Druid authentication/authorization on router's side #73
Conversation
…nent as user/role manager: 1. Added dependency on MetadataStorage because it is used as a storage for users/roles 2. Authenticator/authorizer cache/handler/notifier take class composition form a config
|
@egor-ryashin @leventov could you please run integration test locally using |
|
I got the same result for the branch |
| import com.fasterxml.jackson.annotation.JsonCreator; | ||
| import com.fasterxml.jackson.annotation.JsonProperty; | ||
|
|
||
| public class BasicAuthClassCompositionConfig |
There was a problem hiding this comment.
This class has a lot of fields, but seems that only one of them is used, why is that?
There was a problem hiding this comment.
Actually, all of them are in use (see BasicSecurityDruidModule)
| import com.fasterxml.jackson.annotation.JsonCreator; | ||
| import com.fasterxml.jackson.annotation.JsonProperty; | ||
|
|
||
| public class BasicAuthClassCompositionConfig |
There was a problem hiding this comment.
Please add a class-level comment describing something or pointing somewhere.
| { | ||
| if (config.getAuthenticatorMetadataStorageUpdater() != null) { |
There was a problem hiding this comment.
This block of code can be extracted as a method.
There was a problem hiding this comment.
Please add some explanation. What is going on here?
There was a problem hiding this comment.
Refactored and added description
|
|
||
| package io.druid.security.basic.authentication.db.cache; | ||
|
|
||
| public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier |
There was a problem hiding this comment.
Why this class is needed? It's not used in this PR.
There was a problem hiding this comment.
It is needed on a config level
https://github.com/metamx/druid-config/pull/99
There was a problem hiding this comment.
Would be nice to specify whether "noop" means "no auth" or "always rejecting auth".
|
|
||
| package io.druid.security.basic.authorization.db.cache; | ||
|
|
||
| public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier |
There was a problem hiding this comment.
I also removed the same classes from test scope so this class is used in tests now
|
There are errors in Travis log: |
|
Also updated AWS S3 access and secret keys as they were changed last year so that's why integration tests were failing @leventov |
| @@ -22,6 +22,14 @@ | |||
| import com.fasterxml.jackson.annotation.JsonCreator; | |||
| import com.fasterxml.jackson.annotation.JsonProperty; | |||
|
|
|||
| /** | |||
| * Basic authentication storage/cache/resource hadler config. | |||
| @@ -22,6 +22,14 @@ | |||
| import com.fasterxml.jackson.annotation.JsonCreator; | |||
| import com.fasterxml.jackson.annotation.JsonProperty; | |||
|
|
|||
| /** | |||
| * Basic authentication storage/cache/resource hadler config. | |||
| * The config is an option to specify classes of user/role managers, caches and notifiers. | |||
There was a problem hiding this comment.
I would put it "BasicAuthClassCompositionConfig provides options to specify authenticator classes..."
| /** | ||
| * Basic authentication storage/cache/resource hadler config. | ||
| * The config is an option to specify classes of user/role managers, caches and notifiers. | ||
| * If a config field is specified then the corresponding class is instantiated |
There was a problem hiding this comment.
Not very clear, I would put it "If a field in this class is non-null then ..."
| public static <T> T getInstance( | ||
| Injector injector, | ||
| String configClassName, | ||
| Class<? extends T> isCoordClass, |
There was a problem hiding this comment.
Maybe call the param classRunByCoordinator
|
|
||
| package io.druid.security.basic.authentication.db.cache; | ||
|
|
||
| public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier |
There was a problem hiding this comment.
Would be nice to specify whether "noop" means "no auth" or "always rejecting auth".
|
|
||
| package io.druid.security.basic.authorization.db.cache; | ||
|
|
||
| public class NoopBasicAuthorizerCacheNotifier implements BasicAuthorizerCacheNotifier |
esevastyanov
force-pushed
the
druid-router-auth
branch
from
afc14cb to
e7e4eab
Compare
esevastyanov
force-pushed
the
druid-router-auth
branch
from
e7e4eab to
d4237cf
Compare
| @@ -24,8 +24,8 @@ | |||
|
|
|||
| /** | |||
| * Basic authentication storage/cache/resource handler config. | |||
| * The config is an option to specify classes of user/role managers, caches and notifiers. | |||
| * If a config field is specified then the corresponding class is instantiated | |||
| * BasicAuthClassCompositionConfig provides options to specify authenticator/authorizer classes. | |||
There was a problem hiding this comment.
I intended that "of user/role managers, caches and notifiers" is retained - please fix the upstream PR.
| @@ -17,8 +17,8 @@ command=java | |||
| -Ddruid.indexer.fork.property.druid.processing.buffer.sizeBytes=75000000 | |||
| -Ddruid.indexer.fork.property.druid.processing.numThreads=1 | |||
| -Ddruid.indexer.fork.server.http.numThreads=100 | |||
| -Ddruid.s3.accessKey=AKIAIMKECRUYKDQGR6YQ | |||
| -Ddruid.s3.secretKey=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 | |||
| -Ddruid.s3.accessKey=AKIAJI7DG7CDECGBQ6NA | |||
There was a problem hiding this comment.
Just wonder what s3 storage is accessed by those credentials, is it safe to keep those credentials in github repo?
There was a problem hiding this comment.
This is not our s3 account
https://github.com/apache/incubator-druid/blob/master/integration-tests/docker/middlemanager.conf#L19
There was a problem hiding this comment.
I don't understand why we change them?
There was a problem hiding this comment.
Since we depend on third-party's s3 account in integration-tests (and it was updated). As a solution, we might duplicate that data into our s3.
| return getInstance( | ||
| injector, | ||
| config.getAuthorizerResourceHandler(), | ||
| CoordinatorBasicAuthorizerResourceHandler.class, |
There was a problem hiding this comment.
I think we should rename CoordinatorBasicAuthorizerResourceHandler to something else, as it is not bound to Coordinator now.
There was a problem hiding this comment.
Let me update names and some logic around centralized user management in the next PR
There was a problem hiding this comment.
Could you create a ticket for that?
There was a problem hiding this comment.
BTW, I wonder what's the purpose of doing it in a separate PR?
There was a problem hiding this comment.
As we decided that this feature might be helpful for the community the PR into upstream druid was created and merged. So it would be great to follow this strategy and pull new changes into the upstream before pulling into our fork.
There was a problem hiding this comment.
Should I create a ticket in the upstream?
There was a problem hiding this comment.
Original PR into Druid
apache#7789
There was a problem hiding this comment.
Should I create a ticket in the upstream?
Yes.
| if (configClassName != null) { | ||
| // ClassCastException is thrown in case of a mismatch, configuration fix is required. | ||
| @SuppressWarnings("unchecked") | ||
| final T instance = (T) injector.getInstance(Class.forName(configClassName)); |
There was a problem hiding this comment.
I think we exposing too much internals in configs propagating the class names for each sub-component. In fact, we would like a switch like ...authorization.management.enabled=true/false which can effectively select required classes for us.
There was a problem hiding this comment.
This will require refactoring current DI of the module
There was a problem hiding this comment.
That works for testing, but it's awkward for production.
There was a problem hiding this comment.
Agree, this might be improved
There was a problem hiding this comment.
Let's add it to the issue we create for #73 (comment)
|
@egor-ryashin I moved everything from merged incubator-druid PR |
| @@ -17,8 +17,8 @@ command=java | |||
| -Ddruid.indexer.fork.property.druid.processing.buffer.sizeBytes=75000000 | |||
| -Ddruid.indexer.fork.property.druid.processing.numThreads=1 | |||
| -Ddruid.indexer.fork.server.http.numThreads=100 | |||
| -Ddruid.s3.accessKey=AKIAIMKECRUYKDQGR6YQ | |||
| -Ddruid.s3.secretKey=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 | |||
| -Ddruid.s3.accessKey=AKIAJI7DG7CDECGBQ6NA | |||
There was a problem hiding this comment.
I don't understand why we change them?
| if (configClassName != null) { | ||
| // ClassCastException is thrown in case of a mismatch, configuration fix is required. | ||
| @SuppressWarnings("unchecked") | ||
| final T instance = (T) injector.getInstance(Class.forName(configClassName)); |
There was a problem hiding this comment.
That works for testing, but it's awkward for production.
| return getInstance( | ||
| injector, | ||
| config.getAuthorizerResourceHandler(), | ||
| CoordinatorBasicAuthorizerResourceHandler.class, |
There was a problem hiding this comment.
Could you create a ticket for that?
Updated the druid-basic-security module to make it work on any Druid component as a user/role manager: