-
Notifications
You must be signed in to change notification settings - Fork 32
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Druid authentication/authorization on router's side #73
base: 0.12.1-mmx
Are you sure you want to change the base?
Changes from 5 commits
0af5d8c
d4237cf
517b714
2ad064e
945d752
d047b2c
5619b2f
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,128 @@ | ||
/* | ||
* Licensed to Metamarkets Group Inc. (Metamarkets) under one | ||
* or more contributor license agreements. See the NOTICE file | ||
* distributed with this work for additional information | ||
* regarding copyright ownership. Metamarkets licenses this file | ||
* to you under the Apache License, Version 2.0 (the | ||
* "License"); you may not use this file except in compliance | ||
* with the License. You may obtain a copy of the License at | ||
* | ||
* http://www.apache.org/licenses/LICENSE-2.0 | ||
* | ||
* Unless required by applicable law or agreed to in writing, | ||
* software distributed under the License is distributed on an | ||
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY | ||
* KIND, either express or implied. See the License for the | ||
* specific language governing permissions and limitations | ||
* under the License. | ||
*/ | ||
|
||
package io.druid.security.basic; | ||
|
||
import com.fasterxml.jackson.annotation.JsonCreator; | ||
import com.fasterxml.jackson.annotation.JsonProperty; | ||
|
||
/** | ||
* Basic authentication storage/cache/resource handler config. | ||
* BasicAuthClassCompositionConfig provides options to specify authenticator/authorizer classes. | ||
* If a field in this class is non-null then the corresponding class is instantiated | ||
* regardless of what type of Druid component runs it (see {@link BasicSecurityDruidModule}). | ||
* Hence every Druid component might be a user/role manager and notify others by sending notifications. | ||
* Every field must be a valid class name (appropriate for the corresponding goal) or null. | ||
*/ | ||
public class BasicAuthClassCompositionConfig | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This class has a lot of fields, but seems that only one of them is used, why is that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Actually, all of them are in use (see BasicSecurityDruidModule) There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please add a class-level comment describing something or pointing somewhere. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. added |
||
{ | ||
@JsonProperty | ||
private final String authenticatorMetadataStorageUpdater; | ||
|
||
@JsonProperty | ||
private final String authenticatorCacheManager; | ||
|
||
@JsonProperty | ||
private final String authenticatorResourceHandler; | ||
|
||
@JsonProperty | ||
private final String authenticatorCacheNotifier; | ||
|
||
@JsonProperty | ||
private final String authorizerMetadataStorageUpdater; | ||
|
||
@JsonProperty | ||
private final String authorizerCacheManager; | ||
|
||
@JsonProperty | ||
private final String authorizerResourceHandler; | ||
|
||
@JsonProperty | ||
private final String authorizerCacheNotifier; | ||
|
||
@JsonCreator | ||
public BasicAuthClassCompositionConfig( | ||
@JsonProperty("authenticatorMetadataStorageUpdater") String authenticatorMetadataStorageUpdater, | ||
@JsonProperty("authenticatorCacheManager") String authenticatorCacheManager, | ||
@JsonProperty("authenticatorResourceHandler") String authenticatorResourceHandler, | ||
@JsonProperty("authenticatorCacheNotifier") String authenticatorCacheNotifier, | ||
@JsonProperty("authorizerMetadataStorageUpdater") String authorizerMetadataStorageUpdater, | ||
@JsonProperty("authorizerCacheManager") String authorizerCacheManager, | ||
@JsonProperty("authorizerResourceHandler") String authorizerResourceHandler, | ||
@JsonProperty("authorizerCacheNotifier") String authorizerCacheNotifier | ||
) | ||
{ | ||
this.authenticatorMetadataStorageUpdater = authenticatorMetadataStorageUpdater; | ||
this.authenticatorCacheManager = authenticatorCacheManager; | ||
this.authenticatorResourceHandler = authenticatorResourceHandler; | ||
this.authenticatorCacheNotifier = authenticatorCacheNotifier; | ||
this.authorizerMetadataStorageUpdater = authorizerMetadataStorageUpdater; | ||
this.authorizerCacheManager = authorizerCacheManager; | ||
this.authorizerResourceHandler = authorizerResourceHandler; | ||
this.authorizerCacheNotifier = authorizerCacheNotifier; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthenticatorMetadataStorageUpdater() | ||
{ | ||
return authenticatorMetadataStorageUpdater; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthenticatorCacheManager() | ||
{ | ||
return authenticatorCacheManager; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthenticatorResourceHandler() | ||
{ | ||
return authenticatorResourceHandler; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthenticatorCacheNotifier() | ||
{ | ||
return authenticatorCacheNotifier; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthorizerMetadataStorageUpdater() | ||
{ | ||
return authorizerMetadataStorageUpdater; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthorizerCacheManager() | ||
{ | ||
return authorizerCacheManager; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthorizerResourceHandler() | ||
{ | ||
return authorizerResourceHandler; | ||
} | ||
|
||
@JsonProperty | ||
public String getAuthorizerCacheNotifier() | ||
{ | ||
return authorizerCacheNotifier; | ||
} | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -39,8 +39,10 @@ | |
import io.druid.security.basic.authentication.db.cache.CoordinatorBasicAuthenticatorCacheNotifier; | ||
import io.druid.security.basic.authentication.db.cache.CoordinatorPollingBasicAuthenticatorCacheManager; | ||
import io.druid.security.basic.authentication.db.cache.MetadataStoragePollingBasicAuthenticatorCacheManager; | ||
import io.druid.security.basic.authentication.db.cache.NoopBasicAuthenticatorCacheNotifier; | ||
import io.druid.security.basic.authentication.db.updater.BasicAuthenticatorMetadataStorageUpdater; | ||
import io.druid.security.basic.authentication.db.updater.CoordinatorBasicAuthenticatorMetadataStorageUpdater; | ||
import io.druid.security.basic.authentication.db.updater.NoopBasicAuthenticatorMetadataStorageUpdater; | ||
import io.druid.security.basic.authentication.endpoint.BasicAuthenticatorResource; | ||
import io.druid.security.basic.authentication.endpoint.BasicAuthenticatorResourceHandler; | ||
import io.druid.security.basic.authentication.endpoint.CoordinatorBasicAuthenticatorResourceHandler; | ||
|
@@ -51,8 +53,10 @@ | |
import io.druid.security.basic.authorization.db.cache.CoordinatorBasicAuthorizerCacheNotifier; | ||
import io.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager; | ||
import io.druid.security.basic.authorization.db.cache.MetadataStoragePollingBasicAuthorizerCacheManager; | ||
import io.druid.security.basic.authorization.db.cache.NoopBasicAuthorizerCacheNotifier; | ||
import io.druid.security.basic.authorization.db.updater.BasicAuthorizerMetadataStorageUpdater; | ||
import io.druid.security.basic.authorization.db.updater.CoordinatorBasicAuthorizerMetadataStorageUpdater; | ||
import io.druid.security.basic.authorization.db.updater.NoopBasicAuthorizerMetadataStorageUpdater; | ||
import io.druid.security.basic.authorization.endpoint.BasicAuthorizerResource; | ||
import io.druid.security.basic.authorization.endpoint.BasicAuthorizerResourceHandler; | ||
import io.druid.security.basic.authorization.endpoint.CoordinatorBasicAuthorizerResourceHandler; | ||
|
@@ -62,10 +66,12 @@ | |
|
||
public class BasicSecurityDruidModule implements DruidModule | ||
{ | ||
|
||
@Override | ||
public void configure(Binder binder) | ||
{ | ||
JsonConfigProvider.bind(binder, "druid.auth.basic.common", BasicAuthCommonCacheConfig.class); | ||
JsonConfigProvider.bind(binder, "druid.auth.basic.composition", BasicAuthClassCompositionConfig.class); | ||
|
||
LifecycleModule.register(binder, BasicAuthenticatorMetadataStorageUpdater.class); | ||
LifecycleModule.register(binder, BasicAuthorizerMetadataStorageUpdater.class); | ||
|
@@ -76,84 +82,124 @@ public void configure(Binder binder) | |
Jerseys.addResource(binder, BasicAuthorizerResource.class); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthenticatorMetadataStorageUpdater createAuthenticatorStorageUpdater(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthenticatorMetadataStorageUpdater createAuthenticatorStorageUpdater( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthenticatorMetadataStorageUpdater.class); | ||
} else { | ||
return null; | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthenticatorMetadataStorageUpdater(), | ||
CoordinatorBasicAuthenticatorMetadataStorageUpdater.class, | ||
NoopBasicAuthenticatorMetadataStorageUpdater.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthenticatorCacheManager createAuthenticatorCacheManager(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthenticatorCacheManager createAuthenticatorCacheManager( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(MetadataStoragePollingBasicAuthenticatorCacheManager.class); | ||
} else { | ||
return injector.getInstance(CoordinatorPollingBasicAuthenticatorCacheManager.class); | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthenticatorCacheManager(), | ||
MetadataStoragePollingBasicAuthenticatorCacheManager.class, | ||
CoordinatorPollingBasicAuthenticatorCacheManager.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthenticatorResourceHandler createAuthenticatorResourceHandler(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthenticatorResourceHandler createAuthenticatorResourceHandler( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthenticatorResourceHandler.class); | ||
} else { | ||
return injector.getInstance(DefaultBasicAuthenticatorResourceHandler.class); | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthenticatorResourceHandler(), | ||
CoordinatorBasicAuthenticatorResourceHandler.class, | ||
DefaultBasicAuthenticatorResourceHandler.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthenticatorCacheNotifier createAuthenticatorCacheNotifier(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthenticatorCacheNotifier createAuthenticatorCacheNotifier( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthenticatorCacheNotifier.class); | ||
} else { | ||
return null; | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthenticatorCacheNotifier(), | ||
CoordinatorBasicAuthenticatorCacheNotifier.class, | ||
NoopBasicAuthenticatorCacheNotifier.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthorizerMetadataStorageUpdater createAuthorizerStorageUpdater(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthorizerMetadataStorageUpdater createAuthorizerStorageUpdater( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthorizerMetadataStorageUpdater.class); | ||
} else { | ||
return null; | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthorizerMetadataStorageUpdater(), | ||
CoordinatorBasicAuthorizerMetadataStorageUpdater.class, | ||
NoopBasicAuthorizerMetadataStorageUpdater.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthorizerCacheManager createAuthorizerCacheManager(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthorizerCacheManager createAuthorizerCacheManager( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(MetadataStoragePollingBasicAuthorizerCacheManager.class); | ||
} else { | ||
return injector.getInstance(CoordinatorPollingBasicAuthorizerCacheManager.class); | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthorizerCacheManager(), | ||
MetadataStoragePollingBasicAuthorizerCacheManager.class, | ||
CoordinatorPollingBasicAuthorizerCacheManager.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthorizerResourceHandler createAuthorizerResourceHandler(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthorizerResourceHandler createAuthorizerResourceHandler( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthorizerResourceHandler.class); | ||
} else { | ||
return injector.getInstance(DefaultBasicAuthorizerResourceHandler.class); | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthorizerResourceHandler(), | ||
CoordinatorBasicAuthorizerResourceHandler.class, | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we should rename There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let me update names and some logic around centralized user management in the next PR There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Could you create a ticket for that? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. BTW, I wonder what's the purpose of doing it in a separate PR? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. As we decided that this feature might be helpful for the community the PR into upstream druid was created and merged. So it would be great to follow this strategy and pull new changes into the upstream before pulling into our fork. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Should I create a ticket in the upstream? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Original PR into Druid There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Yes. |
||
DefaultBasicAuthorizerResourceHandler.class | ||
); | ||
} | ||
|
||
@Provides @LazySingleton | ||
public static BasicAuthorizerCacheNotifier createAuthorizerCacheNotifier(final Injector injector) | ||
@Provides | ||
@LazySingleton | ||
public static BasicAuthorizerCacheNotifier createAuthorizerCacheNotifier( | ||
final Injector injector, | ||
BasicAuthClassCompositionConfig config | ||
) throws ClassNotFoundException | ||
{ | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(CoordinatorBasicAuthorizerCacheNotifier.class); | ||
} else { | ||
return null; | ||
} | ||
return getInstance( | ||
injector, | ||
config.getAuthorizerCacheNotifier(), | ||
CoordinatorBasicAuthorizerCacheNotifier.class, | ||
NoopBasicAuthorizerCacheNotifier.class | ||
); | ||
} | ||
|
||
@Override | ||
|
@@ -168,6 +214,29 @@ public List<? extends Module> getJacksonModules() | |
); | ||
} | ||
|
||
/** | ||
* Returns the instance provided either by a config property or coordinator-run class or default class. | ||
* The order of check corresponds to the order of method params. | ||
*/ | ||
private static <T> T getInstance( | ||
Injector injector, | ||
String configClassName, | ||
Class<? extends T> classRunByCoordinator, | ||
Class<? extends T> defaultClass | ||
) throws ClassNotFoundException | ||
{ | ||
if (configClassName != null) { | ||
// ClassCastException is thrown in case of a mismatch, configuration fix is required. | ||
@SuppressWarnings("unchecked") | ||
final T instance = (T) injector.getInstance(Class.forName(configClassName)); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we exposing too much internals in configs propagating the class names for each sub-component. In fact, we would like a switch like There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This will require refactoring current DI of the module There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. That works for testing, but it's awkward for production. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agree, this might be improved There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Let's add it to the issue we create for #73 (comment) |
||
return instance; | ||
} | ||
if (isCoordinator(injector)) { | ||
return injector.getInstance(classRunByCoordinator); | ||
} | ||
return injector.getInstance(defaultClass); | ||
} | ||
|
||
private static boolean isCoordinator(Injector injector) | ||
{ | ||
final String serviceName; | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -17,15 +17,18 @@ | |
* under the License. | ||
*/ | ||
|
||
package io.druid.security.authentication; | ||
|
||
import io.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheNotifier; | ||
package io.druid.security.basic.authentication.db.cache; | ||
|
||
/** | ||
* Noop basic authenticator cache notifier. | ||
* No notification is sent on user udpate. | ||
* Might be used as a config option to override default authenticator cache notifier. | ||
*/ | ||
public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why this class is needed? It's not used in this PR. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. It is needed on a config level There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Would be nice to specify whether "noop" means "no auth" or "always rejecting auth". |
||
{ | ||
@Override | ||
public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap) | ||
{ | ||
|
||
// Do nothing as this is a noop implementation | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I intended that "of user/role managers, caches and notifiers" is retained - please fix the upstream PR.