Posted to commits@druid.apache.org by cw...@apache.org on 2019/07/24 02:26:00 UTC
[incubator-druid] 07/14: set DRUID_AUTHORIZATION_CHECKED attribute
for router endpoints (#8026)
This is an automated email from the ASF dual-hosted git repository.
cwylie pushed a commit to branch 0.15.1-incubating
in repository https://gitbox.apache.org/repos/asf/incubator-druid.git
commit 79ae3d4761397d2b825d0cc72f24f700cdc2855e
Author: Parag Jain <pj...@users.noreply.github.com>
AuthorDate: Tue Jul 9 13:21:36 2019 +0530
set DRUID_AUTHORIZATION_CHECKED attribute for router endpoints (#8026)
* add state resource filter to router endpoints
* add RouterResource to ResourceFilter test framework
---
.../main/java/org/apache/druid/server/http/RouterResource.java | 3 +++
.../org/apache/druid/server/security/AuthenticationUtils.java | 2 +-
.../org/apache/druid/server/security/UnsecuredResourceFilter.java | 8 ++++++--
.../druid/server/http/security/SecurityResourceFilterTest.java | 8 ++++----
services/src/main/java/org/apache/druid/cli/CliOverlord.java | 6 +++---
.../org/apache/druid/cli/CoordinatorJettyServerInitializer.java | 8 ++++----
.../org/apache/druid/cli/MiddleManagerJettyServerInitializer.java | 6 +++---
.../java/org/apache/druid/cli/QueryJettyServerInitializer.java | 4 ++--
.../java/org/apache/druid/cli/RouterJettyServerInitializer.java | 8 ++++----
9 files changed, 30 insertions(+), 23 deletions(-)
diff --git a/server/src/main/java/org/apache/druid/server/http/RouterResource.java b/server/src/main/java/org/apache/druid/server/http/RouterResource.java
index df30855..20da9af 100644
--- a/server/src/main/java/org/apache/druid/server/http/RouterResource.java
+++ b/server/src/main/java/org/apache/druid/server/http/RouterResource.java
@@ -20,7 +20,9 @@
package org.apache.druid.server.http;
import com.google.inject.Inject;
+import com.sun.jersey.spi.container.ResourceFilters;
import org.apache.druid.client.selector.Server;
+import org.apache.druid.server.http.security.StateResourceFilter;
import org.apache.druid.server.router.TieredBrokerHostSelector;
import javax.ws.rs.GET;
@@ -47,6 +49,7 @@ public class RouterResource
@GET
@Path("/brokers")
+ @ResourceFilters(StateResourceFilter.class)
@Produces(MediaType.APPLICATION_JSON)
public Map<String, List<String>> getBrokers()
{
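Review bot: The `@ResourceFilters(StateResourceFilter.class)` annotation on `getBrokers()` is added per method, and nothing on the method says which permission callers now need. A short Javadoc would help operators writing authorizer rules, for example `/** Returns brokers by tier; authorized by StateResourceFilter (presumably read access on the state resource for GET; confirm against the filter). */`. Because the filter is attached per method, an endpoint added to RouterResource later without its own filter would presumably reach the pre-response check without DRUID_AUTHORIZATION_CHECKED set; a class-level comment stating that every endpoint needs a resource filter would make that expectation visible. The class body and the method body continue outside the hunk.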
diff --git a/server/src/main/java/org/apache/druid/server/security/AuthenticationUtils.java b/server/src/main/java/org/apache/druid/server/security/AuthenticationUtils.java
index a9438cd..924f23e 100644
--- a/server/src/main/java/org/apache/druid/server/security/AuthenticationUtils.java
+++ b/server/src/main/java/org/apache/druid/server/security/AuthenticationUtils.java
@@ -57,7 +57,7 @@ public class AuthenticationUtils
}
}
- public static void addNoopAuthorizationFilters(ServletContextHandler root, List<String> unsecuredPaths)
+ public static void addNoopAuthenticationAndAuthorizationFilters(ServletContextHandler root, List<String> unsecuredPaths)
{
for (String unsecuredPath : unsecuredPaths) {
root.addFilter(new FilterHolder(new UnsecuredResourceFilter()), unsecuredPath, null);
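Review bot: `addNoopAuthenticationAndAuthorizationFilters` is public and has no Javadoc, although every path passed to it gets an `UnsecuredResourceFilter`, which (per the UnsecuredResourceFilter hunk in this commit) stamps an allow-all authentication result and sets DRUID_AUTHORIZATION_CHECKED without any check taking place. I would add a Javadoc stating that requests matching `unsecuredPaths` bypass both authentication and authorization, and that callers also pass configuration-supplied values (`authConfig.getUnsecuredPaths()`), so patterns should be kept as narrow as possible. The old name `addNoopAuthorizationFilters` is removed outright on a release branch; if out-of-tree extensions call it, a `@Deprecated` method with the old name that delegates to the new one would keep them compiling. The method body continues past the end of the hunk.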
diff --git a/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java b/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
index 6f79771..0d73ba2 100644
--- a/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
+++ b/server/src/main/java/org/apache/druid/server/security/UnsecuredResourceFilter.java
@@ -47,9 +47,13 @@ public class UnsecuredResourceFilter implements Filter
// but the value doesn't matter since we skip authorization checks for requests that go through this filter
servletRequest.setAttribute(
AuthConfig.DRUID_AUTHENTICATION_RESULT,
- new AuthenticationResult(AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, null)
+ new AuthenticationResult(
+ AuthConfig.ALLOW_ALL_NAME,
+ AuthConfig.ALLOW_ALL_NAME,
+ AuthConfig.ALLOW_ALL_NAME,
+ null
+ )
);
-
// This request will not go to an Authorizer, so we need to set this for PreResponseAuthorizationCheckFilter
servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
servletRequest.setAttribute(AuthConfig.DRUID_ALLOW_UNSECURED_PATH, true);
diff --git a/server/src/test/java/org/apache/druid/server/http/security/SecurityResourceFilterTest.java b/server/src/test/java/org/apache/druid/server/http/security/SecurityResourceFilterTest.java
index c3de4c8..30a1c76 100644
--- a/server/src/test/java/org/apache/druid/server/http/security/SecurityResourceFilterTest.java
+++ b/server/src/test/java/org/apache/druid/server/http/security/SecurityResourceFilterTest.java
@@ -34,6 +34,7 @@ import org.apache.druid.server.http.DataSourcesResource;
import org.apache.druid.server.http.HistoricalResource;
import org.apache.druid.server.http.IntervalsResource;
import org.apache.druid.server.http.MetadataResource;
+import org.apache.druid.server.http.RouterResource;
import org.apache.druid.server.http.RulesResource;
import org.apache.druid.server.http.ServersResource;
import org.apache.druid.server.http.TiersResource;
@@ -46,14 +47,12 @@ import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import java.util.Collection;
-import java.util.regex.Pattern;
@RunWith(Parameterized.class)
public class SecurityResourceFilterTest extends ResourceFilterTestHelper
{
- private static final Pattern WORD = Pattern.compile("\\w+");
- @Parameterized.Parameters
+ @Parameterized.Parameters(name = "{index}: requestPath={0}, requestMethod={1}, resourceFilter={2}")
public static Collection<Object[]> data()
{
return ImmutableList.copyOf(
@@ -71,7 +70,8 @@ public class SecurityResourceFilterTest extends ResourceFilterTestHelper
getRequestPathsWithAuthorizer(CoordinatorDynamicConfigsResource.class),
getRequestPathsWithAuthorizer(QueryResource.class),
getRequestPathsWithAuthorizer(StatusResource.class),
- getRequestPathsWithAuthorizer(BrokerQueryResource.class)
+ getRequestPathsWithAuthorizer(BrokerQueryResource.class),
+ getRequestPathsWithAuthorizer(RouterResource.class)
)
);
}
diff --git a/services/src/main/java/org/apache/druid/cli/CliOverlord.java b/services/src/main/java/org/apache/druid/cli/CliOverlord.java
index c11031f..e70ff4e2 100644
--- a/services/src/main/java/org/apache/druid/cli/CliOverlord.java
+++ b/services/src/main/java/org/apache/druid/cli/CliOverlord.java
@@ -375,9 +375,9 @@ public class CliOverlord extends ServerRunnable
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
- // perform no-op authorization for these resources
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
- AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
+ // perform no-op authorization/authentication for these resources
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
diff --git a/services/src/main/java/org/apache/druid/cli/CoordinatorJettyServerInitializer.java b/services/src/main/java/org/apache/druid/cli/CoordinatorJettyServerInitializer.java
index 91064f5..9cad393 100644
--- a/services/src/main/java/org/apache/druid/cli/CoordinatorJettyServerInitializer.java
+++ b/services/src/main/java/org/apache/druid/cli/CoordinatorJettyServerInitializer.java
@@ -101,12 +101,12 @@ class CoordinatorJettyServerInitializer implements JettyServerInitializer
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
- // perform no-op authorization for these resources
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
- AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
+ // perform no-op authorization/authentication for these resources
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
if (beOverlord) {
- AuthenticationUtils.addNoopAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, CliOverlord.UNSECURED_PATHS);
}
List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
diff --git a/services/src/main/java/org/apache/druid/cli/MiddleManagerJettyServerInitializer.java b/services/src/main/java/org/apache/druid/cli/MiddleManagerJettyServerInitializer.java
index b544f3b..1cb3782 100644
--- a/services/src/main/java/org/apache/druid/cli/MiddleManagerJettyServerInitializer.java
+++ b/services/src/main/java/org/apache/druid/cli/MiddleManagerJettyServerInitializer.java
@@ -74,9 +74,9 @@ class MiddleManagerJettyServerInitializer implements JettyServerInitializer
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
- // perform no-op authorization for these resources
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
- AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
+ // perform no-op authorization/authentication for these resources
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
diff --git a/services/src/main/java/org/apache/druid/cli/QueryJettyServerInitializer.java b/services/src/main/java/org/apache/druid/cli/QueryJettyServerInitializer.java
index 2c92602..9282ca3 100644
--- a/services/src/main/java/org/apache/druid/cli/QueryJettyServerInitializer.java
+++ b/services/src/main/java/org/apache/druid/cli/QueryJettyServerInitializer.java
@@ -96,8 +96,8 @@ public class QueryJettyServerInitializer implements JettyServerInitializer
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
// perform no-op authorization for these resources
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
- AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);
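Review bot: The comment above the two renamed calls still reads `// perform no-op authorization for these resources`, while the same comment in CliOverlord, CoordinatorJettyServerInitializer, MiddleManagerJettyServerInitializer and RouterJettyServerInitializer was updated in this commit. Change it to `// perform no-op authorization/authentication for these resources` so it matches the new method name and the other initializers; a reader auditing which paths skip authentication should not have to infer it from the call alone. The enclosing method starts and ends outside the hunk.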
diff --git a/services/src/main/java/org/apache/druid/cli/RouterJettyServerInitializer.java b/services/src/main/java/org/apache/druid/cli/RouterJettyServerInitializer.java
index 596dba9..9fb2a61 100644
--- a/services/src/main/java/org/apache/druid/cli/RouterJettyServerInitializer.java
+++ b/services/src/main/java/org/apache/druid/cli/RouterJettyServerInitializer.java
@@ -137,12 +137,12 @@ public class RouterJettyServerInitializer implements JettyServerInitializer
AuthenticationUtils.addSecuritySanityCheckFilter(root, jsonMapper);
- // perform no-op authorization for these resources
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS);
+ // perform no-op authorization/authentication for these resources
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS);
if (managementProxyConfig.isEnabled()) {
- AuthenticationUtils.addNoopAuthorizationFilters(root, UNSECURED_PATHS_FOR_UI);
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, UNSECURED_PATHS_FOR_UI);
}
- AuthenticationUtils.addNoopAuthorizationFilters(root, authConfig.getUnsecuredPaths());
+ AuthenticationUtils.addNoopAuthenticationAndAuthorizationFilters(root, authConfig.getUnsecuredPaths());
final List<Authenticator> authenticators = authenticatorMapper.getAuthenticatorChain();
AuthenticationUtils.addAuthenticationFilterChain(root, authenticators);