Class AuthorizationUtils


  • public class AuthorizationUtils
    extends Object
    Static utility functions for performing authorization checks.
    • Field Detail

      • DATASOURCE_READ_RA_GENERATOR

        public static final com.google.common.base.Function<String,​ResourceAction> DATASOURCE_READ_RA_GENERATOR
        Function for the common pattern of generating a resource-action for reading from a datasource, using the datasource name.
      • DATASOURCE_WRITE_RA_GENERATOR

        public static final com.google.common.base.Function<String,​ResourceAction> DATASOURCE_WRITE_RA_GENERATOR
        Function for the common pattern of generating a resource-action for writing to a datasource, using the datasource name.
      • VIEW_READ_RA_GENERATOR

        public static final com.google.common.base.Function<String,​ResourceAction> VIEW_READ_RA_GENERATOR
        Function for the common pattern of generating a resource-action for reading from a view, using the view name.
      • RESOURCE_READ_RA_GENERATOR

        public static final com.google.common.base.Function<Resource,​ResourceAction> RESOURCE_READ_RA_GENERATOR
        Function for the pattern of generating a ResourceAction for reading from a given Resource.
    • Constructor Detail

      • AuthorizationUtils

        public AuthorizationUtils()
    • Method Detail

      • authorizeResourceAction

        public static Access authorizeResourceAction​(javax.servlet.http.HttpServletRequest request,
                                                     ResourceAction resourceAction,
                                                     AuthorizerMapper authorizerMapper)
        Check a resource-action using the authorization fields from the request. If the resource-action is authorized, return ACCESS_OK; otherwise, return the failed Access object from the Authorizer that checked the request. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.
        Parameters:
        request - HTTP request to be authorized
        resourceAction - A resource identifier and the action to be taken on the resource.
        authorizerMapper - The singleton AuthorizerMapper instance
        Returns:
        ACCESS_OK or the failed Access object returned by the Authorizer that checked the request.
      • authenticationResultFromRequest

        public static AuthenticationResult authenticationResultFromRequest​(javax.servlet.http.HttpServletRequest request)
        Returns the authentication information for a request.
        Parameters:
        request - http request
        Returns:
        authentication result
        Throws:
        IllegalStateException - if the request was not authenticated
      • getAuthenticatedIdentity

        public static String getAuthenticatedIdentity​(javax.servlet.http.HttpServletRequest request)
        Extracts the identity from the authentication result if set as an attribute of this request.
      • buildAuditInfo

        public static org.apache.druid.audit.AuditInfo buildAuditInfo​(javax.servlet.http.HttpServletRequest request)
        Builds an AuditInfo for the given request by extracting the following from it:
      • buildRequestInfo

        public static org.apache.druid.audit.RequestInfo buildRequestInfo​(String service,
                                                                          javax.servlet.http.HttpServletRequest request)
        Builds a RequestInfo object that can be used for auditing purposes.
      • authorizeAllResourceActions

        public static Access authorizeAllResourceActions​(AuthenticationResult authenticationResult,
                                                         Iterable<ResourceAction> resourceActions,
                                                         AuthorizerMapper authorizerMapper)
        Check a list of resource-actions to be performed by the identity represented by authenticationResult. If one of the resource-actions fails the authorization check, this method returns the failed Access object from the check. Otherwise, return ACCESS_OK if all resource-actions were successfully authorized.
        Parameters:
        authenticationResult - Authentication result representing identity of requester
        resourceActions - An Iterable of resource-actions to authorize
        Returns:
        ACCESS_OK or the Access object from the first failed check
      • authorizeAllResourceActions

        public static Access authorizeAllResourceActions​(javax.servlet.http.HttpServletRequest request,
                                                         Iterable<ResourceAction> resourceActions,
                                                         AuthorizerMapper authorizerMapper)
        Check a list of resource-actions to be performed as a result of an HTTP request. If one of the resource-actions fails the authorization check, this method returns the failed Access object from the check. Otherwise, return ACCESS_OK if all resource-actions were successfully authorized. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.
        Parameters:
        request - HTTP request to be authorized
        resourceActions - An Iterable of resource-actions to authorize
        Returns:
        ACCESS_OK or the Access object from the first failed check
      • filterAuthorizedResources

        public static <ResType> Iterable<ResType> filterAuthorizedResources​(javax.servlet.http.HttpServletRequest request,
                                                                            Iterable<ResType> resources,
                                                                            com.google.common.base.Function<? super ResType,​Iterable<ResourceAction>> resourceActionGenerator,
                                                                            AuthorizerMapper authorizerMapper)
        Filter a collection of resources by applying the resourceActionGenerator to each resource, and return an iterable containing the filtered resources. The resourceActionGenerator returns an Iterable of resource-actions for each resource. If every resource-action in the iterable is authorized, the resource will be added to the filtered resources. If there is an authorization failure for one of the resource-actions, the resource will not be added to the returned filtered resources. If the resourceActionGenerator returns null for a resource, that resource will not be added to the filtered resources. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.
        Parameters:
        request - HTTP request to be authorized
        resources - resources to be processed into resource-actions
        resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
        authorizerMapper - authorizer mapper
        Returns:
        Iterable containing resources that were authorized
      • filterAuthorizedResources

        public static <ResType> Iterable<ResType> filterAuthorizedResources​(AuthenticationResult authenticationResult,
                                                                            Iterable<ResType> resources,
                                                                            com.google.common.base.Function<? super ResType,​Iterable<ResourceAction>> resourceActionGenerator,
                                                                            AuthorizerMapper authorizerMapper)
        Filter a collection of resources by applying the resourceActionGenerator to each resource, and return an iterable containing the filtered resources. The resourceActionGenerator returns an Iterable of resource-actions for each resource. If every resource-action in the iterable is authorized, the resource will be added to the filtered resources. If there is an authorization failure for one of the resource-actions, the resource will not be added to the returned filtered resources. If the resourceActionGenerator returns null for a resource, that resource will not be added to the filtered resources.
        Parameters:
        authenticationResult - Authentication result representing identity of requester
        resources - resources to be processed into resource-actions
        resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
        authorizerMapper - authorizer mapper
        Returns:
        Iterable containing resources that were authorized
      • filterAuthorizedResources

        public static <KeyType,​ResType> Map<KeyType,​List<ResType>> filterAuthorizedResources​(javax.servlet.http.HttpServletRequest request,
                                                                                                         Map<KeyType,​List<ResType>> unfilteredResources,
                                                                                                         com.google.common.base.Function<? super ResType,​Iterable<ResourceAction>> resourceActionGenerator,
                                                                                                         AuthorizerMapper authorizerMapper)
        Given a map of resource lists, filter each resource list by applying the resource action generator to each item in each resource list. The resourceActionGenerator returns an Iterable of resource-actions for each resource. If a resource list is null or has no authorized items after filtering, it will not be included in the returned map. This function will set the DRUID_AUTHORIZATION_CHECKED attribute in the request. If this attribute is already set when this function is called, an exception is thrown.
        Parameters:
        request - HTTP request to be authorized
        unfilteredResources - Map of resource lists to be filtered
        resourceActionGenerator - Function that creates an iterable of resource-actions from a resource
        authorizerMapper - authorizer mapper
        Returns:
        Map containing lists of resources that were authorized
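
The filtering and once-per-request behaviour documented above, as an added stand-alone model (Java 16+); it is not Druid's code. The `Request` and `ResourceAction` stand-ins, the `POLICY` predicate, the sample datasource names and the `IllegalStateException` type are assumptions made for illustration.

```java
import java.util.*;
import java.util.function.*;

// Model of the semantics documented on this page; all types here are hypothetical stand-ins.
public class AuthzSemanticsDemo {
  record ResourceAction(String resource, String action) {}
  static final class Request { final Map<String, Object> attrs = new HashMap<>(); }
  static final String CHECKED = "DRUID_AUTHORIZATION_CHECKED"; // attribute named on this page

  // Constructed policy: the caller may READ "wiki" and "metrics" and may WRITE nothing.
  static final Predicate<ResourceAction> POLICY =
      ra -> ra.action().equals("READ") && Set.of("wiki", "metrics").contains(ra.resource());

  static boolean allAllowed(Iterable<ResourceAction> actions) {
    for (ResourceAction ra : actions) {
      if (!POLICY.test(ra)) return false; // first failure decides
    }
    return true;
  }

  // Request-based check: marks the request as checked and refuses a second check.
  static boolean authorizeAll(Request req, Iterable<ResourceAction> actions) {
    if (req.attrs.containsKey(CHECKED)) {
      throw new IllegalStateException("authorization already checked for this request");
    }
    boolean ok = allAllowed(actions);
    req.attrs.put(CHECKED, ok);
    return ok;
  }

  // Fail-closed filter: a null generator result or any denied action drops the resource.
  static <T> List<T> filter(Iterable<T> resources, Function<T, Iterable<ResourceAction>> gen) {
    List<T> kept = new ArrayList<>();
    for (T r : resources) {
      Iterable<ResourceAction> actions = gen.apply(r);
      if (actions != null && allAllowed(actions)) kept.add(r);
    }
    return kept;
  }

  public static void main(String[] args) {
    Function<String, Iterable<ResourceAction>> readOnly = // null for a name it cannot map
        n -> n.equals("unmapped") ? null : List.of(new ResourceAction(n, "READ"));
    System.out.println(filter(List.of("wiki", "billing", "metrics", "unmapped"), readOnly));
    // READ passes but WRITE is denied, so "wiki" is dropped from the result.
    System.out.println(filter(List.of("wiki"),
        n -> List.of(new ResourceAction(n, "READ"), new ResourceAction(n, "WRITE"))));
    Request req = new Request();
    System.out.println(authorizeAll(req, List.of(new ResourceAction("wiki", "READ"))));
    authorizeAll(req, List.of(new ResourceAction("metrics", "READ"))); // throws: second check
  }
}
```

When one request needs several checks, the documented options are to pass all resource-actions to a single request-based call or to use the overloads that take an AuthenticationResult, which do not touch the request attribute.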