github-advanced-security[bot] commented on code in PR #19236: URL: https://github.com/apache/druid/pull/19236#discussion_r3013142323
########## indexing-service/src/main/java/org/apache/druid/indexing/common/task/TaskAuthContextProvider.java: ########## 
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.indexing.common.task;
+
+import org.apache.druid.auth.TaskAuthContext;
+import org.apache.druid.guice.annotations.ExtensionPoint;
+import org.apache.druid.server.security.AuthenticationResult;
+
+import javax.annotation.Nullable;
+
+/**
+ * Creates {@link TaskAuthContext} from authentication results during task submission.
+ *
+ * <p>Implementations extract relevant credentials from the {@link AuthenticationResult}
+ * (populated by the Authenticator) and create a TaskAuthContext that will be passed
+ * to the task for use during execution.
+ *
+ * <p>This interface is bound optionally via Guice. If no implementation is configured,
+ * no auth context will be injected into tasks.
+ *
+ * @see TaskAuthContext
+ */
+@ExtensionPoint
+public interface TaskAuthContextProvider
+{
+ /**
+ * Extract auth context from the authentication result for the given task.
+ *
+ * @param authenticationResult the authentication result from the Authenticator,
+ * containing identity and context map with credentials
+ * @param task the task being submitted, can be used to make decisions
+ * based on task type, datasource, etc.
+ * @return TaskAuthContext to inject into the task, or null to skip injection
+ */
+ @Nullable
+ TaskAuthContext createTaskAuthContext(AuthenticationResult authenticationResult, Task task);

Review Comment: ## Useless parameter The parameter 'authenticationResult' is never used. [Show more details](https://github.com/apache/druid/security/code-scanning/10936)
########## indexing-service/src/main/java/org/apache/druid/indexing/common/task/TaskAuthContextProvider.java: ##########
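Review bot: The Javadoc on `createTaskAuthContext` says the returned context carries credentials into the task, but it gives implementers of this `@ExtensionPoint` no handling contract for them. It does not state whether `authenticationResult` may be null, what the submission path does when an implementation throws, or whether the returned `TaskAuthContext` can reach the serialized task payload or task logs; none of that is visible in this hunk, so it should be confirmed against the caller. I would extend the method Javadoc with a sentence such as `Implementations should copy only the credentials the task needs and must not log them.` and add an `@throws` or a sentence describing the failure behaviour once it is known. The same quoted hunk appears a second time further down this message and the note applies there too; the interface's closing brace lies outside the quoted hunk.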
@@ -0,0 +1,54 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.indexing.common.task;
+
+import org.apache.druid.auth.TaskAuthContext;
+import org.apache.druid.guice.annotations.ExtensionPoint;
+import org.apache.druid.server.security.AuthenticationResult;
+
+import javax.annotation.Nullable;
+
+/**
+ * Creates {@link TaskAuthContext} from authentication results during task submission.
+ *
+ * <p>Implementations extract relevant credentials from the {@link AuthenticationResult}
+ * (populated by the Authenticator) and create a TaskAuthContext that will be passed
+ * to the task for use during execution.
+ *
+ * <p>This interface is bound optionally via Guice. If no implementation is configured,
+ * no auth context will be injected into tasks.
+ *
+ * @see TaskAuthContext
+ */
+@ExtensionPoint
+public interface TaskAuthContextProvider
+{
+ /**
+ * Extract auth context from the authentication result for the given task.
+ *
+ * @param authenticationResult the authentication result from the Authenticator,
+ * containing identity and context map with credentials
+ * @param task the task being submitted, can be used to make decisions
+ * based on task type, datasource, etc.
+ * @return TaskAuthContext to inject into the task, or null to skip injection
+ */
+ @Nullable
+ TaskAuthContext createTaskAuthContext(AuthenticationResult authenticationResult, Task task);

Review Comment: ## Useless parameter The parameter 'task' is never used. [Show more details](https://github.com/apache/druid/security/code-scanning/10937)
########## indexing-service/src/test/java/org/apache/druid/indexing/overlord/http/OverlordResourceAuthContextTest.java: ##########
@@ -0,0 +1,226 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.indexing.overlord.http;
+
+import com.google.common.base.Optional;
+import org.apache.druid.audit.AuditManager;
+import org.apache.druid.auth.TaskAuthContext;
+import org.apache.druid.common.config.JacksonConfigManager;
+import org.apache.druid.indexing.common.task.NoopTask;
+import org.apache.druid.indexing.overlord.DruidOverlord;
+import org.apache.druid.indexing.overlord.IndexerMetadataStorageAdapter;
+import org.apache.druid.indexing.overlord.TaskMaster;
+import org.apache.druid.indexing.overlord.TaskQueryTool;
+import org.apache.druid.indexing.overlord.TaskQueue;
+import org.apache.druid.indexing.overlord.TaskRunner;
+import org.apache.druid.indexing.overlord.WorkerTaskRunnerQueryAdapter;
+import org.apache.druid.server.security.Access;
+import org.apache.druid.server.security.Action;
+import org.apache.druid.server.security.AuthConfig;
+import org.apache.druid.server.security.AuthenticationResult;
+import org.apache.druid.server.security.Authorizer;
+import org.apache.druid.server.security.AuthorizerMapper;
+import org.apache.druid.server.security.Resource;
+import org.easymock.EasyMock;
+import org.junit.After;
+import org.junit.Assert;
+import org.junit.Before;
+import org.junit.Test;
+
+import javax.annotation.Nullable;
+import javax.servlet.http.HttpServletRequest;
+import java.util.Map;
+
+public class OverlordResourceAuthContextTest
+{
+ private OverlordResource overlordResource;
+ private TaskMaster taskMaster;
+ private TaskQueue taskQueue;
+ private TaskRunner taskRunner;
+ private HttpServletRequest req;
+ private AuthConfig authConfig;
+ private DruidOverlord overlord;
+ private JacksonConfigManager configManager;
+ private AuditManager auditManager;
+ private WorkerTaskRunnerQueryAdapter workerTaskRunnerQueryAdapter;
+
+ @Before
+ public void setUp()
+ {
+ taskRunner = EasyMock.createMock(TaskRunner.class);
+ taskQueue = EasyMock.createStrictMock(TaskQueue.class);
+ taskMaster = EasyMock.createStrictMock(TaskMaster.class);
+ overlord = EasyMock.createStrictMock(DruidOverlord.class);
+ configManager = EasyMock.createMock(JacksonConfigManager.class);
+ auditManager = EasyMock.createMock(AuditManager.class);
+ authConfig = EasyMock.createMock(AuthConfig.class);
+ req = EasyMock.createStrictMock(HttpServletRequest.class);
+ workerTaskRunnerQueryAdapter = EasyMock.createStrictMock(WorkerTaskRunnerQueryAdapter.class);
+
+ EasyMock.expect(taskMaster.getTaskRunner()).andReturn(Optional.of(taskRunner)).anyTimes();
+
+ AuthorizerMapper authMapper = new AuthorizerMapper(null)
+ {
+ @Override
+ public Authorizer getAuthorizer(String name)
+ {
+ return (AuthenticationResult authenticationResult, Resource resource, Action action) ->
+ new Access(true);

Review Comment: ## Deprecated method or constructor invocation Invoking [Access.Access](1) should be avoided because it has been deprecated. [Show more details](https://github.com/apache/druid/security/code-scanning/10938)
-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
