set DRUID_AUTHORIZATION_CHECKED attribute for router endpoints #8026

Merged
merged 2 commits into from
Jul 9, 2019
@@ -20,7 +20,9 @@
package org.apache.druid.server.http;

import com.google.inject.Inject;
import com.sun.jersey.spi.container.ResourceFilters;
import org.apache.druid.client.selector.Server;
import org.apache.druid.server.http.security.StateResourceFilter;
import org.apache.druid.server.router.TieredBrokerHostSelector;

import javax.ws.rs.GET;
@@ -47,6 +49,7 @@ public RouterResource(TieredBrokerHostSelector tieredBrokerHostSelector)

@GET
@Path("/brokers")
@ResourceFilters(StateResourceFilter.class)
@Produces(MediaType.APPLICATION_JSON)
public Map<String, List<String>> getBrokers()
{
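Review bot: The new `@ResourceFilters(StateResourceFilter.class)` on `getBrokers()` has no comment saying why state-level access is the requirement chosen for listing broker hosts, which is the kind of decision a later maintainer is likely to revisit. A one-line note above the annotation would anchor it, e.g. `// Broker host lists are cluster state; gate them behind StateResourceFilter so unauthenticated callers cannot read them`. The page shows only this one endpoint of RouterResource; the SecurityResourceFilterTest change in this PR presumably enumerates the rest of the class's paths, so any method still lacking a filter should surface there. The body of getBrokers continues outside the hunk.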
@@ -57,7 +57,7 @@ public static void addAuthenticationFilterChain(
}
}

public static void addNoopAuthorizationFilters(ServletContextHandler root, List<String> unsecuredPaths)
public static void addNoopAuthenticationAndAuthorizationFilters(ServletContextHandler root, List<String> unsecuredPaths)
{
for (String unsecuredPath : unsecuredPaths) {
root.addFilter(new FilterHolder(new UnsecuredResourceFilter()), unsecuredPath, null);
@@ -47,9 +47,13 @@ public void doFilter(ServletRequest servletRequest, ServletResponse servletRespo
// but the value doesn't matter since we skip authorization checks for requests that go through this filter
servletRequest.setAttribute(
AuthConfig.DRUID_AUTHENTICATION_RESULT,
new AuthenticationResult(AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, null)
new AuthenticationResult(
AuthConfig.ALLOW_ALL_NAME,
AuthConfig.ALLOW_ALL_NAME,
AuthConfig.ALLOW_ALL_NAME,
null
)
);

// This request will not go to an Authorizer, so we need to set this for PreResponseAuthorizationCheckFilter
servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
servletRequest.setAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH, true);
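Review bot: Setting `AuthConfig.DRUID_AUTHORIZATION_CHECKED` to true on the new line means that, per the adjacent comment, PreResponseAuthorizationCheckFilter will no longer act as a backstop for any request matched by an unsecured path pattern, so correctness for these endpoints now rests entirely on the path lists handed to addNoopAuthenticationAndAuthorizationFilters, including the operator-supplied `authConfig.getUnsecuredPaths()`. That appears intended, but nothing on the class says so; a class-level Javadoc along the lines of `/** Marks a request as authenticated and authorization-checked without consulting any Authenticator or Authorizer. Map this filter only to paths that are safe to serve without credentials: every matched request skips the pre-response authorization check. */` would make the contract explicit for whoever next edits the path lists. The doFilter method starts before and continues after the hunk.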
@@ -34,6 +34,7 @@
import org.apache.druid.server.http.HistoricalResource;
import org.apache.druid.server.http.IntervalsResource;
import org.apache.druid.server.http.MetadataResource;
import org.apache.druid.server.http.RouterResource;
import org.apache.druid.server.http.RulesResource;
import org.apache.druid.server.http.ServersResource;
import org.apache.druid.server.http.TiersResource;
@@ -46,14 +47,12 @@
import org.junit.runners.Parameterized;

import java.util.Collection;
import java.util.regex.Pattern;

@RunWith(Parameterized.class)
public class SecurityResourceFilterTest extends ResourceFilterTestHelper
{
private static final Pattern WORD = Pattern.compile("\\w+");

@Parameterized.Parameters
@Parameterized.Parameters(name = "{index}: requestPath={0}, requestMethod={1}, resourceFilter={2}")
public static Collection<Object[]> data()
{
return ImmutableList.copyOf(
@@ -71,7 +70,8 @@ public static Collection<Object[]> data()
getRequestPathsWithAuthorizer(CoordinatorDynamicConfigsResource.class),
getRequestPathsWithAuthorizer(QueryResource.class),
getRequestPathsWithAuthorizer(StatusResource.class),
getRequestPathsWithAuthorizer(BrokerQueryResource.class)
getRequestPathsWithAuthorizer(BrokerQueryResource.class),
getRequestPathsWithAuthorizer(RouterResource.class)
)
);
}
6 changes: 3 additions & 3 deletions services/src/main/java/org/apache/druid/cli/CliOverlord.java
@@ -379,9 +379,9 @@ public void initialize(Server server, Injector injector)

AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);

// perform no-op authorization for these resources
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
// perform no-op authorization/authentication for these resources
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());

final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
@@ -101,12 +101,12 @@ public void initialize(Server server, Injector injector)

AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);

// perform no-op authorization for these resources
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
// perform no-op authorization/authentication for these resources
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());

if (beOverlord) {
AuthenticationUtils.addNoopAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
}

List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
@@ -74,9 +74,9 @@ public void initialize(Server server, Injector injector)

AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);

// perform no-op authorization for these resources
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
// perform no-op authorization/authentication for these resources
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());

final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
@@ -96,8 +96,8 @@ public void initialize(Server server, Injector injector)
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);

// perform no-op authorization for these resources
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());

List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
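Review bot: The comment above the renamed calls in this hunk still reads `// perform no-op authorization for these resources`, while the matching hunks in CliOverlord.java and the other Cli*.java files in this PR were updated to `// perform no-op authorization/authentication for these resources`. Change it to the same wording so the comment describes what addNoopAuthenticationAndAuthorizationFilters now says it does; as left, it understates that authentication is skipped on these paths too. The initialize method starts before and continues after the hunk.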
@@ -137,12 +137,12 @@ public void initialize(Server server, Injector injector)

AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);

// perform no-op authorization for these resources
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
// perform no-op authorization/authentication for these resources
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
if (managementProxyConfig.isEnabled()) {
AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS_FOR_UI);
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS_FOR_UI);
}
AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());

final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);