This is an automated email from the ASF dual-hosted git repository.

kfaraz pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git


The following commit(s) were added to refs/heads/master by this push:
     new 277e3dc86a3 Fix bug in basic authorizer auditing and add embedded test 
(#18688)
277e3dc86a3 is described below

commit 277e3dc86a3dfb57980ef3f3f4ff88de382d2e79
Author: Kashif Faraz <[email protected]>
AuthorDate: Thu Oct 23 17:40:30 2025 +0530

    Fix bug in basic authorizer auditing and add embedded test (#18688)
    
    Bug:
    #17916 introduced a bug where audit log entries are created when a change 
made to authorizer roles
    and permissions is synced from the Coordinator to other services.
    Audit entries should not be created in the /listen APIs and should be 
created only by the Coordinator.
    
    Changes:
    * Revert changes in #17916
    * Add embedded test for basic authorizer auditing
---
 .../testing/embedded/auth/BasicAuthAuditTest.java  | 93 ++++++++++++++++++++++
 .../endpoint/BasicAuthorizerResource.java          | 16 +---
 2 files changed, 96 insertions(+), 13 deletions(-)

diff --git 
a/embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthAuditTest.java
 
b/embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthAuditTest.java
new file mode 100644
index 00000000000..55429a341b6
--- /dev/null
+++ 
b/embedded-tests/src/test/java/org/apache/druid/testing/embedded/auth/BasicAuthAuditTest.java
@@ -0,0 +1,93 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *   http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied.  See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+
+package org.apache.druid.testing.embedded.auth;
+
+import org.apache.druid.audit.AuditEntry;
+import org.apache.druid.audit.AuditManager;
+import org.apache.druid.java.util.common.StringUtils;
+import org.apache.druid.testing.embedded.EmbeddedBroker;
+import org.apache.druid.testing.embedded.EmbeddedCoordinator;
+import org.apache.druid.testing.embedded.EmbeddedDruidCluster;
+import org.apache.druid.testing.embedded.EmbeddedHistorical;
+import org.apache.druid.testing.embedded.EmbeddedIndexer;
+import org.apache.druid.testing.embedded.EmbeddedOverlord;
+import org.apache.druid.testing.embedded.EmbeddedRouter;
+import org.apache.druid.testing.embedded.junit5.EmbeddedClusterTestBase;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.List;
+
+/**
+ * Tests to verify audit logging done for basic authorizer.
+ */
+public class BasicAuthAuditTest extends EmbeddedClusterTestBase
+{
+  private final EmbeddedBroker broker = new EmbeddedBroker();
+  private final EmbeddedIndexer indexer = new 
EmbeddedIndexer().addProperty("druid.worker.capacity", "25");
+  private final EmbeddedOverlord overlord = new EmbeddedOverlord();
+  private final EmbeddedHistorical historical = new EmbeddedHistorical();
+  private final EmbeddedCoordinator coordinator = new EmbeddedCoordinator();
+
+  private SecurityClient securityClient;
+
+  @Override
+  public EmbeddedDruidCluster createCluster()
+  {
+    return EmbeddedDruidCluster
+        .withEmbeddedDerbyAndZookeeper()
+        .addResource(new EmbeddedBasicAuthResource())
+        .useLatchableEmitter()
+        .addServer(coordinator)
+        .addServer(overlord)
+        .addServer(indexer)
+        .addServer(historical)
+        .addServer(broker)
+        .addServer(new EmbeddedRouter())
+        .addCommonProperty("druid.auth.basic.common.pollingPeriod", "10");
+  }
+
+  @BeforeAll
+  public void setupClient()
+  {
+    securityClient = new SecurityClient(cluster.callApi().serviceClient());
+  }
+
+  @Test
+  public void test_createRole_createsSingleAuditEntry() throws Exception
+  {
+    securityClient.createAuthorizerRole(dataSource);
+
+    // Wait for all services to be synced
+    Thread.sleep(100L);
+
+    final List<AuditEntry> entries = 
coordinator.bindings().getInstance(AuditManager.class).fetchAuditHistory(
+        "basic",
+        "basic.authorizer",
+        100
+    );
+    Assertions.assertEquals(1, entries.size());
+    Assertions.assertEquals(
+        StringUtils.format("\"Create role[%s]\"", dataSource),
+        entries.get(0).getPayload().serialized()
+    );
+  }
+}
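Review bot: The fixed `Thread.sleep(100L)` in `test_createRole_createsSingleAuditEntry` lets the test pass even when the sync has not yet reached the other services, in which case `Assertions.assertEquals(1, entries.size())` holds whether or not the /listen handlers still write audit entries. The regression is only caught if every service has processed the update before `fetchAuditHistory` is called, so the wait should be tied to an observable condition (for example, polling until the new role is visible on a non-Coordinator service, or a latch on the emitter enabled by `useLatchableEmitter()`) rather than to elapsed time. The test also covers only role creation; the group-mapping listener changed in this commit does not appear to be exercised, and a second case asserting a single entry after a group-mapping change would close that gap.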
diff --git 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java
 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java
index 4f3728fc06c..e759b19d569 100644
--- 
a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java
+++ 
b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authorization/endpoint/BasicAuthorizerResource.java
@@ -610,7 +610,6 @@ public class BasicAuthorizerResource
     return resourceHandler.getCachedGroupMappingMaps(authorizerName);
   }
 
-
   /**
    * Listen for update notifications for the user auth storage
    * @deprecated  path /listen/{authorizerName} is to replaced by 
/listen/users/{authorizerName}
@@ -630,10 +629,7 @@ public class BasicAuthorizerResource
   {
     authValidator.validateAuthorizerName(authorizerName);
 
-    final Response response = 
resourceHandler.authorizerUserUpdateListener(authorizerName, 
serializedUserAndRoleMap);
-    performAuditIfSuccess(authorizerName, req, response, "Update user 
authorization for authorizer[%s]", authorizerName);
-
-    return response;
+    return resourceHandler.authorizerUserUpdateListener(authorizerName, 
serializedUserAndRoleMap);
   }
 
   /**
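Review bot: The listener now returns the handler response directly, but nothing at the call site records why auditing is deliberately absent, which is how #17916 came to add it. A short comment above the return would guard against a repeat, e.g. `// No audit entry here: this is a sync pushed by the Coordinator, which has already audited the original change.`; the same applies to the two listener methods in the hunks at -652 and -674. The method signatures are outside the hunks, so it is worth checking whether the `req` parameter previously passed to `performAuditIfSuccess` is still used in these three methods. With no audit trail on these endpoints, restricting /listen to internal callers is the only control on who can push authorizer state, and the hunk does not show how that restriction is enforced.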
@@ -652,10 +648,7 @@ public class BasicAuthorizerResource
   {
     authValidator.validateAuthorizerName(authorizerName);
 
-    final Response response = 
resourceHandler.authorizerUserUpdateListener(authorizerName, 
serializedUserAndRoleMap);
-    performAuditIfSuccess(authorizerName, req, response, "Update authorization 
for authorizer[%s]", authorizerName);
-
-    return response;
+    return resourceHandler.authorizerUserUpdateListener(authorizerName, 
serializedUserAndRoleMap);
   }
 
   /**
@@ -674,10 +667,7 @@ public class BasicAuthorizerResource
   {
     authValidator.validateAuthorizerName(authorizerName);
 
-    final Response response = 
resourceHandler.authorizerGroupMappingUpdateListener(authorizerName, 
serializedGroupMappingAndRoleMap);
-    performAuditIfSuccess(authorizerName, req, response, "Update group 
mappings for authorizer[%s]", authorizerName);
-
-    return response;
+    return 
resourceHandler.authorizerGroupMappingUpdateListener(authorizerName, 
serializedGroupMappingAndRoleMap);
   }
 
   private boolean isSuccess(Response response)

