feat: druid-opa-authorizer extension for Open Policy Agent authorization#19670
feat: druid-opa-authorizer extension for Open Policy Agent authorization#19670JWuCines wants to merge 14 commits into
Conversation
|
We originally developed this authorizer at @stackabletech and are happy to "donate" it. Just commenting to make clear that this definitely has our blessing (not that it's needed due to the license anyway). |
FrankChen021
left a comment
There was a problem hiding this comment.
| Severity | Findings |
|---|---|
| P0 | 0 |
| P1 | 0 |
| P2 | 1 |
| P3 | 0 |
| Total | 1 |
| Severity | Findings |
|---|---|
| P0 | 0 |
| P1 | 0 |
| P2 | 1 |
| P3 | 0 |
| Total | 1 |
Reviewed 34 of 34 changed files.
Found one availability issue in the new OPA authorizer: OPA authorization calls are synchronous and currently unbounded, so a hung policy endpoint can tie up Druid request threads instead of failing closed promptly.
This is an automated review by Codex GPT-5.5
257f45f to
7ddeea6
Compare
FrankChen021
left a comment
There was a problem hiding this comment.
| Severity | Findings |
|---|---|
| P0 | 0 |
| P1 | 0 |
| P2 | 1 |
| P3 | 1 |
| Total | 2 |
| Severity | Findings |
|---|---|
| P0 | 0 |
| P1 | 0 |
| P2 | 1 |
| P3 | 1 |
| Total | 2 |
Follow-up handled: timeoutMs now bounds both connection setup and each OPA request, with a 5-second default, and timeout failures deny access through the existing exception path. No inline reply was needed.
Reviewed 34 of 34 changed files.
This is an automated review by Codex GPT-5.6-Sol
druid-opa-authorizer extension for Open Policy Agent authorization
Description
This PR integrates the druid-opa-authorizer extension into the Apache Druid repository. The extension delegates authorization decisions to an Open Policy Agent (OPA) server, allowing users to define fine-grained access control policies using Rego rules.
Added the OPA Authorizer extension
The core authorizer sends a JSON payload containing the
AuthenticationResult,Action, andResourceto a configurable OPA endpoint and interprets the booleanresultfrom the OPA response. Key design decisions:java.net.http.HttpClientfor OPA communication (no additional HTTP dependencies needed).ObjectMapperconfigured withFAIL_ON_UNKNOWN_PROPERTIES = falsefor forward compatibility with new OPA response fields (e.g.,decision_id).AuthenticationResultcontext to handle non-serializable LDAPSearchResultobjects, converting byte array attributes to Base64 strings.NamingEnumerationresources when iterating LDAP attributes.Added embedded Docker tests
Two embedded test configurations using Testcontainers:
Added documentation and examples
docs/development/extensions-contrib/druid-opa-authorizer.mdcovering configuration, Rego rule authoring, local setup with basic auth, and LDAP integration.example/directory.Release note
Added a new community extension
druid-opa-authorizerthat enables authorization through Open Policy Agent (OPA). Users can write Rego policies to control access to Druid resources based on user identity, action, and resource type. The extension supports both basic authentication and LDAP authentication workflows.Key changed/added classes in this PR
OpaAuthorizer— Core authorizer that communicates with the OPA serverOpaDruidModule— Druid module that registers theopaauthorizer typeOpaInput/OpaMessage/OpaResource/OpaResponse— JSON serialization types for OPA communicationOpaBasicAuthResource/OpaLdapAuthResource— Embedded test Docker resourcesOpaBasicAuthConfigurationDockerTest/OpaLdapAuthConfigurationDockerTest— Embedded integration testsThis PR has: