Skip to content
/ druid-opa-authorizer Public

Apache Druid Authorizer for OpenPolicyAgent

License

View license
6 stars 1 fork Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

stackabletech/druid-opa-authorizer

BranchesTags

Repository files navigation

Apache Druid Open Policy Agent (OPA) Authorizer

An Apache Druid extension to request policy decisions from Open Policy Agent (OPA).

Supported Druid versions

This project was tested against these Druid versions:

  • 26.0.0
  • 30.0.0

Building

This repository uses Maven and requires at least Java 11 to build:

    mvn clean package

The result of this is a JAR file in the target directory.

Installing

Copy the JAR file into the extensions directory of your Druid installation.

Configuration Settings

The OPA authorizer is created like so:

    druid.auth.authorizer.myOpaAuth.type=opa
    druid.auth.authorizer.myOpaAuth.opaUri=http://<host>:<port>/v1/data/my/druid/allow

Then the myOpaAuth authorizer needs to be referenced in your authenticator.

How to Write Your RegoRules

The authorizer will send a request to the uri specified in the config. The input will be:

    {
        authenticationResult: {
            identity: <String: user name>
            authorizerName: <String>
            authenticatedBy: <String>
            context: Map<String, Object>
        }
        action: <String: READ|WRITE>
        resource: {
            name: <String>
            type: <String>
        }
    }

For the details - especially the kind of resources - consult the Druid documentation on the Authentication and Authorization Model.

Inside your RegoRules, this snippet of data will be available as input. For the details on how to write RegoRule, have a look at the OPA documentation.

Example

For a simple example, have a look inside the example directory.

Troubleshooting

If you get 500 type errors it might be that the internal druid_system user doesn't have full permissions.

You can increase log output for the authorizer by adding this snippet to your log4j.xml:

    <Logger name="tech.stackable.druid.opaauthorizer.OpaAuthorizer" level="trace" additivity="false">
      <Appender-ref ref="Console"/>
    </Logger>

Development

How to add support for a new version

  1. Add a new profile and get the dependency version from the upstream Druid POM
  2. Add the new profile to the requireActiveProfile enforcer rule
  3. Update .github/workflows/maven.yml to include the new profile in CI
  4. Update README.md to name the newly supported version
  5. After the PR has been merged update the GitHub settings to require the new Druid version to pass

Release

To release this run the relevant GitHub Action which asks for various inputs. It will then create a release in GitHub and upload all artifacts.

About

Apache Druid Authorizer for OpenPolicyAgent

Resources

Readme

License

View license
Activity
Custom properties

Stars

6 stars

Watchers

7 watching

Forks

1 fork
Report repository

Releases

6 tags

Contributors 10

Languages