Re: [druid-user] Local Authentication
62 views
Skip to first unread message
Message has been deleted
Ben Krug
Sep 28, 2021, 12:17:59 PM9/28/21
to druid...@googlegroups.com
Hello -
Not sure what you're missing, or about the regex you've given, or how myBasicPostgreSQLAuthorizer is set up... Have you tried using some of the GET statements to see what is granted? There's a lot that could help troubleshoot here.
Eg
GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})
On Tue, Sep 28, 2021 at 6:09 AM Satish N <skn...@gmail.com> wrote:
Hi Vaibhav,I am trying to implement local authentication on my druid cluster running postgres metadata,My requirement isFirst role list of user who can do all loading operations(load/update/append/delete) the data sourcesSecond Role list of users who can do select operation all Data sources.1) Created Authenticator user and assigned the passwordscurl -u admin -XPOST http://TestSrv:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/users/Testusrcurl -u admin:druidadmin -H'Content-Type: application/json' -XPOST --data-binary @pass.json http://TestSrv:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/users/Testusr/credentials2) Created Authorization user and Authorizer rolecurl -u admin -XPOST http://Testsrv:8081/druid-ext/basic-security/authorization/db/MyBasicPostgreSQLAuthorizer/users/Testusrcurl -u admin -XPOST http://Testsrv:8081/druid-ext/basic-security/authorization/db/MyBasicPostgreSQLAuthorizer/roles/TestRole3) Assigned the roles to the users~$ curl -u admin -XPOST http://Testsrv:8081/druid-ext/basic-security/authorization/db/MyBasicPostgreSQLAuthorizer/users/Testusr/roles/TestRole4) Attach permissions to the rolescurl -u admin -H'Content-Type: application/json' -XPOST --data-binary @permissions.json http://TestSrv:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/roles/TestRole/permissionspermissions.json[{"resource": {"name": ""\b(?:datsource1|datasource2|datasource3\b","type": "DATASOURCE"},"action": "READ|WRITE"}]Now when i login to the druid console using the user TestUsr it logs in but shows zero data sources and will not allow me to query or load anything.Can you please let me know what we are missing--
You received this message because you are subscribed to the Google Groups "Druid User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to druid-user+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/d79daf1c-12ec-4d3e-ac96-29c82815e2bdn%40googlegroups.com.
Tijo Thomas
Sep 28, 2021, 12:27:30 PM9/28/21
to druid...@googlegroups.com
Hi ,
In addition to what Ben has mentioned, could you please include below permission to along with DATASOURCE permission?
{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" },
{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}]
To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/CAP%2BetTsUqf%3DE-3eMko2OiDj47wDbmVO477CcL5XhFu91QoW-dA%40mail.gmail.com.
Tijo Thomas
Solutions Architect | => Imply , Bangalore , India 
Vaibhav Vaibhav
Sep 28, 2021, 2:49:40 PM9/28/21
to druid...@googlegroups.com
Hi Satish,
As per your screenshots - It seems that the cluster doesn't have any datasource as it shows datasource/segments as 0 OR the reg-ex used to access the datasource does not match with the available data sources in the cluster, otherwise you may have seen 403 ERROR on those part as well.
While closely looking at your permission.json content, i.e -
As per your screenshots - It seems that the cluster doesn't have any datasource as it shows datasource/segments as 0 OR the reg-ex used to access the datasource does not match with the available data sources in the cluster, otherwise you may have seen 403 ERROR on those part as well.
While closely looking at your permission.json content, i.e -
[
{
"resource": {
"name": ""\b(?:datsource1|datasource2|datasource3\b",
"type": "DATASOURCE"
},
"action": "READ|WRITE"
}
]
I notice that :
I notice that :
(1) The closing bracket is missing in the regex expression and there is pair of "" in the beginning - i.e ""\b(?:datsource1|datasource2|datasource3\b" - rather than "\b(?:datsource1|datasource2|datasource3)\b", If its not a copy/paste mistake then that could be the reason that you are not able to query/see them.
(2) The 1st datasource name is misspelled [ i.e datsource1 (missing 'a'), rather datasource1 - You may have your data source named like that but I am just pointing in case its not ]
I think, correcting the reg-ex could fix this issue. Once you fix it you should go to SQL TAB and see what all datasource are queryable.
Additionally, the Admin user has full access to the cluster/READ/WRITE/etc, and below are the permission for the admin user - You can use it as a reference to define the permissions as required by leveraging the regex as per your requirement -
{
"name": "admin",
"permissions": [
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "DATASOURCE"
},
"action": "READ"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "DATASOURCE"
},
"action": "WRITE"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"name": "admin",
"permissions": [
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "DATASOURCE"
},
"action": "READ"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "DATASOURCE"
},
"action": "WRITE"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "CONFIG"
},
"action": "READ"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "CONFIG"
},
"action": "WRITE"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "STATE"
},
"action": "READ"
},
"resourceNamePattern": ".*"
},
{
"resourceAction": {
},
{
"resourceAction": {
"resource": {
"name": ".*",
"type": "STATE"
},
"action": "WRITE"
},
"resourceNamePattern": ".*"
}
]
}
as Ben/Tijo mentioned, you can refer to the below doc link which can further provide you more clarity on different components used in the permission JSON and available APIs-
https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html#coordinator-security-api
I hope this helps.
Best Regards,
Vaibhav
},
"resourceNamePattern": ".*"
}
]
}
as Ben/Tijo mentioned, you can refer to the below doc link which can further provide you more clarity on different components used in the permission JSON and available APIs-
https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html#coordinator-security-api
I hope this helps.
Best Regards,
Vaibhav
To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/CADQcQ%3D9pYZwquHVgEr%3Dp%3D87_t3jUVSv_bFPkUkNLLBwu7Wb2Xw%40mail.gmail.com.
Satish N
Sep 29, 2021, 11:52:45 PM9/29/21
to Druid User
Hi Vibhav
Our cluster have 21 datasources and I can see all of them when I login druidadmin user. In permissions.jsaon I was just using the dummy names but in actual file I have real datasource names
I created the permissions.json with the admin user permissions and assigned this to admin role
curl -u admin:<password> -H'Content-Type: application/json' -XPOST --data-binary @permissions.json http://<coordinator>:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/roles/adminrole/permissions
After I login as user sneela4 I still see the same
I can see the users and roles from unix
Satish N
Oct 1, 2021, 3:49:16 PM10/1/21
to Druid User
Can we get some suggestions on this issue pl
Satish N
Nov 1, 2021, 8:46:02 AM11/1/21
to Druid User
Thank you Vaibhav for assisting with the issue. The problem was
The permissions are assigned to MyBasicPostgreSQLAuthenticator instead of (authoriser) i.e MyBasicPostgreSQLAuthorizer
Reply all
Reply to author
Forward
0 new messages