/** * Check a resource-action using the authorization fields from the request. * * Otherwise, if the resource-actions is authorized, return ACCESS_OK. * * This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. * * If this attribute is already set when this function is called, an exception is thrown. * * @param request HTTP request to be authorized * @param resourceAction A resource identifier and the action to be taken the resource. * @param authorizerMapper The singleton AuthorizerMapper instance * * @return ACCESS_OK or the failed Access object returned by the Authorizer that checked the request. */ public static Access authorizeResourceAction( final HttpServletRequest request, final ResourceAction resourceAction, final AuthorizerMapper authorizerMapper ) { return authorizeAllResourceActions( request, Lists.newArrayList(resourceAction), authorizerMapper ); }
@GET @Produces(MediaType.APPLICATION_JSON) public Iterable<String> getDataSources(@Context final HttpServletRequest request) { Function<String, Iterable<ResourceAction>> raGenerator = datasourceName -> { return Lists.newArrayList(AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR.apply(datasourceName)); }; return AuthorizationUtils.filterAuthorizedResources( request, getSegmentsForDatasources().keySet(), raGenerator, authorizerMapper ); }
Access access = authorizeAllResourceActions( authenticationResultFromRequest(request), resourceActions, authorizerMapper
final AuthenticationResult authenticationResult = authenticationResultFromRequest(request); final Iterable<ResType> filteredResources = filterAuthorizedResources( authenticationResult, resources,
Access accessResult = AuthorizationUtils.authorizeResourceAction( req, new ResourceAction(
Access accessResult = AuthorizationUtils.authorizeResourceAction( req, new ResourceAction(
final AuthenticationResult authenticationResult = AuthorizationUtils.authenticationResultFromRequest(request); AuthorizationUtils.filterAuthorizedResources( authenticationResult, entry.getValue(),
@Override public ContainerRequest filter(ContainerRequest request) { final ResourceAction resourceAction = new ResourceAction( new Resource(SECURITY_RESOURCE_NAME, ResourceType.CONFIG), getAction(request) ); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction, getAuthorizerMapper() ); if (!authResult.isAllowed()) { throw new WebApplicationException( Response.status(Response.Status.FORBIDDEN) .entity(StringUtils.format("Access-Check-Result: %s", authResult.toString())) .build() ); } return request; }
@Override public Response apply(final SupervisorManager manager) { return Response.ok( AuthorizationUtils.filterAuthorizedResources( req, manager.getSupervisorHistory(), SPEC_DATASOURCE_READ_RA_GENERATOR, authorizerMapper ) ).build(); } }
@DELETE @Path("{id}") @Produces(MediaType.APPLICATION_JSON) public Response cancelQuery(@PathParam("id") String queryId, @Context final HttpServletRequest req) { if (log.isDebugEnabled()) { log.debug("Received cancel request for query [%s]", queryId); } Set<String> datasources = queryManager.getQueryDatasources(queryId); if (datasources == null) { log.warn("QueryId [%s] not registered with QueryManager, cannot cancel", queryId); datasources = Sets.newTreeSet(); } Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(datasources, AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } queryManager.cancelQuery(queryId); return Response.status(Response.Status.ACCEPTED).build(); }
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param req HTTP request object of the request. If provided, the auth-related fields in the HTTP request * will be automatically set. * * @return authorization result */ public Access authorize(HttpServletRequest req) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( AuthorizationUtils.authenticationResultFromRequest(req), AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform( queryPlus.getQuery().getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }
); final Access authResult = AuthorizationUtils.authorizeResourceAction( getReq(), resourceAction,
@Override public Response apply(SupervisorManager manager) { Map<String, List<VersionedSupervisorSpec>> supervisorHistory = manager.getSupervisorHistory(); Iterable<VersionedSupervisorSpec> historyForId = supervisorHistory.get(id); if (historyForId != null) { final List<VersionedSupervisorSpec> authorizedHistoryForId = Lists.newArrayList( AuthorizationUtils.filterAuthorizedResources( req, historyForId, SPEC_DATASOURCE_READ_RA_GENERATOR, authorizerMapper ) ); if (authorizedHistoryForId.size() > 0) { return Response.ok(authorizedHistoryForId).build(); } } return Response.status(Response.Status.NOT_FOUND) .entity( ImmutableMap.of( "error", StringUtils.format("No history for [%s].", id) ) ) .build(); } }
@Override public Response apply(SupervisorManager manager) { Preconditions.checkArgument( spec.getDataSources() != null && spec.getDataSources().size() > 0, "No dataSources found to perform authorization checks" ); Access authResult = AuthorizationUtils.authorizeAllResourceActions( req, Iterables.transform(spec.getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.toString()); } manager.createOrUpdateAndStartSupervisor(spec); return Response.ok(ImmutableMap.of("id", spec.getId())).build(); } }
); Access authResult = AuthorizationUtils.authorizeResourceAction( req, resourceAction,
private Set<String> filterAuthorizedSupervisorIds( final HttpServletRequest req, SupervisorManager manager, Collection<String> supervisorIds ) { Function<String, Iterable<ResourceAction>> raGenerator = supervisorId -> { Optional<SupervisorSpec> supervisorSpecOptional = manager.getSupervisorSpec(supervisorId); if (supervisorSpecOptional.isPresent()) { return Iterables.transform( supervisorSpecOptional.get().getDataSources(), AuthorizationUtils.DATASOURCE_WRITE_RA_GENERATOR ); } else { return null; } }; return Sets.newHashSet( AuthorizationUtils.filterAuthorizedResources( req, supervisorIds, raGenerator, authorizerMapper ) ); } }
@DELETE @Path("/pendingSegments/{dataSource}") @Produces(MediaType.APPLICATION_JSON) public Response killPendingSegments( @PathParam("dataSource") String dataSource, @QueryParam("interval") String deleteIntervalString, @Context HttpServletRequest request ) { final Interval deleteInterval = Intervals.of(deleteIntervalString); // check auth for dataSource final Access authResult = AuthorizationUtils.authorizeAllResourceActions( request, ImmutableList.of( new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.READ), new ResourceAction(new Resource(dataSource, ResourceType.DATASOURCE), Action.WRITE) ), authorizerMapper ); if (!authResult.isAllowed()) { throw new ForbiddenException(authResult.getMessage()); } if (taskMaster.isLeader()) { final int numDeleted = indexerMetadataStorageAdapter.deletePendingSegments(dataSource, deleteInterval); return Response.ok().entity(ImmutableMap.of("numDeleted", numDeleted)).build(); } else { return Response.status(Status.SERVICE_UNAVAILABLE).build(); } }
/** * Authorizes action to be performed on this task's datasource * * @return authorization result */ private Access authorizationCheck(final HttpServletRequest req, Action action) { ResourceAction resourceAction = new ResourceAction( new Resource(dataSchema.getDataSource(), ResourceType.DATASOURCE), action ); Access access = AuthorizationUtils.authorizeResourceAction(req, resourceAction, authorizerMapper); if (!access.isAllowed()) { throw new ForbiddenException(access.toString()); } return access; }
AuthorizationUtils.filterAuthorizedResources( req, dataSourceNamesPreAuth,
/** * Authorize the query. Will return an Access object denoting whether the query is authorized or not. * * @param authenticationResult authentication result indicating the identity of the requester * * @return authorization result */ public Access authorize(final AuthenticationResult authenticationResult) { transition(State.INITIALIZED, State.AUTHORIZING); return doAuthorize( authenticationResult, AuthorizationUtils.authorizeAllResourceActions( authenticationResult, Iterables.transform( queryPlus.getQuery().getDataSource().getNames(), AuthorizationUtils.DATASOURCE_READ_RA_GENERATOR ), authorizerMapper ) ); }