apache · kfaraz · Dec 19, 2023 · Dec 4, 2023 · Dec 4, 2023 · Dec 4, 2023
diff --git a/...a/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java b/...a/org/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResource.java
@@ -22,6 +22,9 @@
 import com.fasterxml.jackson.jaxrs.smile.SmileMediaTypes;
 import com.google.inject.Inject;
 import com.sun.jersey.spi.container.ResourceFilters;
+import org.apache.druid.audit.AuditEvent;
+import org.apache.druid.audit.AuditInfo;
+import org.apache.druid.audit.AuditManager;
 import org.apache.druid.guice.LazySingleton;
 import org.apache.druid.security.basic.BasicSecurityResourceFilter;
 import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
@@ -30,30 +33,36 @@
 import javax.servlet.http.HttpServletRequest;
 import javax.ws.rs.Consumes;
 import javax.ws.rs.DELETE;
+import javax.ws.rs.DefaultValue;
 import javax.ws.rs.GET;
+import javax.ws.rs.HeaderParam;
 import javax.ws.rs.POST;
 import javax.ws.rs.Path;
 import javax.ws.rs.PathParam;
 import javax.ws.rs.Produces;
 import javax.ws.rs.core.Context;
 import javax.ws.rs.core.MediaType;
 import javax.ws.rs.core.Response;
+import java.util.Collections;
 
 @Path("/druid-ext/basic-security/authentication")
 @LazySingleton
 public class BasicAuthenticatorResource
 {
   private final BasicAuthenticatorResourceHandler handler;
   private final AuthValidator authValidator;
+  private final AuditManager auditManager;
 
   @Inject
   public BasicAuthenticatorResource(
       BasicAuthenticatorResourceHandler handler,
-      AuthValidator authValidator
+      AuthValidator authValidator,
+      AuditManager auditManager
   )
   {
     this.handler = handler;
     this.authValidator = authValidator;
+    this.auditManager = auditManager;
   }
 
   /**
@@ -147,11 +156,21 @@
   public Response createUser(
       @Context HttpServletRequest req,
       @PathParam("authenticatorName") final String authenticatorName,
-      @PathParam("userName") String userName
+      @PathParam("userName") String userName,
+      @HeaderParam(AuditManager.X_DRUID_AUTHOR) @DefaultValue("") final String author,
+      @HeaderParam(AuditManager.X_DRUID_COMMENT) @DefaultValue("") final String comment
   )
   {
     authValidator.validateAuthenticatorName(authenticatorName);
-    return handler.createUser(authenticatorName, userName);
+
+    final Response response = handler.createUser(authenticatorName, userName);
+
+    if (isSuccess(response)) {
+      final AuditInfo auditInfo = new AuditInfo(author, comment, req.getRemoteAddr());
+      performAudit(authenticatorName, "users.create", Collections.singletonMap("username", userName), auditInfo);
+    }
+
+    return response;
   }
 
   /**
@@ -170,11 +189,20 @@
   public Response deleteUser(
       @Context HttpServletRequest req,
       @PathParam("authenticatorName") final String authenticatorName,
-      @PathParam("userName") String userName
+      @PathParam("userName") String userName,
+      @HeaderParam(AuditManager.X_DRUID_AUTHOR) @DefaultValue("") final String author,
+      @HeaderParam(AuditManager.X_DRUID_COMMENT) @DefaultValue("") final String comment
   )
   {
     authValidator.validateAuthenticatorName(authenticatorName);
-    return handler.deleteUser(authenticatorName, userName);
+    final Response response = handler.deleteUser(authenticatorName, userName);
+
+    if (isSuccess(response)) {
+      final AuditInfo auditInfo = new AuditInfo(author, comment, req.getRemoteAddr());
+      performAudit(authenticatorName, "users.delete", Collections.singletonMap("username", userName), auditInfo);
+    }
+
+    return response;
   }
 
   /**
@@ -194,11 +222,20 @@
       @Context HttpServletRequest req,
       @PathParam("authenticatorName") final String authenticatorName,
       @PathParam("userName") String userName,
-      BasicAuthenticatorCredentialUpdate update
+      BasicAuthenticatorCredentialUpdate update,
+      @HeaderParam(AuditManager.X_DRUID_AUTHOR) @DefaultValue("") final String author,
+      @HeaderParam(AuditManager.X_DRUID_COMMENT) @DefaultValue("") final String comment
   )
   {
     authValidator.validateAuthenticatorName(authenticatorName);
-    return handler.updateUserCredentials(authenticatorName, userName, update);
+    final Response response = handler.updateUserCredentials(authenticatorName, userName, update);
+
+    if (isSuccess(response)) {
+      final AuditInfo auditInfo = new AuditInfo(author, comment, req.getRemoteAddr());
+      performAudit(authenticatorName, "users.update", Collections.singletonMap("username", userName), auditInfo);
+    }
+
+    return response;
   }
 
   /**
@@ -229,7 +266,7 @@
  @Consumes(MediaType.APPLICATION_JSON)
  @ResourceFilters(BasicSecurityResourceFilter.class)
  public Response authenticatorUpdateListener(
      @Context HttpServletRequest req,
      @PathParam("authenticatorName") final String authenticatorName,
      byte[] serializedUserMap
  )
@@ -237,4 +274,26 @@
     authValidator.validateAuthenticatorName(authenticatorName);
     return handler.authenticatorUserUpdateListener(authenticatorName, serializedUserMap);
   }
+
+  private boolean isSuccess(Response response)
+  {
+    if (response == null) {
+      return false;
+    }
+
+    int responseCode = response.getStatus();
+    return responseCode >= 200 && responseCode < 300;
+  }
+
+  private void performAudit(String authenticatorName, String action, Object payload, AuditInfo auditInfo)
+  {
+    auditManager.doAudit(
+        AuditEvent.builder()
+                  .key(authenticatorName)
+                  .type(action)
+                  .auditInfo(auditInfo)
+                  .payload(payload)
+                  .build()
+    );
+  }
 }
diff --git a/...a/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java b/...a/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java
@@ -23,6 +23,7 @@
 import com.fasterxml.jackson.dataformat.smile.SmileFactory;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import org.apache.druid.audit.AuditManager;
 import org.apache.druid.metadata.DefaultPasswordProvider;
 import org.apache.druid.metadata.MetadataStorageTablesConfig;
 import org.apache.druid.metadata.TestDerbyConnector;
@@ -68,6 +69,9 @@
 
   @Mock
   private AuthValidator authValidator;
+
+  @Mock
+  private AuditManager auditManager;
   private BasicAuthenticatorResource resource;
   private CoordinatorBasicAuthenticatorMetadataStorageUpdater storageUpdater;
   private HttpServletRequest req;
@@ -83,7 +87,7 @@
    MetadataStorageTablesConfig tablesConfig = derbyConnectorRule.metadataTablesConfigSupplier().get();
    connector.createConfigTable();

    ObjectMapper objectMapper = new ObjectMapper(new SmileFactory());

    AuthenticatorMapper authenticatorMapper = new AuthenticatorMapper(
        ImmutableMap.of(
@@ -145,7 +149,8 @@
             authenticatorMapper,
             objectMapper
         ),
-        authValidator
+        authValidator,
+        auditManager
     );
 
     storageUpdater.start();
@@ -175,9 +180,9 @@
     Assert.assertEquals(200, response.getStatus());
     Assert.assertEquals(ImmutableSet.of(BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.INTERNAL_USER_NAME), response.getEntity());
 
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid");
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid2");
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid3");
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid2", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid3", null, null);
 
     Set<String> expectedUsers = ImmutableSet.of(
         BasicAuthUtils.ADMIN_NAME,
@@ -215,13 +220,13 @@
     Assert.assertEquals(200, response.getStatus());
     Assert.assertEquals(ImmutableSet.of(BasicAuthUtils.ADMIN_NAME, BasicAuthUtils.INTERNAL_USER_NAME), response.getEntity());
 
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid");
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid2");
-    resource.createUser(req, AUTHENTICATOR_NAME, "druid3");
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid2", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME, "druid3", null, null);
 
-    resource.createUser(req, AUTHENTICATOR_NAME2, "druid4");
-    resource.createUser(req, AUTHENTICATOR_NAME2, "druid5");
-    resource.createUser(req, AUTHENTICATOR_NAME2, "druid6");
+    resource.createUser(req, AUTHENTICATOR_NAME2, "druid4", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME2, "druid5", null, null);
+    resource.createUser(req, AUTHENTICATOR_NAME2, "druid6", null, null);
 
     Set<String> expectedUsers = ImmutableSet.of(
         BasicAuthUtils.ADMIN_NAME,
@@ -285,15 +290,15 @@
   @Test
   public void testCreateDeleteUser()
   {
-    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid");
+    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid", null, null);
     Assert.assertEquals(200, response.getStatus());
 
     response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
     Assert.assertEquals(200, response.getStatus());
     BasicAuthenticatorUser expectedUser = new BasicAuthenticatorUser("druid", null);
     Assert.assertEquals(expectedUser, response.getEntity());
 
-    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
+    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid", null, null);
     Assert.assertEquals(200, response.getStatus());
 
     response = resource.getCachedSerializedUserMap(req, AUTHENTICATOR_NAME);
@@ -303,7 +308,7 @@
     Assert.assertNotNull(cachedUserMap);
     Assert.assertNull(cachedUserMap.get("druid"));
 
-    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
+    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid", null, null);
     Assert.assertEquals(400, response.getStatus());
     Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());
 
@@ -315,14 +320,15 @@
   @Test
   public void testUserCredentials()
   {
-    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid");
+    Response response = resource.createUser(req, AUTHENTICATOR_NAME, "druid", null, null);
     Assert.assertEquals(200, response.getStatus());
 
     response = resource.updateUserCredentials(
         req,
         AUTHENTICATOR_NAME,
         "druid",
-        new BasicAuthenticatorCredentialUpdate("helloworld", null)
+        new BasicAuthenticatorCredentialUpdate("helloworld", null),
+        null, null
     );
     Assert.assertEquals(200, response.getStatus());
 
@@ -369,7 +375,7 @@
     );
     Assert.assertArrayEquals(recalculatedHash, hash);
 
-    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid");
+    response = resource.deleteUser(req, AUTHENTICATOR_NAME, "druid", null, null);
     Assert.assertEquals(200, response.getStatus());
 
     response = resource.getUser(req, AUTHENTICATOR_NAME, "druid");
@@ -380,7 +386,8 @@
         req,
         AUTHENTICATOR_NAME,
         "druid",
-        new BasicAuthenticatorCredentialUpdate("helloworld", null)
+        new BasicAuthenticatorCredentialUpdate("helloworld", null),
+        null, null
     );
     Assert.assertEquals(400, response.getStatus());
     Assert.assertEquals(errorMapWithMsg("User [druid] does not exist."), response.getEntity());

diff --git a/...g/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceTest.java b/...g/apache/druid/security/basic/authentication/endpoint/BasicAuthenticatorResourceTest.java
@@ -58,7 +58,7 @@ public void setUp()
            .when(authValidator)
            .validateAuthenticatorName(INVALID_AUTHENTICATOR_NAME);
 
-    target = new BasicAuthenticatorResource(handler, authValidator);
+    target = new BasicAuthenticatorResource(handler, authValidator, null);
   }
 
   @Test
@@ -88,37 +88,37 @@ public void getCachedSerializedUserMapWithInvalidAuthenticatorNameShouldReturnEx
   @Test
   public void updateUserCredentialsShouldReturnExpectedResponse()
   {
-    Assert.assertNotNull(target.updateUserCredentials(req, AUTHENTICATOR_NAME, USER_NAME, update));
+    Assert.assertNotNull(target.updateUserCredentials(req, AUTHENTICATOR_NAME, USER_NAME, update, null, null));
   }
 
   @Test(expected = IllegalArgumentException.class)
   public void updateUserCredentialsWithInvalidAuthenticatorNameShouldReturnExpectedResponse()
   {
-    target.updateUserCredentials(req, INVALID_AUTHENTICATOR_NAME, USER_NAME, update);
+    target.updateUserCredentials(req, INVALID_AUTHENTICATOR_NAME, USER_NAME, update, null, null);
   }
 
   @Test
   public void deleteUserShouldReturnExpectedResponse()
   {
-    Assert.assertNotNull(target.deleteUser(req, AUTHENTICATOR_NAME, USER_NAME));
+    Assert.assertNotNull(target.deleteUser(req, AUTHENTICATOR_NAME, USER_NAME, null, null));
   }
 
   @Test(expected = IllegalArgumentException.class)
   public void deleteUserWithInvalidAuthenticatorNameShouldReturnExpectedResponse()
   {
-    target.deleteUser(req, INVALID_AUTHENTICATOR_NAME, USER_NAME);
+    target.deleteUser(req, INVALID_AUTHENTICATOR_NAME, USER_NAME, null, null);
   }
 
   @Test
   public void createUserShouldReturnExpectedResponse()
   {
-    Assert.assertNotNull(target.createUser(req, AUTHENTICATOR_NAME, USER_NAME));
+    Assert.assertNotNull(target.createUser(req, AUTHENTICATOR_NAME, USER_NAME, null, null));
   }
 
   @Test(expected = IllegalArgumentException.class)
   public void createUserWithInvalidAuthenticatorNameShouldReturnExpectedResponse()
   {
-    target.createUser(req, INVALID_AUTHENTICATOR_NAME, USER_NAME);
+    target.createUser(req, INVALID_AUTHENTICATOR_NAME, USER_NAME, null, null);
   }
 
   @Test