/**
 * Creates the escalated {@link AuthenticationResult}.
 *
 * @return a result built from {@code internalClientUsername} and {@code authorizerName}, with the last two
 *         constructor arguments passed as {@code null}
 */
@Override
public AuthenticationResult createEscalatedAuthenticationResult()
{
  // The authenticatedBy field is deliberately left null. The reasoning is recorded at
  // https://github.com/druid-io/druid/pull/5706#discussion_r185940889
  final AuthenticationResult escalated = new AuthenticationResult(
      internalClientUsername,
      authorizerName,
      null,
      null
  );
  return escalated;
}
}
/**
 * Derives the hash code from the identity, the authorizer name, the authenticatedBy value and the context,
 * in that order.
 *
 * @return the combined hash of the four properties
 */
@Override
public int hashCode()
{
  // Read the getters in the same order the hash combines them.
  final Object identity = getIdentity();
  final Object authorizer = getAuthorizerName();
  final Object authenticatedBy = getAuthenticatedBy();
  final Object context = getContext();
  return Objects.hash(identity, authorizer, authenticatedBy, context);
}
}
/**
 * Records the outcome of an authorization decision on this object.
 *
 * <p>The state moves from {@code AUTHORIZING} to {@code AUTHORIZED} or {@code UNAUTHORIZED} depending on
 * {@code authorizationResult.isAllowed()}. The authentication result is stored, and the identity is reported
 * to the query metrics when they exist, for allowed and denied decisions alike.
 *
 * @param authenticationResult the authenticated caller; stored on this object
 * @param authorizationResult  the decision that was already computed
 * @return {@code authorizationResult}, unchanged
 */
private Access doAuthorize(final AuthenticationResult authenticationResult, final Access authorizationResult)
{
  if (authorizationResult.isAllowed()) {
    transition(State.AUTHORIZING, State.AUTHORIZED);
  } else {
    // Denied: the transition to UNAUTHORIZED happens before anything else is recorded.
    transition(State.AUTHORIZING, State.UNAUTHORIZED);
  }

  this.authenticationResult = authenticationResult;

  final QueryMetrics metrics = queryPlus.getQueryMetrics();
  if (metrics == null) {
    return authorizationResult;
  }
  // The identity is attached to the metrics for denied requests as well.
  metrics.identity(authenticationResult.getIdentity());
  return authorizationResult;
}
final Authorizer authorizer = authorizerMapper.getAuthorizer(authenticationResult.getAuthorizerName()); if (authorizer == null) { throw new ISE("No authorizer found with name: [%s].", authenticationResult.getAuthorizerName());
if (authenticationResult != null && authenticationResult.getAuthenticatedBy() != null) { Authenticator authenticator = authenticatorMapper.getAuthenticatorMap() .get(authenticationResult.getAuthenticatedBy()); if (authenticator != null) { authenticator.decorateProxyRequest( ); } else { log.error("Can not find Authenticator with Name [%s]", authenticationResult.getAuthenticatedBy());
statsMap.put("success", success); if (authenticationResult != null) { statsMap.put("identity", authenticationResult.getIdentity());
final Authorizer authorizer = authorizerMapper.getAuthorizer(authenticationResult.getAuthorizerName()); if (authorizer == null) { throw new ISE("No authorizer found with name: [%s].", authenticationResult.getAuthorizerName());
/**
 * Compares this result with another object of exactly the same class by identity, authorizer name,
 * authenticatedBy and context.
 *
 * @param o the object to compare with; may be {@code null}
 * @return {@code true} when {@code o} is this object, or has the same class and four equal properties
 */
@Override
public boolean equals(Object o)
{
  if (this == o) {
    return true;
  }
  if (o == null || getClass() != o.getClass()) {
    return false;
  }

  final AuthenticationResult other = (AuthenticationResult) o;
  // Compare field by field and stop at the first mismatch.
  if (!Objects.equals(getIdentity(), other.getIdentity())) {
    return false;
  }
  if (!Objects.equals(getAuthorizerName(), other.getAuthorizerName())) {
    return false;
  }
  if (!Objects.equals(getAuthenticatedBy(), other.getAuthenticatedBy())) {
    return false;
  }
  return Objects.equals(getContext(), other.getContext());
}
/**
 * Marks the request as authenticated and already authorization-checked, then passes it down the chain.
 *
 * <p>Every request that reaches this filter skips the authorization checks, so the filter must be mapped
 * only to paths that are meant to be reachable without credentials.
 *
 * @param servletRequest  the incoming request; receives the two auth attributes
 * @param servletResponse the response, handed on untouched
 * @param filterChain     the remainder of the filter chain
 * @throws IOException      propagated from the chain
 * @throws ServletException propagated from the chain
 */
@Override
public void doFilter(
    ServletRequest servletRequest,
    ServletResponse servletResponse,
    FilterChain filterChain
) throws IOException, ServletException
{
  // PreResponseAuthorizationCheckFilter only checks that this attribute is present. The value itself is
  // irrelevant because authorization checks are skipped for requests that pass through this filter.
  final AuthenticationResult allowAll = new AuthenticationResult(
      AuthConfig.ALLOW_ALL_NAME,
      AuthConfig.ALLOW_ALL_NAME,
      AuthConfig.ALLOW_ALL_NAME,
      null
  );
  servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, allowAll);

  // No Authorizer will see this request, so the flag PreResponseAuthorizationCheckFilter expects is set here.
  servletRequest.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);

  filterChain.doFilter(servletRequest, servletResponse);
}
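/**
 * Decides whether the authenticated identity may perform {@code action} on {@code resource}.
 *
 * <p>The user and role maps of this authorizer are read from {@code cacheManager}. Access is granted as soon
 * as one permission of one of the user's roles passes {@code permissionCheck}. An identity with no entry in
 * the user map is denied, and a role name with no entry in the role map grants nothing.
 *
 * @param authenticationResult the authenticated caller; must not be {@code null}
 * @param resource             the resource being accessed
 * @param action               the action requested on the resource
 * @return {@code new Access(true)} on the first matching permission, otherwise {@code new Access(false)}
 * @throws IAE if {@code authenticationResult} is {@code null}, or the user map or role map cannot be loaded
 */
@Override
public Access authorize(
    AuthenticationResult authenticationResult,
    Resource resource,
    Action action
)
{
  if (authenticationResult == null) {
    throw new IAE("WTF? authenticationResult should never be null.");
  }

  Map<String, BasicAuthorizerUser> userMap = cacheManager.getUserMap(name);
  if (userMap == null) {
    throw new IAE("Could not load userMap for authorizer [%s]", name);
  }

  Map<String, BasicAuthorizerRole> roleMap = cacheManager.getRoleMap(name);
  if (roleMap == null) {
    throw new IAE("Could not load roleMap for authorizer [%s]", name);
  }

  BasicAuthorizerUser user = userMap.get(authenticationResult.getIdentity());
  if (user == null) {
    // Unknown identity: deny.
    return new Access(false);
  }

  for (String roleName : user.getRoles()) {
    BasicAuthorizerRole role = roleMap.get(roleName);
    if (role == null) {
      // The user map and role map are fetched separately, so a user can name a role that the role map does
      // not hold. Such a role contributes no permissions, and the decision stays a denial rather than
      // failing with a NullPointerException.
      continue;
    }
    for (BasicAuthorizerPermission permission : role.getPermissions()) {
      if (permissionCheck(resource, action, permission)) {
        return new Access(true);
      }
    }
  }

  // No role produced a matching permission.
  return new Access(false);
}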
/**
 * Authenticates a JDBC connection from the {@code "user"} and {@code "password"} entries of its context.
 *
 * <p>A missing credential and a failed check both yield {@code null}, so the caller cannot tell which of the
 * two caused the rejection.
 *
 * @param context the connection context; both entries are cast to {@code String}
 * @return a result for {@code user} bound to this authenticator's {@code authorizerName} and {@code name},
 *         or {@code null} when either entry is absent or {@code checkCredentials} rejects the pair
 */
@Override
@Nullable
public AuthenticationResult authenticateJDBCContext(Map<String, Object> context)
{
  final String user = (String) context.get("user");
  final String password = (String) context.get("password");

  // checkCredentials takes the password as a char[].
  final boolean accepted = user != null
                           && password != null
                           && checkCredentials(user, password.toCharArray());
  if (!accepted) {
    return null;
  }
  return new AuthenticationResult(user, authorizerName, name, null);
}
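/**
 * Handles authorization for HTTP OPTIONS requests, which no resource handler authorizes.
 *
 * <p>An OPTIONS request that already carries an authentication result keeps it. One without a result is
 * given the allow-all identity when {@code allowUnauthenticatedHttpOptions} is set. Otherwise it is answered
 * with 401 and processing stops here. Every OPTIONS request that continues is flagged as
 * authorization-checked. All other methods pass through untouched.
 *
 * @param request  the incoming request; cast to {@link HttpServletRequest}
 * @param response the response; used to send the 401 for a rejected request
 * @param chain    the remainder of the filter chain
 * @throws IOException      from {@code sendError} or the chain
 * @throws ServletException from the chain
 */
@Override
public void doFilter(
    ServletRequest request,
    ServletResponse response,
    FilterChain chain
) throws IOException, ServletException
{
  HttpServletRequest httpReq = (HttpServletRequest) request;

  // Druid itself doesn't explicitly handle OPTIONS requests, and no resource handler will authorize them,
  // so this filter catches all OPTIONS requests and authorizes them.
  if (HttpMethod.OPTIONS.equals(httpReq.getMethod())) {
    if (httpReq.getAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT) == null) {
      // If the request already had credentials and authenticated successfully, the authenticated identity
      // is kept (this branch is not entered). Otherwise the unauthenticated request is allowed only when
      // the configuration says so.
      if (allowUnauthenticatedHttpOptions) {
        httpReq.setAttribute(
            AuthConfig.DRUID_AUTHENTICATION_RESULT,
            new AuthenticationResult(AuthConfig.ALLOW_ALL_NAME, AuthConfig.ALLOW_ALL_NAME, null, null)
        );
      } else {
        ((HttpServletResponse) response).sendError(HttpServletResponse.SC_UNAUTHORIZED);
        // Stop here. The rejected request must not be flagged as authorization-checked or handed to the
        // rest of the chain after the 401 has been sent.
        return;
      }
    }

    httpReq.setAttribute(AuthConfig.DRUID_AUTHORIZATION_CHECKED, true);
  }

  chain.doFilter(request, response);
}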
AuthenticationResult authenticationResult = new AuthenticationResult(user, authorizerName, name, null); servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, authenticationResult); } else {