Package org.apache.druid.server.security

Interface Authenticator

    • Method Detail

      • getFilter

        javax.servlet.Filter getFilter()
        Create a Filter that performs authentication checks on incoming HTTP requests.

        If the authentication succeeds, the Filter should set the "Druid-Authentication-Result" attribute in the request, containing an AuthenticationResult that represents the authenticated identity of the requester, along with the name of the Authorizer instance that should authorize the request. An Authenticator may choose to add a Map context to the authentication result, containing additional information to be used by the Authorizer. The contents of this map are left for Authenticator/Authorizer implementors to decide.

        If the "Druid-Authentication-Result" attribute is already set (i.e., request has been authenticated by an earlier Filter), this Filter should skip any authentication checks and proceed to the next Filter.

        If a filter cannot recognize a request's format (e.g., the request does not have credentials compatible with a filter's authentication scheme), the filter should not send an error response, allowing other filters to handle the request. A challenge response will be sent if the filter chain is exhausted.

        If the authentication fails (i.e., a filter recognized the authentication scheme of a request, but the credentials failed to authenticate successfully) the Filter should send an error response, without needing to proceed to other filters in the chain..

        Specified by:
        getFilter in interface ServletFilterHolder
        Returns:
        Filter that authenticates HTTP requests

      • getAuthChallengeHeader

        @Nullable
String getAuthChallengeHeader()
        Return a WWW-Authenticate challenge scheme string appropriate for this Authenticator's authentication mechanism.

        For example, a Basic HTTP implementation should return "Basic", while a Kerberos implementation would return "Negotiate". If this method returns null, no authentication scheme will be added for that Authenticator implementation.

        Returns:
        Authentication scheme

      • authenticateJDBCContext

        @Nullable
AuthenticationResult authenticateJDBCContext​(Map<String,​Object> context)
        Given a JDBC connection context, authenticate the identity represented by the information in the context. This is used to secure JDBC access for Druid SQL.

        For example, a Basic HTTP auth implementation could read the "user" and "password" fields from the JDBC context.

        The expected contents of the context are left to the implementation.

        Parameters:
        context - JDBC connection context
        Returns:
        AuthenticationResult of the identity represented by the context is successfully authenticated, null if authentication failed

      • decorateProxyRequest

        default void decorateProxyRequest​(javax.servlet.http.HttpServletRequest clientRequest,
                                  javax.servlet.http.HttpServletResponse proxyResponse,
                                  org.eclipse.jetty.client.api.Request proxyRequest)
        This is used to add some Headers or Authentication token/results that can be used by down stream target host. Such token can be used to authenticate the user down stream, in cases where to original credentials are not forwardable as is and therefore the need to attach some authentication tokens by the proxy.
        Parameters:
        clientRequest - original client request processed by the upstream chain of authenticator
        proxyResponse - proxy Response
        proxyRequest - actual proxy request targeted to a given broker