Skip to content

Migrate revised security IT to embedded tests #18358

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
kfaraz merged 11 commits into from
Aug 7, 2025
Merged

Migrate revised security IT to embedded tests #18358

Show file tree
Hide file tree
Changes from 10 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
ca0e699
Migrate revised security IT to embedded tests
kfaraz Aug 4, 2025
7ecb7b8
Minor cleanup
kfaraz Aug 4, 2025
97e4842
Remove CoordinatorServiceClient
kfaraz Aug 4, 2025
8eb2ff4
Fix compilation and tests
kfaraz Aug 4, 2025
a5981ba
Merge branch 'master' of github.com:apache/druid into add_embedded_au…
kfaraz Aug 4, 2025
7803011
Minor fixes
kfaraz Aug 4, 2025
eae1513
Clean up
kfaraz Aug 4, 2025
e70f828
Move test from ITCoordinatorOverlordProxyAuthTest to BasicAuthIndexin…
kfaraz Aug 4, 2025
9b21d45
Add EmbeddedBasicAuthResource
kfaraz Aug 7, 2025
3181c1f
Remove redundant throws clauses
kfaraz Aug 7, 2025
ee26cd2
Minor cleanup to address strict compile issues
kfaraz Aug 7, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/revised-its.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ jobs:
fail-fast: false
matrix:
jdk: [17]
it: [HighAvailability, MultiStageQuery, Catalog, BatchIndex, MultiStageQueryWithMM, InputSource, InputFormat, Security, Query, DruidExactCountBitmap]
it: [HighAvailability, MultiStageQuery, Catalog, BatchIndex, MultiStageQueryWithMM, InputSource, InputFormat, Query, DruidExactCountBitmap]
indexer: [middleManager]
uses: ./.github/workflows/reusable-revised-its.yml
if: ${{ needs.changes.outputs.core == 'true' || needs.changes.outputs.common-extensions == 'true' }}
Expand Down
6 changes: 6 additions & 0 deletions embedded-tests/pom.xml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -86,6 +86,12 @@
<version>${project.parent.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.apache.druid.extensions</groupId>
<artifactId>druid-basic-security</artifactId>
<version>${project.parent.version}</version>
<scope>test</scope>
</dependency>
<dependency>
<groupId>joda-time</groupId>
<artifactId>joda-time</artifactId>
Expand Down
61 changes: 61 additions & 0 deletions ...ded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthIndexingTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.druid.testing.embedded.auth;

import com.fasterxml.jackson.core.type.TypeReference;
import org.apache.druid.rpc.RequestBuilder;
import org.apache.druid.testing.embedded.EmbeddedDruidCluster;
import org.apache.druid.testing.embedded.EmbeddedRouter;
import org.apache.druid.testing.embedded.indexing.IndexTaskTest;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

import java.util.List;

public class BasicAuthIndexingTest extends IndexTaskTest
{
@Override
public EmbeddedDruidCluster createCluster()
{
return EmbeddedDruidCluster
.withEmbeddedDerbyAndZookeeper()
.addResource(new EmbeddedBasicAuthResource())
.useLatchableEmitter()
.addServer(coordinator)
.addServer(overlord)
.addServer(indexer)
.addServer(historical)
.addServer(broker)
.addServer(new EmbeddedRouter())
.addCommonProperty("druid.indexer.autoscale.doAutoscale", "true");
}

@Test
public void test_getScalingStats_redirectFromCoordinatorToOverlord()
{
final List<Object> response = cluster.callApi().serviceClient().onLeaderCoordinator(
mapper -> new RequestBuilder(HttpMethod.GET, "/druid/indexer/v1/scaling"),
new TypeReference<>() {}
);
Assertions.assertNotNull(response);
Assertions.assertTrue(response.isEmpty());
}
}
268 changes: 122 additions & 146 deletions ...id/testsEx/auth/ITSecurityBasicQuery.java → ...sting/embedded/auth/BasicAuthMSQTest.java
View file
Open in desktop

Large diffs are not rendered by default.

83 changes: 83 additions & 0 deletions ...tests/src/test/java/org/apache/druid/testing/embedded/auth/EmbeddedBasicAuthResource.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,83 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.druid.testing.embedded.auth;

import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.security.basic.BasicSecurityDruidModule;
import org.apache.druid.testing.embedded.EmbeddedDruidCluster;
import org.apache.druid.testing.embedded.EmbeddedResource;

/**
* Resource to enable the basic auth extension in embedded tests.
*/
public class EmbeddedBasicAuthResource implements EmbeddedResource
{
public static final String ADMIN_PASSWORD = "priest";
public static final String SYSTEM_PASSWORD = "warlock";
public static final String SYSTEM_USER = "druid_system";

private static final String AUTHORIZER_NAME = "basic";
private static final String AUTHENTICATOR_NAME = "basic";

@Override
public void start()
{
// Do nothing
}

@Override
public void onStarted(EmbeddedDruidCluster cluster)
{
cluster
.addExtension(BasicSecurityDruidModule.class)
.addCommonProperty("druid.auth.authenticatorChain", StringUtils.format("[\"%s\"]", AUTHENTICATOR_NAME))
.addCommonProperty(authenticatorProp("type"), "basic")
.addCommonProperty(authenticatorProp("initialAdminPassword"), ADMIN_PASSWORD)
.addCommonProperty(authenticatorProp("initialInternalClientPassword"), SYSTEM_PASSWORD)
.addCommonProperty(authenticatorProp("authorizerName"), AUTHORIZER_NAME)
.addCommonProperty("druid.auth.authorizers", StringUtils.format("[\"%s\"]", AUTHORIZER_NAME))
.addCommonProperty(authorizerProp("type"), "basic")
.addCommonProperty(escalatorProp("type"), "basic")
.addCommonProperty(escalatorProp("internalClientPassword"), SYSTEM_PASSWORD)
.addCommonProperty(escalatorProp("internalClientUsername"), SYSTEM_USER)
.addCommonProperty(escalatorProp("authorizerName"), AUTHORIZER_NAME);
}

@Override
public void stop()
{
// Do nothing
}

private String authenticatorProp(String name)
{
return StringUtils.format("druid.auth.authenticator.%s.%s", AUTHENTICATOR_NAME, name);
}

private String authorizerProp(String name)
{
return StringUtils.format("druid.auth.authorizer.%s.%s", AUTHORIZER_NAME, name);
}

private String escalatorProp(String name)
{
return StringUtils.format("druid.escalator.%s", name);
}
}
171 changes: 171 additions & 0 deletions embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/SecurityClient.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,171 @@
/*
* Licensed to the Apache Software Foundation (ASF) under one
* or more contributor license agreements. See the NOTICE file
* distributed with this work for additional information
* regarding copyright ownership. The ASF licenses this file
* to you under the Apache License, Version 2.0 (the
* "License"); you may not use this file except in compliance
* with the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing,
* software distributed under the License is distributed on an
* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
* KIND, either express or implied. See the License for the
* specific language governing permissions and limitations
* under the License.
*/

package org.apache.druid.testing.embedded.auth;

import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.rpc.RequestBuilder;
import org.apache.druid.server.security.ResourceAction;
import org.apache.druid.testing.embedded.EmbeddedServiceClient;
import org.jboss.netty.handler.codec.http.HttpMethod;

import java.util.List;
import java.util.Map;
import java.util.function.Function;

/**
* Client to call various basic auth APIs on the Coordinator.
Copy link
Contributor

@uds5501 uds5501 Aug 7, 2025
edited by kfaraz
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dummy suggestion to trigger CI:

Suggested change
* Client to call various basic auth APIs on the Coordinator.
* Client to call various basic auth APIs on the Coordinator for sure.

Copy link
Contributor

@gianm gianm Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't understand this suggestion.

Copy link
Contributor Author

@kfaraz kfaraz Aug 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah, sorry for the confusion.

I was exploring the idea of trying out an alt account to bypass my GHA issue.
This is a dummy suggestion that I had requested @uds5501 to leave so that we could commit it and hopefully trigger CI. But that didn't work as only committers can commit from the GitHub console.

*/
public class SecurityClient
{
private static final String AUTHENTICATOR_URL = "/druid-ext/basic-security/authentication/db/basic";
private static final String AUTHORIZER_URL = "/druid-ext/basic-security/authorization/db/basic";

private final EmbeddedServiceClient clients;

SecurityClient(EmbeddedServiceClient clients)
{
this.clients = clients;
}

public void createAuthenticationUser(String username)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/users/%s",
AUTHENTICATOR_URL,
StringUtils.urlEncode(username)
)
);
sendRequest(mapper -> request);
}

public void deleteAuthenticationUser(String username)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.DELETE,
StringUtils.format(
"%s/users/%s",
AUTHENTICATOR_URL,
StringUtils.urlEncode(username)
)
);
sendRequest(mapper -> request);
}

public void setUserPassword(String username, String password)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/users/%s/credentials",
AUTHENTICATOR_URL,
StringUtils.urlEncode(username)
)
);

sendRequest(mapper -> request.jsonContent(mapper, Map.of("password", password)));
}

public void createAuthorizerUser(String username)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/users/%s",
AUTHORIZER_URL,
StringUtils.urlEncode(username)
)
);
sendRequest(mapper -> request);
}

public void deleteAuthorizerUser(String username)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.DELETE,
StringUtils.format(
"%s/users/%s",
AUTHORIZER_URL,
StringUtils.urlEncode(username)
)
);
sendRequest(mapper -> request);
}

public void createAuthorizerRole(String role)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/roles/%s",
AUTHORIZER_URL,
StringUtils.urlEncode(role)
)
);
sendRequest(mapper -> request);
}

public void deleteAuthorizerRole(String role)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.DELETE,
StringUtils.format(
"%s/roles/%s",
AUTHORIZER_URL,
StringUtils.urlEncode(role)
)
);
sendRequest(mapper -> request);
}

public void assignUserToRole(String user, String role)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/users/%s/roles/%s",
AUTHORIZER_URL,
StringUtils.urlEncode(user),
StringUtils.urlEncode(role)
)
);
sendRequest(mapper -> request);
}

public void setPermissionsToRole(String role, List<ResourceAction> permissions)
{
final RequestBuilder request = new RequestBuilder(
HttpMethod.POST,
StringUtils.format(
"%s/roles/%s/permissions/",
AUTHORIZER_URL,
StringUtils.urlEncode(role)
)
);
sendRequest(mapper -> request.jsonContent(mapper, permissions));
}

private void sendRequest(Function<ObjectMapper, RequestBuilder> request)
{
clients.onLeaderCoordinator(request, null);
}
}
Loading
Loading