Migrate revised security IT to embedded tests (#18358)

Main changes:
- Move `ITSecurityBasicQuery` to `BasicAuthMsqTest`
- Add new test `BasicAuthIndexingTest` which extends `IndexTaskTest`
- Add `EmbeddedServiceClient` to allow creation of a custom client that can talk to various services
in an embedded cluster

Other changes:
- Refactor `SecurityClient` to work with `EmbeddedServiceClient`
- Simplify `CompactionResourceTestClient` to work with `EmbeddedServiceClient`
- Bind annotated `ServiceClient` instances for Coordinator, Overlord and Broker in `ServiceClientModule`
- Replace usages of `CoordinatorServiceClient` with `@Coordinator ServiceClient`
- Add resource `MsqExportDirectory`

Author: kfaraz

.github/workflows/revised-its.yml

@@ -67,7 +67,7 @@ jobs:
       fail-fast: false
       matrix:
         jdk: [17]
-        it: [HighAvailability, MultiStageQuery, Catalog, BatchIndex, MultiStageQueryWithMM, InputSource, InputFormat, Security, Query, DruidExactCountBitmap]
+        it: [HighAvailability, MultiStageQuery, Catalog, BatchIndex, MultiStageQueryWithMM, InputSource, InputFormat, Query, DruidExactCountBitmap]
         indexer: [middleManager]
     uses: ./.github/workflows/reusable-revised-its.yml
     if: ${{ needs.changes.outputs.core == 'true' || needs.changes.outputs.common-extensions == 'true' }}

embedded-tests/pom.xml

@@ -86,6 +86,12 @@
       <version>${project.parent.version}</version>
       <scope>test</scope>
     </dependency>
+    <dependency>
+      <groupId>org.apache.druid.extensions</groupId>
+      <artifactId>druid-basic-security</artifactId>
+      <version>${project.parent.version}</version>
+      <scope>test</scope>
+    </dependency>
     <dependency>
       <groupId>joda-time</groupId>
       <artifactId>joda-time</artifactId>

embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthIndexingTest.java

@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.testing.embedded.auth;
+
+import com.fasterxml.jackson.core.type.TypeReference;
+import org.apache.druid.rpc.RequestBuilder;
+import org.apache.druid.testing.embedded.EmbeddedDruidCluster;
+import org.apache.druid.testing.embedded.EmbeddedRouter;
+import org.apache.druid.testing.embedded.indexing.IndexTaskTest;
+import org.jboss.netty.handler.codec.http.HttpMethod;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+public class BasicAuthIndexingTest extends IndexTaskTest
+{
+  @Override
+  public EmbeddedDruidCluster createCluster()
+  {
+    return EmbeddedDruidCluster
+        .withEmbeddedDerbyAndZookeeper()
+        .addResource(new EmbeddedBasicAuthResource())
+        .useLatchableEmitter()
+        .addServer(coordinator)
+        .addServer(overlord)
+        .addServer(indexer)
+        .addServer(historical)
+        .addServer(broker)
+        .addServer(new EmbeddedRouter())
+        .addCommonProperty("druid.indexer.autoscale.doAutoscale", "true");
+  }
+
+  @Test
+  public void test_getScalingStats_redirectFromCoordinatorToOverlord()
+  {
+    final List<Object> response = cluster.callApi().serviceClient().onLeaderCoordinator(
+        mapper -> new RequestBuilder(HttpMethod.GET, "/druid/indexer/v1/scaling"),
+        new TypeReference<>() {}
+    );
+    Assertions.assertNotNull(response);
+    Assertions.assertTrue(response.isEmpty());
+  }
+}

…d/testsEx/auth/ITSecurityBasicQuery.java …ting/embedded/auth/BasicAuthMSQTest.javaintegration-tests-ex/cases/src/test/java/org/apache/druid/testsEx/auth/ITSecurityBasicQuery.java renamed to embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthMSQTest.java integration-tests-ex/cases/src/test/java/org/apache/druid/testsEx/auth/ITSecurityBasicQuery.java renamed to embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthMSQTest.java

@@ -0,0 +1,83 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.testing.embedded.auth;
+
+import org.apache.druid.java.util.common.StringUtils;
+import org.apache.druid.security.basic.BasicSecurityDruidModule;
+import org.apache.druid.testing.embedded.EmbeddedDruidCluster;
+import org.apache.druid.testing.embedded.EmbeddedResource;
+
+/**
+ * Resource to enable the basic auth extension in embedded tests.
+ */
+public class EmbeddedBasicAuthResource implements EmbeddedResource
+{
+  public static final String ADMIN_PASSWORD = "priest";
+  public static final String SYSTEM_PASSWORD = "warlock";
+  public static final String SYSTEM_USER = "druid_system";
+
+  private static final String AUTHORIZER_NAME = "basic";
+  private static final String AUTHENTICATOR_NAME = "basic";
+
+  @Override
+  public void start()
+  {
+    // Do nothing
+  }
+
+  @Override
+  public void onStarted(EmbeddedDruidCluster cluster)
+  {
+    cluster
+        .addExtension(BasicSecurityDruidModule.class)
+        .addCommonProperty("druid.auth.authenticatorChain", StringUtils.format("[\"%s\"]", AUTHENTICATOR_NAME))
+        .addCommonProperty(authenticatorProp("type"), "basic")
+        .addCommonProperty(authenticatorProp("initialAdminPassword"), ADMIN_PASSWORD)
+        .addCommonProperty(authenticatorProp("initialInternalClientPassword"), SYSTEM_PASSWORD)
+        .addCommonProperty(authenticatorProp("authorizerName"), AUTHORIZER_NAME)
+        .addCommonProperty("druid.auth.authorizers", StringUtils.format("[\"%s\"]", AUTHORIZER_NAME))
+        .addCommonProperty(authorizerProp("type"), "basic")
+        .addCommonProperty(escalatorProp("type"), "basic")
+        .addCommonProperty(escalatorProp("internalClientPassword"), SYSTEM_PASSWORD)
+        .addCommonProperty(escalatorProp("internalClientUsername"), SYSTEM_USER)
+        .addCommonProperty(escalatorProp("authorizerName"), AUTHORIZER_NAME);
+  }
+
+  @Override
+  public void stop()
+  {
+    // Do nothing
+  }
+  
+  private String authenticatorProp(String name)
+  {
+    return StringUtils.format("druid.auth.authenticator.%s.%s", AUTHENTICATOR_NAME, name);
+  }
+  
+  private String authorizerProp(String name)
+  {
+    return StringUtils.format("druid.auth.authorizer.%s.%s", AUTHORIZER_NAME, name);
+  }
+  
+  private String escalatorProp(String name)
+  {
+    return StringUtils.format("druid.escalator.%s", name);
+  }
+}

embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/EmbeddedBasicAuthResource.java

@@ -0,0 +1,171 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.testing.embedded.auth;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.apache.druid.java.util.common.StringUtils;
+import org.apache.druid.rpc.RequestBuilder;
+import org.apache.druid.server.security.ResourceAction;
+import org.apache.druid.testing.embedded.EmbeddedServiceClient;
+import org.jboss.netty.handler.codec.http.HttpMethod;
+
+import java.util.List;
+import java.util.Map;
+import java.util.function.Function;
+
+/**
+ * Client to call various basic auth APIs on the Coordinator. 
+ */
+public class SecurityClient
+{
+  private static final String AUTHENTICATOR_URL = "/druid-ext/basic-security/authentication/db/basic";
+  private static final String AUTHORIZER_URL = "/druid-ext/basic-security/authorization/db/basic";
+
+  private final EmbeddedServiceClient clients;
+
+  SecurityClient(EmbeddedServiceClient clients)
+  {
+    this.clients = clients;
+  }
+
+  public void createAuthenticationUser(String username)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/users/%s",
+            AUTHENTICATOR_URL,
+            StringUtils.urlEncode(username)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void deleteAuthenticationUser(String username)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.DELETE,
+        StringUtils.format(
+            "%s/users/%s",
+            AUTHENTICATOR_URL,
+            StringUtils.urlEncode(username)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void setUserPassword(String username, String password)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/users/%s/credentials",
+            AUTHENTICATOR_URL,
+            StringUtils.urlEncode(username)
+        )
+    );
+
+    sendRequest(mapper -> request.jsonContent(mapper, Map.of("password", password)));
+  }
+
+  public void createAuthorizerUser(String username)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/users/%s",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(username)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void deleteAuthorizerUser(String username)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.DELETE,
+        StringUtils.format(
+            "%s/users/%s",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(username)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void createAuthorizerRole(String role)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/roles/%s",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(role)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void deleteAuthorizerRole(String role)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.DELETE,
+        StringUtils.format(
+            "%s/roles/%s",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(role)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void assignUserToRole(String user, String role)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/users/%s/roles/%s",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(user),
+            StringUtils.urlEncode(role)
+        )
+    );
+    sendRequest(mapper -> request);
+  }
+
+  public void setPermissionsToRole(String role, List<ResourceAction> permissions)
+  {
+    final RequestBuilder request = new RequestBuilder(
+        HttpMethod.POST,
+        StringUtils.format(
+            "%s/roles/%s/permissions/",
+            AUTHORIZER_URL,
+            StringUtils.urlEncode(role)
+        )
+    );
+    sendRequest(mapper -> request.jsonContent(mapper, permissions));
+  }
+
+  private void sendRequest(Function<ObjectMapper, RequestBuilder> request)
+  {
+    clients.onLeaderCoordinator(request, null);
+  }
+}