From 627310daefa3233d8567fd010c5e7b546360b286 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Rzepi=C5=84ski?= Date: Thu, 26 Mar 2026 19:50:42 +0100 Subject: [PATCH 01/14] Copy original druid-opa-authorizer files --- .../.github/pull_request_template.md | 17 + .../.github/workflows/maven.yml | 43 ++ .../.github/workflows/release.yml | 63 +++ .../.github/workflows/reviewdog.yml | 62 +++ .../druid-opa-authorizer/.gitignore | 9 + .../druid-opa-authorizer/.markdownlint.yaml | 20 + .../druid-opa-authorizer/.mvn/jvm.config | 10 + .../druid-opa-authorizer/.yamllint.yaml | 12 + .../druid-opa-authorizer/CHANGELOG.md | 85 ++++ .../druid-opa-authorizer/LICENSE | 43 ++ .../druid-opa-authorizer/README.md | 85 ++++ .../druid-opa-authorizer/checkstyle.xml | 74 ++++ .../druid-opa-authorizer/example/README.md | 51 +++ .../druid-opa-authorizer/example/druid.json | 76 ++++ .../druid-opa-authorizer/example/druid.rego | 39 ++ .../example/setup/alice_pass.json | 3 + .../example/setup/bob_pass.json | 3 + .../example/setup/christy_pass.json | 3 + .../example/setup/dylan_pass.json | 3 + .../example/setup/eve_pass.json | 3 + .../example/setup/setup.sh | 18 + .../druid-opa-authorizer/pom.xml | 409 ++++++++++++++++++ .../druid-opa-authorizer/renovate.json | 6 + .../druid/opaauthorizer/OpaAuthorizer.java | 81 ++++ .../druid/opaauthorizer/OpaDruidModule.java | 19 + .../opaauthorizer/opatypes/OpaInput.java | 19 + .../opaauthorizer/opatypes/OpaMessage.java | 15 + .../opaauthorizer/opatypes/OpaResource.java | 11 + .../opaauthorizer/opatypes/OpaResponse.java | 5 + ...rg.apache.druid.initialization.DruidModule | 1 + 30 files changed, 1288 insertions(+) create mode 100644 extensions-contrib/druid-opa-authorizer/.github/pull_request_template.md create mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/maven.yml create mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/release.yml create mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/reviewdog.yml create mode 100644 extensions-contrib/druid-opa-authorizer/.gitignore create mode 100644 extensions-contrib/druid-opa-authorizer/.markdownlint.yaml create mode 100644 extensions-contrib/druid-opa-authorizer/.mvn/jvm.config create mode 100644 extensions-contrib/druid-opa-authorizer/.yamllint.yaml create mode 100644 extensions-contrib/druid-opa-authorizer/CHANGELOG.md create mode 100644 extensions-contrib/druid-opa-authorizer/LICENSE create mode 100644 extensions-contrib/druid-opa-authorizer/README.md create mode 100644 extensions-contrib/druid-opa-authorizer/checkstyle.xml create mode 100644 extensions-contrib/druid-opa-authorizer/example/README.md create mode 100644 extensions-contrib/druid-opa-authorizer/example/druid.json create mode 100644 extensions-contrib/druid-opa-authorizer/example/druid.rego create mode 100644 extensions-contrib/druid-opa-authorizer/example/setup/alice_pass.json create mode 100644 extensions-contrib/druid-opa-authorizer/example/setup/bob_pass.json create mode 100644 extensions-contrib/druid-opa-authorizer/example/setup/christy_pass.json create mode 100644 extensions-contrib/druid-opa-authorizer/example/setup/dylan_pass.json create mode 100644 extensions-contrib/druid-opa-authorizer/example/setup/eve_pass.json create mode 100755 extensions-contrib/druid-opa-authorizer/example/setup/setup.sh create mode 100644 extensions-contrib/druid-opa-authorizer/pom.xml create mode 100644 extensions-contrib/druid-opa-authorizer/renovate.json create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaAuthorizer.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaDruidModule.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaInput.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaMessage.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResource.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResponse.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/resources/META-INF/services/org.apache.druid.initialization.DruidModule diff --git a/extensions-contrib/druid-opa-authorizer/.github/pull_request_template.md b/extensions-contrib/druid-opa-authorizer/.github/pull_request_template.md new file mode 100644 index 000000000000..50b69a2c08e2 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.github/pull_request_template.md @@ -0,0 +1,17 @@ +# Description + +*Please add a description here. This will become the commit message of the merge request later.* + +## Definition of Done Checklist + +- Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant +- Please make sure all these things are done and tick the boxes + +# Reviewer +- [ ] Code contains useful comments +- [ ] (Integration-)Test cases added +- [ ] Documentation added or updated +- [ ] Changelog updated + +# Acceptance +- [ ] Proper release label has been added diff --git a/extensions-contrib/druid-opa-authorizer/.github/workflows/maven.yml b/extensions-contrib/druid-opa-authorizer/.github/workflows/maven.yml new file mode 100644 index 000000000000..db6f77b51dcf --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.github/workflows/maven.yml @@ -0,0 +1,43 @@ +# This workflow will build a Java project with Maven, and cache/restore any dependencies to improve the workflow execution time +# For more information see: https://help.github.com/actions/language-and-framework-guides/building-and-testing-java-with-maven +--- +name: Java CI with Maven + +on: + push: + branches: + - main + - "renovate/**" + tags: + - "**" + pull_request: + merge_group: + +jobs: + build: + runs-on: ubuntu-latest + + strategy: + matrix: + profile: + - {druid: druid-30.0.1, java: '17'} + - {druid: druid-34.0.0, java: '17'} + - {druid: druid-35.0.1, java: '21'} + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Set up JDK + uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1 + with: + java-version: ${{ matrix.profile.java }} + distribution: 'temurin' + cache: maven + + - name: Build with Maven + run: mvn -B verify -P${{ matrix.profile.druid }} + + - name: Update dependency graph + if: github.event_name == 'push' && github.ref == 'refs/heads/main' + uses: advanced-security/maven-dependency-submission-action@aeab9f885293af501bae8bdfe88c589528ea5e25 # v4.1.2 + with: + maven-args: '-P${{matrix.profile.druid}}' diff --git a/extensions-contrib/druid-opa-authorizer/.github/workflows/release.yml b/extensions-contrib/druid-opa-authorizer/.github/workflows/release.yml new file mode 100644 index 000000000000..cd12810879e2 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.github/workflows/release.yml @@ -0,0 +1,63 @@ +--- +name: Build and Release + +on: + workflow_dispatch: + inputs: + druid-version: + description: 'Select the Druid version to build the authorizer for.' + required: true + type: choice + options: + - druid-30.0.1 + - druid-34.0.0 + - druid-35.0.1 + stackable-version: + description: 'The stackable "patch" version to use for this release (e.g., "0").' + required: true + next-stackable-version: + description: 'The next stackable version to use, this updates the POM (without the "-SNAPSHOT"). If stackable-version is 0 then set this to 1 etc.' + required: true + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Set Java Version + id: set_java_version + run: | + if [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.0" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-30.0.1" ] || [ "${{ github.event.inputs.druid-version }}" == "druid-31.0.1" ]; then + echo "JAVA_VERSION=17" >> "$GITHUB_ENV" + else + echo "JAVA_VERSION=unknown" >> "$GITHUB_ENV" + fi + + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + + - name: Release + uses: qcastel/github-actions-maven-release@0fd7a9e2ba3a4af8728a88cf57b11592fd8bdd0f # v1.12.43 + env: + # This action uses a Dockerfile with Java preinstalled + # See here for the list of supported JDKs: https://github.com/qcastel/docker-maven-release/blob/master/Dockerfile + JAVA_HOME: /usr/lib/jvm/java-${{ env.JAVA_VERSION }}-openjdk/ + with: + git-release-bot-name: "stacky-mcstackface" + git-release-bot-email: "info@stackable.tech" + maven-args: "clean install -P ${{ github.event.inputs.druid-version }}" + ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }} + maven-release-version-number: ${{ github.event.inputs.druid-version }}-stackable${{ github.event.inputs.stackable-version }} + maven-development-version-number: ${{ github.event.inputs.druid-version }}-stackable${{ github.event.inputs.next-stackable-version }}-SNAPSHOT + release-branch-name: "main" + + - name: Release to GitHub + uses: softprops/action-gh-release@da05d552573ad5aba039eaac05058a918a7bf631 # v2.2.2 + with: + files: | + target/checkout/target/*.jar + target/checkout/target/bom.* + token: ${{ secrets.GITHUB_TOKEN }} + tag_name: release/${{ github.event.inputs.druid-version }}-stackable${{ github.event.inputs.stackable-version }} + # Due to our current setup it doesn't make sense to generate release notes automatically because the "previous" version might be for something entirely different (e.g. another Druid version) + generate_release_notes: false + name: ${{ github.event.inputs.druid-version }}-stackable${{ github.event.inputs.stackable-version }} diff --git a/extensions-contrib/druid-opa-authorizer/.github/workflows/reviewdog.yml b/extensions-contrib/druid-opa-authorizer/.github/workflows/reviewdog.yml new file mode 100644 index 000000000000..c79f34e066b4 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.github/workflows/reviewdog.yml @@ -0,0 +1,62 @@ +--- +name: reviewdog +on: + pull_request + +permissions: + contents: read + checks: write + pull-requests: write + issues: write + +jobs: + actionlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: reviewdog/action-actionlint@a5524e1c19e62881d79c1f1b9b6f09f16356e281 # v1.65.2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + detect-secrets: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: reviewdog/action-detect-secrets@bc63f9282b0cee5af6187043f8e79e80e7f6ffe3 # v0.28.3 + with: + github_token: ${{ secrets.github_token }} + + flake8: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.9" + - uses: reviewdog/action-flake8@b65981e158319f08cb7d0132f28bc0081e110adc # v3.15.2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + markdownlint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: reviewdog/action-markdownlint@3667398db9118d7e78f7a63d10e26ce454ba5f58 # v0.26.2 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + shellcheck: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: reviewdog/action-shellcheck@5ebd09ddbe2ebb471646ce234c6c8dd18663ca7c # v1.30.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + + yamllint: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: reviewdog/action-yamllint@f01d8a48fd8d89f89895499fca2cff09f9e9e8c0 # v1.21.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} diff --git a/extensions-contrib/druid-opa-authorizer/.gitignore b/extensions-contrib/druid-opa-authorizer/.gitignore new file mode 100644 index 000000000000..eeb89d26b563 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.gitignore @@ -0,0 +1,9 @@ +# Ignore Gradle project-specific cache directory +.gradle + +# Ignore Gradle build output directory +build + +.idea + +target \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/.markdownlint.yaml b/extensions-contrib/druid-opa-authorizer/.markdownlint.yaml new file mode 100644 index 000000000000..dbfa4558ba6c --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.markdownlint.yaml @@ -0,0 +1,20 @@ +--- +# All defaults or options can be checked here: +# https://github.com/DavidAnson/markdownlint/blob/main/schema/.markdownlint.yaml + +# Default state for all rules +default: true + +# MD013/line-length - Line length +MD013: + # Number of characters + line_length: 9999 + # Number of characters for headings + heading_line_length: 9999 + # Number of characters for code blocks + code_block_line_length: 9999 + +# MD024/no-duplicate-heading/no-duplicate-header - Multiple headings with the same content +MD024: + # Only check sibling headings + siblings_only: true diff --git a/extensions-contrib/druid-opa-authorizer/.mvn/jvm.config b/extensions-contrib/druid-opa-authorizer/.mvn/jvm.config new file mode 100644 index 000000000000..32599cefea51 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.mvn/jvm.config @@ -0,0 +1,10 @@ +--add-exports jdk.compiler/com.sun.tools.javac.api=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.file=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.main=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.model=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.parser=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.processing=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.tree=ALL-UNNAMED +--add-exports jdk.compiler/com.sun.tools.javac.util=ALL-UNNAMED +--add-opens jdk.compiler/com.sun.tools.javac.code=ALL-UNNAMED +--add-opens jdk.compiler/com.sun.tools.javac.comp=ALL-UNNAMED diff --git a/extensions-contrib/druid-opa-authorizer/.yamllint.yaml b/extensions-contrib/druid-opa-authorizer/.yamllint.yaml new file mode 100644 index 000000000000..23a5a686c0d5 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/.yamllint.yaml @@ -0,0 +1,12 @@ +--- +extends: default + +ignore: | + deploy/helm/**/templates + +rules: + line-length: disable + truthy: + check-keys: false + comments: + min-spaces-from-content: 1 # Needed due to https://github.com/adrienverge/yamllint/issues/443 diff --git a/extensions-contrib/druid-opa-authorizer/CHANGELOG.md b/extensions-contrib/druid-opa-authorizer/CHANGELOG.md new file mode 100644 index 000000000000..1c2e7f1aa721 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/CHANGELOG.md @@ -0,0 +1,85 @@ +# Changelog + +## [Unreleased] + +### Added + +- Add support for Druid 35.0.1 ([#138]). +- Add support for Druid 34.0.0 (deprecated) ([#134], [#138]). + +### Removed + +- Remove support for Druid 33.0.0 ([#138]). +- Remove support for Druid 31.0.1 ([#134]). + +[#134]: https://github.com/stackabletech/druid-opa-authorizer/pull/134 +[#138]: https://github.com/stackabletech/druid-opa-authorizer/pull/138 + +## [0.7.0] - 2025-05-31 + +### Added + +- Add support for Druid 30.0.1, 31.0.1, and 33.0.0 ([#110], [#112]). + +### Changed + +- Update dependencies ([#106]). +- Updated Maven plugin versions ([#110]). + +### Removed + +- Remove support for Druid 26.0.0, 27.0.0, 28.0.1, 30.0.0 ([#104], [#105], [#110], [#112]). + +[#104]: https://github.com/stackabletech/druid-opa-authorizer/pull/104 +[#105]: https://github.com/stackabletech/druid-opa-authorizer/pull/105 +[#106]: https://github.com/stackabletech/druid-opa-authorizer/pull/106 +[#110]: https://github.com/stackabletech/druid-opa-authorizer/pull/110 +[#112]: https://github.com/stackabletech/druid-opa-authorizer/pull/112 + +## [0.6.0] - 2024-03-19 + +### Changed + +- BREAKING: Add authenticationResult to OPA input ([#85]). + +[#85]: https://github.com/stackabletech/druid-opa-authorizer/pull/85 + +## [0.5.0] - 2023-05-30 + +### Added + +- Added support for Druid `26.0.0` ([#75]). + +### Changed + +- Changed build system to Maven ([#61]). +- Changed module prefix from `de` to `tech` ([#61]). + +### Fixed + +- Ignore additional JSON fields the OPA server is sending. This can e.g. be the cause when OPA decision logs are enabled ([#74]). + +[#61]: https://github.com/stackabletech/druid-opa-authorizer/pull/61 +[#74]: https://github.com/stackabletech/druid-opa-authorizer/pull/74 +[#75]: https://github.com/stackabletech/druid-opa-authorizer/pull/75 + +## [0.3.0] - 2022-10-13 + +### Changed + +- Changed Druid dependencies to 24.0.0 ([#57]). + +[#57]: https://github.com/stackabletech/druid-opa-authorizer/pull/57 + +## [0.2.0] - 2022-03-22 + +### Changed + +- Changed from Java 8 to Java 11 support ([#43]). +- Changed HTTP client to Java native ([#43]). + +[#43]: https://github.com/stackabletech/druid-opa-authorizer/pull/43 + +## [0.1.0] - 2022-03-22 + +Initial Version diff --git a/extensions-contrib/druid-opa-authorizer/LICENSE b/extensions-contrib/druid-opa-authorizer/LICENSE new file mode 100644 index 000000000000..1b9535c9e7dd --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/LICENSE @@ -0,0 +1,43 @@ +Licensed under the Open Software License version 3.0 + +1) Grant of Copyright License. Licensor grants You a worldwide, royalty-free, non-exclusive, sublicensable license, for the duration of the copyright, to do the following: + +a) to reproduce the Original Work in copies, either alone or as part of a collective work; + +b) to translate, adapt, alter, transform, modify, or arrange the Original Work, thereby creating derivative works ("Derivative Works") based upon the Original Work; + +c) to distribute or communicate copies of the Original Work and Derivative Works to the public, with the proviso that copies of Original Work or Derivative Works that You distribute or communicate shall be licensed under this Open Software License; + +d) to perform the Original Work publicly; and + +e) to display the Original Work publicly. + +2) Grant of Patent License. Licensor grants You a worldwide, royalty-free, non-exclusive, sublicensable license, under patent claims owned or controlled by the Licensor that are embodied in the Original Work as furnished by the Licensor, for the duration of the patents, to make, use, sell, offer for sale, have made, and import the Original Work and Derivative Works. + +3) Grant of Source Code License. The term "Source Code" means the preferred form of the Original Work for making modifications to it and all available documentation describing how to modify the Original Work. Licensor agrees to provide a machine-readable copy of the Source Code of the Original Work along with each copy of the Original Work that Licensor distributes. Licensor reserves the right to satisfy this obligation by placing a machine-readable copy of the Source Code in an information repository reasonably calculated to permit inexpensive and convenient access by You for as long as Licensor continues to distribute the Original Work. + +4) Exclusions From License Grant. Neither the names of Licensor, nor the names of any contributors to the Original Work, nor any of their trademarks or service marks, may be used to endorse or promote products derived from this Original Work without express prior permission of the Licensor. Except as expressly stated herein, nothing in this License grants any license to Licensor's trademarks, copyrights, patents, trade secrets or any other intellectual property. No patent license is granted to make, use, sell, offer for sale, have made, or import embodiments of any patent claims other than the licensed claims defined in Section 2. No license is granted to the trademarks of Licensor even if such marks are included in the Original Work. Nothing in this License shall be interpreted to prohibit Licensor from licensing under terms different from this License any Original Work that Licensor otherwise would have a right to license. + +5) External Deployment. The term "External Deployment" means the use, distribution, or communication of the Original Work or Derivative Works in any way such that the Original Work or Derivative Works may be used by anyone other than You, whether those works are distributed or communicated to those persons or made available as an application intended for use over a network. As an express condition for the grants of license hereunder, You must treat any External Deployment by You of the Original Work or a Derivative Work as a distribution under section 1(c). + +6) Attribution Rights. You must retain, in the Source Code of any Derivative Works that You create, all copyright, patent, or trademark notices from the Source Code of the Original Work, as well as any notices of licensing and any descriptive text identified therein as an "Attribution Notice." You must cause the Source Code for any Derivative Works that You create to carry a prominent Attribution Notice reasonably calculated to inform recipients that You have modified the Original Work. + +7) Warranty of Provenance and Disclaimer of Warranty. Licensor warrants that the copyright in and to the Original Work and the patent rights granted herein by Licensor are owned by the Licensor or are sublicensed to You under the terms of this License with the permission of the contributor(s) of those copyrights and patent rights. Except as expressly stated in the immediately preceding sentence, the Original Work is provided under this License on an "AS IS" BASIS and WITHOUT WARRANTY, either express or implied, including, without limitation, the warranties of non-infringement, merchantability or fitness for a particular purpose. THE ENTIRE RISK AS TO THE QUALITY OF THE ORIGINAL WORK IS WITH YOU. This DISCLAIMER OF WARRANTY constitutes an essential part of this License. No license to the Original Work is granted by this License except under this disclaimer. + +8) Limitation of Liability. Under no circumstances and under no legal theory, whether in tort (including negligence), contract, or otherwise, shall the Licensor be liable to anyone for any indirect, special, incidental, or consequential damages of any character arising as a result of this License or the use of the Original Work including, without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses. This limitation of liability shall not apply to the extent applicable law prohibits such limitation. + +9) Acceptance and Termination. If, at any time, You expressly assented to this License, that assent indicates your clear and irrevocable acceptance of this License and all of its terms and conditions. If You distribute or communicate copies of the Original Work or a Derivative Work, You must make a reasonable effort under the circumstances to obtain the express assent of recipients to the terms of this License. This License conditions your rights to undertake the activities listed in Section 1, including your right to create Derivative Works based upon the Original Work, and doing so without honoring these terms and conditions is prohibited by copyright law and international treaty. Nothing in this License is intended to affect copyright exceptions and limitations (including "fair use" or "fair dealing"). This License shall terminate immediately and You may no longer exercise any of the rights granted to You by this License upon your failure to honor the conditions in Section 1(c). + +10) Termination for Patent Action. This License shall terminate automatically and You may no longer exercise any of the rights granted to You by this License as of the date You commence an action, including a cross-claim or counterclaim, against Licensor or any licensee alleging that the Original Work infringes a patent. This termination provision shall not apply for an action alleging patent infringement by combinations of the Original Work with other software or hardware. + +11) Jurisdiction, Venue and Governing Law. Any action or suit relating to this License may be brought only in the courts of a jurisdiction wherein the Licensor resides or in which Licensor conducts its primary business, and under the laws of that jurisdiction excluding its conflict-of-law provisions. The application of the United Nations Convention on Contracts for the International Sale of Goods is expressly excluded. Any use of the Original Work outside the scope of this License or after its termination shall be subject to the requirements and penalties of copyright or patent law in the appropriate jurisdiction. This section shall survive the termination of this License. + +12) Attorneys' Fees. In any action to enforce the terms of this License or seeking damages relating thereto, the prevailing party shall be entitled to recover its costs and expenses, including, without limitation, reasonable attorneys' fees and costs incurred in connection with such action, including any appeal of such action. This section shall survive the termination of this License. + +13) Miscellaneous. If any provision of this License is held to be unenforceable, such provision shall be reformed only to the extent necessary to make it enforceable. + +14) Definition of "You" in This License. "You" throughout this License, whether in upper or lower case, means an individual or a legal entity exercising rights under, and complying with all of the terms of, this License. For legal entities, "You" includes any entity that controls, is controlled by, or is under common control with you. For purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. + +15) Right to Use. You may use the Original Work in all ways not otherwise restricted or conditioned by this License or by law, and Licensor promises not to interfere with or be responsible for such uses by You. + +16) Modification of This License. This License is Copyright © 2005 Lawrence Rosen. Permission is granted to copy, distribute, or communicate this License without modification. Nothing in this License permits You to modify this License as applied to the Original Work or to Derivative Works. However, You may modify the text of this License and copy, distribute or communicate your modified version (the "Modified License") and apply it to other original works of authorship subject to the following conditions: (i) You may not indicate in any way that your Modified License is the "Open Software License" or "OSL" and you may not use those names in the name of your Modified License; (ii) You must replace the notice specified in the first paragraph above with the notice "Licensed under " or with a notice of your own that is not confusingly similar to the notice in this License; and (iii) You may not claim that your original works are open source software unless your Modified License has been approved by Open Source Initiative (OSI) and You comply with its license review and certification process. diff --git a/extensions-contrib/druid-opa-authorizer/README.md b/extensions-contrib/druid-opa-authorizer/README.md new file mode 100644 index 000000000000..c03eeb2e0fbd --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/README.md @@ -0,0 +1,85 @@ +# Apache Druid Open Policy Agent (OPA) Authorizer + +An Apache Druid extension to request policy decisions from [Open Policy Agent](https://www.openpolicyagent.org/) (OPA). + +## Supported Druid versions + +This project was tested against these Druid versions: + +- 30.0.1 (LTS) +- 34.0.0 (Deprecated) +- 35.0.1 + +## Building + +This repository uses Maven and requires at least Java 11 to build: + + mvn -P druid-35.0.1 clean package + +Please check that the Druid version you are building for is supported and adapt the profile accordingly. +The result of this is a JAR file in the `target` directory. + +## Installing + +Copy the JAR file into the `extensions` directory of your Druid installation. + +## Configuration Settings + +The OPA authorizer is created like so: + + druid.auth.authorizer.myOpaAuth.type=opa + druid.auth.authorizer.myOpaAuth.opaUri=http://:/v1/data/my/druid/allow + +Then the `myOpaAuth` authorizer needs to be referenced in your authenticator. + +## How to Write Your RegoRules + +The authorizer will send a request to the `uri` specified in the config. The input will be: + + { + authenticationResult: { + identity: + authorizerName: + authenticatedBy: + context: Map + } + action: + resource: { + name: + type: + } + } + +For the details - especially the kind of resources - consult the Druid documentation on the [Authentication and Authorization Model](https://druid.apache.org/docs/latest/operations/security-user-auth.html#authentication-and-authorization-model). + +Inside your RegoRules, this snippet of data will be available as `input`. For the details on how to write RegoRule, have a look at the [OPA documentation](https://www.openpolicyagent.org/docs/latest/). + +### Example + +For a simple example, have a look inside the `example` directory. + +## Troubleshooting + +If you get 500 type errors it might be that the internal `druid_system` user doesn't have full permissions. + +You can increase log output for the authorizer by adding this snippet to your `log4j.xml`: + + + + + +## Development + +### How to add support for a new version + +1. Add a new profile and get the dependency version from the upstream Druid POM +2. Add the new profile to the `requireActiveProfile` enforcer rule +3. Update `.github/workflows/maven.yml` to include the new profile in CI +4. Update `README.md` to name the newly supported version +5. _After_ the PR has been merged update the GitHub settings to require the new Druid version to pass + +### Release + +Currently, we do not have an automatted way of releasing this tool. +We have a `release.yml` GitHub Action workflow but it fails as the artifact is built within a Docker action and the later steps don't have access to the final artifact. +It is a failed attempt. diff --git a/extensions-contrib/druid-opa-authorizer/checkstyle.xml b/extensions-contrib/druid-opa-authorizer/checkstyle.xml new file mode 100644 index 000000000000..9d8f4b56daa9 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/checkstyle.xml @@ -0,0 +1,74 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + diff --git a/extensions-contrib/druid-opa-authorizer/example/README.md b/extensions-contrib/druid-opa-authorizer/example/README.md new file mode 100644 index 000000000000..5e57cc608240 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/README.md @@ -0,0 +1,51 @@ +# Setting up OPA locally to test + +This document will guide you through downloading OPA, configuring it with a sample config and configuring your Druid instance to connect to it. + +## Run a local OPA server with example files + +1. Download the [OPA binary](https://www.openpolicyagent.org/docs/latest/#running-opa) into this directory and follow the instructions (setting execute permissions). +2. Start the server with the provided example files: `./opa run -s druid.rego druid.json`. + +By default the server will then run on port `8181`. + +The example files define 6 users and 4 roles, with rules that work based on the roles. There is a fifth special `admin` role that grants full access to everything. + +## Install the Extension + +TODO + +## Configure Druid & Setup Users + +In Druid in your common `runtime.properties` add the following: + + # Druid basic security + druid.auth.authenticatorChain=["basicAuthenticator"] + druid.auth.authenticator.basicAuthenticator.type=basic + + # Default password for 'admin' user, should be changed for production. + druid.auth.authenticator.basicAuthenticator.initialAdminPassword=password1 + + # Default password for internal 'druid_system' user, should be changed for production. + druid.auth.authenticator.basicAuthenticator.initialInternalClientPassword=password2 + + # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions + druid.auth.authenticator.basicAuthenticator.credentialsValidator.type=metadata + + # If true and the request credential doesn't exists in this credentials store, the request will proceed to next Authenticator in the chain. + druid.auth.authenticator.basicAuthenticator.skipOnFailure=false + druid.auth.authenticator.basicAuthenticator.authorizerName=opaAuthorizer + + # Escalator + druid.escalator.type=basic + druid.escalator.internalClientUsername=druid_system + druid.escalator.internalClientPassword=password2 + druid.escalator.authorizerName=opaAuthorizer + + druid.auth.authorizers=["opaAuthorizer"] + druid.auth.authorizer.opaAuthorizer.type=opa + druid.auth.authorizer.opaAuthorizer.opaUri=http://localhost:8181/v1/data/app/druid/allow + +Then run the `setup.sh` script in the `setup` directory to create the example users. 5 users will be created: alice, bob, christy, dylan and eve. The password for each user is the same as their username. + +When connecting to the dashboard you will now be prompted to log in. If you log in with Alice - the admin - you will be able to access everything. If you login with Eve (she wasn't granted access to the dashboard) you should see 403 errors in the info boxes. diff --git a/extensions-contrib/druid-opa-authorizer/example/druid.json b/extensions-contrib/druid-opa-authorizer/example/druid.json new file mode 100644 index 000000000000..78f1fb43d148 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/druid.json @@ -0,0 +1,76 @@ +{ + "user_roles": { + "alice": [ + "admin" + ], + "druid_system": [ + "admin" + ], + "bob": [ + "data_science" + ], + "christy": [ + "data_science", + "data_manager" + ], + "dylan": [ + "data_science", + "cluster_admin" + ], + "eve": [ + "external" + ] + }, + "role_grants": { + "data_science": [ + { + "action": "READ", + "resource": { + "type": "DATASOURCE", + "name": ".*" + } + }, + { + "action": "READ", + "resource": { + "type": "STATE", + "name": "STATE" + } + } + ], + "data_manager": [ + { + "action": "WRITE", + "resource": { + "type": "DATASOURCE", + "name": ".*" + } + } + ], + "cluster_admin": [ + { + "action": "READ", + "resource": { + "type": "CONFIG", + "name": "CONFIG" + } + }, + { + "action": "WRITE", + "resource": { + "type": "CONFIG", + "name": "CONFIG" + } + } + ], + "external": [ + { + "action": "READ", + "resource": { + "type": "DATASOURCE", + "name": "ReportTable" + } + } + ] + } +} diff --git a/extensions-contrib/druid-opa-authorizer/example/druid.rego b/extensions-contrib/druid-opa-authorizer/example/druid.rego new file mode 100644 index 000000000000..b3b52daa9e20 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/druid.rego @@ -0,0 +1,39 @@ +package app.druid + +import future.keywords.in + +# By default, deny requests. +default allow = false + +# Allow admins to do anything. +allow { + user_is_admin +} + +# Allow the action if the user is granted permission to perform the action. +allow { + # Find grants for the user. + some grant + user_is_granted[grant] + + # Check if the grant permits the action. + input.action == grant.action + input.resource == grant.resource.name + input.type == grant.resource.type +} + +# user_is_admin is true if... +user_is_admin { + # "admin" is among the user's roles as per data.user_roles + "admin" in data.user_roles[input.authenticationResult.identity] +} + +# user_is_granted is a set of grants for the user identified in the request. +# The `grant` will be contained if the set `user_is_granted` for every... +user_is_granted[grant] { + # `role` assigned an element of the user_roles for this user... + some role in data.user_roles[input.authenticationResult.identity] + + # `grant` assigned a single grant from the grants list for 'role'... + some grant in data.role_grants[role] +} diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/alice_pass.json b/extensions-contrib/druid-opa-authorizer/example/setup/alice_pass.json new file mode 100644 index 000000000000..5333cfbfde74 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/alice_pass.json @@ -0,0 +1,3 @@ +{ + "password": "alice" +} \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/bob_pass.json b/extensions-contrib/druid-opa-authorizer/example/setup/bob_pass.json new file mode 100644 index 000000000000..d9f3122ac2f5 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/bob_pass.json @@ -0,0 +1,3 @@ +{ + "password": "bob" +} \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/christy_pass.json b/extensions-contrib/druid-opa-authorizer/example/setup/christy_pass.json new file mode 100644 index 000000000000..4b1489bf3a9f --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/christy_pass.json @@ -0,0 +1,3 @@ +{ + "password": "christy" +} \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/dylan_pass.json b/extensions-contrib/druid-opa-authorizer/example/setup/dylan_pass.json new file mode 100644 index 000000000000..97cc676cdea4 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/dylan_pass.json @@ -0,0 +1,3 @@ +{ + "password": "dylan" +} \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/eve_pass.json b/extensions-contrib/druid-opa-authorizer/example/setup/eve_pass.json new file mode 100644 index 000000000000..93bce8bcb769 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/eve_pass.json @@ -0,0 +1,3 @@ +{ + "password": "eve" +} \ No newline at end of file diff --git a/extensions-contrib/druid-opa-authorizer/example/setup/setup.sh b/extensions-contrib/druid-opa-authorizer/example/setup/setup.sh new file mode 100755 index 000000000000..a567ca6c2fdb --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/example/setup/setup.sh @@ -0,0 +1,18 @@ +#! /bin/bash + +coordinator_ip=localhost +coordinator_port=8081 +protocol=http +authenticator_name=MyBasicMetadataAuthenticator + +create_user() { + local user=$1 + curl -u admin:password1 -XPOST ${protocol}://$coordinator_ip:${coordinator_port}/druid-ext/basic-security/authentication/db/${authenticator_name}/users/${user} + curl -u admin:password1 -H'Content-Type: application/json' -XPOST --data-binary @${user}_pass.json ${protocol}://$coordinator_ip:${coordinator_port}/druid-ext/basic-security/authentication/db/${authenticator_name}/users/${user}/credentials +} + +create_user alice +create_user bob +create_user christy +create_user dylan +create_user eve diff --git a/extensions-contrib/druid-opa-authorizer/pom.xml b/extensions-contrib/druid-opa-authorizer/pom.xml new file mode 100644 index 000000000000..5399198a76e7 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/pom.xml @@ -0,0 +1,409 @@ + + + 4.0.0 + + tech.stackable + druid-opa-authorizer + 0.8.0-SNAPSHOT + + Apache Druid OpenPolicyAgent Authorizer + https://github.com/stackabletech/druid-opa-authorizer/ + + Stackable GmbH + https://stackable.tech + + + + OSL-3.0 + + + + scm:git:${project.scm.url} + scm:git:${project.scm.url} + HEAD + git@github.com:stackabletech/druid-opa-authorizer.git + + + GitHub + https://github.com/stackabletech/druid-opa-authorizer/issues + + + + ${java.version} + ${java.version} + ${java.version} + UTF-8 + + 2.17 + 2.27.1 + 1.19.2 + + 2.9.1 + 1.14.0 + 3.6.0 + 3.4.1 + 3.14.0 + 3.8.1 + 3.1.4 + 3.5.0 + 3.1.4 + 3.4.2 + 3.1.1 + 3.3.1 + 3.21.0 + 3.5.3 + 4.9.3.0 + 4.9.3 + 2.44.4 + 2.18.0 + + + + + com.google.guava + guava + ${guava.version} + provided + + + com.google.inject + guice + ${guice.version} + provided + + + com.fasterxml.jackson.core + jackson-annotations + ${jackson.version} + provided + + + com.fasterxml.jackson.core + jackson-core + ${jackson.version} + provided + + + com.fasterxml.jackson.core + jackson-databind + ${jackson.version} + provided + + + org.apache.druid + druid-server + ${druid.version} + provided + + + org.apache.druid + druid-processing + ${druid.version} + provided + + + + + + + org.apache.maven.plugins + maven-checkstyle-plugin + ${maven-checkstyle-plugin.version} + + checkstyle.xml + + + + + check + + validate + + + + + org.apache.maven.plugins + maven-clean-plugin + ${maven-clean-plugin.version} + + + org.apache.maven.plugins + maven-compiler-plugin + ${maven-compiler-plugin.version} + + + -XDcompilePolicy=simple + -Xplugin:ErrorProne + + + + com.google.errorprone + error_prone_core + ${error-prone.version} + + + + + + org.apache.maven.plugins + maven-dependency-plugin + ${maven-dependency-plugin.version} + + + org.apache.maven.plugins + maven-deploy-plugin + ${maven-deploy-plugin.version} + + + org.apache.maven.plugins + maven-enforcer-plugin + ${maven-enforcer-plugin.version} + + + + + + druid-30.0.1,druid-34.0.0,druid-35.0.1 + false + + + ${java.version} + + + 3.6.3 + + + + + + + + enforce + + + + + + org.apache.maven.plugins + maven-install-plugin + ${maven-install-plugin.version} + + + org.apache.maven.plugins + maven-jar-plugin + ${maven-jar-plugin.version} + + + org.apache.maven.plugins + maven-release-plugin + ${maven-release-plugin.version} + + + -Dmaven.deploy.skip=true + [ci skip] + release/@{project.version} + + + + org.apache.maven.plugins + maven-resources-plugin + ${maven-resources-plugin.version} + + + org.apache.maven.plugins + maven-site-plugin + ${maven-site-plugin.version} + + + org.apache.maven.plugins + maven-surefire-plugin + ${maven-surefire-plugin.version} + + + org.codehaus.mojo + versions-maven-plugin + ${versions-maven-plugin.version} + + + org.cyclonedx + cyclonedx-maven-plugin + ${cyclonedx-maven-plugin.version} + + + + makeAggregateBom + + package + + + + + com.diffplug.spotless + spotless-maven-plugin + ${spotless-maven-plugin.version} + + + + ${cleanthat.version} + + + + + ${google-java-format.version} + + + + + **/*.md + + + + + + src/**/*.json + + + + + + + + + + apply + + verify + + + + + com.github.spotbugs + spotbugs-maven-plugin + ${spotbugs-maven-plugin.version} + + + + com.h3xstream.findsecbugs + findsecbugs-plugin + ${findsecbugs-plugin.version} + + + + + + com.github.spotbugs + spotbugs + ${spotbugs.version} + + + + + + + + + + + druid-30.0.1 + + 17 + 30.0.1 + 32.0.1-jre + 4.1.0 + + 2.12.7 + + + + com.fasterxml.jackson.core + jackson-databind + 2.12.7.1 + provided + + + + + + druid-34.0.0 + + 17 + 34.0.0 + 32.1.3-jre + 5.1.0 + 2.18.4 + + + + + com.fasterxml.jackson.core + jackson-core + 2.18.4.1 + provided + + + + + + + com.google.inject + guice + ${guice.version} + provided + + + + + + + druid-35.0.1 + + 21 + 35.0.1 + 32.1.3-jre + 5.1.0 + 2.19.2 + + + + + + com.google.inject + guice + ${guice.version} + provided + + + + + + + diff --git a/extensions-contrib/druid-opa-authorizer/renovate.json b/extensions-contrib/druid-opa-authorizer/renovate.json new file mode 100644 index 000000000000..41d579721a72 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/renovate.json @@ -0,0 +1,6 @@ +{ + "$schema": "https://docs.renovatebot.com/renovate-schema.json", + "extends": [ + "local>stackabletech/.github:renovate-config" + ] +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaAuthorizer.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaAuthorizer.java new file mode 100644 index 000000000000..63d1a2fc9e6f --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaAuthorizer.java @@ -0,0 +1,81 @@ +package tech.stackable.druid.opaauthorizer; + +import com.fasterxml.jackson.annotation.JsonCreator; +import com.fasterxml.jackson.annotation.JsonProperty; +import com.fasterxml.jackson.annotation.JsonTypeName; +import com.fasterxml.jackson.core.JsonProcessingException; +import com.fasterxml.jackson.databind.DeserializationFeature; +import com.fasterxml.jackson.databind.ObjectMapper; +import java.net.URI; +import java.net.http.HttpClient; +import java.net.http.HttpRequest; +import java.net.http.HttpResponse; +import org.apache.druid.java.util.common.logger.Logger; +import org.apache.druid.server.security.Access; +import org.apache.druid.server.security.Action; +import org.apache.druid.server.security.AuthenticationResult; +import org.apache.druid.server.security.Authorizer; +import org.apache.druid.server.security.Resource; +import tech.stackable.druid.opaauthorizer.opatypes.OpaMessage; +import tech.stackable.druid.opaauthorizer.opatypes.OpaResponse; + +@JsonTypeName("opa") +public class OpaAuthorizer implements Authorizer { + private static final Logger LOG = new Logger(OpaAuthorizer.class); + private final String opaUri; + private final ObjectMapper objectMapper; + + @JsonCreator + public OpaAuthorizer(@JsonProperty("name") String name, @JsonProperty("opaUri") String opaUri) { + this.opaUri = opaUri; + objectMapper = + new ObjectMapper() + // https://github.com/stackabletech/druid-opa-authorizer/issues/72 + // OPA server can send other fields, such as `decision_id`` when enabling decision logs + // We could add all the fields we *currently* know, but it's more future-proof to ignore + // any unknown fields. + .configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false); + } + + @Override + public Access authorize( + AuthenticationResult authenticationResult, Resource resource, Action action) { + LOG.debug( + "Authorizing %s for %s on %s", + authenticationResult.getIdentity(), action.name(), resource.toString()); + LOG.trace("Creating OPA request JSON."); + OpaMessage msg = + new OpaMessage(authenticationResult, action.name(), resource.getName(), resource.getType()); + String msgJson; + try { + msgJson = objectMapper.writeValueAsString(msg); + } catch (JsonProcessingException e) { + return new Access(false, "Failed to create the OPA request JSON: " + e); + } + + LOG.trace("Creating HTTP Client and executing post."); + var client = HttpClient.newHttpClient(); + try { + var request = + HttpRequest.newBuilder() + .uri(new URI(opaUri)) + .header("Content-Type", "application/json") + .POST(HttpRequest.BodyPublishers.ofString(msgJson)) + .build(); + + var response = client.send(request, HttpResponse.BodyHandlers.ofString()); + + LOG.debug("OPA Response code: %s - %s", response.statusCode(), response.body()); + LOG.trace("Parsing OPA response."); + OpaResponse opaResponse = objectMapper.readValue(response.body(), OpaResponse.class); + if (opaResponse.result) { + return Access.OK; + } else { + return new Access(false, "Access denied."); + } + + } catch (Exception e) { + return new Access(false, "An error occurred: " + e); + } + } +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaDruidModule.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaDruidModule.java new file mode 100644 index 000000000000..1222a076fd94 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaDruidModule.java @@ -0,0 +1,19 @@ +package tech.stackable.druid.opaauthorizer; + +import com.fasterxml.jackson.databind.Module; +import com.fasterxml.jackson.databind.module.SimpleModule; +import com.google.common.collect.ImmutableList; +import com.google.inject.Binder; +import java.util.List; +import org.apache.druid.initialization.DruidModule; + +public class OpaDruidModule implements DruidModule { + + @Override + public void configure(Binder binder) {} + + @Override + public List getJacksonModules() { + return ImmutableList.of(new SimpleModule("Opa").registerSubtypes(OpaAuthorizer.class)); + } +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaInput.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaInput.java new file mode 100644 index 000000000000..2b021e0cc0a1 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaInput.java @@ -0,0 +1,19 @@ +package tech.stackable.druid.opaauthorizer.opatypes; + +import org.apache.druid.server.security.AuthenticationResult; + +public class OpaInput { + public AuthenticationResult authenticationResult; + public String action; + public OpaResource resource; + + public OpaInput( + AuthenticationResult authenticationResult, + String action, + String resourceName, + String resourceType) { + this.authenticationResult = authenticationResult; + this.action = action; + this.resource = new OpaResource(resourceName, resourceType); + } +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaMessage.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaMessage.java new file mode 100644 index 000000000000..bd1e1c7ea684 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaMessage.java @@ -0,0 +1,15 @@ +package tech.stackable.druid.opaauthorizer.opatypes; + +import org.apache.druid.server.security.AuthenticationResult; + +public class OpaMessage { + public OpaInput input; + + public OpaMessage( + AuthenticationResult authenticationResult, + String action, + String resourceName, + String resourceType) { + this.input = new OpaInput(authenticationResult, action, resourceName, resourceType); + } +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResource.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResource.java new file mode 100644 index 000000000000..e6463bf2de34 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResource.java @@ -0,0 +1,11 @@ +package tech.stackable.druid.opaauthorizer.opatypes; + +public class OpaResource { + public String name; + public String type; + + public OpaResource(String name, String type) { + this.name = name; + this.type = type; + } +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResponse.java b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResponse.java new file mode 100644 index 000000000000..a45611e90f20 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResponse.java @@ -0,0 +1,5 @@ +package tech.stackable.druid.opaauthorizer.opatypes; + +public class OpaResponse { + public boolean result; +} diff --git a/extensions-contrib/druid-opa-authorizer/src/main/resources/META-INF/services/org.apache.druid.initialization.DruidModule b/extensions-contrib/druid-opa-authorizer/src/main/resources/META-INF/services/org.apache.druid.initialization.DruidModule new file mode 100644 index 000000000000..1fbd609e7325 --- /dev/null +++ b/extensions-contrib/druid-opa-authorizer/src/main/resources/META-INF/services/org.apache.druid.initialization.DruidModule @@ -0,0 +1 @@ +tech.stackable.druid.opaauthorizer.OpaDruidModule From f4f2138d94cc98f098b75ad580da1f97577bdc6c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Pawe=C5=82=20Rzepi=C5=84ski?= Date: Thu, 26 Mar 2026 19:50:58 +0100 Subject: [PATCH 02/14] Adjust druid-opa-authorizer files to match Apache Druid repo --- .idea/inspectionProfiles/Druid.xml | 310 +++++++------- distribution/pom.xml | 2 + docs/configuration/extensions.md | 1 + .../druid-opa-authorizer.md | 137 ++++++ .../.github/pull_request_template.md | 17 - .../.github/workflows/maven.yml | 43 -- .../.github/workflows/release.yml | 63 --- .../.github/workflows/reviewdog.yml | 62 --- .../druid-opa-authorizer/.gitignore | 9 - .../druid-opa-authorizer/.markdownlint.yaml | 20 - .../druid-opa-authorizer/.mvn/jvm.config | 10 - .../druid-opa-authorizer/.yamllint.yaml | 12 - .../druid-opa-authorizer/CHANGELOG.md | 85 ---- .../druid-opa-authorizer/LICENSE | 43 -- .../druid-opa-authorizer/README.md | 86 +--- .../druid-opa-authorizer/checkstyle.xml | 74 ---- .../druid-opa-authorizer/example/README.md | 51 --- .../druid-opa-authorizer/example/druid.json | 3 + .../example/setup/setup.sh | 2 +- .../druid-opa-authorizer/pom.xml | 391 ++---------------- .../druid-opa-authorizer/renovate.json | 6 - .../druid/security/opa}/OpaAuthorizer.java | 76 +++- .../druid/security/opa/OpaDruidModule.java | 43 ++ .../druid/security/opa/opatypes/OpaInput.java | 41 ++ .../security/opa/opatypes/OpaMessage.java | 37 ++ .../security/opa/opatypes/OpaResource.java | 32 ++ .../security/opa/opatypes/OpaResponse.java | 25 ++ .../druid/opaauthorizer/OpaDruidModule.java | 19 - .../opaauthorizer/opatypes/OpaInput.java | 19 - .../opaauthorizer/opatypes/OpaMessage.java | 15 - .../opaauthorizer/opatypes/OpaResource.java | 11 - .../opaauthorizer/opatypes/OpaResponse.java | 5 - ...rg.apache.druid.initialization.DruidModule | 2 +- pom.xml | 1 + website/.spelling | 20 + 35 files changed, 602 insertions(+), 1171 deletions(-) create mode 100644 docs/development/extensions-contrib/druid-opa-authorizer.md delete mode 100644 extensions-contrib/druid-opa-authorizer/.github/pull_request_template.md delete mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/maven.yml delete mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/release.yml delete mode 100644 extensions-contrib/druid-opa-authorizer/.github/workflows/reviewdog.yml delete mode 100644 extensions-contrib/druid-opa-authorizer/.gitignore delete mode 100644 extensions-contrib/druid-opa-authorizer/.markdownlint.yaml delete mode 100644 extensions-contrib/druid-opa-authorizer/.mvn/jvm.config delete mode 100644 extensions-contrib/druid-opa-authorizer/.yamllint.yaml delete mode 100644 extensions-contrib/druid-opa-authorizer/CHANGELOG.md delete mode 100644 extensions-contrib/druid-opa-authorizer/LICENSE delete mode 100644 extensions-contrib/druid-opa-authorizer/checkstyle.xml delete mode 100644 extensions-contrib/druid-opa-authorizer/example/README.md delete mode 100644 extensions-contrib/druid-opa-authorizer/renovate.json rename extensions-contrib/druid-opa-authorizer/src/main/java/{tech/stackable/druid/opaauthorizer => org/apache/druid/security/opa}/OpaAuthorizer.java (57%) create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/org/apache/druid/security/opa/OpaDruidModule.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/org/apache/druid/security/opa/opatypes/OpaInput.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/org/apache/druid/security/opa/opatypes/OpaMessage.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/org/apache/druid/security/opa/opatypes/OpaResource.java create mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/org/apache/druid/security/opa/opatypes/OpaResponse.java delete mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/OpaDruidModule.java delete mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaInput.java delete mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaMessage.java delete mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResource.java delete mode 100644 extensions-contrib/druid-opa-authorizer/src/main/java/tech/stackable/druid/opaauthorizer/opatypes/OpaResponse.java diff --git a/.idea/inspectionProfiles/Druid.xml b/.idea/inspectionProfiles/Druid.xml index 0889de4cc67a..54c4dd931c09 100644 --- a/.idea/inspectionProfiles/Druid.xml +++ b/.idea/inspectionProfiles/Druid.xml @@ -39,9 +39,13 @@