apache · jon-wei · Oct 9, 2017 · Oct 20, 2017 · Oct 26, 2017 · Oct 26, 2017
diff --git a/distribution/pom.xml b/distribution/pom.xml
@@ -110,6 +110,8 @@
                                 <argument>io.druid.extensions:druid-examples</argument>
                                 <argument>-c</argument>
                                 <argument>io.druid.extensions:simple-client-sslcontext</argument>
+                                <argument>-c</argument>
+                                <argument>io.druid.extensions:druid-basic-security</argument>
                                 <argument>${druid.distribution.pulldeps.opts}</argument>
                             </arguments>
                         </configuration>

diff --git a/docs/content/development/extensions-core/druid-basic-security.md b/docs/content/development/extensions-core/druid-basic-security.md
@@ -0,0 +1,157 @@
+---
+layout: doc_page
+---
+
+# Druid-Basic-Security
+
+This extension adds:
+- an Authenticator which supports [HTTP Basic authentication](https://en.wikipedia.org/wiki/Basic_access_authentication)
+- an Authorizer which implements basic role-based access control
+
+Make sure to [include](../../operations/including-extensions.html) `druid-basic-security` as an extension.
+
+
+## Configuration
+
+
+### Properties
+|Property|Description|Default|required|
+|--------|-----------|-------|--------|
+|`druid.auth.basic.initialAdminPassword`|Password to assign when Druid automatically creates the default admin account. See [Default user accounts](#default-user-accounts) for more information.|"druid"|No|
+|`druid.auth.basic.initialInternalClientPassword`|Password to assign when Druid automatically creates the default admin account. See [Default user accounts](#default-user-accounts) for more information.|"druid"|No|
+
+### Creating an Authenticator
+```
+druid.auth.authenticatorChain=["MyBasicAuthenticator"]
+
+druid.auth.authenticator.MyBasicAuthenticator.type=basic
+```
+
+To use the Basic authenticator, add an authenticator with type `basic` to the authenticatorChain. The example above uses the name "MyBasicAuthenticator" for the Authenticator.
+
+Configuration of the named authenticator is assigned through properties with the form:
+
+```
+druid.auth.authenticator.<authenticatorName>.<authenticatorProperty>
+```
+
+The configuration examples in the rest of this document will use "MyBasicAuthenticator" as the name of the authenticator being configured.
+
+Only one instance of a "basic" type authenticator should be created and used, multiple "basic" authenticator instances are not supported.
+
+#### Properties
+|Property|Description|Default|required|
+|--------|-----------|-------|--------|
+|`druid.auth.authenticator.MyBasicAuthenticator.internalClientUsername`| Username for the internal system user, used for internal node communication|N/A|Yes|
+|`druid.auth.authenticator.MyBasicAuthenticator.internalClientPassword`| Password for the internal system user, used for internal node communication|N/A|Yes|
+|`druid.auth.authenticator.MyBasicAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes|
+
+### Creating an Authorizer
+```
+druid.auth.authorizers=["MyBasicAuthorizer"]
+
+druid.auth.authorizer.MyBasicAuthorizer.type=basic
+```
+
+To use the Basic authorizer, add an authenticator with type `basic` to the authorizers list. The example above uses the name "MyBasicAuthorizer" for the Authorizer.
+
+Configuration of the named authenticator is assigned through properties with the form:
+
+```
+druid.auth.authorizer.<authorizerName>.<authorizerProperty>
+```
+
+The Basic authorizer has no additional configuration properties at this time.
+
+Only one instance of a "basic" type authorizer should be created and used, multiple "basic" authorizer instances are not supported.
+
+
+## Usage
+
+
+### Coordinator Security API
+To use these APIs, a user needs read/write permissions for the CONFIG resource type with name "security".
+
+Root path: `/druid/coordinator/v1/security`
+
+#### User Management
+`GET(/users)`
+Return a list of all user names.
+
+`GET(/users/{userName})`
+Return the name, roles, permissions of the user named {userName}
+
+`POST(/users/{userName})`
+Create a new user with name {userName}
+
+`DELETE(/users/{userName})`
+Delete the user with name {userName}
+
+
+#### User Credentials
+`GET(/credentials/{userName})`
+Return the salt/hash/iterations info used for HTTP basic authentication for {userName}
+
+`POST(/credentials/{userName})`
+Assign a password used for HTTP basic authentication for {userName}
+Content: password string
+
+
+#### Role Creation/Deletion
+`GET(/roles)`
+Return a list of all role names.
+
+`GET(/roles/{roleName})`
+Return name and permissions for the role named {roleName}
+
+`POST(/roles/{roleName})`
+Create a new role with name {roleName}.
+Content: username string
+
+`DELETE(/roles/{roleName})`
+Delete the role with name {roleName}.
+
+
+#### Role Assignment
+`POST(/users/{userName}/roles/{roleName})`
+Assign role {roleName} to user {userName}.
+
+`DELETE(/users/{userName}/roles/{roleName})`
+Unassign role {roleName} from user {userName}
+
+
+#### Permissions
+`POST(/roles/{roleName}/permissions)`
+Create a new permissions and assign them to role named {roleName}.
+Content: List of JSON Resource-Action objects, e.g.:
+```
+[
+{ 
+  resource": {
+    "name": "wiki.*",
+    "type": "DATASOURCE"
+  },
+  "action": "READ"
+},
+{ 
+  resource": {
+    "name": "wikiticker",
+    "type": "DATASOURCE"
+  },
+  "action": "WRITE"
+}
+]
+```
+
+`DELETE(/permissions/{permId})`
+Delete the permission with ID {permId}. Permission IDs are available from the output of individual user/role GET endpoints.
+
+## Default user accounts
+
+By default, an administrator account with full privileges is created with credentials `admin/druid`. The password assigned at account creation can be overridden by setting the `druid.auth.basic.initialAdminPassword` property.
+
+A default internal system user account with full privileges, meant for internal communications between Druid services, is also created with credentials `druid_system/druid`. The password assigned at account creation can be overridden by setting the `druid.auth.basic.initialInternalClientPassword` property.
+
+The values for `druid.authenticator.<authenticatorName>.internalClientUsername` and `druid.authenticator.<authenticatorName>.internalClientPassword` must match the credentials of the internal system user account.
+
+Cluster administrators should change the default passwords for these accounts before exposing a cluster to users.
diff --git a/extensions-core/druid-basic-security/pom.xml b/extensions-core/druid-basic-security/pom.xml
@@ -0,0 +1,78 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<!--
+  ~ Druid - a distributed column store.
+  ~ Copyright 2012 - 2015 Metamarkets Group Inc.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~     http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <modelVersion>4.0.0</modelVersion>
+
+  <groupId>io.druid.extensions</groupId>
+  <artifactId>druid-basic-security</artifactId>
+  <name>druid-basic-security</name>
+  <description>druid-basic-security</description>
+
+  <parent>
+    <groupId>io.druid</groupId>
+    <artifactId>druid</artifactId>
+    <version>0.11.1-SNAPSHOT</version>
+    <relativePath>../../pom.xml</relativePath>
+  </parent>
+
+  <dependencies>
+    <dependency>
+      <groupId>io.druid</groupId>
+      <artifactId>druid-services</artifactId>
+      <version>${project.parent.version}</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>io.druid</groupId>
+      <artifactId>druid-server</artifactId>
+      <version>${project.parent.version}</version>
+      <scope>provided</scope>
+    </dependency>
+    <dependency>
+      <groupId>mysql</groupId>
+      <artifactId>mysql-connector-java</artifactId>
+      <version>5.1.38</version>
+    </dependency>
+    <dependency>
+      <groupId>org.postgresql</groupId>
+      <artifactId>postgresql</artifactId>
+      <version>9.4.1208.jre7</version>
+    </dependency>
+    <dependency>
+      <groupId>org.jdbi</groupId>
+      <artifactId>jdbi</artifactId>
+      <scope>provided</scope>
+    </dependency>
+
+    <!-- Tests -->
+    <dependency>
+      <groupId>junit</groupId>
+      <artifactId>junit</artifactId>
+      <scope>test</scope>
+    </dependency>
+    <dependency>
+      <groupId>org.easymock</groupId>
+      <artifactId>easymock</artifactId>
+      <scope>test</scope>
+    </dependency>
+  </dependencies>
+</project>
diff --git a/...ions-core/druid-basic-security/src/main/java/io/druid/security/basic/BasicAuthConfig.java b/...ions-core/druid-basic-security/src/main/java/io/druid/security/basic/BasicAuthConfig.java
@@ -0,0 +1,41 @@
+/*
+ * Licensed to Metamarkets Group Inc. (Metamarkets) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. Metamarkets licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package io.druid.security.basic;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class BasicAuthConfig
+{
+  @JsonProperty
+  private String initialAdminPassword = "druid";
+
+  @JsonProperty
+  private String initialInternalClientPassword = "druid";
+
+  public String getInitialAdminPassword()
+  {
+    return initialAdminPassword;
+  }
+
+  public String getInitialInternalClientPassword()
+  {
+    return initialInternalClientPassword;
+  }
+}
diff --git a/...sions-core/druid-basic-security/src/main/java/io/druid/security/basic/BasicAuthUtils.java b/...sions-core/druid-basic-security/src/main/java/io/druid/security/basic/BasicAuthUtils.java
@@ -0,0 +1,103 @@
+/*
+ * Licensed to Metamarkets Group Inc. (Metamarkets) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. Metamarkets licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package io.druid.security.basic;
+
+import io.druid.java.util.common.StringUtils;
+import io.druid.java.util.common.logger.Logger;
+
+import javax.crypto.SecretKey;
+import javax.crypto.SecretKeyFactory;
+import javax.crypto.spec.PBEKeySpec;
+import javax.servlet.http.HttpServletRequest;
+import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
+import java.security.spec.InvalidKeySpecException;
+import java.util.Base64;
+
+public class BasicAuthUtils
+{
+  private static final Logger log = new Logger(BasicAuthUtils.class);
+  private static final Base64.Encoder ENCODER = Base64.getEncoder();
+  private static final Base64.Decoder DECODER = Base64.getDecoder();
+  private static final SecureRandom SECURE_RANDOM = new SecureRandom();
+
+
+  public static int SALT_LENGTH = 32;
+  public static int KEY_ITERATIONS = 10000;
+  public static int KEY_LENGTH = 512;
+  public static String ALGORITHM = "PBKDF2WithHmacSHA512";
+
+  public static String getEncodedCredentials(final String unencodedCreds)
+  {
+    return ENCODER.encodeToString(StringUtils.toUtf8(unencodedCreds));
+  }
+
+  public static byte[] hashPassword(final char[] password, final byte[] salt, final int iterations)
+  {
+    try {
+      SecretKeyFactory keyFactory = SecretKeyFactory.getInstance(ALGORITHM);
+      SecretKey key = keyFactory.generateSecret(
+          new PBEKeySpec(
+              password,
+              salt,
+              iterations,
+              KEY_LENGTH
+          )
+      );
+      return key.getEncoded();
+    }
+    catch (InvalidKeySpecException ikse) {
+      log.error("WTF? invalid keyspec");
+      throw new RuntimeException(ikse);
+    }
+    catch (NoSuchAlgorithmException nsae) {
+      log.error("%s not supported on this system.", ALGORITHM);
+      throw new RuntimeException(nsae);
+    }
+  }
+
+  public static byte[] generateSalt()
+  {
+    byte salt[] = new byte[SALT_LENGTH];
+    SECURE_RANDOM.nextBytes(salt);
+    return salt;
+  }
+
+  public static String getBasicUserSecretFromHttpReq(HttpServletRequest httpReq)
+  {
+    try {
+      String authHeader = httpReq.getHeader("Authorization");
+
+      if (authHeader == null) {
+        return null;
+      }
+
+      if (!authHeader.substring(0, 6).equals("Basic ")) {
+        return null;
+      }
+
+      String encodedUserSecret = authHeader.substring(6);
+      return StringUtils.fromUtf8(DECODER.decode(encodedUserSecret));
+    }
+    catch (Exception e) {
+      return null;
+    }
+  }
+}