@Override public Response apply(SupervisorManager manager) { Preconditions.checkArgument( spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks" ); Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } manager.createOrUpdateAndStartSupervisor(spec); return Response.ok(ImmutableMap.of("id", spec.getId())).build(); } }
@Override public Access authorize( AuthenticationResult authenticationResult, Resource resource, Action action ) { if (authenticationResult == null) { throw new IAE("WTF? authenticationResult should never be null."); } Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(name); if (userMap == null) { throw new IAE("Could not load userMap for authorizer [%s]", name); } Map<String, BasicAuthorizerRole> roleMap = cacheManager.getRoleMap(name); if (roleMap == null) { throw new IAE("Could not load roleMap for authorizer [%s]", name); } BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity()); if (user == null) { return new Access(false); } for (String roleName : user.getRoles()) { BasicAuthorizerRole role = roleMap.get(roleName); for (BasicAuthorizerPermission permission : role.getPermissions()) { if (permissionCheck(resource, action, permission)) { return new Access(true); } } } return new Access(false); }
@DELETE @Path("/pendingSegments/{dataSource}") @Produces(MediaType.APPLICATION_JSON) public Response killPendingSegments( @PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request ) { final Interval deleteInterval = Intervals.of(deleteIntervalString); // check auth for dataSource final Access authResult = AuthorizationUtils.authorizeAllResourceActions( request, ImmutableList.of( new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE) ), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.getMessage()); } if (taskMaster.isLeader()) { final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval); return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build(); } else { return Response.status(Status.SERVICE_UNAVAILABLE).build(); } }
authorizerMapper ); if (!accessResult.isAllowed()) { return Response.status(403).build();
authorizerMapper ); if (!accessResult.isAllowed()) { return Response.status(403).build();
@DELETE @Path("{id}") @Produces(MediaType.APPLICATION_JSON) public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) { if (log.isDebugEnabled()) { log.debug("Received cancel request for query [%s]", queryId); } Set<String> datasources = queryManager.getQueryDatasources(queryId); if (datasources == null) { log.warn("QueryId [%s] not registered with QueryManager, cannot cancel", queryId); datasources = Sets.newTreeSet(); } Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } queryManager.cancelQuery(queryId); return Response.status(Response.Status.ACCEPTED).build(); }
); request.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, access.isAllowed()); return access;
); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.getMessage());
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new WebApplicationException( Response.status(Response.Status.FORBIDDEN) .entity(StringUtils.format("Access-Check-Result: %s", authResult.toString())) .build() ); } return request; }
private Access doAuthorize(final AuthenticationResult authenticationResult, final Access authorizationResult) { if (!authorizationResult.isAllowed()) { // Not authorized; go straight to Jail, do not pass Go. transition(State.AUTHORIZING, State.UNAUTHORIZED); } else { transition(State.AUTHORIZING, State.AUTHORIZED); } this.authenticationResult = authenticationResult; final QueryMetrics queryMetrics = queryPlus.getQueryMetrics(); if (queryMetrics != null) { queryMetrics.identity(authenticationResult.getIdentity()); } return authorizationResult; }
/** * Authorizes action to be performed on this task's datasource * * @return authorization result */ private Access authorizationCheck(final HttpServletRequest req, Action action) { ResourceAction resourceAction = new ResourceAction( new Resource(dataSchema.getDataSource(), ResourceType.DATASOURCE), action ); Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper); if (!access.isAllowed()) { throw new ForbiddenException(access.toString()); } return access; }
if (!access.isAllowed()) { return false;
resourceAction.getAction() ); if (!access.isAllowed()) { return access; } else {
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource("STATE", ResourceType.STATE), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } return request; }
if (!access.isAllowed()) { throw new ISE("Unauthorized");
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource("CONFIG", ResourceType.CONFIG), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } return request; }
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource(getRequestDatasourceName(request), ResourceType.DATASOURCE), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } return request; }