JWuCines opened a new pull request, #19670: URL: https://github.com/apache/druid/pull/19670
# druid-opa-authorizer extension for Open Policy Agent authorization ### Description This PR integrates the [druid-opa-authorizer](https://github.com/stackabletech/druid-opa-authorizer) extension into the Apache Druid repository. The extension delegates authorization decisions to an [Open Policy Agent](https://www.openpolicyagent.org/) (OPA) server, allowing users to define fine-grained access control policies using Rego rules. #### Added the OPA Authorizer extension The core authorizer sends a JSON payload containing the `AuthenticationResult`, `Action`, and `Resource` to a configurable OPA endpoint and interprets the boolean `result` from the OPA response. Key design decisions: - Uses `java.net.http.HttpClient` for OPA communication (no additional HTTP dependencies needed). - Creates a dedicated `ObjectMapper` configured with `FAIL_ON_UNKNOWN_PROPERTIES = false` for forward compatibility with new OPA response fields (e.g., `decision_id`). - Sanitizes `AuthenticationResult` context to handle non-serializable LDAP `SearchResult` objects, converting byte array attributes to Base64 strings. - Validates HTTP 200 status before parsing the OPA response, returning a descriptive deny message for non-200 responses. - Properly closes `NamingEnumeration` resources when iterating LDAP attributes. #### Added embedded Docker tests Two embedded test configurations using Testcontainers: - **Basic auth + OPA**: Spins up an OPA container with Rego rules and tests authorization with Druid's basic authenticator. - **LDAP + OPA**: Spins up both an OpenLDAP and OPA container, testing the full LDAP authentication → OPA authorization flow. #### Added documentation and examples - Full documentation at `docs/development/extensions-contrib/druid-opa-authorizer.md` covering configuration, Rego rule authoring, local setup with basic auth, and LDAP integration. - Example Rego rules, JSON data files, LDAP bootstrap LDIF, and setup scripts in the `example/` directory. #### Release note Added a new community extension `druid-opa-authorizer` that enables authorization through Open Policy Agent (OPA). Users can write Rego policies to control access to Druid resources based on user identity, action, and resource type. The extension supports both basic authentication and LDAP authentication workflows. <hr> ##### Key changed/added classes in this PR * `OpaAuthorizer` — Core authorizer that communicates with the OPA server * `OpaDruidModule` — Druid module that registers the `opa` authorizer type * `OpaInput` / `OpaMessage` / `OpaResource` / `OpaResponse` — JSON serialization types for OPA communication * `OpaBasicAuthResource` / `OpaLdapAuthResource` — Embedded test Docker resources * `OpaBasicAuthConfigurationDockerTest` / `OpaLdapAuthConfigurationDockerTest` — Embedded integration tests <hr> This PR has: - [x] been self-reviewed. - [x] added documentation for new or modified features or behaviors. - [x] a release note entry in the PR description. - [x] added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader. - [x] added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met. - [x] added integration tests. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
