roles.add(role); + } + } + + BasicAuthorizerGroupMappingFull fullGroup = new BasicAuthorizerGroupMappingFull(groupMapping.getName(), groupMapping.getGroupPattern(), roles); + return Response.ok(fullGroup).build(); + } + catch (BasicSecurityDBResourceException e) { + return makeResponseForBasicSecurityDBResourceException(e); + } + } private Response getRoleSimple(String authorizerName, String roleName, boolean simplifyPermissions) { @@ -444,29 +633,42 @@ private Response getRoleFull(String authorizerName, String roleName, boolean sim storageUpdater.getCurrentRoleMapBytes(authorizerName) ); - Map userMap = BasicAuthUtils.deserializeAuthorizerUserMap( - objectMapper, - storageUpdater.getCurrentUserMapBytes(authorizerName) - ); - - Set users = new HashSet<>(); - for (BasicAuthorizerUser user : userMap.values()) { - if (user.getRoles().contains(roleName)) { - users.add(user.getName()); - } - } - try { BasicAuthorizerRole role = roleMap.get(roleName); if (role == null) { throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName); } + + Map userMap = BasicAuthUtils.deserializeAuthorizerUserMap( + objectMapper, + storageUpdater.getCurrentUserMapBytes(authorizerName) + ); + + Map groupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + storageUpdater.getCurrentGroupMappingMapBytes(authorizerName) + ); + + Set users = new HashSet<>(); + for (BasicAuthorizerUser user : userMap.values()) { + if (user.getRoles().contains(roleName)) { + users.add(user.getName()); + } + } + + Set groupMappings = new HashSet<>(); + for (BasicAuthorizerGroupMapping group : groupMappingMap.values()) { + if (group.getRoles().contains(roleName)) { + groupMappings.add(group.getName()); + } + } if (simplifyPermissions) { return Response.ok(new BasicAuthorizerRoleSimplifiedPermissions(role, users)).build(); } else { BasicAuthorizerRoleFull roleFull = new BasicAuthorizerRoleFull( roleName, users, + groupMappings, role.getPermissions() ); return Response.ok(roleFull).build(); @@ -476,4 +678,23 @@ private Response getRoleFull(String authorizerName, String roleName, boolean sim return makeResponseForBasicSecurityDBResourceException(e); } } + + private Response getPermissions(String authorizerName, String roleName) + { + Map roleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + storageUpdater.getCurrentRoleMapBytes(authorizerName) + ); + + try { + BasicAuthorizerRole role = roleMap.get(roleName); + if (role == null) { + throw new BasicSecurityDBResourceException("Role [%s] does not exist.", roleName); + } + return Response.ok(role.getPermissions()).build(); + } + catch (BasicSecurityDBResourceException e) { + return makeResponseForBasicSecurityDBResourceException(e); + } + } } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/DefaultBasicAuthorizerResourceHandler.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/DefaultBasicAuthorizerResourceHandler.java index e6c663bce562..4e57d62eb377 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/DefaultBasicAuthorizerResourceHandler.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/DefaultBasicAuthorizerResourceHandler.java @@ -25,6 +25,7 @@ import org.apache.druid.java.util.common.logger.Logger; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; import org.apache.druid.security.basic.authorization.db.cache.BasicAuthorizerCacheManager; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.server.security.Authorizer; import org.apache.druid.server.security.AuthorizerMapper; import org.apache.druid.server.security.ResourceAction; @@ -69,24 +70,49 @@ public Response getAllUsers(String authorizerName) return NOT_FOUND_RESPONSE; } + @Override + public Response getAllGroupMappings(String authorizerName) + { + return NOT_FOUND_RESPONSE; + } + + @Override public Response getUser(String authorizerName, String userName, boolean isFull, boolean simplifyPermissions) { return NOT_FOUND_RESPONSE; } + @Override + public Response getGroupMapping(String authorizerName, String groupMappingName, boolean isFull) + { + return NOT_FOUND_RESPONSE; + } + @Override public Response createUser(String authorizerName, String userName) { return NOT_FOUND_RESPONSE; } + @Override + public Response createGroupMapping(String authorizerName, BasicAuthorizerGroupMapping groupMapping) + { + return NOT_FOUND_RESPONSE; + } + @Override public Response deleteUser(String authorizerName, String userName) { return NOT_FOUND_RESPONSE; } + @Override + public Response deleteGroupMapping(String authorizerName, String groupMappingName) + { + return NOT_FOUND_RESPONSE; + } + @Override public Response getAllRoles(String authorizerName) { @@ -117,12 +143,24 @@ public Response assignRoleToUser(String authorizerName, String userName, String return NOT_FOUND_RESPONSE; } + @Override + public Response assignRoleToGroupMapping(String authorizerName, String groupMappingName, String roleName) + { + return NOT_FOUND_RESPONSE; + } + @Override public Response unassignRoleFromUser(String authorizerName, String userName, String roleName) { return NOT_FOUND_RESPONSE; } + @Override + public Response unassignRoleFromGroupMapping(String authorizerName, String groupMappingName, String roleName) + { + return NOT_FOUND_RESPONSE; + } + @Override public Response setRolePermissions(String authorizerName, String roleName, List permissions) { @@ -130,7 +168,19 @@ public Response setRolePermissions(String authorizerName, String roleName, List< } @Override - public Response getCachedMaps(String authorizerName) + public Response getRolePermissions(String authorizerName, String roleName) + { + return NOT_FOUND_RESPONSE; + } + + @Override + public Response getCachedUserMaps(String authorizerName) + { + return NOT_FOUND_RESPONSE; + } + + @Override + public Response getCachedGroupMappingMaps(String authorizerName) { return NOT_FOUND_RESPONSE; } @@ -142,7 +192,26 @@ public Response refreshAll() } @Override - public Response authorizerUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap) + public Response authorizerUserUpdateListener(String authorizerName, byte[] serializedUserAndRoleMap) + { + final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); + if (authorizer == null) { + String errMsg = StringUtils.format("Received update for unknown authorizer[%s]", authorizerName); + log.error(errMsg); + return Response.status(Response.Status.BAD_REQUEST) + .entity(ImmutableMap.of( + "error", + StringUtils.format(errMsg) + )) + .build(); + } + + cacheManager.handleAuthorizerUserUpdate(authorizerName, serializedUserAndRoleMap); + return Response.ok().build(); + } + + @Override + public Response authorizerGroupMappingUpdateListener(String authorizerName, byte[] serializedGroupMappingAndRoleMap) { final BasicRoleBasedAuthorizer authorizer = authorizerMap.get(authorizerName); if (authorizer == null) { @@ -156,7 +225,7 @@ public Response authorizerUpdateListener(String authorizerName, byte[] serialize .build(); } - cacheManager.handleAuthorizerUpdate(authorizerName, serializedUserAndRoleMap); + cacheManager.handleAuthorizerGroupMappingUpdate(authorizerName, serializedGroupMappingAndRoleMap); return Response.ok().build(); } @@ -166,7 +235,10 @@ public Response getLoadStatus() Map loadStatus = new HashMap<>(); authorizerMap.forEach( (authorizerName, authorizer) -> { - loadStatus.put(authorizerName, cacheManager.getUserMap(authorizerName) != null); + loadStatus.put(authorizerName, cacheManager.getUserMap(authorizerName) != null && + cacheManager.getRoleMap(authorizerName) != null && + cacheManager.getGroupMappingMap(authorizerName) != null && + cacheManager.getGroupMappingRoleMap(authorizerName) != null); } ); return Response.ok(loadStatus).build(); diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMapping.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMapping.java new file mode 100644 index 000000000000..9c036ce6005b --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMapping.java @@ -0,0 +1,97 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization.entity; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.HashSet; +import java.util.Set; + +public class BasicAuthorizerGroupMapping +{ + private final String name; + private final String groupPattern; + private final Set roles; + + @JsonCreator + public BasicAuthorizerGroupMapping( + @JsonProperty("name") String name, + @JsonProperty("groupPattern") String groupPattern, + @JsonProperty("roles") Set roles + ) + { + this.name = name; + this.groupPattern = groupPattern; + this.roles = roles == null ? new HashSet<>() : roles; + } + + @JsonProperty + public String getName() + { + return name; + } + + @JsonProperty + public String getGroupPattern() + { + return groupPattern; + } + + @JsonProperty + public Set getRoles() + { + return roles; + } + + @Override + public boolean equals(Object o) + { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + + BasicAuthorizerGroupMapping that = (BasicAuthorizerGroupMapping) o; + + if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) { + return false; + } + + if (getGroupPattern() != null ? !getGroupPattern().equals(that.getGroupPattern()) : that.getGroupPattern() != null) { + return false; + } + + return getRoles() != null ? getRoles().equals(that.getRoles()) : that.getRoles() == null; + + } + + @Override + public int hashCode() + { + int result = getName() != null ? getName().hashCode() : 0; + result = 31 * result + + (getGroupPattern() != null ? getGroupPattern().hashCode() : 0) + + (getRoles() != null ? getRoles().hashCode() : 0); + return result; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingFull.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingFull.java new file mode 100644 index 000000000000..2c5896e4e62f --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingFull.java @@ -0,0 +1,96 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization.entity; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.HashSet; +import java.util.Set; + +public class BasicAuthorizerGroupMappingFull +{ + private final String name; + private final String groupPattern; + private final Set roles; + + @JsonCreator + public BasicAuthorizerGroupMappingFull( + @JsonProperty("name") String name, + @JsonProperty("groupPattern") String groupPattern, + @JsonProperty("roles") Set roles + ) + { + this.name = name; + this.groupPattern = groupPattern; + this.roles = roles == null ? new HashSet<>() : roles; + } + + @JsonProperty + public String getName() + { + return name; + } + + private String getGroupPattern() + { + return groupPattern; + } + + @JsonProperty + public Set getRoles() + { + return roles; + } + + @Override + public boolean equals(Object o) + { + if (this == o) { + return true; + } + if (o == null || getClass() != o.getClass()) { + return false; + } + + BasicAuthorizerGroupMappingFull that = (BasicAuthorizerGroupMappingFull) o; + + if (getName() != null ? !getName().equals(that.getName()) : that.getName() != null) { + return false; + } + + if (getGroupPattern() != null ? !getGroupPattern().equals(that.getGroupPattern()) : that.getGroupPattern() != null) { + return false; + } + + return getRoles() != null ? getRoles().equals(that.getRoles()) : that.getRoles() == null; + + } + + @Override + public int hashCode() + { + int result = getName() != null ? getName().hashCode() : 0; + result = 31 * result + + (getGroupPattern() != null ? getGroupPattern().hashCode() : 0) + + (getRoles() != null ? getRoles().hashCode() : 0); + return result; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingMapBundle.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingMapBundle.java new file mode 100644 index 000000000000..71af4bab678d --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerGroupMappingMapBundle.java @@ -0,0 +1,53 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization.entity; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Map; + +public class BasicAuthorizerGroupMappingMapBundle +{ + private final Map groupMappingMap; + private final byte[] serializedGroupMappingMap; + + @JsonCreator + public BasicAuthorizerGroupMappingMapBundle( + @JsonProperty("groupMappingMap") Map groupMappingMap, + @JsonProperty("serializedGroupMappingMap") byte[] serializedGroupMappingMap + ) + { + this.groupMappingMap = groupMappingMap; + this.serializedGroupMappingMap = serializedGroupMappingMap; + } + + @JsonProperty + public Map getGroupMappingMap() + { + return groupMappingMap; + } + + @JsonProperty + public byte[] getSerializedGroupMappingMap() + { + return serializedGroupMappingMap; + } +} diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java index 87ace84b08c7..8efddac96f42 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerPermission.java @@ -44,7 +44,7 @@ public BasicAuthorizerPermission( this.resourceNamePattern = resourceNamePattern; } - public BasicAuthorizerPermission( + private BasicAuthorizerPermission( ResourceAction resourceAction ) { diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRoleFull.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRoleFull.java index 178682981af6..ad8403ef6407 100644 --- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRoleFull.java +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/BasicAuthorizerRoleFull.java @@ -34,17 +34,20 @@ public class BasicAuthorizerRoleFull { private final String name; private final Set users; + private final Set groups; private final List permissions; @JsonCreator public BasicAuthorizerRoleFull( @JsonProperty("name") String name, @JsonProperty("users") Set users, + @JsonProperty("groups") Set groups, @JsonProperty("permissions") List permissions ) { this.name = name; this.users = users; + this.groups = groups; this.permissions = permissions == null ? new ArrayList<>() : permissions; } @@ -66,6 +69,12 @@ public Set getUsers() return users; } + @JsonProperty + public Set getGroups() + { + return groups; + } + @Override public boolean equals(Object o) { @@ -84,6 +93,9 @@ public boolean equals(Object o) if (getUsers() != null ? !getUsers().equals(that.getUsers()) : that.getUsers() != null) { return false; } + if (getGroups() != null ? !getGroups().equals(that.getGroups()) : that.getGroups() != null) { + return false; + } return getPermissions() != null ? getPermissions().equals(that.getPermissions()) : that.getPermissions() == null; } @@ -93,6 +105,7 @@ public int hashCode() { int result = getName() != null ? getName().hashCode() : 0; result = 31 * result + (getUsers() != null ? getUsers().hashCode() : 0); + result = 31 * result + (getGroups() != null ? getGroups().hashCode() : 0); result = 31 * result + (getPermissions() != null ? getPermissions().hashCode() : 0); return result; } diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/GroupMappingAndRoleMap.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/GroupMappingAndRoleMap.java new file mode 100644 index 000000000000..1ac9f65190da --- /dev/null +++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/entity/GroupMappingAndRoleMap.java @@ -0,0 +1,56 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.basic.authorization.entity; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; + +import java.util.Map; + +public class GroupMappingAndRoleMap +{ + @JsonProperty + private Map groupMappingMap; + + @JsonProperty + private Map roleMap; + + @JsonCreator + public GroupMappingAndRoleMap( + @JsonProperty("groupMappingMap") Map groupMappingMap, + @JsonProperty("roleMap") Map roleMap + ) + { + this.groupMappingMap = groupMappingMap; + this.roleMap = roleMap; + } + + @JsonProperty + public Map getGroupMappingMap() + { + return groupMappingMap; + } + + @JsonProperty + public Map getRoleMap() + { + return roleMap; + } +} diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java index 07134973e09d..52c6356d0bf4 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java @@ -24,11 +24,13 @@ import com.google.inject.util.Providers; import org.apache.druid.java.util.common.StringUtils; import org.apache.druid.metadata.DefaultPasswordProvider; +import org.apache.druid.security.basic.BasicSecurityAuthenticationException; import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator; import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate; import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser; +import org.apache.druid.security.basic.authentication.validator.CredentialsValidator; import org.apache.druid.server.security.AuthConfig; import org.apache.druid.server.security.AuthenticationResult; import org.easymock.EasyMock; @@ -52,7 +54,7 @@ public class BasicHTTPAuthenticatorTest new BasicAuthenticatorCacheManager() { @Override - public void handleAuthenticatorUpdate(String authenticatorPrefix, byte[] serializedUserMap) + public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap) { } @@ -74,10 +76,12 @@ public Map getUserMap(String authenticatorPrefix new DefaultPasswordProvider("a"), new DefaultPasswordProvider("a"), false, - null, + null, null, + false, null ); + @Test public void testGoodPassword() throws IOException, ServletException { @@ -107,6 +111,58 @@ public void testGoodPassword() throws IOException, ServletException EasyMock.verify(req, resp, filterChain); } + @Test + public void testGoodPasswordWithValidator() throws IOException, ServletException + { + CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class); + BasicHTTPAuthenticator authenticatorWithValidator = new BasicHTTPAuthenticator( + CACHE_MANAGER_PROVIDER, + "basic", + "basic", + null, + null, + false, + null, null, + false, + validator + ); + + String header = StringUtils.utf8Base64("userA:helloworld"); + header = StringUtils.format("Basic %s", header); + + EasyMock + .expect( + validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userA"), EasyMock.aryEq("helloworld".toCharArray())) + ) + .andReturn( + new AuthenticationResult("userA", "basic", "basic", null) + ) + .times(1); + EasyMock.replay(validator); + + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getHeader("Authorization")).andReturn(header); + req.setAttribute( + AuthConfig.DRUID_AUTHENTICATION_RESULT, + new AuthenticationResult("userA", "basic", "basic", null) + ); + EasyMock.expectLastCall().times(1); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + FilterChain filterChain = EasyMock.createMock(FilterChain.class); + filterChain.doFilter(req, resp); + EasyMock.expectLastCall().times(1); + EasyMock.replay(filterChain); + + Filter authenticatorFilter = authenticatorWithValidator.getFilter(); + authenticatorFilter.doFilter(req, resp, filterChain); + + EasyMock.verify(req, resp, validator, filterChain); + } + @Test public void testBadPassword() throws IOException, ServletException { @@ -118,7 +174,7 @@ public void testBadPassword() throws IOException, ServletException EasyMock.replay(req); HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); - resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); + resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User authentication failed username[userA]."); EasyMock.expectLastCall().times(1); EasyMock.replay(resp); @@ -131,6 +187,53 @@ public void testBadPassword() throws IOException, ServletException EasyMock.verify(req, resp, filterChain); } + @Test + public void testBadPasswordWithSkipOnFailureValidator() throws IOException, ServletException + { + CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class); + BasicHTTPAuthenticator authenticatorWithValidator = new BasicHTTPAuthenticator( + CACHE_MANAGER_PROVIDER, + "basic", + "basic", + null, + null, + false, + null, null, + true, + validator + ); + String header = StringUtils.utf8Base64("userA:badpassword"); + header = StringUtils.format("Basic %s", header); + + EasyMock + .expect( + validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userA"), EasyMock.aryEq("badpassword".toCharArray())) + ) + .andThrow( + new BasicSecurityAuthenticationException("User authentication failed username[%s].", "userA") + ) + .times(1); + EasyMock.replay(validator); + + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getHeader("Authorization")).andReturn(header); + EasyMock.replay(req); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User authentication failed username[userA]."); + EasyMock.expectLastCall().times(1); + EasyMock.replay(resp); + + // Authentication filter should not move on to the next filter in the chain + FilterChain filterChain = EasyMock.createMock(FilterChain.class); + EasyMock.replay(filterChain); + + Filter authenticatorFilter = authenticatorWithValidator.getFilter(); + authenticatorFilter.doFilter(req, resp, filterChain); + + EasyMock.verify(req, resp, validator, filterChain); + } + @Test public void testUnknownUser() throws IOException, ServletException { @@ -155,6 +258,51 @@ public void testUnknownUser() throws IOException, ServletException EasyMock.verify(req, resp, filterChain); } + @Test + public void testUnknownUserWithSkipOnFailure() throws IOException, ServletException + { + CredentialsValidator validator = EasyMock.createMock(CredentialsValidator.class); + BasicHTTPAuthenticator authenticatorWithSkipOnFailure = new BasicHTTPAuthenticator( + CACHE_MANAGER_PROVIDER, + "basic", + "basic", + null, + null, + false, + null, null, + true, + validator + ); + String header = StringUtils.utf8Base64("userB:helloworld"); + header = StringUtils.format("Basic %s", header); + + HttpServletRequest req = EasyMock.createMock(HttpServletRequest.class); + EasyMock.expect(req.getHeader("Authorization")).andReturn(header); + EasyMock.replay(req); + + EasyMock + .expect( + validator.validateCredentials(EasyMock.eq("basic"), EasyMock.eq("basic"), EasyMock.eq("userB"), EasyMock.aryEq("helloworld".toCharArray())) + ) + .andReturn(null) + .times(1); + EasyMock.replay(validator); + + HttpServletResponse resp = EasyMock.createMock(HttpServletResponse.class); + EasyMock.replay(resp); + + // Authentication filter should move on to the next filter in the chain without sending a response + FilterChain filterChain = EasyMock.createMock(FilterChain.class); + filterChain.doFilter(req, resp); + EasyMock.expectLastCall().times(1); + EasyMock.replay(filterChain); + + Filter authenticatorFilter = authenticatorWithSkipOnFailure.getFilter(); + authenticatorFilter.doFilter(req, resp, filterChain); + + EasyMock.verify(req, resp, validator, filterChain); + } + @Test public void testRecognizedButMalformedBasicAuthHeader() throws IOException, ServletException { diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest.java index de566573a311..256a415597cc 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest.java @@ -45,14 +45,13 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest { private static final String AUTHENTICATOR_NAME = "test"; + @Rule public ExpectedException expectedException = ExpectedException.none(); @Rule public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule(); - private TestDerbyConnector connector; - private MetadataStorageTablesConfig tablesConfig; private CoordinatorBasicAuthenticatorMetadataStorageUpdater updater; private ObjectMapper objectMapper; @@ -60,10 +59,9 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdaterTest public void setUp() { objectMapper = new ObjectMapper(new SmileFactory()); - connector = derbyConnectorRule.getConnector(); - tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); + TestDerbyConnector connector = derbyConnectorRule.getConnector(); + MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); connector.createConfigTable(); - updater = new CoordinatorBasicAuthenticatorMetadataStorageUpdater( new AuthenticatorMapper( ImmutableMap.of( @@ -76,6 +74,8 @@ public void setUp() null, null, null, + null, + false, null ) ) @@ -100,16 +100,24 @@ public void tearDown() @Test public void createUser() { - updater.createUser(AUTHENTICATOR_NAME, "druid"); Map expectedUserMap = ImmutableMap.of( "druid", new BasicAuthenticatorUser("druid", null) ); + byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap); + + updater.createUser(AUTHENTICATOR_NAME, "druid"); + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME)); + Map actualUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap( objectMapper, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME) ); Assert.assertEquals(expectedUserMap, actualUserMap); + // Validate cache user map methods + Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME)); + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME)); + // create duplicate should fail expectedException.expect(BasicSecurityDBResourceException.class); expectedException.expectMessage("User [druid] already exists."); @@ -119,15 +127,24 @@ public void createUser() @Test public void deleteUser() { + Map expectedUserMap = ImmutableMap.of(); + byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap); + updater.createUser(AUTHENTICATOR_NAME, "druid"); updater.deleteUser(AUTHENTICATOR_NAME, "druid"); - Map expectedUserMap = ImmutableMap.of(); + + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME)); + Map actualUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap( objectMapper, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME) ); Assert.assertEquals(expectedUserMap, actualUserMap); + // Validate cache user map methods + Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME)); + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME)); + // delete non-existent user should fail expectedException.expect(BasicSecurityDBResourceException.class); expectedException.expectMessage("User [druid] does not exist."); @@ -153,6 +170,14 @@ public void setCredentials() ); Assert.assertArrayEquals(credentials.getHash(), recalculatedHash); - } + // Validate cache user map methods + Map expectedUserMap = ImmutableMap.of( + "druid", new BasicAuthenticatorUser("druid", credentials) + ); + byte[] expectedSerializeUserMap = BasicAuthUtils.serializeAuthenticatorUserMap(objectMapper, expectedUserMap); + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCurrentUserMapBytes(AUTHENTICATOR_NAME)); + Assert.assertEquals(expectedUserMap, updater.getCachedUserMap(AUTHENTICATOR_NAME)); + Assert.assertArrayEquals(expectedSerializeUserMap, updater.getCachedSerializedUserMap(AUTHENTICATOR_NAME)); + } } diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java index dff71e376de0..cce1b2402c7a 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java @@ -53,6 +53,7 @@ public class CoordinatorBasicAuthenticatorResourceTest { private static final String AUTHENTICATOR_NAME = "test"; private static final String AUTHENTICATOR_NAME2 = "test2"; + private static final String AUTHENTICATOR_NAME_LDAP = "testLdap"; @Rule public ExpectedException expectedException = ExpectedException.none(); @@ -60,19 +61,19 @@ public class CoordinatorBasicAuthenticatorResourceTest @Rule public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule(); - private TestDerbyConnector connector; - private MetadataStorageTablesConfig tablesConfig; private BasicAuthenticatorResource resource; private CoordinatorBasicAuthenticatorMetadataStorageUpdater storageUpdater; private HttpServletRequest req; + private ObjectMapper objectMapper; @Before public void setUp() { req = EasyMock.createStrictMock(HttpServletRequest.class); - connector = derbyConnectorRule.getConnector(); - tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); + objectMapper = new ObjectMapper(new SmileFactory()); + TestDerbyConnector connector = derbyConnectorRule.getConnector(); + MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); connector.createConfigTable(); ObjectMapper objectMapper = new ObjectMapper(new SmileFactory()); @@ -83,22 +84,39 @@ public void setUp() new BasicHTTPAuthenticator( null, AUTHENTICATOR_NAME, - "test", + null, new DefaultPasswordProvider("druid"), new DefaultPasswordProvider("druid"), null, null, + null, + false, null ), AUTHENTICATOR_NAME2, new BasicHTTPAuthenticator( null, AUTHENTICATOR_NAME2, - "test", + null, + new DefaultPasswordProvider("druid"), + new DefaultPasswordProvider("druid"), + null, + null, + null, + false, + null + ), + AUTHENTICATOR_NAME_LDAP, + new BasicHTTPAuthenticator( + null, + AUTHENTICATOR_NAME2, + null, new DefaultPasswordProvider("druid"), new DefaultPasswordProvider("druid"), null, null, + null, + false, null ) ) @@ -164,10 +182,26 @@ public void testGetAllUsers() response = resource.getAllUsers(req, AUTHENTICATOR_NAME); Assert.assertEquals(200, response.getStatus()); Assert.assertEquals(expectedUsers, response.getEntity()); + + // Verify cached user map is also getting updated + response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertTrue(response.getEntity() instanceof byte[]); + Map cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity()); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get("druid")); + Assert.assertEquals(cachedUserMap.get("druid").getName(), "druid"); + Assert.assertNotNull(cachedUserMap.get("druid2")); + Assert.assertEquals(cachedUserMap.get("druid2").getName(), "druid2"); + Assert.assertNotNull(cachedUserMap.get("druid3")); + Assert.assertEquals(cachedUserMap.get("druid3").getName(), "druid3"); } @Test - public void testSeparateDatabaseTables() + public void testGetAllUsersSeparateDatabaseTables() { Response response = resource.getAllUsers(req, AUTHENTICATOR_NAME); Assert.assertEquals(200, response.getStatus()); @@ -201,9 +235,43 @@ public void testSeparateDatabaseTables() Assert.assertEquals(200, response.getStatus()); Assert.assertEquals(expectedUsers, response.getEntity()); + // Verify cached user map for AUTHENTICATOR_NAME authenticator is also getting updated + response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertTrue(response.getEntity() instanceof byte[]); + + Map cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity()); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get("druid")); + Assert.assertEquals(cachedUserMap.get("druid").getName(), "druid"); + Assert.assertNotNull(cachedUserMap.get("druid2")); + Assert.assertEquals(cachedUserMap.get("druid2").getName(), "druid2"); + Assert.assertNotNull(cachedUserMap.get("druid3")); + Assert.assertEquals(cachedUserMap.get("druid3").getName(), "druid3"); + response = resource.getAllUsers(req, AUTHENTICATOR_NAME2); Assert.assertEquals(200, response.getStatus()); Assert.assertEquals(expectedUsers2, response.getEntity()); + + // Verify cached user map for each AUTHENTICATOR_NAME2 is also getting updated + response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME2); + Assert.assertEquals(200, response.getStatus()); + Assert.assertTrue(response.getEntity() instanceof byte[]); + + cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity()); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get(BasicAuthUtils.INTERNAL_USER_NAME)); + Assert.assertEquals(cachedUserMap.get(BasicAuthUtils.ADMIN_NAME).getName(), BasicAuthUtils.ADMIN_NAME); + Assert.assertNotNull(cachedUserMap.get("druid4")); + Assert.assertEquals(cachedUserMap.get("druid4").getName(), "druid4"); + Assert.assertNotNull(cachedUserMap.get("druid5")); + Assert.assertEquals(cachedUserMap.get("druid5").getName(), "druid5"); + Assert.assertNotNull(cachedUserMap.get("druid6")); + Assert.assertEquals(cachedUserMap.get("druid6").getName(), "druid6"); } @Test @@ -220,6 +288,13 @@ public void testCreateDeleteUser() response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid"); Assert.assertEquals(200, response.getStatus()); + response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertTrue(response.getEntity() instanceof byte[]); + Map cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity()); + Assert.assertNotNull(cachedUserMap); + Assert.assertNull(cachedUserMap.get("druid")); + response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid"); Assert.assertEquals(400, response.getStatus()); Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity()); @@ -263,6 +338,29 @@ public void testUserCredentials() ); Assert.assertArrayEquals(recalculatedHash, hash); + response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertTrue(response.getEntity() instanceof byte[]); + Map cachedUserMap = BasicAuthUtils.deserializeAuthenticatorUserMap(objectMapper, (byte[]) response.getEntity()); + Assert.assertNotNull(cachedUserMap); + Assert.assertNotNull(cachedUserMap.get("druid")); + Assert.assertEquals("druid", cachedUserMap.get("druid").getName()); + BasicAuthenticatorCredentials cachedUserCredentials = cachedUserMap.get("druid").getCredentials(); + + salt = cachedUserCredentials.getSalt(); + hash = cachedUserCredentials.getHash(); + iterations = cachedUserCredentials.getIterations(); + Assert.assertEquals(BasicAuthUtils.SALT_LENGTH, salt.length); + Assert.assertEquals(BasicAuthUtils.KEY_LENGTH / 8, hash.length); + Assert.assertEquals(BasicAuthUtils.DEFAULT_KEY_ITERATIONS, iterations); + + recalculatedHash = BasicAuthUtils.hashPassword( + "helloworld".toCharArray(), + salt, + iterations + ); + Assert.assertArrayEquals(recalculatedHash, hash); + response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid"); Assert.assertEquals(200, response.getStatus()); @@ -284,5 +382,4 @@ private static Map errorMapWithMsg(String errorMsg) { return ImmutableMap.of("error", errorMsg); } - } diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/NoopBasicAuthenticatorCacheNotifier.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/NoopBasicAuthenticatorCacheNotifier.java index 7c03264bf4c0..2c064f596342 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/NoopBasicAuthenticatorCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/NoopBasicAuthenticatorCacheNotifier.java @@ -24,8 +24,8 @@ public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier { @Override - public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) + public void addUserUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) { - + // Do nothing as this is a noop implementation } } diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java new file mode 100644 index 000000000000..b8e49426ce9d --- /dev/null +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/validator/DBCredentialsValidatorTest.java @@ -0,0 +1,149 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, + * software distributed under the License is distributed on an + * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + * KIND, either express or implied. See the License for the + * specific language governing permissions and limitations + * under the License. + */ + +package org.apache.druid.security.authentication.validator; + +import com.google.common.collect.ImmutableMap; +import com.google.inject.Provider; +import com.google.inject.util.Providers; +import org.apache.druid.java.util.common.IAE; +import org.apache.druid.security.basic.BasicSecurityAuthenticationException; +import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentials; +import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorUser; +import org.apache.druid.security.basic.authentication.validator.MetadataStoreCredentialsValidator; +import org.apache.druid.server.security.AuthenticationResult; +import org.easymock.EasyMock; +import org.junit.Assert; +import org.junit.Rule; +import org.junit.Test; +import org.junit.rules.ExpectedException; + +import java.util.Map; + +public class DBCredentialsValidatorTest +{ + + @Rule + public ExpectedException expectedException = ExpectedException.none(); + + private static BasicAuthenticatorCredentials USER_A_CREDENTIALS = new BasicAuthenticatorCredentials( + new BasicAuthenticatorCredentialUpdate("helloworld", 20) + ); + + private static Provider CACHE_MANAGER_PROVIDER = Providers.of( + new BasicAuthenticatorCacheManager() + { + @Override + public void handleAuthenticatorUserMapUpdate(String authenticatorPrefix, byte[] serializedUserMap) + { + + } + + @Override + public Map getUserMap(String authenticatorPrefix) + { + return ImmutableMap.of( + "userA", new BasicAuthenticatorUser("userA", USER_A_CREDENTIALS), + "userB", new BasicAuthenticatorUser("userB", null) + ); + } + } + ); + + private static MetadataStoreCredentialsValidator validator = new MetadataStoreCredentialsValidator(CACHE_MANAGER_PROVIDER); + + + + @Test + public void validateBadAuthenticator() + { + String authenticatorName = "notbasic"; + String authorizerName = "basic"; + String username = "userA"; + String password = "helloworld"; + + BasicAuthenticatorCacheManager cacheManager = EasyMock.createMock(BasicAuthenticatorCacheManager.class); + EasyMock.expect(cacheManager.getUserMap(authenticatorName)).andReturn(null).times(1); + EasyMock.replay(cacheManager); + + MetadataStoreCredentialsValidator validator = new MetadataStoreCredentialsValidator(Providers.of(cacheManager)); + + expectedException.expect(IAE.class); + expectedException.expectMessage("No userMap is available for authenticator with prefix: [notbasic]"); + validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray()); + + EasyMock.verify(cacheManager); + } + + @Test + public void validateMissingCredentials() + { + String authenticatorName = "basic"; + String authorizerName = "basic"; + String username = "userB"; + String password = "helloworld"; + + AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray()); + Assert.assertNull(result); + } + + @Test + public void validateMissingUser() + { + String authenticatorName = "basic"; + String authorizerName = "basic"; + String username = "userC"; + String password = "helloworld"; + + AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray()); + Assert.assertNull(result); + } + + @Test + public void validateGoodCredentials() + { + String authenticatorName = "basic"; + String authorizerName = "basic"; + String username = "userA"; + String password = "helloworld"; + + AuthenticationResult result = validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray()); + + Assert.assertNotNull(result); + Assert.assertEquals(username, result.getIdentity()); + Assert.assertEquals(authenticatorName, result.getAuthenticatedBy()); + Assert.assertEquals(authorizerName, result.getAuthorizerName()); + Assert.assertNull(result.getContext()); + } + + @Test + public void validateBadCredentials() + { + String authenticatorName = "basic"; + String authorizerName = "basic"; + String username = "userA"; + String password = "badpassword"; + + expectedException.expect(BasicSecurityAuthenticationException.class); + expectedException.expectMessage("User metadata store authentication failed username[userA]."); + validator.validateCredentials(authenticatorName, authorizerName, username, password.toCharArray()); + } +} diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/BasicRoleBasedAuthorizerTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/BasicRoleBasedAuthorizerTest.java index 53ef10bf74d2..acdb0ab9dd5b 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/BasicRoleBasedAuthorizerTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/BasicRoleBasedAuthorizerTest.java @@ -25,9 +25,13 @@ import org.apache.druid.metadata.MetadataStorageTablesConfig; import org.apache.druid.metadata.TestDerbyConnector; import org.apache.druid.security.basic.BasicAuthCommonCacheConfig; +import org.apache.druid.security.basic.BasicAuthUtils; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; +import org.apache.druid.security.basic.authorization.LDAPRoleProvider; +import org.apache.druid.security.basic.authorization.MetadataStoreRoleProvider; import org.apache.druid.security.basic.authorization.db.cache.MetadataStoragePollingBasicAuthorizerCacheManager; import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.server.security.Access; import org.apache.druid.server.security.Action; import org.apache.druid.server.security.AuthenticationResult; @@ -41,37 +45,75 @@ import org.junit.Rule; import org.junit.Test; +import javax.naming.directory.BasicAttribute; +import javax.naming.directory.BasicAttributes; +import javax.naming.directory.SearchResult; +import java.util.Arrays; import java.util.Collections; +import java.util.HashMap; import java.util.List; +import java.util.Map; public class BasicRoleBasedAuthorizerTest { - private static final String AUTHORIZER_NAME = "test"; + private static final String DB_AUTHORIZER_NAME = "metadata"; + private static final String LDAP_AUTHORIZER_NAME = "ldap"; @Rule public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule(); private BasicRoleBasedAuthorizer authorizer; - private TestDerbyConnector connector; - private MetadataStorageTablesConfig tablesConfig; + private BasicRoleBasedAuthorizer ldapAuthorizer; + private CoordinatorBasicAuthorizerMetadataStorageUpdater updater; + private String[] groupFilters = { + "*,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", + "*,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org" + }; + + private SearchResult userSearchResult; + private SearchResult adminSearchResult; @Before public void setUp() { - connector = derbyConnectorRule.getConnector(); - tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); + TestDerbyConnector connector = derbyConnectorRule.getConnector(); + MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); connector.createConfigTable(); + BasicAttributes userAttrs = new BasicAttributes(true); + userAttrs.put(new BasicAttribute("sAMAccountName", "druiduser")); + userAttrs.put(new BasicAttribute("memberOf", "CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org")); + + BasicAttributes adminAttrs = new BasicAttributes(true); + adminAttrs.put(new BasicAttribute("sAMAccountName", "druidadmin")); + adminAttrs.put(new BasicAttribute("memberOf", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org")); + + userSearchResult = new SearchResult("CN=1234,OU=Employees,OU=People", null, userAttrs); + adminSearchResult = new SearchResult("CN=9876,OU=Employees,OU=People", null, adminAttrs); + updater = new CoordinatorBasicAuthorizerMetadataStorageUpdater( new AuthorizerMapper( ImmutableMap.of( - AUTHORIZER_NAME, + DB_AUTHORIZER_NAME, new BasicRoleBasedAuthorizer( null, - AUTHORIZER_NAME, + DB_AUTHORIZER_NAME, + null, + null, + null, null, + null, + new MetadataStoreRoleProvider(null) + ), + LDAP_AUTHORIZER_NAME, + new BasicRoleBasedAuthorizer( + null, + LDAP_AUTHORIZER_NAME, + null, null, - null + null, null, + null, + new LDAPRoleProvider(null, groupFilters) ) ) ), @@ -86,12 +128,23 @@ public void setUp() updater.start(); authorizer = new BasicRoleBasedAuthorizer( - new MetadataStoragePollingBasicAuthorizerCacheManager( - updater - ), - AUTHORIZER_NAME, null, - null + DB_AUTHORIZER_NAME, + null, + null, + null, null, + null, + new MetadataStoreRoleProvider(new MetadataStoragePollingBasicAuthorizerCacheManager(updater)) + ); + + ldapAuthorizer = new BasicRoleBasedAuthorizer( + null, + LDAP_AUTHORIZER_NAME, + null, + null, + null, null, + null, + new LDAPRoleProvider(new MetadataStoragePollingBasicAuthorizerCacheManager(updater), groupFilters) ); } @@ -103,15 +156,15 @@ public void tearDown() @Test public void testAuth() { - updater.createUser(AUTHORIZER_NAME, "druid"); - updater.createRole(AUTHORIZER_NAME, "druidRole"); - updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.createUser(DB_AUTHORIZER_NAME, "druid"); + updater.createRole(DB_AUTHORIZER_NAME, "druidRole"); + updater.assignUserRole(DB_AUTHORIZER_NAME, "druid", "druidRole"); List permissions = Collections.singletonList( new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE) ); - updater.setPermissions(AUTHORIZER_NAME, "druidRole", permissions); + updater.setPermissions(DB_AUTHORIZER_NAME, "druidRole", permissions); AuthenticationResult authenticationResult = new AuthenticationResult("druid", "druid", null, null); @@ -129,4 +182,242 @@ public void testAuth() ); Assert.assertFalse(access.isAllowed()); } + + @Test + public void testAuthGroupMapping() + { + BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + + List permissions = Collections.singletonList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE) + ); + + updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions); + + Map contexMap = new HashMap<>(); + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult); + + AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap); + + Access access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + } + @Test + public void testAuthGroupMappingPatternRightMask() + { + //Admin + BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "CN=admin,*", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole"); + List adminPermissions = Arrays.asList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ) + ); + updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions); + + //User + BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "CN=user,*", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole"); + + List userPermissions = Collections.singletonList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ) + ); + + updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions); + + Map contexMap = new HashMap<>(); + + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult); + AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap); + + Access access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + contexMap = new HashMap<>(); + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult); + authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertFalse(access.isAllowed()); + } + + @Test + public void testAuthGroupMappingPatternLeftMask() + { + //Admin + BasicAuthorizerGroupMapping adminGrroupMapping = new BasicAuthorizerGroupMapping("adminGrroupMapping", "*,CN=admin,OU=Platform,OU=Groupings,DC=corp,DC=apache,DC=org", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, adminGrroupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "adminDruidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "adminGrroupMapping", "adminDruidRole"); + List adminPermissions = Arrays.asList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ) + ); + updater.setPermissions(LDAP_AUTHORIZER_NAME, "adminDruidRole", adminPermissions); + + //User + BasicAuthorizerGroupMapping userGrroupMapping = new BasicAuthorizerGroupMapping("userGrroupMapping", "*,CN=user,OU=Druid,OU=Application,OU=Groupings,DC=corp,DC=apache,DC=org", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, userGrroupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "userDruidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "userGrroupMapping", "userDruidRole"); + + List userPermissions = Collections.singletonList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ) + ); + + updater.setPermissions(LDAP_AUTHORIZER_NAME, "userDruidRole", userPermissions); + + Map contexMap = new HashMap<>(); + + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, adminSearchResult); + AuthenticationResult authenticationResult = new AuthenticationResult("druidadmin", "druid", null, contexMap); + + Access access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + contexMap = new HashMap<>(); + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult); + authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertTrue(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertFalse(access.isAllowed()); + } + + @Test + public void testAuthMissingGroupMapping() + { + BasicAuthorizerGroupMapping groupMapping = new BasicAuthorizerGroupMapping("druidGroupMapping", "CN=unknown,*", null); + updater.createGroupMapping(LDAP_AUTHORIZER_NAME, groupMapping); + updater.createRole(LDAP_AUTHORIZER_NAME, "druidRole"); + updater.assignGroupMappingRole(LDAP_AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + + List permissions = Arrays.asList( + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.WRITE), + new ResourceAction(new Resource("testResource", ResourceType.DATASOURCE), Action.READ) + ); + + updater.setPermissions(LDAP_AUTHORIZER_NAME, "druidRole", permissions); + + Map contexMap = new HashMap<>(); + contexMap.put(BasicAuthUtils.SEARCH_RESULT_CONTEXT_KEY, userSearchResult); + + AuthenticationResult authenticationResult = new AuthenticationResult("druiduser", "druid", null, contexMap); + + Access access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("testResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertFalse(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.WRITE + ); + Assert.assertFalse(access.isAllowed()); + + access = ldapAuthorizer.authorize( + authenticationResult, + new Resource("wrongResource", ResourceType.DATASOURCE), + Action.READ + ); + Assert.assertFalse(access.isAllowed()); + } } diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerMetadataStorageUpdaterTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerMetadataStorageUpdaterTest.java index 5b565e177a9b..7a322acce6e0 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerMetadataStorageUpdaterTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerMetadataStorageUpdaterTest.java @@ -31,6 +31,7 @@ import org.apache.druid.security.basic.BasicSecurityDBResourceException; import org.apache.druid.security.basic.authorization.BasicRoleBasedAuthorizer; import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUser; @@ -80,8 +81,6 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest @Rule public final TestDerbyConnector.DerbyConnectorRule derbyConnectorRule = new TestDerbyConnector.DerbyConnectorRule(); - private TestDerbyConnector connector; - private MetadataStorageTablesConfig tablesConfig; private CoordinatorBasicAuthorizerMetadataStorageUpdater updater; private ObjectMapper objectMapper; @@ -89,8 +88,8 @@ public class CoordinatorBasicAuthorizerMetadataStorageUpdaterTest public void setUp() { objectMapper = new ObjectMapper(new SmileFactory()); - connector = derbyConnectorRule.getConnector(); - tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); + TestDerbyConnector connector = derbyConnectorRule.getConnector(); + MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get(); connector.createConfigTable(); updater = new CoordinatorBasicAuthorizerMetadataStorageUpdater( @@ -101,6 +100,10 @@ public void setUp() null, AUTHORIZER_NAME, null, + null, + null, + null, + null, null ) ) @@ -138,6 +141,27 @@ public void testCreateDeleteUser() Assert.assertEquals(expectedUserMap, actualUserMap); } + @Test + public void testCreateDeleteGroupMapping() + { + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + Map expectedGroupMappingMap = new HashMap<>(); + expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + Map actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME) + ); + Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap); + + updater.deleteGroupMapping(AUTHORIZER_NAME, "druid"); + expectedGroupMappingMap.remove("druid"); + actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME) + ); + Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap); + } + @Test public void testDeleteNonExistentUser() { @@ -146,6 +170,15 @@ public void testDeleteNonExistentUser() updater.deleteUser(AUTHORIZER_NAME, "druid"); } + @Test + public void testDeleteNonExistentGroupMapping() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [druid] does not exist."); + updater.deleteGroupMapping(AUTHORIZER_NAME, "druid"); + } + + @Test public void testCreateDuplicateUser() { @@ -155,6 +188,14 @@ public void testCreateDuplicateUser() updater.createUser(AUTHORIZER_NAME, "druid"); } + @Test + public void testCreateDuplicateGroupMapping() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [druid] already exists."); + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + } // role tests @Test public void testCreateDeleteRole() @@ -194,13 +235,13 @@ public void testCreateDuplicateRole() updater.createRole(AUTHORIZER_NAME, "druid"); } - // role and user tests + // role, user, and group mapping tests @Test - public void testAddAndRemoveRole() + public void testAddAndRemoveRoleToUser() { updater.createUser(AUTHORIZER_NAME, "druid"); updater.createRole(AUTHORIZER_NAME, "druidRole"); - updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); Map expectedUserMap = new HashMap<>(BASE_USER_MAP); expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of("druidRole"))); @@ -221,7 +262,7 @@ public void testAddAndRemoveRole() Assert.assertEquals(expectedUserMap, actualUserMap); Assert.assertEquals(expectedRoleMap, actualRoleMap); - updater.unassignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); expectedUserMap.put("druid", new BasicAuthorizerUser("druid", ImmutableSet.of())); actualUserMap = BasicAuthUtils.deserializeAuthorizerUserMap( objectMapper, @@ -232,13 +273,60 @@ public void testAddAndRemoveRole() Assert.assertEquals(expectedRoleMap, actualRoleMap); } + // role, user, and group mapping tests + @Test + public void testAddAndRemoveRoleToGroupMapping() + { + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + updater.createRole(AUTHORIZER_NAME, "druidRole"); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); + + Map expectedGroupMappingMap = new HashMap<>(); + expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of("druidRole"))); + + Map expectedRoleMap = new HashMap<>(BASE_ROLE_MAP); + expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of())); + + Map actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME) + ); + + Map actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + updater.getCurrentRoleMapBytes(AUTHORIZER_NAME) + ); + + Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap); + Assert.assertEquals(expectedRoleMap, actualRoleMap); + + updater.unassignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); + expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of())); + actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME) + ); + + Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap); + Assert.assertEquals(expectedRoleMap, actualRoleMap); + } + @Test public void testAddRoleToNonExistentUser() { expectedException.expect(BasicSecurityDBResourceException.class); expectedException.expectMessage("User [nonUser] does not exist."); updater.createRole(AUTHORIZER_NAME, "druid"); - updater.assignRole(AUTHORIZER_NAME, "nonUser", "druid"); + updater.assignUserRole(AUTHORIZER_NAME, "nonUser", "druid"); + } + + @Test + public void testAddRoleToNonExistentGroupMapping() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [nonUser] does not exist."); + updater.createRole(AUTHORIZER_NAME, "druid"); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "nonUser", "druid"); } @Test @@ -247,7 +335,16 @@ public void testAddNonexistentRoleToUser() expectedException.expect(BasicSecurityDBResourceException.class); expectedException.expectMessage("Role [nonRole] does not exist."); updater.createUser(AUTHORIZER_NAME, "druid"); - updater.assignRole(AUTHORIZER_NAME, "druid", "nonRole"); + updater.assignUserRole(AUTHORIZER_NAME, "druid", "nonRole"); + } + + @Test + public void testAddNonexistentRoleToGroupMapping() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Role [nonRole] does not exist."); + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "nonRole"); } @Test @@ -257,12 +354,33 @@ public void testAddExistingRoleToUserFails() expectedException.expectMessage("User [druid] already has role [druidRole]."); updater.createUser(AUTHORIZER_NAME, "druid"); updater.createRole(AUTHORIZER_NAME, "druidRole"); - updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole"); - updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); + } + + @Test + public void testAddExistingRoleToGroupMappingFails() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [druid] already has role [druidRole]."); + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + updater.createRole(AUTHORIZER_NAME, "druidRole"); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); + } + + @Test + public void testAddExistingRoleToGroupMappingWithRoleFails() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [druid] already has role [druidRole]."); + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", ImmutableSet.of("druidRole"))); + updater.createRole(AUTHORIZER_NAME, "druidRole"); + updater.assignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); } @Test - public void testUnassignInvalidRoleAssignmentFails() + public void testUnassignInvalidRoleAssignmentToUserFails() { expectedException.expect(BasicSecurityDBResourceException.class); expectedException.expectMessage("User [druid] does not have role [druidRole]."); @@ -289,16 +407,49 @@ public void testUnassignInvalidRoleAssignmentFails() Assert.assertEquals(expectedUserMap, actualUserMap); Assert.assertEquals(expectedRoleMap, actualRoleMap); - updater.unassignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.unassignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); } + @Test + public void testUnassignInvalidRoleAssignmentToGroupMappingFails() + { + expectedException.expect(BasicSecurityDBResourceException.class); + expectedException.expectMessage("Group mapping [druid] does not have role [druidRole]."); + + + updater.createGroupMapping(AUTHORIZER_NAME, new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + updater.createRole(AUTHORIZER_NAME, "druidRole"); + + Map expectedGroupMappingMap = new HashMap<>(); + expectedGroupMappingMap.put("druid", new BasicAuthorizerGroupMapping("druid", "CN=test", null)); + + Map expectedRoleMap = new HashMap<>(BASE_ROLE_MAP); + expectedRoleMap.put("druidRole", new BasicAuthorizerRole("druidRole", ImmutableList.of())); + + Map actualGroupMappingMap = BasicAuthUtils.deserializeAuthorizerGroupMappingMap( + objectMapper, + updater.getCurrentGroupMappingMapBytes(AUTHORIZER_NAME) + ); + + Map actualRoleMap = BasicAuthUtils.deserializeAuthorizerRoleMap( + objectMapper, + updater.getCurrentRoleMapBytes(AUTHORIZER_NAME) + ); + + Assert.assertEquals(expectedGroupMappingMap, actualGroupMappingMap); + Assert.assertEquals(expectedRoleMap, actualRoleMap); + + updater.unassignGroupMappingRole(AUTHORIZER_NAME, "druid", "druidRole"); + } + + // role and permission tests @Test public void testSetRolePermissions() { updater.createUser(AUTHORIZER_NAME, "druid"); updater.createRole(AUTHORIZER_NAME, "druidRole"); - updater.assignRole(AUTHORIZER_NAME, "druid", "druidRole"); + updater.assignUserRole(AUTHORIZER_NAME, "druid", "druidRole"); List permsToAdd = ImmutableList.of( new ResourceAction( diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerResourceTest.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerResourceTest.java index f93cc0024df0..bdaf8e6a917a 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerResourceTest.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/CoordinatorBasicAuthorizerResourceTest.java @@ -35,6 +35,8 @@ import org.apache.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater; import org.apache.druid.security.basic.authorization.endpoint.BasicAuthorizerResource; import org.apache.druid.security.basic.authorization.endpoint.CoordinatorBasicAuthorizerResourceHandler; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMapping; +import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerGroupMappingFull; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerPermission; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRole; import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerRoleFull; @@ -70,6 +72,7 @@ public class CoordinatorBasicAuthorizerResourceTest { private static final String AUTHORIZER_NAME = "test"; private static final String AUTHORIZER_NAME2 = "test2"; + private static final String AUTHORIZER_NAME3 = "test3"; @Rule public ExpectedException expectedException = ExpectedException.none(); @@ -99,6 +102,10 @@ public void setUp() null, AUTHORIZER_NAME, null, + null, + null, + null, + null, null ), AUTHORIZER_NAME2, @@ -106,6 +113,21 @@ public void setUp() null, AUTHORIZER_NAME2, null, + null, + null, + null, + null, + null + ), + AUTHORIZER_NAME3, + new BasicRoleBasedAuthorizer( + null, + AUTHORIZER_NAME3, + null, + null, + "adminGroupMapping", + null, + null, null ) ) @@ -148,13 +170,47 @@ public void testSeparateDatabaseTables() response.getEntity() ); + response = resource.getAllUsers(req, AUTHORIZER_NAME2); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals( + ImmutableSet.of(BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.INTERNAL_USER_NAME), + response.getEntity() + ); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals( + ImmutableSet.of(), + response.getEntity() + ); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME2); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals( + ImmutableSet.of(), + response.getEntity() + ); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME3); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals( + ImmutableSet.of("adminGroupMapping"), + response.getEntity() + ); + resource.createUser(req, AUTHORIZER_NAME, "druid"); resource.createUser(req, AUTHORIZER_NAME, "druid2"); resource.createUser(req, AUTHORIZER_NAME, "druid3"); + resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME, "druid3GroupMapping", new BasicAuthorizerGroupMapping("druid3GroupMapping", "", new HashSet<>())); resource.createUser(req, AUTHORIZER_NAME2, "druid4"); resource.createUser(req, AUTHORIZER_NAME2, "druid5"); resource.createUser(req, AUTHORIZER_NAME2, "druid6"); + resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid4GroupMapping", new BasicAuthorizerGroupMapping("druid4GroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid5GroupMapping", new BasicAuthorizerGroupMapping("druid5GroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME2, "druid6GroupMapping", new BasicAuthorizerGroupMapping("druid6GroupMapping", "", new HashSet<>())); Set expectedUsers = ImmutableSet.of( BasicAuthUtils.ADMIN_NAME, @@ -179,6 +235,26 @@ public void testSeparateDatabaseTables() response = resource.getAllUsers(req, AUTHORIZER_NAME2); Assert.assertEquals(200, response.getStatus()); Assert.assertEquals(expectedUsers2, response.getEntity()); + + Set expectedGroupMappings = ImmutableSet.of( + "druidGroupMapping", + "druid2GroupMapping", + "druid3GroupMapping" + ); + + Set expectedGroupMappings2 = ImmutableSet.of( + "druid4GroupMapping", + "druid5GroupMapping", + "druid6GroupMapping" + ); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedGroupMappings, response.getEntity()); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME2); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedGroupMappings2, response.getEntity()); } @Test @@ -219,6 +295,31 @@ public void testGetAllUsers() Assert.assertEquals(expectedUsers, response.getEntity()); } + @Test + public void testGetAllGroupMappings() + { + Response response = resource.getAllGroupMappings(req, AUTHORIZER_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals( + ImmutableSet.of(), + response.getEntity() + ); + + resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>())); + resource.createGroupMapping(req, AUTHORIZER_NAME, "druid3GroupMapping", new BasicAuthorizerGroupMapping("druid3GroupMapping", "", new HashSet<>())); + + Set expectedGroupMappings = ImmutableSet.of( + "druidGroupMapping", + "druid2GroupMapping", + "druid3GroupMapping" + ); + + response = resource.getAllGroupMappings(req, AUTHORIZER_NAME); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedGroupMappings, response.getEntity()); + } + @Test public void testGetAllRoles() { @@ -273,6 +374,33 @@ public void testCreateDeleteUser() Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity()); } + @Test + public void testCreateDeleteGroupMapping() + { + Response response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + + BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping( + "druidGroupMapping", + "", ImmutableSet.of() + ); + Assert.assertEquals(expectedGroupMapping, response.getEntity()); + + response = resource.deleteGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.deleteGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping"); + Assert.assertEquals(400, response.getStatus()); + Assert.assertEquals(errorMapWithMsg("Group mapping [druidGroupMapping] does not exist."), response.getEntity()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(400, response.getStatus()); + Assert.assertEquals(errorMapWithMsg("Group mapping [druidGroupMapping] does not exist."), response.getEntity()); + } + @Test public void testCreateDeleteRole() { @@ -298,7 +426,7 @@ public void testCreateDeleteRole() } @Test - public void testRoleAssignment() + public void testUserRoleAssignment() { Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole"); Assert.assertEquals(200, response.getStatus()); @@ -339,6 +467,48 @@ public void testRoleAssignment() Assert.assertEquals(expectedRole, response.getEntity()); } + @Test + public void testGroupMappingRoleAssignment() + { + Response response = resource.createRole(req, AUTHORIZER_NAME, "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + + BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping( + "druidGroupMapping", + "", ImmutableSet.of("druidRole") + ); + Assert.assertEquals(expectedGroupMapping, response.getEntity()); + + response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null); + Assert.assertEquals(200, response.getStatus()); + BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of()); + Assert.assertEquals(expectedRole, response.getEntity()); + + response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + expectedGroupMapping = new BasicAuthorizerGroupMapping( + "druidGroupMapping", + "", ImmutableSet.of() + ); + Assert.assertEquals(expectedGroupMapping, response.getEntity()); + + response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedRole, response.getEntity()); + } + @Test public void testDeleteAssignedRole() { @@ -357,6 +527,18 @@ public void testDeleteAssignedRole() response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole"); Assert.assertEquals(200, response.getStatus()); + response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + + response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + response = resource.getUser(req, AUTHORIZER_NAME, "druid", null, null); Assert.assertEquals(200, response.getStatus()); BasicAuthorizerUser expectedUser = new BasicAuthorizerUser( @@ -373,6 +555,22 @@ public void testDeleteAssignedRole() ); Assert.assertEquals(expectedUser2, response.getEntity()); + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + BasicAuthorizerGroupMapping expectedGroupMapping = new BasicAuthorizerGroupMapping( + "druidGroupMapping", + "", ImmutableSet.of("druidRole") + ); + Assert.assertEquals(expectedGroupMapping, response.getEntity()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + BasicAuthorizerGroupMapping expectedGroupMapping2 = new BasicAuthorizerGroupMapping( + "druid2GroupMapping", + "", ImmutableSet.of("druidRole") + ); + Assert.assertEquals(expectedGroupMapping2, response.getEntity()); + response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", null, null); Assert.assertEquals(200, response.getStatus()); BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", ImmutableList.of()); @@ -396,6 +594,22 @@ public void testDeleteAssignedRole() ImmutableSet.of() ); Assert.assertEquals(expectedUser2, response.getEntity()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + expectedGroupMapping = new BasicAuthorizerGroupMapping( + "druidGroupMapping", + "", ImmutableSet.of() + ); + Assert.assertEquals(expectedGroupMapping, response.getEntity()); + + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", null); + Assert.assertEquals(200, response.getStatus()); + expectedGroupMapping2 = new BasicAuthorizerGroupMapping( + "druid2GroupMapping", + "", ImmutableSet.of() + ); + Assert.assertEquals(expectedGroupMapping2, response.getEntity()); } @Test @@ -446,7 +660,7 @@ public void testRolesAndPerms() } @Test - public void testUsersRolesAndPerms() + public void testUsersGroupMappingsRolesAndPerms() { Response response = resource.createUser(req, AUTHORIZER_NAME, "druid"); Assert.assertEquals(200, response.getStatus()); @@ -454,6 +668,12 @@ public void testUsersRolesAndPerms() response = resource.createUser(req, AUTHORIZER_NAME, "druid2"); Assert.assertEquals(200, response.getStatus()); + response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", new BasicAuthorizerGroupMapping("druidGroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + + response = resource.createGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", new BasicAuthorizerGroupMapping("druid2GroupMapping", "", new HashSet<>())); + Assert.assertEquals(200, response.getStatus()); + response = resource.createRole(req, AUTHORIZER_NAME, "druidRole"); Assert.assertEquals(200, response.getStatus()); @@ -490,6 +710,18 @@ public void testUsersRolesAndPerms() response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid2", "druidRole2"); Assert.assertEquals(200, response.getStatus()); + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole2"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.assignRoleToGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2"); + Assert.assertEquals(200, response.getStatus()); + BasicAuthorizerRole expectedRole = new BasicAuthorizerRole("druidRole", BasicAuthorizerPermission.makePermissionList(perms)); BasicAuthorizerRole expectedRole2 = new BasicAuthorizerRole("druidRole2", BasicAuthorizerPermission.makePermissionList(perms2)); Set expectedRoles = Sets.newHashSet(expectedRole, expectedRole2); @@ -520,10 +752,22 @@ public void testUsersRolesAndPerms() Assert.assertEquals(200, response.getStatus()); Assert.assertEquals(expectedUserFullSimplifiedPermissions2, response.getEntity()); + BasicAuthorizerGroupMappingFull expectedGroupMappingFull = new BasicAuthorizerGroupMappingFull("druidGroupMapping", "", expectedRoles); + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", ""); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedGroupMappingFull, response.getEntity()); + + BasicAuthorizerGroupMappingFull expectedGroupMappingFull2 = new BasicAuthorizerGroupMappingFull("druid2GroupMapping", "", expectedRoles); + response = resource.getGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", ""); + Assert.assertEquals(200, response.getStatus()); + Assert.assertEquals(expectedGroupMappingFull2, response.getEntity()); + Set expectedUserSet = Sets.newHashSet("druid", "druid2"); + Set expectedGroupMappingSet = Sets.newHashSet("druidGroupMapping", "druid2GroupMapping"); BasicAuthorizerRoleFull expectedRoleFull = new BasicAuthorizerRoleFull( "druidRole", expectedUserSet, + expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms) ); response = resource.getRole(req, AUTHORIZER_NAME, "druidRole", "", null); @@ -549,6 +793,7 @@ public void testUsersRolesAndPerms() BasicAuthorizerRoleFull expectedRoleFull2 = new BasicAuthorizerRoleFull( "druidRole2", expectedUserSet, + expectedGroupMappingSet, BasicAuthorizerPermission.makePermissionList(perms2) ); response = resource.getRole(req, AUTHORIZER_NAME, "druidRole2", "", null); @@ -620,16 +865,24 @@ public void testUsersRolesAndPerms() response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid2", "druidRole2"); Assert.assertEquals(200, response.getStatus()); + response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druidGroupMapping", "druidRole"); + Assert.assertEquals(200, response.getStatus()); + + response = resource.unassignRoleFromGroupMapping(req, AUTHORIZER_NAME, "druid2GroupMapping", "druidRole2"); + Assert.assertEquals(200, response.getStatus()); + expectedUserFull = new BasicAuthorizerUserFull("druid", Sets.newHashSet(expectedRole2)); expectedUserFull2 = new BasicAuthorizerUserFull("druid2", Sets.newHashSet(expectedRole)); expectedRoleFull = new BasicAuthorizerRoleFull( "druidRole", Sets.newHashSet("druid2"), + Sets.newHashSet("druid2GroupMapping"), BasicAuthorizerPermission.makePermissionList(perms) ); expectedRoleFull2 = new BasicAuthorizerRoleFull( "druidRole2", Sets.newHashSet("druid"), + Sets.newHashSet("druidGroupMapping"), BasicAuthorizerPermission.makePermissionList(perms2) ); expectedUserFullSimplifiedPermissions = new BasicAuthorizerUserFullSimplifiedPermissions( @@ -705,15 +958,10 @@ public void testConcurrentUpdate() final int innerI = i; String roleName = "druidRole-" + i; addRoleCallables.add( - new Callable() - { - @Override - public Void call() throws Exception - { - Response response = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName); - responseCodesAssign[innerI] = response.getStatus(); - return null; - } + () -> { + Response response12 = resource.assignRoleToUser(req, AUTHORIZER_NAME, "druid", roleName); + responseCodesAssign[innerI] = response12.getStatus(); + return null; } ); } @@ -748,15 +996,10 @@ public Void call() throws Exception final int innerI = i; String roleName = "druidRole-" + i; removeRoleCallables.add( - new Callable() - { - @Override - public Void call() throws Exception - { - Response response = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName); - responseCodesRemove[innerI] = response.getStatus(); - return null; - } + () -> { + Response response1 = resource.unassignRoleFromUser(req, AUTHORIZER_NAME, "druid", roleName); + responseCodesRemove[innerI] = response1.getStatus(); + return null; } ); } diff --git a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/NoopBasicAuthorizerCacheNotifier.java b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/NoopBasicAuthorizerCacheNotifier.java index 2f0ff42f67ee..9d7552952152 100644 --- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/NoopBasicAuthorizerCacheNotifier.java +++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authorization/NoopBasicAuthorizerCacheNotifier.java @@ -24,7 +24,13 @@ public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier { @Override - public void addUpdate(String authorizerPrefix, byte[] userAndRoleMap) + public void addUpdateUser(String authorizerPrefix, byte[] userAndRoleMap) + { + + } + + @Override + public void addUpdateGroupMapping(String authorizerPrefix, byte[] groupMappingAndRoleMap) { } diff --git a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java index cb33706fe081..7d9b864264df 100644 --- a/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java +++ b/integration-tests/src/test/java/org/apache/druid/tests/security/ITBasicAuthConfigurationTest.java @@ -467,7 +467,7 @@ public void testAuthConfiguration() throws Exception LOG.info("Testing Avatica query on broker with incorrect credentials."); testAvaticaAuthFailure(brokerUrl); - + LOG.info("Testing Avatica query on router with incorrect credentials."); testAvaticaAuthFailure(routerUrl); @@ -526,7 +526,7 @@ private void testAvaticaAuthFailure(String url) throws Exception catch (AvaticaSqlException ase) { Assert.assertEquals( ase.getErrorMessage(), - "Error while executing SQL \"SELECT * FROM INFORMATION_SCHEMA.COLUMNS\": Remote driver error: ForbiddenException: Authentication failed." + "Error while executing SQL \"SELECT * FROM INFORMATION_SCHEMA.COLUMNS\": Remote driver error: BasicSecurityAuthenticationException: User metadata store authentication failed username[admin]." ); return; } diff --git a/website/.spelling b/website/.spelling index 3167f85d1f3f..927a7fb4c517 100644 --- a/website/.spelling +++ b/website/.spelling @@ -569,6 +569,18 @@ authorizerName druid_system pollingPeriod roleName +LDAP +ldap +MyBasicMetadataAuthenticator +MyBasicLDAPAuthenticator +MyBasicMetadataAuthorizer +MyBasicLDAPAuthorizer +credentialsValidator +sAMAccountName +objectClass +initialAdminRole +adminGroupMapping +groupMappingName - ../docs/development/extensions-core/druid-kerberos.md 8Kb HttpComponents