/** * Check a resource-action using the authorization fields from the request. * * Otherwise, if the resource-actions is authorized, return ACCESS_OK. * * This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. * * If this attribute is already set when this function is called, an exception is thrown. * * @param request HTTP request to be authorized * @param resourceAction A resource identifier and the action to be taken the resource. * @param authorizerMapper The singleton AuthorizerMapper instance * * @return ACCESS_OK or the failed Access object returned by the Authorizer that checked the request. */ public static Access authorizeResourceAction( final HttpServletRequest request, final ResourceAction resourceAction, final AuthorizerMapper authorizerMapper ) { return authorizeAllResourceActions( request, Collections.singletonList(resourceAction), authorizerMapper ); }
Access access = authorizeAllResourceActions( authenticationResultFromRequest(request), resourceActions,
@DELETE @Path("{id}") @Produces(MediaType.APPLICATION_JSON) public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) { if (log.isDebugEnabled()) { log.debug("Received cancel request for query [%s]", queryId); } Set<String> datasources = queryManager.getQueryDatasources(queryId); if (datasources == null) { log.warn("QueryId [%s] not registered with QueryManager, cannot cancel", queryId); datasources = new TreeSet<>(); } Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } queryManager.cancelQuery(queryId); return Response.status(Response.Status.ACCEPTED).build(); }
@POST @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) public Response specPost(final SupervisorSpec spec, @Context final HttpServletRequest req) { return asLeaderWithSupervisorManager( manager -> { Preconditions.checkArgument( spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks" ); Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } manager.createOrUpdateAndStartSupervisor(spec); return Response.ok(ImmutableMap.of("id", spec.getId())).build(); } ); }
@DELETE @Path("/pendingSegments/{dataSource}") @Produces(MediaType.APPLICATION_JSON) public Response killPendingSegments( @PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request ) { final Interval deleteInterval = Intervals.of(deleteIntervalString); // check auth for dataSource final Access authResult = AuthorizationUtils.authorizeAllResourceActions( request, ImmutableList.of( new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE) ), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.getMessage()); } if (taskMaster.isLeader()) { final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval); return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build(); } else { return Response.status(Status.SERVICE_UNAVAILABLE).build(); } }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param authenticationResult authentication result indicating the identity of the requester * * @return authorization result */ public Access authorize(final AuthenticationResult authenticationResult) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( authenticationResult, AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
public Access authorize() { synchronized (lock) { transition(State.PLANNED, State.AUTHORIZING); if (req != null) { return doAuthorize( AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( plannerResult.datasourceNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), plannerFactory.getAuthorizerMapper() ) ); } return doAuthorize( AuthorizationUtils.authorizeAllResourceActions( plannerContext.getAuthenticationResult(), Iterables.transform(plannerResult.datasourceNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR), plannerFactory.getAuthorizerMapper() ) ); } }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param req HTTP request object of the request. If provided, the auth-related fields in the HTTP request * will be automatically set. * * @return authorization result */ public Access authorize(HttpServletRequest req) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( AuthorizationUtils.authenticationResultFromRequest(req), AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR; Access authResult = AuthorizationUtils.authorizeAllResourceActions( getReq(), Iterables.transform(spec.getDataSources(), resourceActionFunction),
@Override public Enumerable<Object[]> scan(DataContext root) { final List<ImmutableDruidServer> druidServers = serverView.getDruidServers(); final AuthenticationResult authenticationResult = (AuthenticationResult) root.get(PlannerContext.DATA_CTX_AUTHENTICATION_RESULT); final Access access = AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Collections.singletonList(new ResourceAction(new Resource("STATE", ResourceType.STATE), Action.READ)), authorizerMapper ); if (!access.isAllowed()) { throw new ForbiddenException("Insufficient permission to view servers :" + access); } final FluentIterable<Object[]> results = FluentIterable .from(druidServers) .transform(val -> new Object[]{ val.getHost(), extractHost(val.getHost()), (long) extractPort(val.getHostAndPort()), (long) extractPort(val.getHostAndTlsPort()), toStringOrNull(val.getType()), val.getTier(), val.getCurrSize(), val.getMaxSize() }); return Linq4j.asEnumerable(results); } }
/** * Check a resource-action using the authorization fields from the request. * * Otherwise, if the resource-actions is authorized, return ACCESS_OK. * * This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. * * If this attribute is already set when this function is called, an exception is thrown. * * @param request HTTP request to be authorized * @param resourceAction A resource identifier and the action to be taken the resource. * @param authorizerMapper The singleton AuthorizerMapper instance * * @return ACCESS_OK or the failed Access object returned by the Authorizer that checked the request. */ public static Access authorizeResourceAction( final HttpServletRequest request, final ResourceAction resourceAction, final AuthorizerMapper authorizerMapper ) { return authorizeAllResourceActions( request, Collections.singletonList(resourceAction), authorizerMapper ); }
(AuthenticationResult) req.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) ); return AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasourceNames, AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR), } else { plannerContext.setAuthenticationResult(authenticationResult); return AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Iterables.transform(datasourceNames, AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR),
@DELETE @Path("{id}") @Produces(MediaType.APPLICATION_JSON) public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) { if (log.isDebugEnabled()) { log.debug("Received cancel request for query [%s]", queryId); } Set<String> datasources = queryManager.getQueryDatasources(queryId); if (datasources == null) { log.warn("QueryId [%s] not registered with QueryManager, cannot cancel", queryId); datasources = Sets.newTreeSet(); } Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } queryManager.cancelQuery(queryId); return Response.status(Response.Status.ACCEPTED).build(); }
Access access = authorizeAllResourceActions( authenticationResultFromRequest(request), resourceActions,
@POST @Consumes(MediaType.APPLICATION_JSON) @Produces(MediaType.APPLICATION_JSON) public Response specPost(final SupervisorSpec spec, @Context final HttpServletRequest req) { return asLeaderWithSupervisorManager( manager -> { Preconditions.checkArgument( spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks" ); Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } manager.createOrUpdateAndStartSupervisor(spec); return Response.ok(ImmutableMap.of("id", spec.getId())).build(); } ); }
@DELETE @Path("/pendingSegments/{dataSource}") @Produces(MediaType.APPLICATION_JSON) public Response killPendingSegments( @PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request ) { final Interval deleteInterval = Intervals.of(deleteIntervalString); // check auth for dataSource final Access authResult = AuthorizationUtils.authorizeAllResourceActions( request, ImmutableList.of( new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE) ), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.getMessage()); } if (taskMaster.isLeader()) { final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval); return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build(); } else { return Response.status(Status.SERVICE_UNAVAILABLE).build(); } }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param authenticationResult authentication result indicating the identity of the requester * * @return authorization result */ public Access authorize(final AuthenticationResult authenticationResult) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( authenticationResult, AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param req HTTP request object of the request. If provided, the auth-related fields in the HTTP request * will be automatically set. * * @return authorization result */ public Access authorize(HttpServletRequest req) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( AuthorizationUtils.authenticationResultFromRequest(req), AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( baseQuery.getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR; Access authResult = AuthorizationUtils.authorizeAllResourceActions( getReq(), Iterables.transform(spec.getDataSources(), resourceActionFunction),
@Override public Enumerable<Object[]> scan(DataContext root) { final List<ImmutableDruidServer> druidServers = serverView.getDruidServers(); final AuthenticationResult authenticationResult = (AuthenticationResult) root.get(PlannerContext.DATA_CTX_AUTHENTICATION_RESULT); final Access access = AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Collections.singletonList(new ResourceAction(new Resource("STATE", ResourceType.STATE), Action.READ)), authorizerMapper ); if (!access.isAllowed()) { throw new ForbiddenException("Insufficient permission to view servers :" + access.toString()); } final FluentIterable<Object[]> results = FluentIterable .from(druidServers) .transform(val -> new Object[]{ val.getHost(), val.getHost().split(":")[0], val.getHostAndPort() == null ? -1 : val.getHostAndPort().split(":")[1], val.getHostAndTlsPort() == null ? -1 : val.getHostAndTlsPort().split(":")[1], val.getType(), val.getTier(), val.getCurrSize(), val.getMaxSize() }); return Linq4j.asEnumerable(results); } }