Use PasswordProvider, fix info on initial passwords in basic security extension docs (#6303)

* Fix info on initial passwords in basic security extension docs * Use PasswordProvider * Compile fix

Use PasswordProvider, fix info on initial passwords in basic security extension docs (#6303)
* Fix info on initial passwords in basic security extension docs * Use PasswordProvider * Compile fix
60cbc644 · Jonathan Wei · GitHub · d61f708e · 60cbc644 · 60cbc644
6 changed file
--- a/docs/content/development/extensions-core/druid-basic-security.md
+++ b/docs/content/development/extensions-core/druid-basic-security.md
@@ -53,8 +53,8 @@ The configuration examples in the rest of this document will use "MyBasicAuthent
 #### Properties
 |Property|Description|Default|required|
 |--------|-----------|-------|--------|
-|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial password for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will affect its password.|null|No|
-|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial password for the default internal system user, used for internal node communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will affect its password.|null|No|
+|`druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.html) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
+|`druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.html) for the default internal system user, used for internal node communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
 |`druid.auth.authenticator.MyBasicAuthenticator.enableCacheNotifications`|If true, the coordinator will notify Druid nodes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
 |`druid.auth.authenticator.MyBasicAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
 |`druid.auth.authenticator.MyBasicAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No|

--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/BasicAuthDBConfig.java
@@ -19,19 +19,21 @@

 package org.apache.druid.security.basic;

+import org.apache.druid.metadata.PasswordProvider;
+
 public class BasicAuthDBConfig
 {
  public static final long DEFAULT_CACHE_NOTIFY_TIMEOUT_MS = 5000;

-  private final String initialAdminPassword;
-  private final String initialInternalClientPassword;
+  private final PasswordProvider initialAdminPassword;
+  private final PasswordProvider initialInternalClientPassword;
  private final boolean enableCacheNotifications;
  private final long cacheNotificationTimeout;
  private final int iterations;

  public BasicAuthDBConfig(
-      final String initialAdminPassword,
-      final String initialInternalClientPassword,
+      final PasswordProvider initialAdminPassword,
+      final PasswordProvider initialInternalClientPassword,
      final Boolean enableCacheNotifications,
      final Long cacheNotificationTimeout,
      final int iterations
@@ -44,12 +46,12 @@ public class BasicAuthDBConfig
    this.iterations = iterations;
  }

-  public String getInitialAdminPassword()
+  public PasswordProvider getInitialAdminPassword()
  {
    return initialAdminPassword;
  }

-  public String getInitialInternalClientPassword()
+  public PasswordProvider getInitialInternalClientPassword()
  {
    return initialInternalClientPassword;
  }

--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/BasicHTTPAuthenticator.java
@@ -25,6 +25,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.annotation.JsonTypeName;
 import com.google.inject.Provider;
 import org.apache.druid.java.util.common.IAE;
+import org.apache.druid.metadata.PasswordProvider;
 import org.apache.druid.security.basic.BasicAuthDBConfig;
 import org.apache.druid.security.basic.BasicAuthUtils;
 import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
@@ -62,8 +63,8 @@ public class BasicHTTPAuthenticator implements Authenticator
      @JacksonInject Provider<BasicAuthenticatorCacheManager> cacheManager,
      @JsonProperty("name") String name,
      @JsonProperty("authorizerName") String authorizerName,
-      @JsonProperty("initialAdminPassword") String initialAdminPassword,
-      @JsonProperty("initialInternalClientPassword") String initialInternalClientPassword,
+      @JsonProperty("initialAdminPassword") PasswordProvider initialAdminPassword,
+      @JsonProperty("initialInternalClientPassword") PasswordProvider initialInternalClientPassword,
      @JsonProperty("enableCacheNotifications") Boolean enableCacheNotifications,
      @JsonProperty("cacheNotificationTimeout") Long cacheNotificationTimeout,
      @JsonProperty("credentialIterations") Integer credentialIterations

--- a/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java
+++ b/extensions-core/druid-basic-security/src/main/java/org/apache/druid/security/basic/authentication/db/updater/CoordinatorBasicAuthenticatorMetadataStorageUpdater.java
@@ -138,7 +138,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
                authenticatorName,
                BasicAuthUtils.ADMIN_NAME,
                new BasicAuthenticatorCredentialUpdate(
-                    dbConfig.getInitialAdminPassword(),
+                    dbConfig.getInitialAdminPassword().getPassword(),
                    BasicAuthUtils.DEFAULT_KEY_ITERATIONS
                )
            );
@@ -151,7 +151,7 @@ public class CoordinatorBasicAuthenticatorMetadataStorageUpdater implements Basi
                authenticatorName,
                BasicAuthUtils.INTERNAL_USER_NAME,
                new BasicAuthenticatorCredentialUpdate(
-                    dbConfig.getInitialInternalClientPassword(),
+                    dbConfig.getInitialInternalClientPassword().getPassword(),
                    BasicAuthUtils.DEFAULT_KEY_ITERATIONS
                )
            );

--- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java
+++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/BasicHTTPAuthenticatorTest.java
@@ -23,6 +23,7 @@ import com.google.common.collect.ImmutableMap;
 import com.google.inject.Provider;
 import com.google.inject.util.Providers;
 import org.apache.druid.java.util.common.StringUtils;
+import org.apache.druid.metadata.DefaultPasswordProvider;
 import org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator;
 import org.apache.druid.security.basic.authentication.db.cache.BasicAuthenticatorCacheManager;
 import org.apache.druid.security.basic.authentication.entity.BasicAuthenticatorCredentialUpdate;
@@ -71,8 +72,8 @@ public class BasicHTTPAuthenticatorTest
      CACHE_MANAGER_PROVIDER,
      "basic",
      "basic",
-      "a",
-      "a",
+      new DefaultPasswordProvider("a"),
+      new DefaultPasswordProvider("a"),
      false,
      null,
      null

--- a/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java
+++ b/extensions-core/druid-basic-security/src/test/java/org/apache/druid/security/authentication/CoordinatorBasicAuthenticatorResourceTest.java
@@ -23,6 +23,7 @@ import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.dataformat.smile.SmileFactory;
 import com.google.common.collect.ImmutableMap;
 import com.google.common.collect.ImmutableSet;
+import org.apache.druid.metadata.DefaultPasswordProvider;
 import org.apache.druid.metadata.MetadataStorageTablesConfig;
 import org.apache.druid.metadata.TestDerbyConnector;
 import org.apache.druid.security.basic.BasicAuthCommonCacheConfig;
@@ -83,8 +84,8 @@ public class CoordinatorBasicAuthenticatorResourceTest
                null,
                AUTHENTICATOR_NAME,
                "test",
-                "druid",
-                "druid",
+                new DefaultPasswordProvider("druid"),
+                new DefaultPasswordProvider("druid"),
                null,
                null,
                null
@@ -94,8 +95,8 @@ public class CoordinatorBasicAuthenticatorResourceTest
                null,
                AUTHENTICATOR_NAME2,
                "test",
-                "druid",
-                "druid",
+                new DefaultPasswordProvider("druid"),
+                new DefaultPasswordProvider("druid"),
                null,
                null,
                null