/** * Check a resource-action using the authorization fields from the request. * * Otherwise, if the resource-actions is authorized, return ACCESS_OK. * * This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. * * If this attribute is already set when this function is called, an exception is thrown. * * @param request HTTP request to be authorized * @param resourceAction A resource identifier and the action to be taken the resource. * @param authorizerMapper The singleton AuthorizerMapper instance * * @return ACCESS_OK or the failed Access object returned by the Authorizer that checked the request. */ public static Access authorizeResourceAction( final HttpServletRequest request, final ResourceAction resourceAction, final AuthorizerMapper authorizerMapper ) { return authorizeAllResourceActions( request, Collections.singletonList(resourceAction), authorizerMapper ); }
Access accessResult = AuthorizationUtils.authorizeResourceAction( req, new ResourceAction(
@GET @Produces(MediaType.APPLICATION_JSON) public Iterable<String> getDataSources(@Context final HttpServletRequest request) { Function<String, Iterable<ResourceAction>> raGenerator = datasourceName -> { return Collections.singletonList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(datasourceName)); }; return AuthorizationUtils.filterAuthorizedResources( request, getAllDataSources(), raGenerator, authorizerMapper ); }
final AuthenticationResult authenticationResult = authenticationResultFromRequest(request); final Iterable<ResType> filteredResources = filterAuthorizedResources( authenticationResult, resources,
Access access = authorizeAllResourceActions( authenticationResultFromRequest(request), resourceActions, authorizerMapper
public PlannerContext plan(HttpServletRequest req) throws SqlParseException, RelConversionException, ValidationException { synchronized (lock) { this.req = req; return plan(AuthorizationUtils.authenticationResultFromRequest(req)); } }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param req HTTP request object of the request. If provided, the auth-related fields in the HTTP request * will be automatically set. * * @return authorization result */ public Access authorize(HttpServletRequest req) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( AuthorizationUtils.authenticationResultFromRequest(req), AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
final AuthenticationResult authenticationResult = AuthorizationUtils.authenticationResultFromRequest(request); AuthorizationUtils.filterAuthorizedResources( authenticationResult, entry.getValue(),
@GET @Path("/history") @Produces(MediaType.APPLICATION_JSON) public Response specGetAllHistory(@Context final HttpServletRequest req) { return asLeaderWithSupervisorManager( manager -> Response.ok( AuthorizationUtils.filterAuthorizedResources( req, manager.getSupervisorHistory(), SPEC_DATASOURCE_READ_RA_GENERATOR, authorizerMapper ) ).build() ); }
Access accessResult = AuthorizationUtils.authorizeResourceAction( req, new ResourceAction(
@DELETE @Path("{id}") @Produces(MediaType.APPLICATION_JSON) public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) { if (log.isDebugEnabled()) { log.debug("Received cancel request for query [%s]", queryId); } Set<String> datasources = queryManager.getQueryDatasources(queryId); if (datasources == null) { log.warn("QueryId [%s] not registered with QueryManager, cannot cancel", queryId); datasources = new TreeSet<>(); } Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } queryManager.cancelQuery(queryId); return Response.status(Response.Status.ACCEPTED).build(); }
Access access = authorizeAllResourceActions( authenticationResultFromRequest(request), resourceActions, authorizerMapper
final AuthenticationResult authenticationResult = authenticationResultFromRequest(request); final Iterable<ResType> filteredResources = filterAuthorizedResources( authenticationResult, resources,
private Iterator<Entry<DataSegment, SegmentMetadataHolder>> getAuthorizedAvailableSegments( Iterator<Entry<DataSegment, SegmentMetadataHolder>> availableSegmentEntries, DataContext root ) { final AuthenticationResult authenticationResult = (AuthenticationResult) root.get(PlannerContext.DATA_CTX_AUTHENTICATION_RESULT); Function<Entry<DataSegment, SegmentMetadataHolder>, Iterable<ResourceAction>> raGenerator = segment -> Collections .singletonList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(segment.getKey().getDataSource())); final Iterable<Entry<DataSegment, SegmentMetadataHolder>> authorizedSegments = AuthorizationUtils.filterAuthorizedResources( authenticationResult, () -> availableSegmentEntries, raGenerator, authorizerMapper ); return authorizedSegments.iterator(); }
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new WebApplicationException( Response.status(Response.Status.FORBIDDEN) .entity(StringUtils.format("Access-Check-Result: %s", authResult.toString())) .build() ); } return request; } }
@POST @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) public Response specPost(final SupervisorSpec spec, @Context final HttpServletRequest req) { return asLeaderWithSupervisorManager( manager -> { Preconditions.checkArgument( spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks" ); Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } manager.createOrUpdateAndStartSupervisor(spec); return Response.ok(ImmutableMap.of("id", spec.getId())).build(); } ); }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param req HTTP request object of the request. If provided, the auth-related fields in the HTTP request * will be automatically set. * * @return authorization result */ public Access authorize(HttpServletRequest req) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( AuthorizationUtils.authenticationResultFromRequest(req), AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
final AuthenticationResult authenticationResult = AuthorizationUtils.authenticationResultFromRequest(request); AuthorizationUtils.filterAuthorizedResources( authenticationResult, entry.getValue(),
private CloseableIterator<DataSegment> getAuthorizedPublishedSegments( JsonParserIterator<DataSegment> it, DataContext root ) { final AuthenticationResult authenticationResult = (AuthenticationResult) root.get(PlannerContext.DATA_CTX_AUTHENTICATION_RESULT); Function<DataSegment, Iterable<ResourceAction>> raGenerator = segment -> Collections.singletonList( AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(segment.getDataSource())); final Iterable<DataSegment> authorizedSegments = AuthorizationUtils.filterAuthorizedResources( authenticationResult, () -> it, raGenerator, authorizerMapper ); return wrap(authorizedSegments.iterator(), it); }
); Access authResult = AuthorizationUtils.authorizeResourceAction( req, resourceAction,