Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/01/27 17:45:34 UTC

[GitHub] jacek-jablonski opened a new issue #6922: Authorizer is never executed after passing from Authenticator

URL: https://github.com/apache/incubator-druid/issues/6922
 
 
   Hi,
   I am developing an OAuth security plugin for Druid. I've had some trouble getting the Authorizer to work.
   Here is my current security config:
   ```
   #
   # Authentication
   #
   druid.auth.allowUnauthenticatedHttpOptions=True
   druid.auth.authenticatorChain=["oauth"]
   druid.auth.authenticator.oauth.type=oauth
   druid.auth.authenticator.oauth.oauthHost=***
   druid.auth.authenticator.oauth.oauthClient=druid
   druid.auth.authenticator.oauth.oauthSecret=***
   druid.auth.authenticator.oauth.introspectionPath=/auth/oauth/check_token
   druid.auth.authenticator.oauth.authorizerName=oauth
   
   #
   # Authorization
   #
   druid.auth.authorizers=["oauth"]
   druid.auth.authorizer.oauth.type=oauth
   ```
   Inside my Filter's class, I am sure that authorizerName gets passed to AuthenticationResult:
   ```
   @Override
   public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException
   {
       // ...
       log.debug("authorizer name: " + authorizerName); // here "authorizer name: oauth" is printed
       AuthenticationResult authenticationResult = new AuthenticationResult(username, authorizerName, name, null);
       servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult);
   
       if (filterChain != null) {
         filterChain.doFilter(servletRequest, servletResponse);
       }
   }
   ```
   and my simple Authorizer that should deny all:
   ```
   @JsonTypeName("oauth")
   public class OAuthAuthorizer implements Authorizer
   {
     private static final Logger log = new Logger(OAuthAuthorizer.class);
   
     @JsonCreator
     public OAuthAuthorizer(
         @JsonProperty("name") String name
     )
     {
       log.debug("OAuth Authorizer created"); // this gets printed on startup
     }
   
     @Override
     public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action)
     {
       log.debug("authorize called"); // never gets called
       if (authenticationResult == null) {
         throw new IAE("WTF? authenticationResult should never be null.");
       }
   
       return new Access(false);
     }
   }
   ```
   From the above Authorizer code, a request should never get passed, but it does (the authorize method is never called).
   Even without any configuration regarding security (default AllowAllAuthenticator), I can see in the logs:
   ```
   io.druid.java.util.common.ISE: Request did not have an authorization check performed.
   ```
   Do you have any clue what might cause this situation?
