Access Control

Hassain K

Aug 18, 2021, 6:46:34 AM
to Druid User
Hi ALL,

If I have 10 DataSources,

my requirement is to give access to 9 DataSources and exclude 1 DataSource using a role.

Can anyone please guide me on how to proceed?

Thanks
Hassain K

Peter Marshall

Aug 18, 2021, 7:04:34 AM
to Druid User
I would definitely familiarise yourself with this set of docs:

Hassain K

Aug 18, 2021, 7:21:43 AM
to Druid User
Hi Peter,

Thanks a lot for the information.

Can you please guide me on the below?

{ "resource": { "name": "<PATTERN>", "type": "DATASOURCE" },

What would be the possible values for PATTERN?

I think .* ----> this will include all the tables.

How do I include all the DataSources and exclude one from the available DataSources?

Peter Marshall

Aug 18, 2021, 10:30:41 AM
to Druid User
Oooooh!

Well, I am not sure... but I think that PATTERN is a regular expression:

> You can also provide the name in the form of regular expression. For example, to give access to all data sources starting with wiki, specify the name as { "name": "wiki.*", ......

So maybe it is more, how do you craft a regular expression that would _exclude_ the datasource... and I am afraid that I am NO GOOD at regex... hahahaha!!

If you find a solution, please do post it because it would make a great addition to that page as an example... (And of course feel free to submit your own PR :))

- Peter

Vaibhav Vaibhav

Aug 19, 2021, 2:18:22 PM
to druid...@googlegroups.com
Hi Hassain K,

You can define a regex pattern to select the datasources like an OR operator - `\b(?:$datasource1|$datasource2|......|$datasourceN)\b`. 

For example, let's say I have three datasources and I want a Druid user to have only READ access to the first two datasources (i.e. all except wikipedia):
1) mydatasource
2) testdata_source
3) wikipedia 

I will define role permission as below and will assign it to a druid user -

[
 {
  "resource": {
   "name": "\b(?:mydatasource|testdata_source)\b",
   "type": "DATASOURCE"
  },
  "action": "READ"
 }
]


An admin user who has full access can see all the datasources:

(screenshot: image.png)

A Druid user assigned the above role permissions (access only to mydatasource and testdata_source):

(screenshot: image.png)

You can define the regular expression in various other ways for many other use cases; you can use an online Java regex validator to define and validate the regex, e.g.:

(screenshot: image.png)


I hope this helps.

Regards,
Vaibhav
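
An offline way to check a candidate pattern before attaching it to a role, as an added example that is not part of the original thread or of Druid's code. It also goes one step beyond the reply above by showing a negative-lookahead pattern for the "all except one" case asked about in this thread. Assumptions: the authorizer requires the regex to match the whole datasource name (so Python's `re.fullmatch` stands in for Java's `Matcher.matches()`), and `granted`, `permission` and `exclude` are hypothetical helper names.

```python
import json
import re

def granted(pattern, datasources):
    """Return the datasource names a permission pattern would cover.

    Assumption: the whole name must match, so re.fullmatch stands in
    for Java's Matcher.matches().
    """
    rx = re.compile(pattern)
    return [name for name in datasources if rx.fullmatch(name)]

def exclude(names):
    """Pattern that matches every name except the exact names listed."""
    blocked = "|".join(re.escape(n) for n in names)
    return rf"(?!(?:{blocked})$).*"

def permission(pattern, action="READ"):
    """Build one permission entry in the shape used in this thread."""
    return {"resource": {"name": pattern, "type": "DATASOURCE"}, "action": action}

# Datasource names from the post above, plus one constructed near-miss.
DATASOURCES = ["mydatasource", "testdata_source", "wikipedia", "wikipedia_backup"]

ALLOW_LIST = r"\b(?:mydatasource|testdata_source)\b"   # pattern from the post
EXCLUDE_ONE = exclude(["wikipedia"])                   # (?!(?:wikipedia)$).*

if __name__ == "__main__":
    for pat in (ALLOW_LIST, EXCLUDE_ONE, exclude(["wikipedia", "mydatasource"])):
        print(pat, "->", granted(pat, DATASOURCES))
    # json.dumps doubles each backslash, which JSON requires for a regex \b.
    print(json.dumps([permission(ALLOW_LIST)], indent=1))
```

An exclusion pattern also grants every datasource created later (here `wikipedia_backup`), whereas the allow-list grants only the names it spells out.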




Message has been deleted

Vaibhav Vaibhav

Sep 28, 2021, 3:20:50 PM
to druid...@googlegroups.com
Hi Satish,

For the datasource query part - Possibly,  the reg-ex used to access the datasource does not match with the available data sources in the cluster, otherwise you may have seen 403 ERROR on those parts as well.

While closely looking at your permission.json content, i.e -

[
{
  "resource": {
    "name": ""\b(?:datsource1|datasource2|datasource3\b",
    "type": "DATASOURCE"
  },
  "action": "READ|WRITE"
}
]

I notice that:
(1) The closing bracket is missing in the regex expression and there is a pair of "" at the beginning, i.e. ""\b(?:datsource1|datasource2|datasource3\b" rather than "\b(?:datsource1|datasource2|datasource3)\b". If it's not a copy/paste mistake, then that could be the reason that you are not able to query/see them.
(2) The 1st datasource name is misspelled [i.e. datsource1 (missing 'a') rather than datasource1. You may have your data source named like that, but I am just pointing it out in case it's not.]


I think correcting the reg-ex could fix this issue. Once you fix it, you should go to the SQL tab and see which datasources are available to query.



Additionally, the Admin user has full access to the cluster/READ/WRITE/etc, and below are the permission for the admin user - You can use it as a reference to define the permissions as required by leveraging the regex as per your requirement -

{
  "name": "admin",
  "permissions": [
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "DATASOURCE"
        },
        "action": "READ"
      },
      "resourceNamePattern": ".*"
    },
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "DATASOURCE"
        },
        "action": "WRITE"
      },
      "resourceNamePattern": ".*"
    },
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "CONFIG"
        },
        "action": "READ"
      },
      "resourceNamePattern": ".*"
    },
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "CONFIG"
        },
        "action": "WRITE"
      },
      "resourceNamePattern": ".*"
    },
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "STATE"
        },
        "action": "READ"
      },
      "resourceNamePattern": ".*"
    },
    {
      "resourceAction": {
        "resource": {
          "name": ".*",
          "type": "STATE"
        },
        "action": "WRITE"
      },
      "resourceNamePattern": ".*"
    }
  ]
}


You can refer to the below doc link which can further provide you more clarity on different components used in the permission JSON and available APIs-

https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html#coordinator-security-api


I hope this helps.

Best Regards,
Vaibhav

On Mon, Sep 27, 2021 at 9:44 AM Satish N <skn...@gmail.com> wrote:
Hi Vaibhav,

I am trying to implement local authentication on my druid cluster running postgres metadata,
My requirement is 
First  role list of user who can do all loading operations(load/update/append/delete) the data sources
Second Role list of users who can do select operation all Data sources. 
1) Created Authenticator user  and assigned the passwords
curl -u admin:druidadmin -H'Content-Type: application/json' -XPOST --data-binary @pass.json http://TestSrv:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/users/Testusr/credentials
2) Created Authorization user and Authorizer role

3) Assigned the roles to the users
4) Attach permissions to the roles 
curl -u admin -H'Content-Type: application/json' -XPOST --data-binary @permissions.json http://TestSrv:8081/druid-ext/basic-security/authentication/db/MyBasicPostgreSQLAuthenticator/roles/TestRole/permissions
permissions.json
[
{
  "resource": {
    "name": ""\b(?:datsource1|datasource2|datasource3\b",
    "type": "DATASOURCE"
  },
  "action": "READ|WRITE"
}
]
Now when I log in to the Druid console using the user TestUsr, it logs in but shows zero data sources and will not allow me to query or load anything.

Can you please let me know what I am missing?
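
A pre-flight check for a permissions file like the one discussed in the reply above, as an added example that is not part of the original thread or of Druid's code. It parses the JSON, compiles each resource name as a regex and checks the action value, so the doubled quote and the unclosed group are reported before the file is posted to the API. Assumptions: `lint_permissions` is a hypothetical helper, Python's `re` stands in for Java's regex engine, and the accepted actions are the two that appear in the admin role shown above.

```python
import json
import re

# The two action values that appear in the admin role dump in this thread.
KNOWN_ACTIONS = {"READ", "WRITE"}

def lint_permissions(text):
    """Return a list of problems found in a permissions JSON document."""
    try:
        entries = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON at line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    problems = []
    for i, entry in enumerate(entries):
        name = entry.get("resource", {}).get("name", "")
        action = entry.get("action")
        # JSON decodes "\b" to a backspace (U+0008); a regex \b needs "\\b".
        if any(ord(ch) < 0x20 for ch in name):
            problems.append(f"entry {i}: control character in name (escape backslashes)")
        try:
            re.compile(name)  # Python's re as a stand-in for Java's regex engine
        except re.error as exc:
            problems.append(f"entry {i}: regex does not compile: {exc}")
        if action not in KNOWN_ACTIONS:
            problems.append(f"entry {i}: action {action!r} not in {sorted(KNOWN_ACTIONS)}")
    return problems

# Constructed samples: the file as quoted in the thread, the same file with only
# the doubled quote removed, and a corrected version with one entry per action.
AS_POSTED = r'''[{"resource": {"name": ""\b(?:datsource1|datasource2|datasource3\b",
  "type": "DATASOURCE"}, "action": "READ|WRITE"}]'''
QUOTES_FIXED = AS_POSTED.replace('""', '"')
CORRECTED = r'''[
 {"resource": {"name": "\\b(?:datsource1|datasource2|datasource3)\\b",
   "type": "DATASOURCE"}, "action": "READ"},
 {"resource": {"name": "\\b(?:datsource1|datasource2|datasource3)\\b",
   "type": "DATASOURCE"}, "action": "WRITE"}
]'''

if __name__ == "__main__":
    for label, doc in (("as posted", AS_POSTED), ("quotes fixed", QUOTES_FIXED),
                       ("corrected", CORRECTED)):
        print(label, "->", lint_permissions(doc) or "no problems found")
```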

Laxmikant Pandhare

Jul 12, 2023, 10:43:02 PM
to Druid User
Does anyone know about an exclude operation when assigning roles? Let's say I have to exclude one or two files out of a hundred; then exclude will be more useful rather than adding all in an OR condition.