Package org.apache.druid.server.security

Interface Authenticator

All Superinterfaces:
ServletFilterHolder
All Known Implementing Classes:
AllowAllAuthenticator, AnonymousAuthenticator, TrustedDomainAuthenticator
public interface Authenticator extends ServletFilterHolder

  • Method Summary

    Modifier and Type
    Method
    Description
    AuthenticationResult
    authenticateJDBCContext(Map<String,Object> context)
    Given a JDBC connection context, authenticate the identity represented by the information in the context.
    default void
    decorateProxyRequest(javax.servlet.http.HttpServletRequest clientRequest, javax.servlet.http.HttpServletResponse proxyResponse, org.eclipse.jetty.client.api.Request proxyRequest)
    This is used to add some Headers or Authentication token/results that can be used by down stream target host.
    String
    getAuthChallengeHeader()
    Return a WWW-Authenticate challenge scheme string appropriate for this Authenticator's authentication mechanism.
    javax.servlet.Filter
    getFilter()
    Create a Filter that performs authentication checks on incoming HTTP requests.

    Methods inherited from interface org.apache.druid.server.initialization.jetty.ServletFilterHolder

    getDispatcherType, getFilterClass, getInitParameters, getPath, getPaths

  • Method Details

    • getFilter

      javax.servlet.Filter getFilter()
      Create a Filter that performs authentication checks on incoming HTTP requests.

      If the authentication succeeds, the Filter should set the "Druid-Authentication-Result" attribute in the request, containing an AuthenticationResult that represents the authenticated identity of the requester, along with the name of the Authorizer instance that should authorize the request. An Authenticator may choose to add a Map<String, Object> context to the authentication result, containing additional information to be used by the Authorizer. The contents of this map are left for Authenticator/Authorizer implementors to decide.

      If the "Druid-Authentication-Result" attribute is already set (i.e., request has been authenticated by an earlier Filter), this Filter should skip any authentication checks and proceed to the next Filter.

      If a filter cannot recognize a request's format (e.g., the request does not have credentials compatible with a filter's authentication scheme), the filter should not send an error response, allowing other filters to handle the request. A challenge response will be sent if the filter chain is exhausted.

      If the authentication fails (i.e., a filter recognized the authentication scheme of a request, but the credentials failed to authenticate successfully) the Filter should send an error response, without needing to proceed to other filters in the chain..

      Specified by:
      getFilter in interface ServletFilterHolder
      Returns:
      Filter that authenticates HTTP requests

    • getAuthChallengeHeader

      @Nullable String getAuthChallengeHeader()
      Return a WWW-Authenticate challenge scheme string appropriate for this Authenticator's authentication mechanism.

      For example, a Basic HTTP implementation should return "Basic", while a Kerberos implementation would return "Negotiate". If this method returns null, no authentication scheme will be added for that Authenticator implementation.

      Returns:
      Authentication scheme

    • authenticateJDBCContext

      @Nullable AuthenticationResult authenticateJDBCContext(Map<String,Object> context)
      Given a JDBC connection context, authenticate the identity represented by the information in the context. This is used to secure JDBC access for Druid SQL.

      For example, a Basic HTTP auth implementation could read the "user" and "password" fields from the JDBC context.

      The expected contents of the context are left to the implementation.

      Parameters:
      context - JDBC connection context
      Returns:
      AuthenticationResult of the identity represented by the context is successfully authenticated, null if authentication failed

    • decorateProxyRequest

      default void decorateProxyRequest(javax.servlet.http.HttpServletRequest clientRequest, javax.servlet.http.HttpServletResponse proxyResponse, org.eclipse.jetty.client.api.Request proxyRequest)
      This is used to add some Headers or Authentication token/results that can be used by down stream target host. Such token can be used to authenticate the user down stream, in cases where to original credentials are not forwardable as is and therefore the need to attach some authentication tokens by the proxy.
      Parameters:
      clientRequest - original client request processed by the upstream chain of authenticator
      proxyResponse - proxy Response
      proxyRequest - actual proxy request targeted to a given broker