JWuCines opened a new pull request, #19670:
URL: https://github.com/apache/druid/pull/19670

   # druid-opa-authorizer extension for Open Policy Agent authorization
   
   ### Description
   
   This PR integrates the 
[druid-opa-authorizer](https://github.com/stackabletech/druid-opa-authorizer) 
extension into the Apache Druid repository. The extension delegates 
authorization decisions to an [Open Policy 
Agent](https://www.openpolicyagent.org/) (OPA) server, allowing users to define 
fine-grained access control policies using Rego rules.
   
   #### Added the OPA Authorizer extension
   
   The core authorizer sends a JSON payload containing the 
`AuthenticationResult`, `Action`, and `Resource` to a configurable OPA endpoint 
and interprets the boolean `result` from the OPA response. Key design decisions:
   
   - Uses `java.net.http.HttpClient` for OPA communication (no additional HTTP 
dependencies needed).
   - Creates a dedicated `ObjectMapper` configured with 
`FAIL_ON_UNKNOWN_PROPERTIES = false` for forward compatibility with new OPA 
response fields (e.g., `decision_id`).
   - Sanitizes `AuthenticationResult` context to handle non-serializable LDAP 
`SearchResult` objects, converting byte array attributes to Base64 strings.
   - Validates HTTP 200 status before parsing the OPA response, returning a 
descriptive deny message for non-200 responses.
   - Properly closes `NamingEnumeration` resources when iterating LDAP 
attributes.
   
   #### Added embedded Docker tests
   
   Two embedded test configurations using Testcontainers:
   - **Basic auth + OPA**: Spins up an OPA container with Rego rules and tests 
authorization with Druid's basic authenticator.
   - **LDAP + OPA**: Spins up both an OpenLDAP and OPA container, testing the 
full LDAP authentication → OPA authorization flow.
   
   #### Added documentation and examples
   
   - Full documentation at 
`docs/development/extensions-contrib/druid-opa-authorizer.md` covering 
configuration, Rego rule authoring, local setup with basic auth, and LDAP 
integration.
   - Example Rego rules, JSON data files, LDAP bootstrap LDIF, and setup 
scripts in the `example/` directory.
   
   #### Release note
   
   Added a new community extension `druid-opa-authorizer` that enables 
authorization through Open Policy Agent (OPA). Users can write Rego policies to 
control access to Druid resources based on user identity, action, and resource 
type. The extension supports both basic authentication and LDAP authentication 
workflows.
   
   <hr>
   
   ##### Key changed/added classes in this PR
    * `OpaAuthorizer` — Core authorizer that communicates with the OPA server
    * `OpaDruidModule` — Druid module that registers the `opa` authorizer type
    * `OpaInput` / `OpaMessage` / `OpaResource` / `OpaResponse` — JSON 
serialization types for OPA communication
    * `OpaBasicAuthResource` / `OpaLdapAuthResource` — Embedded test Docker 
resources
    * `OpaBasicAuthConfigurationDockerTest` / 
`OpaLdapAuthConfigurationDockerTest` — Embedded integration tests
   
   <hr>
   
   This PR has:
   
   - [x] been self-reviewed.
   - [x] added documentation for new or modified features or behaviors.
   - [x] a release note entry in the PR description.
   - [x] added comments explaining the "why" and the intent of the code 
wherever would not be obvious for an unfamiliar reader.
   - [x] added unit tests or modified existing tests to cover new code paths, 
ensuring the threshold for code coverage is met.
   - [x] added integration tests.
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to