define superuser permissions set in druid-server instead of druid-basic-auth extension (#11376)
diff --git a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java
index 291383f..dc6db5b 100644
--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/db/updater/CoordinatorBasicAuthorizerMetadataStorageUpdater.java
@@ -21,7 +21,6 @@
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Preconditions;
-import com.google.common.collect.Lists;
import com.google.inject.Inject;
import org.apache.druid.common.config.ConfigManager;
import org.apache.druid.concurrent.LifecycleLock;
@@ -52,12 +51,10 @@
import org.apache.druid.security.basic.authorization.entity.BasicAuthorizerUserMapBundle;
import org.apache.druid.security.basic.authorization.entity.GroupMappingAndRoleMap;
import org.apache.druid.security.basic.authorization.entity.UserAndRoleMap;
-import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthorizationUtils;
import org.apache.druid.server.security.Authorizer;
import org.apache.druid.server.security.AuthorizerMapper;
-import org.apache.druid.server.security.Resource;
import org.apache.druid.server.security.ResourceAction;
-import org.apache.druid.server.security.ResourceType;
import org.joda.time.Duration;
import javax.annotation.Nonnull;
@@ -86,7 +83,7 @@
private static final String GROUP_MAPPINGS = "groupMappings";
private static final String ROLES = "roles";
- public static final List<ResourceAction> SUPERUSER_PERMISSIONS = makeSuperUserPermissions();
+ public static final List<ResourceAction> SUPERUSER_PERMISSIONS = AuthorizationUtils.makeSuperUserPermissions();
private final AuthorizerMapper authorizerMapper;
private final MetadataStorageConnector connector;
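Review bot: `SUPERUSER_PERMISSIONS` is a `public static final` reference to the list that `AuthorizationUtils.makeSuperUserPermissions()` builds with `Lists.newArrayList(...)`, so only the reference is final and the list stays mutable. Any code that can reach the constant could add or remove entries and change what the superuser role grants for the whole process. Consider wrapping it at the assignment, `public static final List<ResourceAction> SUPERUSER_PERMISSIONS = Collections.unmodifiableList(AuthorizationUtils.makeSuperUserPermissions());`, after confirming that no caller depends on mutating it. The class body and import block continue outside this hunk, so whether `java.util.Collections` is already imported is not visible here.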
@@ -1195,49 +1192,4 @@
createGroupMappingInternal(authorizerName, groupMapping);
}
}
-
- private static List<ResourceAction> makeSuperUserPermissions()
- {
- ResourceAction datasourceR = new ResourceAction(
- new Resource(".*", ResourceType.DATASOURCE),
- Action.READ
- );
-
- ResourceAction datasourceW = new ResourceAction(
- new Resource(".*", ResourceType.DATASOURCE),
- Action.WRITE
- );
-
- ResourceAction viewR = new ResourceAction(
- new Resource(".*", ResourceType.VIEW),
- Action.READ
- );
-
- ResourceAction viewW = new ResourceAction(
- new Resource(".*", ResourceType.VIEW),
- Action.WRITE
- );
-
- ResourceAction configR = new ResourceAction(
- new Resource(".*", ResourceType.CONFIG),
- Action.READ
- );
-
- ResourceAction configW = new ResourceAction(
- new Resource(".*", ResourceType.CONFIG),
- Action.WRITE
- );
-
- ResourceAction stateR = new ResourceAction(
- new Resource(".*", ResourceType.STATE),
- Action.READ
- );
-
- ResourceAction stateW = new ResourceAction(
- new Resource(".*", ResourceType.STATE),
- Action.WRITE
- );
-
- return Lists.newArrayList(datasourceR, datasourceW, viewR, viewW, configR, configW, stateR, stateW);
- }
}
diff --git a/server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java b/server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java
index a39c86a..6ba34f6 100644
--- a/server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java
+++ b/server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java
@@ -359,6 +359,51 @@
return filteredResources;
}
+ public static List<ResourceAction> makeSuperUserPermissions()
+ {
+ ResourceAction datasourceR = new ResourceAction(
+ new Resource(".*", ResourceType.DATASOURCE),
+ Action.READ
+ );
+
+ ResourceAction datasourceW = new ResourceAction(
+ new Resource(".*", ResourceType.DATASOURCE),
+ Action.WRITE
+ );
+
+ ResourceAction viewR = new ResourceAction(
+ new Resource(".*", ResourceType.VIEW),
+ Action.READ
+ );
+
+ ResourceAction viewW = new ResourceAction(
+ new Resource(".*", ResourceType.VIEW),
+ Action.WRITE
+ );
+
+ ResourceAction configR = new ResourceAction(
+ new Resource(".*", ResourceType.CONFIG),
+ Action.READ
+ );
+
+ ResourceAction configW = new ResourceAction(
+ new Resource(".*", ResourceType.CONFIG),
+ Action.WRITE
+ );
+
+ ResourceAction stateR = new ResourceAction(
+ new Resource(".*", ResourceType.STATE),
+ Action.READ
+ );
+
+ ResourceAction stateW = new ResourceAction(
+ new Resource(".*", ResourceType.STATE),
+ Action.WRITE
+ );
+
+ return Lists.newArrayList(datasourceR, datasourceW, viewR, viewW, configR, configW, stateR, stateW);
+ }
+
/**
* Function for the common pattern of generating a resource-action for reading from a datasource, using the
* datasource name.
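Review bot: `makeSuperUserPermissions()` is now public server API that defines the complete superuser grant, yet it has no Javadoc and still lists each `ResourceType` by hand. A type added later is left out of the superuser role until someone edits this method, and only the new unit test would reveal it. Add a Javadoc stating that the result is a new mutable list holding a `.*` name pattern for every resource type and action. Consider deriving the entries from the enums, as sketched below. That sketch assumes `ResourceType` and `Action` are enums whose every value belongs in the superuser role, which the test's use of `values()` suggests but this hunk does not show. Deriving the list means a new type is granted to superusers automatically, and the element order may differ from the current one, so both should be deliberate choices.

```java
public static List<ResourceAction> makeSuperUserPermissions()
{
  final List<ResourceAction> permissions = Lists.newArrayList();
  for (ResourceType type : ResourceType.values()) {
    for (Action action : Action.values()) {
      // ".*" is the name pattern that matches every resource of this type
      permissions.add(new ResourceAction(new Resource(".*", type), action));
    }
  }
  return permissions;
}
```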
diff --git a/server/src/test/java/org/apache/druid/server/security/AuthorizationUtilsTest.java b/server/src/test/java/org/apache/druid/server/security/AuthorizationUtilsTest.java
index 64d4fcc..8c6ec81 100644
--- a/server/src/test/java/org/apache/druid/server/security/AuthorizationUtilsTest.java
+++ b/server/src/test/java/org/apache/druid/server/security/AuthorizationUtilsTest.java
@@ -84,4 +84,20 @@
Assert.assertEquals("hello", itr.next());
Assert.assertFalse(itr.hasNext());
}
+
+ @Test
+ public void testMakeSuperuserPermissions()
+ {
+ final List<ResourceAction> permissions = AuthorizationUtils.makeSuperUserPermissions();
+ // every type and action should have a wildcard pattern
+ for (ResourceType type : ResourceType.values()) {
+ for (Action action : Action.values()) {
+ Assert.assertTrue(
+ permissions.stream()
+ .filter(ra -> type == ra.getResource().getType())
+ .anyMatch(ra -> action == ra.getAction() && ".*".equals(ra.getResource().getName()))
+ );
+ }
+ }
+ }
}
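Review bot: The `Assert.assertTrue(...)` inside the nested loops in `testMakeSuperuserPermissions` has no failure message, so a failing run does not say which type and action lacks its wildcard entry. Passing a message as the first argument, for example `"no wildcard permission for " + type + " / " + action`, would fix that. The test also checks coverage only: it would still pass if the list contained extra or narrower entries. For a list that defines the superuser role it is worth pinning the exact size as well, for example `Assert.assertEquals(ResourceType.values().length * Action.values().length, permissions.size());`.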