refactor sql authorization to get resource type from schema, resource type to be string

benchmarks/src/test/java/org/apache/druid/benchmark/query/SqlBenchmark.java

@@ -21,7 +21,6 @@
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import org.apache.calcite.schema.SchemaPlus;
 import org.apache.druid.common.config.NullHandling;
 import org.apache.druid.java.util.common.granularity.Granularities;
 import org.apache.druid.java.util.common.guava.Sequence;
@@ -46,6 +45,7 @@
 import org.apache.druid.sql.calcite.planner.PlannerConfig;
 import org.apache.druid.sql.calcite.planner.PlannerFactory;
 import org.apache.druid.sql.calcite.planner.PlannerResult;
+import org.apache.druid.sql.calcite.schema.DruidSchemaCatalog;
 import org.apache.druid.sql.calcite.util.CalciteTests;
 import org.apache.druid.sql.calcite.util.SpecificSegmentsQuerySegmentWalker;
 import org.apache.druid.timeline.DataSegment;
@@ -421,7 +421,7 @@ public void setup()
     );
     closer.register(walker);
 
-    final SchemaPlus rootSchema =
+    final DruidSchemaCatalog rootSchema =
         CalciteTests.createMockRootSchema(conglomerate, walker, plannerConfig, AuthTestUtils.TEST_AUTHORIZER_MAPPER);
     plannerFactory = new PlannerFactory(
         rootSchema,

benchmarks/src/test/java/org/apache/druid/benchmark/query/SqlExpressionBenchmark.java

@@ -21,7 +21,6 @@
 
 import com.google.common.collect.ImmutableList;
 import com.google.common.collect.ImmutableMap;
-import org.apache.calcite.schema.SchemaPlus;
 import org.apache.druid.common.config.NullHandling;
 import org.apache.druid.java.util.common.granularity.Granularities;
 import org.apache.druid.java.util.common.guava.Sequence;
@@ -42,6 +41,7 @@
 import org.apache.druid.sql.calcite.planner.PlannerConfig;
 import org.apache.druid.sql.calcite.planner.PlannerFactory;
 import org.apache.druid.sql.calcite.planner.PlannerResult;
+import org.apache.druid.sql.calcite.schema.DruidSchemaCatalog;
 import org.apache.druid.sql.calcite.util.CalciteTests;
 import org.apache.druid.sql.calcite.util.SpecificSegmentsQuerySegmentWalker;
 import org.apache.druid.timeline.DataSegment;
@@ -264,7 +264,7 @@ public void setup()
     );
     closer.register(walker);
 
-    final SchemaPlus rootSchema =
+    final DruidSchemaCatalog rootSchema =
         CalciteTests.createMockRootSchema(conglomerate, walker, plannerConfig, AuthTestUtils.TEST_AUTHORIZER_MAPPER);
     plannerFactory = new PlannerFactory(
         rootSchema,

benchmarks/src/test/java/org/apache/druid/benchmark/query/SqlVsNativeBenchmark.java

@@ -19,7 +19,6 @@
 
 package org.apache.druid.benchmark.query;
 
-import org.apache.calcite.schema.SchemaPlus;
 import org.apache.druid.common.config.NullHandling;
 import org.apache.druid.java.util.common.Intervals;
 import org.apache.druid.java.util.common.granularity.Granularities;
@@ -43,6 +42,7 @@
 import org.apache.druid.sql.calcite.planner.PlannerConfig;
 import org.apache.druid.sql.calcite.planner.PlannerFactory;
 import org.apache.druid.sql.calcite.planner.PlannerResult;
+import org.apache.druid.sql.calcite.schema.DruidSchemaCatalog;
 import org.apache.druid.sql.calcite.util.CalciteTests;
 import org.apache.druid.sql.calcite.util.SpecificSegmentsQuerySegmentWalker;
 import org.apache.druid.timeline.DataSegment;
@@ -111,7 +111,7 @@ public void setup()
     final PlannerConfig plannerConfig = new PlannerConfig();
 
     this.walker = closer.register(new SpecificSegmentsQuerySegmentWalker(conglomerate).add(dataSegment, index));
-    final SchemaPlus rootSchema =
+    final DruidSchemaCatalog rootSchema =
         CalciteTests.createMockRootSchema(conglomerate, walker, plannerConfig, AuthTestUtils.TEST_AUTHORIZER_MAPPER);
     plannerFactory = new PlannerFactory(
         rootSchema,

extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/BasicRoleBasedAuthorizer.java

@@ -36,6 +36,7 @@
 
 import java.util.HashSet;
 import java.util.Map;
+import java.util.Objects;
 import java.util.Set;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -116,7 +117,7 @@ private boolean permissionCheck(Resource resource, Action action, BasicAuthorize
     }
 
     Resource permissionResource = permission.getResourceAction().getResource();
-    if (permissionResource.getType() != resource.getType()) {
+    if (!Objects.equals(permissionResource.getType(), resource.getType())) {
       return false;
     }
 

extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/BasicAuthUtilsTest.java

@@ -60,6 +60,7 @@ public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProces
     final String thirdRoleName = "third-role";
     final ResourceAction fooRead = new ResourceAction(new Resource("foo", ResourceType.DATASOURCE), Action.READ);
     final ResourceAction barRead = new ResourceAction(new Resource("bar", ResourceType.DATASOURCE), Action.READ);
+    final ResourceAction customRead = new ResourceAction(new Resource("bar", "CUSTOM"), Action.READ);
 
     final ObjectMapper mapper = TestHelper.makeJsonMapper();
     mapper.registerModules(new BasicSecurityDruidModule().getJacksonModules());
@@ -76,7 +77,7 @@ public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProces
           )
       )
     );
-    // bad ResourceType
+    // custom ResourceType
     rawMap.put(
         otherRoleName,
         ImmutableMap.of(
@@ -89,12 +90,7 @@ public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProces
                     "resourceNamePattern", "foo"
                 ),
                 ImmutableMap.of(
-                    "resourceAction",
-                    ImmutableMap.of(
-                        "resource",
-                        ImmutableMap.of("name", "bar", "type", "UNKNOWN"),
-                        "action", "READ"
-                    ),
+                    "resourceAction", customRead,
                     "resourceNamePattern", "bar"
                 )
             )
@@ -141,11 +137,11 @@ public void testPermissionSerdeIsChillAboutUnknownEnumStuffs() throws JsonProces
         roleMap.get(someRoleName).getPermissions()
     );
 
-    // this one has an unknown ResourceType, expect only 1 permission to deserialize correctly and failure ignored
+    // this one has custom resource type... this test is somewhat pointless, it made more sense when type was an enum
     Assert.assertTrue(roleMap.containsKey(otherRoleName));
-    Assert.assertEquals(1, roleMap.get(otherRoleName).getPermissions().size());
+    Assert.assertEquals(2, roleMap.get(otherRoleName).getPermissions().size());
     Assert.assertEquals(
-        BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead)),
+        BasicAuthorizerPermission.makePermissionList(ImmutableList.of(fooRead, customRead)),
         roleMap.get(otherRoleName).getPermissions()
     );
 

extensions-core/druid-ranger-security/src/main/java/org/apache/druid/security/ranger/authorizer/RangerAuthorizer.java

@@ -126,7 +126,7 @@ class RangerDruidResource extends RangerAccessResourceImpl
 {
   public RangerDruidResource(Resource resource)
   {
-    setValue(resource.getType().name().toLowerCase(Locale.ENGLISH), resource.getName());
+    setValue(resource.getType().toLowerCase(Locale.ENGLISH), resource.getName());
   }
 }
 

server/src/main/java/org/apache/druid/server/security/AuthorizationUtils.java

@@ -25,6 +25,7 @@
 import org.apache.druid.java.util.common.ISE;
 
 import javax.servlet.http.HttpServletRequest;
+import java.util.ArrayList;
 import java.util.Collections;
 import java.util.HashMap;
 import java.util.HashSet;
@@ -359,49 +360,27 @@ public static <KeyType, ResType> Map<KeyType, List<ResType>> filterAuthorizedRes
     return filteredResources;
   }
 
+  /**
+   * This method constructs a 'superuser' set of permissions composed of {@link Action#READ} and {@link Action#WRITE}
+   * permissions for all known {@link ResourceType#knownTypes()} for any {@link Authorizer} implementation which is
+   * built on pattern matching with a regex.
+   *
+   * Note that if any {@link Resource} exist that use custom types not registered with
+   * {@link ResourceType#registerResourceType}, those permissions will not be included in this list and will need to
+   * be added manually.
+   */
   public static List<ResourceAction> makeSuperUserPermissions()
   {
-    ResourceAction datasourceR = new ResourceAction(
-        new Resource(".*", ResourceType.DATASOURCE),
-        Action.READ
-    );
-
-    ResourceAction datasourceW = new ResourceAction(
-        new Resource(".*", ResourceType.DATASOURCE),
-        Action.WRITE
-    );
-
-    ResourceAction viewR = new ResourceAction(
-        new Resource(".*", ResourceType.VIEW),
-        Action.READ
-    );
-
-    ResourceAction viewW = new ResourceAction(
-        new Resource(".*", ResourceType.VIEW),
-        Action.WRITE
-    );
-
-    ResourceAction configR = new ResourceAction(
-        new Resource(".*", ResourceType.CONFIG),
-        Action.READ
-    );
-
-    ResourceAction configW = new ResourceAction(
-        new Resource(".*", ResourceType.CONFIG),
-        Action.WRITE
-    );
-
-    ResourceAction stateR = new ResourceAction(
-        new Resource(".*", ResourceType.STATE),
-        Action.READ
-    );
-
-    ResourceAction stateW = new ResourceAction(
-        new Resource(".*", ResourceType.STATE),
-        Action.WRITE
-    );
-
-    return Lists.newArrayList(datasourceR, datasourceW, viewR, viewW, configR, configW, stateR, stateW);
+    List<ResourceAction> allReadAndWrite = new ArrayList<>(ResourceType.knownTypes().size() * 2);
+    for (String type : ResourceType.knownTypes()) {
+      allReadAndWrite.add(
+          new ResourceAction(new Resource(".*", type), Action.READ)
+      );
+      allReadAndWrite.add(
+          new ResourceAction(new Resource(".*", type), Action.WRITE)
+      );
+    }
+    return allReadAndWrite;
   }
 
   /**

server/src/main/java/org/apache/druid/server/security/Resource.java

@@ -22,17 +22,19 @@
 import com.fasterxml.jackson.annotation.JsonCreator;
 import com.fasterxml.jackson.annotation.JsonProperty;
 
+import java.util.Objects;
+
 public class Resource
 {
   public static final Resource STATE_RESOURCE = new Resource("STATE", ResourceType.STATE);
 
   private final String name;
-  private final ResourceType type;
+  private final String type;
 
   @JsonCreator
   public Resource(
       @JsonProperty("name") String name,
-      @JsonProperty("type") ResourceType type
+      @JsonProperty("type") String type
   )
   {
     this.name = name;
@@ -46,7 +48,7 @@ public String getName()
   }
 
   @JsonProperty
-  public ResourceType getType()
+  public String getType()
   {
     return type;
   }
@@ -66,16 +68,14 @@ public boolean equals(Object o)
     if (!name.equals(resource.name)) {
       return false;
     }
-    return type == resource.type;
+    return Objects.equals(type, resource.type);
 
   }
 
   @Override
   public int hashCode()
   {
-    int result = name.hashCode();
-    result = 31 * result + type.hashCode();
-    return result;
+    return Objects.hash(name, type);
   }
 
   @Override

server/src/main/java/org/apache/druid/server/security/ResourceType.java

@@ -19,22 +19,44 @@
 
 package org.apache.druid.server.security;
 
-import com.fasterxml.jackson.annotation.JsonCreator;
-import org.apache.druid.java.util.common.StringUtils;
+import com.google.common.collect.Sets;
 
-public enum ResourceType
+import java.util.Set;
+
+/**
+ * Set of built-in and 'registered' {@link Resource} types for use by {@link Authorizer}
+ */
+public class ResourceType
 {
-  DATASOURCE,
-  VIEW,
-  CONFIG,
-  STATE;
+  public static final String DATASOURCE = "DATASOURCE";
+  public static final String VIEW = "VIEW";
+  public static final String CONFIG = "CONFIG";
+  public static final String STATE = "STATE";
+
+  private static final Set<String> KNOWN_TYPES = Sets.newConcurrentHashSet();
+
+  // initialize built-ins
+  static {
+    registerResourceType(DATASOURCE);
+    registerResourceType(VIEW);
+    registerResourceType(CONFIG);
+    registerResourceType(STATE);
+  }
+
+  /**
+   * Set of 'known' {@link Resource} types which have been registered with {@link #registerResourceType}, for use by
+   * utility methods looking to construct permission sets for all types (e.g. 'superuser' permission set)
+   */
+  public static Set<String> knownTypes()
+  {
+    return KNOWN_TYPES;
+  }
 
-  @JsonCreator
-  public static ResourceType fromString(String name)
+  /**
+   * 'register' a 'known' type of {@link Resource} to make available via {@link #knownTypes()}
+   */
+  public static void registerResourceType(String type)
   {
-    if (name == null) {
-      return null;
-    }
-    return valueOf(StringUtils.toUpperCase(name));
+    KNOWN_TYPES.add(type);
   }
 }

server/src/test/java/org/apache/druid/server/security/AuthorizationUtilsTest.java

@@ -30,6 +30,7 @@
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 
 public class AuthorizationUtilsTest
 {
@@ -88,16 +89,26 @@ public Iterable<ResourceAction> apply(@Nullable String input)
   @Test
   public void testMakeSuperuserPermissions()
   {
+    final String customType = "CUSTOM";
+    ResourceType.registerResourceType(customType);
     final List<ResourceAction> permissions = AuthorizationUtils.makeSuperUserPermissions();
     // every type and action should have a wildcard pattern
-    for (ResourceType type : ResourceType.values()) {
+    for (String type : ResourceType.knownTypes()) {
       for (Action action : Action.values()) {
         Assert.assertTrue(
             permissions.stream()
-                       .filter(ra -> type == ra.getResource().getType())
+                       .filter(ra -> Objects.equals(type, ra.getResource().getType()))
                        .anyMatch(ra -> action == ra.getAction() && ".*".equals(ra.getResource().getName()))
         );
       }
     }
+    // custom type should be there too
+    for (Action action : Action.values()) {
+      Assert.assertTrue(
+          permissions.stream()
+                     .filter(ra -> Objects.equals(customType, ra.getResource().getType()))
+                     .anyMatch(ra -> action == ra.getAction() && ".*".equals(ra.getResource().getName()))
+      );
+    }
   }
 }

sql/src/main/java/org/apache/druid/sql/calcite/planner/DruidPlanner.java

@@ -120,7 +120,7 @@ public ValidationResult validate(final String sql) throws SqlParseException, Val
       throw new ValidationException(e);
     }
     SqlResourceCollectorShuttle resourceCollectorShuttle =
-        new SqlResourceCollectorShuttle(validator, frameworkConfig.getDefaultSchema().getName());
+        new SqlResourceCollectorShuttle(validator, plannerContext);
     validated.accept(resourceCollectorShuttle);
     plannerContext.setResources(resourceCollectorShuttle.getResources());
     return new ValidationResult(resourceCollectorShuttle.getResources());