jacek-jablonski opened a new issue #6922: Authorizer is never executed after 
passing from Authenticator
URL: https://github.com/apache/incubator-druid/issues/6922
 
 
   Hi,
   I am developing OAuth security plugin for Druid. I've got some troubles 
getting Authorizer to work.
   Here is my current security config:
   ```
   #
   # Authentication
   #
   druid.auth.allowUnauthenticatedHttpOptions=True
   druid.auth.authenticatorChain=["oauth"]
   druid.auth.authenticator.oauth.type=oauth
   druid.auth.authenticator.oauth.oauthHost=***
   druid.auth.authenticator.oauth.oauthClient=druid
   druid.auth.authenticator.oauth.oauthSecret=***
   druid.auth.authenticator.oauth.introspectionPath=/auth/oauth/check_token
   druid.auth.authenticator.oauth.authorizerName=oauth
   
   #
   # Authorization
   #
   druid.auth.authorizers=["oauth"]
   druid.auth.authorizer.oauth.type=oauth
   ```
   Inside my Filter's class, I am sure that authorizerName gets passed to 
AuthenticationResult:
   ```
   @Override
   public void doFilter(ServletRequest servletRequest, ServletResponse 
servletResponse, FilterChain filterChain) throws IOException, ServletException
   ...
       log.debug("authorizer name: " + authorizerName); // here "authorizer 
name: oauth" is printed
       AuthenticationResult authenticationResult = new 
AuthenticationResult(username, authorizerName, name, null);
       servletRequest.setAttribute(AuthConfig.DRUID_AUTHENTICATION_RESULT, 
authenticationResult);
   
       if (filterChain != null) {
         filterChain.doFilter(servletRequest, servletResponse);
       }
   }
   ```
   and my simple Authorizer that should deny all:
   ```
   @JsonTypeName("oauth")
   public class OAuthAuthorizer implements Authorizer
   {
     private static final Logger log = new Logger(OAuthAuthorizer.class);
   
     @JsonCreator
     public OAuthAuthorizer(
         @JsonProperty("name") String name
     )
     {
       log.debug("OAuth Authorizer created"); // this gets printed on startup
     }
   
     @Override
     public Access authorize(AuthenticationResult authenticationResult, 
Resource resource, Action action)
     {
       Log.debug("authorize called"); // never gets called
       if (authenticationResult == null) {
         throw new IAE("WTF? authenticationResult should never be null.");
       }
   
       return new Access(false);
     }
   }
   ```
   From above Authorizer code, Request should never get passed, but it does 
(authorize method is never called).
   Even without any configuration regarding security (default 
AllowAllAuthenticator) in logs I can see:
   ```
   io.druid.java.util.common.ISE: Request did not have an authorization check 
performed.
   ```
   Do you have any clue what might cause this situation?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to