
Basic Security extension support

Open l2dy opened this issue 4 years ago • 9 comments

It would be nice to add support for the Basic Security extension.

Previously mentioned in #88.

l2dy avatar Mar 09 '20 03:03 l2dy

plywood-druid-requester has support for basic-auth.

https://github.com/implydata/plywood-druid-requester/blob/v2.6.2/src/druidRequester.ts#L102-L108

l2dy avatar Apr 17 '20 11:04 l2dy

@mkuthan could you chime in?

adrianmroz avatar Apr 21 '20 11:04 adrianmroz

@l2dy - what kind of authentication scenario would be expected:

  1. Authentication between the Turnilo server and the Druid broker only. Access to Turnilo for end-users stays unauthenticated, as it is now. For this scenario, all end-user requests will be impersonated using credentials defined in the Turnilo configuration file.

  2. Fully authenticated access to Turnilo. Turnilo will present the basic auth browser dialog and forward the credentials provided by the end-user to the Druid broker.

I would prefer option 1) as a starting point:

  • should be easy to implement
  • browser dialog for basic auth is far from usable, and what is worse, the user is not able to change credentials easily

mkuthan avatar Apr 22 '20 08:04 mkuthan

> I would prefer option 1) as a starting point:
>
>   • should be easy to implement
>   • browser dialog for basic auth is far from usable, and what is worse, the user is not able to change credentials easily

1) works for me. I could add an authenticating HTTP proxy in front of Turnilo, which is more flexible than putting credentials in the configuration file.

l2dy avatar Apr 22 '20 10:04 l2dy

> 1) works for me. I could add an authenticating HTTP proxy in front of Turnilo, which is more flexible than putting credentials in the configuration file.

More specifically, (1) + data-cube level access, which is already implemented in aa1947d6c4c16b355e7362ff5867538c0d6af637.

l2dy avatar May 20 '20 10:05 l2dy

If we place an authentication proxy in front of Turnilo to auth end-users, is there a means to configure Turnilo to only accept requests from the proxy? We have some end-users who have bookmarked the URL to the physical Turnilo server, which bypasses auth. Thanks for the help.

jmbowles avatar Jun 05 '20 12:06 jmbowles

> If we place an authentication proxy in front of Turnilo to auth end-users, is there a means to configure Turnilo to only accept requests from the proxy? We have some end-users who have bookmarked the URL to the physical Turnilo server, which bypasses auth. Thanks for the help.

@jmbowles You could use the system firewall, or the recently implemented plugin system in Turnilo (see #666).

l2dy avatar Dec 01 '20 03:12 l2dy

Yeah, right now you have two entry points for your code in Turnilo.

You can define a plugin which has access to the underlying Express application. We are using it internally: we catch all requests and check for an auth token, and if it is not present we redirect the user to the authorisation page. This is still an experimental feature; we will release documentation and the final version soon. If you want to try it with us, start a thread on Slack.

You can also define a request decorator for all Druid queries. The decorator can add any header, and by extension an Authorization header with basic HTTP credentials. One issue is that you can't pass any dynamic context to the decorator function, only a static object defined in config.

adrianmroz avatar Dec 01 '20 08:12 adrianmroz
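
The request gate described in the comment above (catch every request, check for a token, redirect when it is missing), combined with the earlier requirement that only the authenticating proxy be accepted, as an added example that is not Turnilo's or any commenter's code. It is a plain Express-style middleware; the option names, the header name and the way a Turnilo plugin would register it are assumptions.

```javascript
// Added example: Express-style middleware, not Turnilo's own plugin code.
const crypto = require("node:crypto");

// Compare secrets in constant time; hashing first equalises the lengths,
// which crypto.timingSafeEqual requires.
function secretsMatch(presented, expected) {
  const h = (s) => crypto.createHash("sha256").update(String(s)).digest();
  return crypto.timingSafeEqual(h(presented), h(expected));
}

// options (all names are hypothetical):
//   proxyAddresses - addresses the authenticating proxy connects from
//   secretHeader   - header the proxy adds to every forwarded request
//   sharedSecret   - value of that header, known only to proxy and server
//   loginUrl       - where browsers that bypassed the proxy are sent
function onlyViaProxy(options) {
  const allowed = new Set(options.proxyAddresses);
  const headerName = options.secretHeader.toLowerCase(); // Node lowercases header names
  return function (req, res, next) {
    // Use the TCP peer address, never X-Forwarded-For, which any client can set.
    const peer = (req.socket.remoteAddress || "").replace(/^::ffff:/, "");
    const presented = req.headers[headerName];
    const ok =
      allowed.has(peer) &&
      typeof presented === "string" &&
      secretsMatch(presented, options.sharedSecret);
    if (ok) return next();
    // Page loads (e.g. an old bookmark) go to the login page;
    // API calls get a plain 403 instead of a redirect.
    if ((req.headers.accept || "").includes("text/html")) {
      return res.redirect(302, options.loginUrl);
    }
    return res.status(403).json({ error: "direct access is not allowed" });
  };
}

// Registration on the Express application the plugin has access to
// (constructed values):
//   app.use(onlyViaProxy({
//     proxyAddresses: ["127.0.0.1"],
//     secretHeader: "X-Proxy-Auth",
//     sharedSecret: process.env.PROXY_SHARED_SECRET,
//     loginUrl: "https://login.example.test/",
//   }));
```

The proxy must overwrite the secret header on every request it forwards, and a firewall rule limiting the server's port to the proxy remains the first line of defence.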

Thanks for the follow-up. The plugin sounds useful. I'll take a look at the documentation when it's released. Keep up the great work.

jmbowles avatar Dec 13 '20 14:12 jmbowles