Router: Authorize permissionless internal requests. #16419

Merged
merged 2 commits into from
Jun 5, 2024
Merged
Expand Up @@ -32,6 +32,8 @@
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.server.initialization.jetty.StandardResponseHeaderFilterHolder;
import org.apache.druid.server.security.AuthConfig;
import org.apache.druid.server.security.AuthorizationUtils;
import org.apache.druid.server.security.AuthorizerMapper;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.Request;
import org.eclipse.jetty.client.api.Response;
Expand All @@ -41,6 +43,7 @@
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.TimeUnit;

public class AsyncManagementForwardingServlet extends AsyncProxyServlet
Expand Down Expand Up @@ -71,21 +74,24 @@ public class AsyncManagementForwardingServlet extends AsyncProxyServlet
private final DruidHttpClientConfig httpClientConfig;
private final DruidLeaderSelector coordLeaderSelector;
private final DruidLeaderSelector overlordLeaderSelector;
private final AuthorizerMapper authorizerMapper;

@Inject
public AsyncManagementForwardingServlet(
@Json ObjectMapper jsonMapper,
@Global Provider<HttpClient> httpClientProvider,
@Global DruidHttpClientConfig httpClientConfig,
@Coordinator DruidLeaderSelector coordLeaderSelector,
@IndexingService DruidLeaderSelector overlordLeaderSelector
@IndexingService DruidLeaderSelector overlordLeaderSelector,
AuthorizerMapper authorizerMapper
)
{
this.jsonMapper = jsonMapper;
this.httpClientProvider = httpClientProvider;
this.httpClientConfig = httpClientConfig;
this.coordLeaderSelector = coordLeaderSelector;
this.overlordLeaderSelector = overlordLeaderSelector;
this.authorizerMapper = authorizerMapper;
}

@Override
Expand All @@ -110,9 +116,11 @@ protected void service(HttpServletRequest request, HttpServletResponse response)
request.getRequestURI().substring(ARBITRARY_OVERLORD_BASE_PATH.length())
);
} else if (ENABLED_PATH.equals(requestURI)) {
authorizeNoPermissionsNeeded(request);
handleEnabledRequest(response);
return;
} else {
authorizeNoPermissionsNeeded(request);
handleInvalidRequest(
response,
StringUtils.format("Unsupported proxy destination[%s]", request.getRequestURI()),
Expand All @@ -122,6 +130,7 @@ protected void service(HttpServletRequest request, HttpServletResponse response)
}

if (currentLeader == null) {
authorizeNoPermissionsNeeded(request);
handleInvalidRequest(
response,
StringUtils.format(
Expand Down Expand Up @@ -191,6 +200,14 @@ protected void onServerResponseHeaders(
super.onServerResponseHeaders(clientRequest, proxyResponse, serverResponse);
}

/**
* Authorizes router-internal requests that do not require any permissions. (But do require an authenticated user.)
*/
private void authorizeNoPermissionsNeeded(HttpServletRequest request)
{
AuthorizationUtils.authorizeAllResourceActions(request, Collections.emptyList(), authorizerMapper);
}

private void handleInvalidRequest(HttpServletResponse response, String errorMessage, int statusCode) throws IOException
{
if (!response.isCommitted()) {
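Review bot: authorizeNoPermissionsNeeded is called separately in each of the three branches that answer locally (the enabled check, the unsupported-destination error and the no-leader error) while the proxied branches skip it, and nothing in the structure of service enforces that a future locally-answered branch makes the same call. Moving the check into handleEnabledRequest and handleInvalidRequest (passing the request through) would put the invariant in one place instead of three. The Javadoc on the new helper also leaves its failure mode implicit; since it delegates to AuthorizationUtils.authorizeAllResourceActions it presumably throws when the authorizer rejects the caller and otherwise marks the request as authorization-checked, and I would say so: `* Runs an authorization check with no resource actions, so the request is marked as checked; expected to throw if the authorizer rejects the authenticated identity. Must be called on every path that answers locally instead of proxying.` service starts before this hunk and its body continues outside it.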
Expand Up @@ -39,6 +39,10 @@
import org.apache.druid.server.initialization.ServerConfig;
import org.apache.druid.server.initialization.jetty.JettyServerInitUtils;
import org.apache.druid.server.initialization.jetty.JettyServerInitializer;
import org.apache.druid.server.security.AllowAllAuthenticator;
import org.apache.druid.server.security.AllowAllAuthorizer;
import org.apache.druid.server.security.AuthenticationUtils;
import org.apache.druid.server.security.AuthorizerMapper;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Server;
Expand Down Expand Up @@ -321,7 +325,7 @@ public void testOverlordProxyLeader() throws Exception
}

@Test
public void testProxyEnebledCheck() throws Exception
public void testProxyEnabledCheck() throws Exception
{
HttpURLConnection connection = ((HttpURLConnection)
new URL(StringUtils.format("http://localhost:%d/proxy/enabled", port)).openConnection());
Expand Down Expand Up @@ -491,7 +495,8 @@ public String getCurrentLeader()
injector.getProvider(HttpClient.class),
injector.getInstance(DruidHttpClientConfig.class),
coordinatorLeaderSelector,
overlordLeaderSelector
overlordLeaderSelector,
new AuthorizerMapper(ImmutableMap.of("allowAll", new AllowAllAuthorizer()))
)
);

Expand All @@ -502,6 +507,7 @@ public String getCurrentLeader()
root.addServlet(holder, "/druid/indexer/*");
root.addServlet(holder, "/proxy/*");

AuthenticationUtils.addAuthenticationFilterChain(root, ImmutableList.of(new AllowAllAuthenticator()));
JettyServerInitUtils.addExtensionFilters(root, injector);

final HandlerList handlerList = new HandlerList();
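Review bot: With AllowAllAuthenticator and AllowAllAuthorizer wired in (the new filter-chain line and the AuthorizerMapper constructor argument), the test still cannot observe the behavior this change introduces, because no case sends an unauthenticated or unauthorized request to /proxy/enabled or to an unsupported destination and asserts that it is rejected. As written, testProxyEnabledCheck passes with or without the new authorizeNoPermissionsNeeded calls in the servlet, so a second setup using an authenticator that yields no identity, or an authorizer that denies, would pin the new requirement. The setup method containing the servlet wiring starts and ends outside the hunk.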