Package org.apache.druid.server.security

Class AuthorizationUtils

java.lang.Object
org.apache.druid.server.security.AuthorizationUtils
public class AuthorizationUtils extends Object
Static utility functions for performing authorization checks.

  • Field Details

    • DATASOURCE_READ_RA_GENERATOR

      public static final com.google.common.base.Function<String,ResourceAction> DATASOURCE_READ_RA_GENERATOR
      Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.

    • DATASOURCE_WRITE_RA_GENERATOR

      public static final com.google.common.base.Function<String,ResourceAction> DATASOURCE_WRITE_RA_GENERATOR
      Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.

  • Constructor Details

    • AuthorizationUtils

      public AuthorizationUtils()

  • Method Details

    • authorizeResourceAction

      public static AuthorizationResult authorizeResourceAction(javax.servlet.http.HttpServletRequest request, ResourceAction resourceAction, AuthorizerMapper authorizerMapper)
      Performs authorization check on a single resource-action based on the authentication fields from the request.

      This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

      Parameters:
      request - HTTP request to be authorized
      resourceAction - A resource identifier and the action to be taken the resource.
      authorizerMapper - The singleton AuthorizerMapper instance
      Returns:
      AuthorizationResult containing allow/deny access to the resource action, along with policy restrictions.

    • verifyUnrestrictedAccessToDatasource

      public static void verifyUnrestrictedAccessToDatasource(javax.servlet.http.HttpServletRequest req, String datasource, AuthorizerMapper authorizerMapper)
      Verifies that the user has unrestricted access to perform the required action on the given datasource.
      Throws:
      ForbiddenException - if the user does not have unrestricted access to perform the required action on the given datasource.

    • authenticationResultFromRequest

      public static AuthenticationResult authenticationResultFromRequest(javax.servlet.http.HttpServletRequest request)
      Returns the authentication information for a request.
      Parameters:
      request - http request
      Returns:
      authentication result
      Throws:
      IllegalStateException - if the request was not authenticated

    • getAuthenticatedIdentity

      @Nullable public static String getAuthenticatedIdentity(javax.servlet.http.HttpServletRequest request)
      Extracts the identity from the authentication result if set as an atrribute of this request.

    • buildAuditInfo

      public static AuditInfo buildAuditInfo(javax.servlet.http.HttpServletRequest request)
      Builds an AuditInfo for the given request by extracting the following from it:

    • buildRequestInfo

      public static RequestInfo buildRequestInfo(String service, javax.servlet.http.HttpServletRequest request)
      Builds a RequestInfo object that can be used for auditing purposes.

    • authorizeAllResourceActions

      public static AuthorizationResult authorizeAllResourceActions(AuthenticationResult authenticationResult, Iterable<ResourceAction> resourceActions, AuthorizerMapper authorizerMapper)
      Performs authorization check on a list of resource-actions based on the authenticationResult.

      If one of the resource-actions denys access, returns deny access immediately.

      Parameters:
      authenticationResult - Authentication result representing identity of requester
      resourceActions - An Iterable of resource-actions to authorize
      Returns:
      AuthorizationResult containing allow/deny access to the resource actions, along with policy restrictions.

    • authorizeAllResourceActions

      public static AuthorizationResult authorizeAllResourceActions(javax.servlet.http.HttpServletRequest request, Iterable<ResourceAction> resourceActions, AuthorizerMapper authorizerMapper)
      Performs authorization check on a list of resource-actions based on the authentication fields from the request.

      If one of the resource-actions denys access, returns deny access immediately.

      This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

      Parameters:
      request - HTTP request to be authorized
      resourceActions - An Iterable of resource-actions to authorize
      Returns:
      AuthorizationResult containing allow/deny access to the resource actions, along with policy restrictions.

    • setRequestAuthorizationAttributeIfNeeded

      public static void setRequestAuthorizationAttributeIfNeeded(javax.servlet.http.HttpServletRequest request)
      Sets the AuthConfig.DRUID_AUTHORIZATION_CHECKED attribute in the HttpServletRequest to true. This method is generally used when no ResourceAction need to be checked for the API. If resources are present, users should call authorizeAllResourceActions(HttpServletRequest, Iterable, AuthorizerMapper)

    • filterAuthorizedResources

      public static <ResType> Iterable<ResType> filterAuthorizedResources(javax.servlet.http.HttpServletRequest request, Iterable<ResType> resources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper)
      Return an iterable of authorized resources, by filtering the input resources with authorization checks based on the authentication fields from the request. This method does:
    • For every resource, resourceActionGenerator generates an Iterable of ResourceAction or null.
    • If null, continue with next resource. If any resource-action in the iterable has deny-access, continue with next resource. Only when every resource-action has allow-access, add the resource to the result.

      • This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

      Parameters:
      request - HTTP request to be authorized
      resources - resources to be processed into resource-actions
      resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
      authorizerMapper - authorizer mapper
      Returns:
      Iterable containing resources that were authorized

    • filterAuthorizedResources

      public static <ResType> Iterable<ResType> filterAuthorizedResources(AuthenticationResult authenticationResult, Iterable<ResType> resources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper)
      Return an iterable of authorized resources, by filtering the input resources with authorization checks based on authenticationResult. This method does:
    • For every resource, resourceActionGenerator generates an Iterable of ResourceAction or null.
    • If null, continue with next resource. If any resource-action in the iterable has deny-access, continue with next resource. Only when every resource-action has allow-access, add the resource to the result.
      • Parameters:
      authenticationResult - Authentication result representing identity of requester
      resources - resources to be processed into resource-actions
      resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
      authorizerMapper - authorizer mapper
      Returns:
      Iterable containing resources that were authorized

    • filterAuthorizedResources

      public static <KeyType, ResType> Map<KeyType,List<ResType>> filterAuthorizedResources(javax.servlet.http.HttpServletRequest request, Map<KeyType,List<ResType>> unfilteredResources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper)
      Return a map of authorized resources, by filtering the input resources with authorization checks based on the authentication fields from the request. This method does:
    • For every resource, resourceActionGenerator generates an Iterable of ResourceAction or null.
    • If null, continue with next resource. If any resource-action in the iterable has deny-access, continue with next resource. Only when every resource-action has allow-access, add the resource to the result.

      • This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

      Parameters:
      request - HTTP request to be authorized
      unfilteredResources - Map of resource lists to be filtered
      resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
      authorizerMapper - authorizer mapper
      Returns:
      Map containing lists of resources that were authorized

    • filterByAuthorizedDatasources

      public static <T> List<T> filterByAuthorizedDatasources(javax.servlet.http.HttpServletRequest request, List<T> resources, com.google.common.base.Function<T,String> getDatasource, AuthorizerMapper authorizerMapper)
      Filters the given datasource-related resources on the basis of datasource permissions.
      Returns:
      List of resources to which the user has access, based on whether the user has access to the underlying datasource or not.

    • createExternalResourceReadAction

      public static ResourceAction createExternalResourceReadAction(String resourceName)
      Creates a ResourceAction to read an external resource.

    • makeSuperUserPermissions

      public static List<ResourceAction> makeSuperUserPermissions()
      This method constructs a 'superuser' set of permissions composed of Action.READ and Action.WRITE permissions for all known ResourceType.knownTypes() for any Authorizer implementation which is built on pattern matching with a regex.

      Note that if any Resource exist that use custom types not registered with ResourceType.registerResourceType(java.lang.String), those permissions will not be included in this list and will need to be added manually.