Skip to content

stackabletech/druid-opa-authorizer

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

65 Commits

.github

.github

 
 

.mvn

.mvn

 
 

example

example

 
 

src/main

src/main

 
 

.gitignore

.gitignore

 
 

.markdownlint.yaml

.markdownlint.yaml

 
 

.yamllint.yaml

.yamllint.yaml

 
 

CHANGELOG.md

CHANGELOG.md

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

checkstyle.xml

checkstyle.xml

 
 

pom.xml

pom.xml

 
 

renovate.json

renovate.json

 
 

Repository files navigation

Apache Druid Open Policy Agent (OPA) Authorizer

An Apache Druid extension to request policy decisions from Open Policy Agent (OPA).

Supported Druid versions

This project was tested against these Druid versions:

  • 26.0.0
  • 27.0.0
  • 28.0.1

Building

This repository uses Maven and requires at least Java 11 to build:

    mvn clean package

The result of this is a JAR file in the target directory.

Installing

Copy the JAR file into the extensions directory of your Druid installation.

Configuration Settings

The OPA authorizer is created like so:

    druid.auth.authorizer.myOpaAuth.type=opa
    druid.auth.authorizer.myOpaAuth.opaUri=http://<host>:<port>/v1/data/my/druid/allow

Then the myOpaAuth authorizer needs to be referenced in your authenticator.

How to Write Your RegoRules

The authorizer will send a request to the uri specified in the config. The input will be:

    {
        authenticationResult: {
            identity: <String: user name>
            authorizerName: <String>
            authenticatedBy: <String>
            context: Map<String, Object>
        }
        action: <String: READ|WRITE>
        resource: {
            name: <String>
            type: <String>
        }
    }

For the details - especially the kind of resources - consult the Druid documentation on the Authentication and Authorization Model.

Inside your RegoRules, this snippet of data will be available as input. For the details on how to write RegoRule, have a look at the OPA documentation.

Example

For a simple example, have a look inside the example directory.

Troubleshooting

If you get 500 type errors it might be that the internal druid_system user doesn't have full permissions.

You can increase log output for the authorizer by adding this snippet to your log4j.xml:

    <Logger name="tech.stackable.druid.opaauthorizer.OpaAuthorizer" level="trace" additivity="false">
      <Appender-ref ref="Console"/>
    </Logger>

Development

How to add support for a new version

  1. Add a new profile and get the dependency version from the upstream Druid POM
  2. Add the new profile to the requireActiveProfile enforcer rule
  3. Update .github/workflows/maven.yml to include the new profile in CI
  4. Update README.md to name the newly supported version
  5. After the PR has been merged update the GitHub settings to require the new Druid version to pass

Release

To release this run the relevant GitHub Action which asks for various inputs. It will then create a release in GitHub and upload all artifacts.

About

Apache Druid Authorizer for OpenPolicyAgent

Resources

Readme

License

View license
Activity
Custom properties

Stars

5 stars

Watchers

8 watching

Forks

1 fork
Report repository

Releases

2 tags

Contributors 8

Languages