Basic auth extension

[jon-wei]

This PR adds an extension that provides implementations of the auth interfaces introduced in #4271 :

• an Authenticator which supports HTTP Basic authentication
• an Authorizer which implements basic role-based access control

[fjy]

👍

[gianm]

@jon-wei please merge from master if you haven't recently; I hope that will fix the VM crash we got during CI.

[jon-wei]

Making some modifications to this re: password initialization, marking WIP

[jihoonson]

Reviewed up to SQLBasicSecurityStorageConnector.

[jihoonson]

mysql-metadata-storage also has this dependency of the same version. Did you intentionally specify these versions separately? Similar comment on the dependency on postgresql below.

[jon-wei]

Hm, moved the mysql/postgres versions to the main druid pom.xml, changed these to reference those versions

[jihoonson]

Please removes the hyphens.

[jon-wei]

Removed hyphens

[jihoonson]

Please add some java doc and unit tests.

[jon-wei]

Added javadoc and tests

[jihoonson]

This always returns false. Is this for any user-defined subclasses?

[jon-wei]

I copied this from SQLMetadataConnector initially, I think that was the intent, this is now in the common BaseSQLMetadataConnector class

[jihoonson]

Please remove unused method.

[jon-wei]

removed

[jihoonson]

Please remove unused variable.

[jon-wei]

Removed

[jihoonson]

Any error message like 'null authenticationResult'?

[jon-wei]

I changed this to throw an IAE, the authenticationResult should never be null here and indicates a bug if it is

[jihoonson]

Similar comment. 'Cannot find an authorization name for authenticationResult.getIdentity()'?

[jon-wei]

I decided to remove the authentication name -> authorization name features, felt like the benefit (possibly avoiding cases where two user accounts are essentially the same with a different name) wasn't worth the added complexity, so this block is gone now

[jihoonson]

Similar comment. Maybe 'permission denied'?

[jon-wei]

hm, I think that's a bit redundant in this case, since Access(false) already directly expresses an authorization denial

[jihoonson]

Hmm, do you have any performance benchmark result? I'm not sure how this is fast enough.

[jon-wei]

Not yet, I'll run some shortly

[jihoonson]

VARCHAR(255)?

[jon-wei]

fixed, thanks

[jihoonson]

Maybe better to return a map containing the exception?

[jon-wei]

Made this propagate the exception since it should never happen under any normal conditions

[jihoonson]

Should be the camel case or simply return without defining a variable.

[jon-wei]

Changed this and similar places to return without defining a variable

[jihoonson]

Should be the camel case or simply return without defining a variable.

[jihoonson]

Please break the line.

[jon-wei]

This is method is deleted now since I removed the name mapping table

[jihoonson]

What do you think about making all non get* methods to return the result indicating success or failure? For example, delete* methods return the number of deleted rows. It may be useful for operators to reduce mistakes.

[jihoonson]

Or maybe it's better to create a new super class which both SQLMetadataConnector and this class extend.

[jihoonson]

Looks not being used.

[jon-wei]

Removed unused class, the Derby implementation now uses MetadataStorage

[jihoonson]

Looks not being used.

[jon-wei]

It's not instantiated directly, but the class is bound in BasicSecurityDruidModule:

    PolyBind.optionBinder(binder, Key.get(BasicSecurityStorageConnector.class))
            .addBinding("derby")
            .to(DerbySQLBasicSecurityStorageConnector.class)
            .in(ManageLifecycle.class);

    PolyBind.optionBinder(binder, Key.get(SQLBasicSecurityStorageConnector.class))
            .addBinding("derby")
            .to(DerbySQLBasicSecurityStorageConnector.class)
            .in(ManageLifecycle.class);

[jihoonson]

Ah ok.

[jihoonson]

bail -> fail?

[jon-wei]

"bail" is used here in the sense of "abandon what it's doing"

[jihoonson]

The latest patch looks good to me. I have one question.

[jihoonson]

What does the "InTransaction" suffix mean in this and below methods?

[jon-wei]

It's referring to how they're called from within the DB transactions, for example:

    getDBI().inTransaction(
        new TransactionCallback<Void>()
        {
          @Override
          public Void inTransaction(Handle handle, TransactionStatus transactionStatus) throws Exception
          {

[jihoonson]

Thanks for the explanation. I was confused with its name. It sounds to me like getUserCount() is executed in a transaction. I think just getUserCount() is fine.

[jon-wei]

Cool, I changed the names to remove "inTransaction"

[jon-wei]

@jihoonson I added a RegexMatchBenchmark for benchmarking regex pattern compilation and matching, these are the results I'm seeing on my macbook:

# Run complete. Total time: 00:06:22

Benchmark                                                   (numPatterns)  Mode  Cnt       Score      Error  Units
RegexMatchBenchmark.compileGranularityPathRegex                    100000  avgt   25  176488.968 ± 2731.548  us/op
RegexMatchBenchmark.compileGranularityPathRegexAndMatch            100000  avgt   25  196734.506 ± 6023.698  us/op
RegexMatchBenchmark.compileUUIDRegex                               100000  avgt   25   62557.928 ± 1232.438  us/op
RegexMatchBenchmark.compileUUIDRegexAndMatch                       100000  avgt   25   98763.608 ± 2052.479  us/op
RegexMatchBenchmark.compileUUIDsAsRegex                            100000  avgt   25   74987.953 ± 1011.895  us/op
RegexMatchBenchmark.compileUUIDsAsRegexAndMatchRandomUUID          100000  avgt   25   79894.899 ± 1000.825  us/op
RegexMatchBenchmark.deserializeGranularityPathRegex                100000  avgt   25  233961.684 ± 2421.426  us/op
RegexMatchBenchmark.deserializeUUIDRegex                           100000  avgt   25  107444.061 ± 1850.141  us/op
RegexMatchBenchmark.precompileGranularityPathRegexAndMatch         100000  avgt   25   19848.358 ±  312.136  us/op
RegexMatchBenchmark.precompileUUIDRegexAndMatch                    100000  avgt   25   29987.644 ±  407.776  us/op

Roughly, with the test regexes used in that benchmark (one for UUID strings, and a more complex one taken from Granularity), compile + match takes ~2us or lower.

Deserializing a byte[] representation of a Pattern using DefaultObjectMapper is also slower than recompiling the pattern from the regex string.

[jihoonson]

@jon-wei thanks for sharing the benchmark result. I was concerned with the performance because BasicRoleBasedAuthorizer.permissionCheck() always compile a new pattern for each permissionResourceName. This method may become slow as the number of resourceAction increases. Do you have any better idea? Maybe caching compiled patterns?

[jon-wei]

@jihoonson I added a cache for the compiled regex patterns

[jihoonson]

@jon-wei thanks for the quick fix!

[gianm]

Link to the docs for Authenticator and Authorizer (druid's auth.md) -- otherwise, if a user comes in to this page first, they will be lost.

[gianm]

This isn't related to the authenticator or authorizer? That seems strange to me.

[gianm]

What happens if you configure more than one?

[gianm]

What happens if you configure more than one?

[gianm]

This section of the doc looks like it applies to all authorizers and should be part of Druid's auth.md.

[gianm]

The permissionPatternCache won't be needed if all permissions details are cached -- since the permission objects would be long-lived and could contain their own compiled Patterns.

[gianm]

Same comment as in the Authorizer: we need to avoid hitting the DB here.

[gianm]

Similar -- need to avoid hitting the DB.

[gianm]

IMO, this should be optional -- superuser may use a different authenticator.

[gianm]

IMO, this should be optional -- internal may use a different authenticator.

[jon-wei]

closing this in favor of #5099