org.apache.druid.server.security

Class AuthorizationUtils

java.lang.Object

org.apache.druid.server.security.AuthorizationUtils

public class AuthorizationUtils
extends Object

Static utility functions for performing authorization checks.

Field Summary

Fields

Modifier and Type	Field and Description
static com.google.common.base.Function<String,ResourceAction>	DATASOURCE_READ_RA_GENERATOR Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.
static com.google.common.base.Function<String,ResourceAction>	DATASOURCE_WRITE_RA_GENERATOR Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.
static com.google.common.base.Function<Resource,ResourceAction>	RESOURCE_READ_RA_GENERATOR Function for the pattern of generating a ResourceAction for reading from a given Resource
static com.google.common.base.Function<String,ResourceAction>	VIEW_READ_RA_GENERATOR Function for the common pattern of generating a resource-action for reading from a view, using the view name.

Constructor Summary

Constructors

Constructor and Description
AuthorizationUtils()

Method Summary

Modifier and Type	Method and Description
static AuthenticationResult	authenticationResultFromRequest(javax.servlet.http.HttpServletRequest request) Returns the authentication information for a request.
static Access	authorizeAllResourceActions(AuthenticationResult authenticationResult, Iterable<ResourceAction> resourceActions, AuthorizerMapper authorizerMapper) Check a list of resource-actions to be performed by the identity represented by authenticationResult.
static Access	authorizeAllResourceActions(javax.servlet.http.HttpServletRequest request, Iterable<ResourceAction> resourceActions, AuthorizerMapper authorizerMapper) Check a list of resource-actions to be performed as a result of an HTTP request.
static Access	authorizeResourceAction(javax.servlet.http.HttpServletRequest request, ResourceAction resourceAction, AuthorizerMapper authorizerMapper) Check a resource-action using the authorization fields from the request.
static <ResType> Iterable<ResType>	filterAuthorizedResources(AuthenticationResult authenticationResult, Iterable<ResType> resources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper) Filter a collection of resources by applying the resourceActionGenerator to each resource, return an iterable containing the filtered resources.
static <ResType> Iterable<ResType>	filterAuthorizedResources(javax.servlet.http.HttpServletRequest request, Iterable<ResType> resources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper) Filter a collection of resources by applying the resourceActionGenerator to each resource, return an iterable containing the filtered resources.
static <KeyType,ResType> Map<KeyType,List<ResType>>	filterAuthorizedResources(javax.servlet.http.HttpServletRequest request, Map<KeyType,List<ResType>> unfilteredResources, com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator, AuthorizerMapper authorizerMapper) Given a map of resource lists, filter each resources list by applying the resource action generator to each item in each resource list.
static List<ResourceAction>	makeSuperUserPermissions() This method constructs a 'superuser' set of permissions composed of Action.READ and Action.WRITE permissions for all known ResourceType.knownTypes() for any Authorizer implementation which is built on pattern matching with a regex.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Detail

DATASOURCE_READ_RA_GENERATOR

public static final com.google.common.base.Function<String,ResourceAction> DATASOURCE_READ_RA_GENERATOR

Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.

DATASOURCE_WRITE_RA_GENERATOR

public static final com.google.common.base.Function<String,ResourceAction> DATASOURCE_WRITE_RA_GENERATOR

Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.

VIEW_READ_RA_GENERATOR

public static final com.google.common.base.Function<String,ResourceAction> VIEW_READ_RA_GENERATOR

Function for the common pattern of generating a resource-action for reading from a view, using the view name.

RESOURCE_READ_RA_GENERATOR

public static final com.google.common.base.Function<Resource,ResourceAction> RESOURCE_READ_RA_GENERATOR

Function for the pattern of generating a ResourceAction for reading from a given Resource

Constructor Detail

AuthorizationUtils

public AuthorizationUtils()

Method Detail

authorizeResourceAction

public static Access authorizeResourceAction(javax.servlet.http.HttpServletRequest request,
                                             ResourceAction resourceAction,
                                             AuthorizerMapper authorizerMapper)

Check a resource-action using the authorization fields from the request. Otherwise, if the resource-actions is authorized, return ACCESS_OK. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

Parameters:

request - HTTP request to be authorized

resourceAction - A resource identifier and the action to be taken the resource.

authorizerMapper - The singleton AuthorizerMapper instance

Returns:

ACCESS_OK or the failed Access object returned by the Authorizer that checked the request.

authenticationResultFromRequest

public static AuthenticationResult authenticationResultFromRequest(javax.servlet.http.HttpServletRequest request)

Returns the authentication information for a request.

Parameters:

request - http request

Returns:

authentication result

Throws:

IllegalStateException - if the request was not authenticated

authorizeAllResourceActions

public static Access authorizeAllResourceActions(AuthenticationResult authenticationResult,
                                                 Iterable<ResourceAction> resourceActions,
                                                 AuthorizerMapper authorizerMapper)

Check a list of resource-actions to be performed by the identity represented by authenticationResult. If one of the resource-actions fails the authorization check, this method returns the failed Access object from the check. Otherwise, return ACCESS_OK if all resource-actions were successfully authorized.

Parameters:

authenticationResult - Authentication result representing identity of requester

resourceActions - An Iterable of resource-actions to authorize

Returns:

ACCESS_OK or the Access object from the first failed check

authorizeAllResourceActions

public static Access authorizeAllResourceActions(javax.servlet.http.HttpServletRequest request,
                                                 Iterable<ResourceAction> resourceActions,
                                                 AuthorizerMapper authorizerMapper)

Check a list of resource-actions to be performed as a result of an HTTP request. If one of the resource-actions fails the authorization check, this method returns the failed Access object from the check. Otherwise, return ACCESS_OK if all resource-actions were successfully authorized. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

Parameters:

request - HTTP request to be authorized

resourceActions - An Iterable of resource-actions to authorize

Returns:

ACCESS_OK or the Access object from the first failed check

filterAuthorizedResources

public static <ResType> Iterable<ResType> filterAuthorizedResources(javax.servlet.http.HttpServletRequest request,
                                                                    Iterable<ResType> resources,
                                                                    com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator,
                                                                    AuthorizerMapper authorizerMapper)

Filter a collection of resources by applying the resourceActionGenerator to each resource, return an iterable containing the filtered resources. The resourceActionGenerator returns an Iterable for each resource. If every resource-action in the iterable is authorized, the resource will be added to the filtered resources. If there is an authorization failure for one of the resource-actions, the resource will not be added to the returned filtered resources.. If the resourceActionGenerator returns null for a resource, that resource will not be added to the filtered resources. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

Parameters:

request - HTTP request to be authorized

resources - resources to be processed into resource-actions

resourceActionGenerator - Function that creates an iterable of resource-actions from a resource

authorizerMapper - authorizer mapper

Returns:

Iterable containing resources that were authorized

filterAuthorizedResources

public static <ResType> Iterable<ResType> filterAuthorizedResources(AuthenticationResult authenticationResult,
                                                                    Iterable<ResType> resources,
                                                                    com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator,
                                                                    AuthorizerMapper authorizerMapper)

Filter a collection of resources by applying the resourceActionGenerator to each resource, return an iterable containing the filtered resources. The resourceActionGenerator returns an Iterable for each resource. If every resource-action in the iterable is authorized, the resource will be added to the filtered resources. If there is an authorization failure for one of the resource-actions, the resource will not be added to the returned filtered resources.. If the resourceActionGenerator returns null for a resource, that resource will not be added to the filtered resources.

Parameters:

authenticationResult - Authentication result representing identity of requester

resources - resources to be processed into resource-actions

resourceActionGenerator - Function that creates an iterable of resource-actions from a resource

authorizerMapper - authorizer mapper

Returns:

Iterable containing resources that were authorized

filterAuthorizedResources

public static <KeyType,ResType> Map<KeyType,List<ResType>> filterAuthorizedResources(javax.servlet.http.HttpServletRequest request,
                                                                                     Map<KeyType,List<ResType>> unfilteredResources,
                                                                                     com.google.common.base.Function<? super ResType,Iterable<ResourceAction>> resourceActionGenerator,
                                                                                     AuthorizerMapper authorizerMapper)

Given a map of resource lists, filter each resources list by applying the resource action generator to each item in each resource list. The resourceActionGenerator returns an Iterable for each resource. If a resource list is null or has no authorized items after filtering, it will not be included in the returned map. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.

Parameters:

request - HTTP request to be authorized

unfilteredResources - Map of resource lists to be filtered

resourceActionGenerator - Function that creates an iterable of resource-actions from a resource

authorizerMapper - authorizer mapper

Returns:

Map containing lists of resources that were authorized

makeSuperUserPermissions

public static List<ResourceAction> makeSuperUserPermissions()

This method constructs a 'superuser' set of permissions composed of Action.READ and Action.WRITE permissions for all known ResourceType.knownTypes() for any Authorizer implementation which is built on pattern matching with a regex. Note that if any Resource exist that use custom types not registered with ResourceType.registerResourceType(java.lang.String), those permissions will not be included in this list and will need to be added manually.