Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/01/27 17:45:34 UTC
[GitHub] jacek-jablonski opened a new issue #6922: Authorizer is never executed after passing from Authenticator
URL: https://github.com/apache/incubator-druid/issues/6922
Hi,
I am developing an OAuth security plugin for Druid. I'm having some trouble getting the Authorizer to work.
Here is my current security config:
```
#
# Authentication
#
druid.auth.allowUnauthenticatedHttpOptions=True
druid.auth.authenticatorChain=["oauth"]
druid.auth.authenticator.oauth.type=oauth
druid.auth.authenticator.oauth.oauthHost=***
druid.auth.authenticator.oauth.oauthClient=druid
druid.auth.authenticator.oauth.oauthSecret=***
druid.auth.authenticator.oauth.introspectionPath=/auth/oauth/check_token
druid.auth.authenticator.oauth.authorizerName=oauth
#
# Authorization
#
druid.auth.authorizers=["oauth"]
druid.auth.authorizer.oauth.type=oauth
```
Inside my Filter's class, I am sure that authorizerName gets passed to AuthenticationResult:
```
@Override
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException
{
  ...
  log.debug("authorizer name: " + authorizerName); // here "authorizer name: oauth" is printed
  // Attach the authentication result (including the authorizer name) to the request
  AuthenticationResult authenticationResult = new AuthenticationResult(username, authorizerName, name, null);
  servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
  if (filterChain != null) {
    filterChain.doFilter(servletRequest, servletResponse);
  }
}
```
and my simple Authorizer that should deny all:
```
@JsonTypeName("oauth")
public class OAuthAuthorizer implements Authorizer
{
  private static final Logger log = new Logger(OAuthAuthorizer.class);

  @JsonCreator
  public OAuthAuthorizer(
      @JsonProperty("name") String name
  )
  {
    log.debug("OAuth Authorizer created"); // this gets printed on startup
  }

  @Override
  public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action)
  {
    log.debug("authorize called"); // never gets called
    if (authenticationResult == null) {
      throw new IAE("WTF? authenticationResult should never be null.");
    }
    // Deny every request
    return new Access(false);
  }
}
```
Given the Authorizer code above, a request should never get passed, but it does (the authorize method is never called).
Even without any security configuration (default AllowAllAuthenticator), I can see this in the logs:
```
io.druid.java.util.common.ISE: Request did not have an authorization check performed.
```
Do you have any clue what might cause this situation?