Interface Authorizer

All Known Implementing Classes:
AllowAllAuthorizer

public interface Authorizer
An Authorizer is responsible for performing authorization checks for resource accesses.

A single instance of each Authorizer implementation will be created per node. Security-sensitive endpoints will need to extract the identity string contained in the request's Druid-Auth-Token attribute, previously set by an Authenticator. Each endpoint will pass this identity String to the Authorizer's authorize() method along with any Resource/Action pairs created for the request being handled. The endpoint can use these checks to filter out resources or deny the request as needed. After a request is authorized, a new attribute, "Druid-Authorization-Checked", should be set in the request header with the result of the authorization decision.

  • Method Summary

    | Modifier and Type | Method | Description |
    |---|---|---|
    | Access | authorize(AuthenticationResult authenticationResult, Resource resource, Action action) | Check if the entity represented by identity is authorized to perform action on resource. |
  • Method Details

    • authorize

      Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action)
      Check if the entity represented by identity is authorized to perform action on resource.

      If the action involves reading a table, the outcome could include Policy restrictions. However, if the action does not involve reading a table, there must be no Policy restrictions.

      Parameters:
      authenticationResult - The authentication result of the request
      resource - The resource to be accessed
      action - The action to perform on the resource
      Returns:
      An Access object representing the result of the authorization check. Must not be null.
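
A deny-by-default implementation of this interface, added here as an illustration; it is not part of Druid's own code. The class name ReadOnlyAllowListAuthorizer and its allow-list map are hypothetical, and the Jackson/extension registration needed to load it on a node is omitted. It assumes the Access.OK and Access.DENIED constants, AuthenticationResult.getIdentity(), and Resource.getType()/getName() from org.apache.druid.server.security.

```java
import java.util.Map;
import java.util.Set;
import org.apache.druid.server.security.Access;
import org.apache.druid.server.security.Action;
import org.apache.druid.server.security.AuthenticationResult;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceType;

// Hypothetical example class: grants READ on allow-listed datasources, denies everything else.
public class ReadOnlyAllowListAuthorizer implements Authorizer
{
  // identity -> datasource names that identity may read (supplied by the caller)
  private final Map<String, Set<String>> readableDatasources;

  public ReadOnlyAllowListAuthorizer(Map<String, Set<String>> readableDatasources)
  {
    // Defensive copy: one instance is shared per node, so keep its state immutable.
    this.readableDatasources = Map.copyOf(readableDatasources);
  }

  @Override
  public Access authorize(AuthenticationResult authenticationResult, Resource resource, Action action)
  {
    // Fail closed when no Authenticator has established an identity.
    if (authenticationResult == null || authenticationResult.getIdentity() == null) {
      return Access.DENIED;
    }

    // Only datasource reads can ever be granted; writes and all other
    // resource types are denied. Neither constant carries a Policy
    // restriction, so the "no restrictions on non-read actions" rule holds.
    if (action != Action.READ || !ResourceType.DATASOURCE.equals(resource.getType())) {
      return Access.DENIED;
    }

    Set<String> allowed =
        readableDatasources.getOrDefault(authenticationResult.getIdentity(), Set.of());

    // Always return a non-null Access, as the contract requires.
    return allowed.contains(resource.getName()) ? Access.OK : Access.DENIED;
  }
}
```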