Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[Proposal] Enable writing of druid extensions that can provide dataSource level authorization #2355

Closed
himanshug opened this issue Jan 29, 2016 · 4 comments
Labels

Comments

@himanshug
Copy link
Contributor

See https://groups.google.com/forum/?utm_medium=email&utm_source=footer#!msg/druid-development/4nByc_xxxrU/ZJa-9qUEBgAJ

@himanshug
Copy link
Contributor Author

I'm working on this one with @pjain1 , so assigning it to him.

@drcrallen
Copy link
Contributor

One thing that wasn't clear from the group thread, are you planning on having all auth information in headers, or will it require parsing the message body?

@himanshug
Copy link
Contributor Author

@drcrallen I'm thinking of putting no authentication code inside druid-core , any AuthenticationFilter can be injected from the extension and extension writer can choose to use whatever mechanism fits for them. Only thing that would go inside druid-core will be an interface AuthorizationInfo and checks at jersey endpoints. AuthenticationFilter injected from the extension will be responsible for setting up an implementation of AuthorizationInfo in the context and individual jersey end points will use that to accept/deny/filter the request.
How the injected AuthenticationFilter authenticates and fills the AuthorizationInfo implementation is up to the extension implementation and different ways are possible.

Parag would soon do a PR and that might clarify things more.

@drcrallen
Copy link
Contributor

Note that https://github.com/acesinc/druid-cors-filter-extension is essentially a servlet extension. If you find some stuff that works well or that needs to change to make druid servlet extensions work well, it would be worth notifying them about.

@fjy fjy closed this as completed in #2424 Apr 28, 2016
fjy pushed a commit that referenced this issue Apr 28, 2016
- Introduce `AuthorizationInfo` interface, specific implementations of which would be provided by extensions
- If the `druid.auth.enabled` is set to `true` then the `isAuthorized` method of `AuthorizationInfo` will be called to perform authorization checks
-  `AuthorizationInfo` object will be created in the servlet filters of specific extension and will be passed as a request attribute with attribute name as `AuthConfig.DRUID_AUTH_TOKEN`
- As per the scope of this PR, all resources that needs to be secured are divided into 3 types - `DATASOURCE`, `CONFIG` and `STATE`. For any type of resource, possible actions are  - `READ` or `WRITE`
- Specific ResourceFilters are used to perform auth checks for all endpoints that corresponds to a specific resource type. This prevents duplication of logic and need to inject HttpServletRequest inside each endpoint. For example
 - `DatasourceResourceFilter` is used for endpoints where the datasource information is present after "datasources" segment in the request Path such as `/druid/coordinator/v1/datasources/`, `/druid/coordinator/v1/metadata/datasources/`, `/druid/v2/datasources/`
 - `RulesResourceFilter` is used where the datasource information is present after "rules" segment in the request Path such as `/druid/coordinator/v1/rules/`
 - `TaskResourceFilter` is used for endpoints is used where the datasource information is present after "task" segment in the request Path such as `druid/indexer/v1/task`
 - `ConfigResourceFilter` is used for endpoints like `/druid/coordinator/v1/config`, `/druid/indexer/v1/worker`, `/druid/worker/v1` etc
 - `StateResourceFilter` is used for endpoints like `/druid/broker/v1/loadstatus`, `/druid/coordinator/v1/leader`, `/druid/coordinator/v1/loadqueue`, `/druid/coordinator/v1/rules` etc
- For endpoints where a list of resources is returned like `/druid/coordinator/v1/datasources`, `/druid/indexer/v1/completeTasks` etc. the list is filtered to return only the resources to which the requested user has access. In these cases, `HttpServletRequest` instance needs to be injected in the endpoint method.

Note -
JAX-RS specification provides an interface called `SecurityContext`. However, we did not use this but provided our own interface `AuthorizationInfo` mainly because it provides more flexibility. For example, `SecurityContext` has a method called `isUserInRole(String role)` which would be used for auth checks and if used then the mapping of what roles can access what resource needs to be modeled inside Druid either using some convention or some other means which is not very flexible as Druid has dynamic resources like datasources. Fixes #2355 with PR #2424
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

3 participants