Allow for Input source security in native task layer

[zachjsh]

Fixes #13837.

Description

This change allows for input source type security in the native task layer.

To enable this feature, the user must set the following property to true:

druid.auth.enableInputSourceSecurity=true

The default value for this property is false, which will continue the existing functionality of needing authorization to write to the respective datasource.

When this config is enabled, the users will be required to be authorized for the following resource action, in addition to write permission on the respective datasource.

new ResourceAction(new Resource(ResourceType.EXTERNAL, {INPUT_SOURCE_TYPE}, Action.READ

where {INPUT_SOURCE_TYPE} is the type of the input source being used;, http, inline, s3, etc..

Only tasks that provide a non-default implementation of the getInputSourceResources method can be submitted when config druid.auth.enableInputSourceSecurity=true is set. Otherwise, a 400 error will be thrown.

This PR has:

• been self-reviewed.
  • using the concurrency checklist (Remove this item if the PR doesn't have any relation to concurrency.)
• added documentation for new or modified features or behaviors.
• a release note entry in the PR description.
• added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
• added or updated version, license, or notice information in licenses.yaml
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
• added integration tests.
• been tested in a test Druid cluster.

[paul-rogers]

This code appears again and again. Can it be promoted to a base class?

[zachjsh]

These task definitions are a little brittle, think this would be a little risky to do at this time.

[paul-rogers]

Would be good to add a comment explaining why we return a set, not a single key. Also, see the note above regarding null vs. and empty set.

[gianm]

It's better here to return a Set<Resource> rather than Set<String>. It makes it clearer that this is used for security purposes, since Resource is a security-specific thing.

[zachjsh]

ResourceAction isn't available to InputSources at the moment. I can add a dependency. Ok to do this? Not sure if it will create a dependency cycle

[zachjsh]

I tried this and unfortunately it added a cyclic dependency

[paul-rogers]

Move to the base class since all input sources supported thus far have only one type. (The catalog and table function stuff depend on this fact.)

[paul-rogers]

Perhaps add comments to explain these method. Especially the usesFirehose() method: I gather that firehose doesn't fit into the input security model? Why not? An explanation will help future readers.

[zachjsh]

added comments

[gianm]

Just looked at the interfaces for this particular review. (InputSource, Task, and SupervisorSpec)

[gianm]

It's better here to return a Set<Resource> rather than Set<String>. It makes it clearer that this is used for security purposes, since Resource is a security-specific thing.

[gianm]

Similar to the comment on InputSource: it's better for this to be Set<Resource>, so it's clear it's security-related. Method name would be getInputSourceResources() in that case.

[zachjsh]

Good suggestion, fixed.

[gianm]

We should change this to what callers care about. The caller isn't interested in whether a task uses firehoses: it's interested in whether the getInputSourceTypes method can be used for authorization. (Consider a case where a task doesn't use firehoses, but still also doesn't support input source authorization.)

The default is also problematic: security stuff must always fail-secure. Doing return false here fails insecure: it means that a task that doesn't implement any of this stuff would be allowed. So we should flip that. Putting these together: I'd consider changing this to boolean canUseInputSourceTypeAuthorization() and having the default be return false.

Or, another option would be eliminating this method, and having getInputSourceTypes() (or getInputSourceResources()) throw an exception if the task doesn't support input source authorization. The default implementation would need to throw that exception.

(Same comment for Task, btw.)

[zachjsh]

Good suggestion, fixed.

[paul-rogers]

LGTM