Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Druid authentication/authorization on router's side #73

Open
wants to merge 7 commits into
base: 0.12.1-mmx
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 3 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Original file line number Diff line number Diff line change
@@ -0,0 +1,128 @@
/*
* Licensed to Metamarkets Group Inc. (Metamarkets) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. Metamarkets licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package io.druid.security.basic;

import com.fasterxml.jackson.annotation.JsonCreator;
import com.fasterxml.jackson.annotation.JsonProperty;

/**
* Basic authentication storage/cache/resource handler config.
* BasicAuthClassCompositionConfig provides options to specify authenticator/authorizer classes.

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I intended that "of user/role managers, caches and notifiers" is retained - please fix the upstream PR.

* If a field in this class is non-null then the corresponding class is instantiated
* regardless of what type of Druid component runs it (see {@link BasicSecurityDruidModule}).
* Hence every Druid component might be a user/role manager and notify others by sending notifications.
* Every field must be a valid class name (appropriate for the corresponding goal) or null.
*/
public class BasicAuthClassCompositionConfig

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This class has a lot of fields, but seems that only one of them is used, why is that?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, all of them are in use (see BasicSecurityDruidModule)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a class-level comment describing something or pointing somewhere.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

{
@JsonProperty
private final String authenticatorMetadataStorageUpdater;

@JsonProperty
private final String authenticatorCacheManager;

@JsonProperty
private final String authenticatorResourceHandler;

@JsonProperty
private final String authenticatorCacheNotifier;

@JsonProperty
private final String authorizerMetadataStorageUpdater;

@JsonProperty
private final String authorizerCacheManager;

@JsonProperty
private final String authorizerResourceHandler;

@JsonProperty
private final String authorizerCacheNotifier;

@JsonCreator
public BasicAuthClassCompositionConfig(
@JsonProperty("authenticatorMetadataStorageUpdater") String authenticatorMetadataStorageUpdater,
@JsonProperty("authenticatorCacheManager") String authenticatorCacheManager,
@JsonProperty("authenticatorResourceHandler") String authenticatorResourceHandler,
@JsonProperty("authenticatorCacheNotifier") String authenticatorCacheNotifier,
@JsonProperty("authorizerMetadataStorageUpdater") String authorizerMetadataStorageUpdater,
@JsonProperty("authorizerCacheManager") String authorizerCacheManager,
@JsonProperty("authorizerResourceHandler") String authorizerResourceHandler,
@JsonProperty("authorizerCacheNotifier") String authorizerCacheNotifier
)
{
this.authenticatorMetadataStorageUpdater = authenticatorMetadataStorageUpdater;
this.authenticatorCacheManager = authenticatorCacheManager;
this.authenticatorResourceHandler = authenticatorResourceHandler;
this.authenticatorCacheNotifier = authenticatorCacheNotifier;
this.authorizerMetadataStorageUpdater = authorizerMetadataStorageUpdater;
this.authorizerCacheManager = authorizerCacheManager;
this.authorizerResourceHandler = authorizerResourceHandler;
this.authorizerCacheNotifier = authorizerCacheNotifier;
}

@JsonProperty
public String getAuthenticatorMetadataStorageUpdater()
{
return authenticatorMetadataStorageUpdater;
}

@JsonProperty
public String getAuthenticatorCacheManager()
{
return authenticatorCacheManager;
}

@JsonProperty
public String getAuthenticatorResourceHandler()
{
return authenticatorResourceHandler;
}

@JsonProperty
public String getAuthenticatorCacheNotifier()
{
return authenticatorCacheNotifier;
}

@JsonProperty
public String getAuthorizerMetadataStorageUpdater()
{
return authorizerMetadataStorageUpdater;
}

@JsonProperty
public String getAuthorizerCacheManager()
{
return authorizerCacheManager;
}

@JsonProperty
public String getAuthorizerResourceHandler()
{
return authorizerResourceHandler;
}

@JsonProperty
public String getAuthorizerCacheNotifier()
{
return authorizerCacheNotifier;
}
}
Original file line number Diff line number Diff line change
Expand Up @@ -58,14 +58,17 @@
import io.druid.security.basic.authorization.endpoint.CoordinatorBasicAuthorizerResourceHandler;
import io.druid.security.basic.authorization.endpoint.DefaultBasicAuthorizerResourceHandler;

import javax.annotation.Nullable;
import java.util.List;

public class BasicSecurityDruidModule implements DruidModule
{

@Override
public void configure(Binder binder)
{
JsonConfigProvider.bind(binder, "druid.auth.basic.common", BasicAuthCommonCacheConfig.class);
JsonConfigProvider.bind(binder, "druid.auth.basic.composition", BasicAuthClassCompositionConfig.class);

LifecycleModule.register(binder, BasicAuthenticatorMetadataStorageUpdater.class);
LifecycleModule.register(binder, BasicAuthorizerMetadataStorageUpdater.class);
Expand All @@ -76,84 +79,124 @@ public void configure(Binder binder)
Jerseys.addResource(binder, BasicAuthorizerResource.class);
}

@Provides @LazySingleton
public static BasicAuthenticatorMetadataStorageUpdater createAuthenticatorStorageUpdater(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthenticatorMetadataStorageUpdater createAuthenticatorStorageUpdater(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthenticatorMetadataStorageUpdater.class);
} else {
return null;
}
return getInstance(
injector,
config.getAuthenticatorMetadataStorageUpdater(),
CoordinatorBasicAuthenticatorMetadataStorageUpdater.class,
null
);
}

@Provides @LazySingleton
public static BasicAuthenticatorCacheManager createAuthenticatorCacheManager(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthenticatorCacheManager createAuthenticatorCacheManager(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(MetadataStoragePollingBasicAuthenticatorCacheManager.class);
} else {
return injector.getInstance(CoordinatorPollingBasicAuthenticatorCacheManager.class);
}
return getInstance(
injector,
config.getAuthenticatorCacheManager(),
MetadataStoragePollingBasicAuthenticatorCacheManager.class,
CoordinatorPollingBasicAuthenticatorCacheManager.class
);
}

@Provides @LazySingleton
public static BasicAuthenticatorResourceHandler createAuthenticatorResourceHandler(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthenticatorResourceHandler createAuthenticatorResourceHandler(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthenticatorResourceHandler.class);
} else {
return injector.getInstance(DefaultBasicAuthenticatorResourceHandler.class);
}
return getInstance(
injector,
config.getAuthenticatorResourceHandler(),
CoordinatorBasicAuthenticatorResourceHandler.class,
DefaultBasicAuthenticatorResourceHandler.class
);
}

@Provides @LazySingleton
public static BasicAuthenticatorCacheNotifier createAuthenticatorCacheNotifier(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthenticatorCacheNotifier createAuthenticatorCacheNotifier(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthenticatorCacheNotifier.class);
} else {
return null;
}
return getInstance(
injector,
config.getAuthenticatorCacheNotifier(),
CoordinatorBasicAuthenticatorCacheNotifier.class,
null
);
}

@Provides @LazySingleton
public static BasicAuthorizerMetadataStorageUpdater createAuthorizerStorageUpdater(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthorizerMetadataStorageUpdater createAuthorizerStorageUpdater(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthorizerMetadataStorageUpdater.class);
} else {
return null;
}
return getInstance(
injector,
config.getAuthorizerMetadataStorageUpdater(),
CoordinatorBasicAuthorizerMetadataStorageUpdater.class,
null
);
}

@Provides @LazySingleton
public static BasicAuthorizerCacheManager createAuthorizerCacheManager(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthorizerCacheManager createAuthorizerCacheManager(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(MetadataStoragePollingBasicAuthorizerCacheManager.class);
} else {
return injector.getInstance(CoordinatorPollingBasicAuthorizerCacheManager.class);
}
return getInstance(
injector,
config.getAuthorizerCacheManager(),
MetadataStoragePollingBasicAuthorizerCacheManager.class,
CoordinatorPollingBasicAuthorizerCacheManager.class
);
}

@Provides @LazySingleton
public static BasicAuthorizerResourceHandler createAuthorizerResourceHandler(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthorizerResourceHandler createAuthorizerResourceHandler(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthorizerResourceHandler.class);
} else {
return injector.getInstance(DefaultBasicAuthorizerResourceHandler.class);
}
return getInstance(
injector,
config.getAuthorizerResourceHandler(),
CoordinatorBasicAuthorizerResourceHandler.class,

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should rename CoordinatorBasicAuthorizerResourceHandler to something else, as it is not bound to Coordinator now.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let me update names and some logic around centralized user management in the next PR

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you create a ticket for that?

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

BTW, I wonder what's the purpose of doing it in a separate PR?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As we decided that this feature might be helpful for the community the PR into upstream druid was created and merged. So it would be great to follow this strategy and pull new changes into the upstream before pulling into our fork.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I create a ticket in the upstream?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Original PR into Druid
apache#7789

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should I create a ticket in the upstream?

Yes.

DefaultBasicAuthorizerResourceHandler.class
);
}

@Provides @LazySingleton
public static BasicAuthorizerCacheNotifier createAuthorizerCacheNotifier(final Injector injector)
@Provides
@LazySingleton
public static BasicAuthorizerCacheNotifier createAuthorizerCacheNotifier(
final Injector injector,
BasicAuthClassCompositionConfig config
) throws ClassNotFoundException
{
if (isCoordinator(injector)) {
return injector.getInstance(CoordinatorBasicAuthorizerCacheNotifier.class);
} else {
return null;
}
return getInstance(
injector,
config.getAuthorizerCacheNotifier(),
CoordinatorBasicAuthorizerCacheNotifier.class,
null
);
}

@Override
Expand All @@ -168,6 +211,33 @@ public List<? extends Module> getJacksonModules()
);
}

/**
* Returns the instance provided either by a config property or coordinator-run class or default class.
* The order of check corresponds to the order of method params.
*/
@Nullable
public static <T> T getInstance(
Injector injector,
String configClassName,
Class<? extends T> classRunByCoordinator,
Class<? extends T> defaultClass
) throws ClassNotFoundException
{
if (configClassName != null) {
// ClassCastException is thrown in case of a mismatch, configuration fix is required.
@SuppressWarnings("unchecked")
final T instance = (T) injector.getInstance(Class.forName(configClassName));

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we exposing too much internals in configs propagating the class names for each sub-component. In fact, we would like a switch like ...authorization.management.enabled=true/false which can effectively select required classes for us.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This will require refactoring current DI of the module

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That works for testing, but it's awkward for production.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree, this might be improved

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's add it to the issue we create for #73 (comment)

return instance;
}
if (classRunByCoordinator != null && isCoordinator(injector)) {
return injector.getInstance(classRunByCoordinator);
}
if (defaultClass != null) {
return injector.getInstance(defaultClass);
}
return null;
}

private static boolean isCoordinator(Injector injector)
{
final String serviceName;
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -17,15 +17,18 @@
* under the License.
*/

package io.druid.security.authentication;

import io.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheNotifier;
package io.druid.security.basic.authentication.db.cache;

/**
* Noop basic authenticator cache notifier.
* No notification is sent on user udpate.
* Might be used as a config option to override default authenticator cache notifier.
*/
public class NoopBasicAuthenticatorCacheNotifier implements BasicAuthenticatorCacheNotifier

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this class is needed? It's not used in this PR.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is needed on a config level
https://github.com/metamx/druid-config/pull/99

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be nice to specify whether "noop" means "no auth" or "always rejecting auth".

{
@Override
public void addUpdate(String updatedAuthenticatorPrefix, byte[] updatedUserMap)
{

// Do nothing as this is a noop implementation
}
}
Loading