Skip to content

feat: druid-opa-authorizer extension for Open Policy Agent authorization#19670

Open
JWuCines wants to merge 13 commits into
apache:masterfrom
JWuCines:druid-opa-authorizer
Open

feat: druid-opa-authorizer extension for Open Policy Agent authorization#19670
JWuCines wants to merge 13 commits into
apache:masterfrom
JWuCines:druid-opa-authorizer

Conversation

@JWuCines

@JWuCines JWuCines commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

druid-opa-authorizer extension for Open Policy Agent authorization

Description

This PR integrates the druid-opa-authorizer extension into the Apache Druid repository. The extension delegates authorization decisions to an Open Policy Agent (OPA) server, allowing users to define fine-grained access control policies using Rego rules.

Added the OPA Authorizer extension

The core authorizer sends a JSON payload containing the AuthenticationResult, Action, and Resource to a configurable OPA endpoint and interprets the boolean result from the OPA response. Key design decisions:

  • Uses java.net.http.HttpClient for OPA communication (no additional HTTP dependencies needed).
  • Creates a dedicated ObjectMapper configured with FAIL_ON_UNKNOWN_PROPERTIES = false for forward compatibility with new OPA response fields (e.g., decision_id).
  • Sanitizes AuthenticationResult context to handle non-serializable LDAP SearchResult objects, converting byte array attributes to Base64 strings.
  • Validates HTTP 200 status before parsing the OPA response, returning a descriptive deny message for non-200 responses.
  • Properly closes NamingEnumeration resources when iterating LDAP attributes.

Added embedded Docker tests

Two embedded test configurations using Testcontainers:

  • Basic auth + OPA: Spins up an OPA container with Rego rules and tests authorization with Druid's basic authenticator.
  • LDAP + OPA: Spins up both an OpenLDAP and OPA container, testing the full LDAP authentication → OPA authorization flow.

Added documentation and examples

  • Full documentation at docs/development/extensions-contrib/druid-opa-authorizer.md covering configuration, Rego rule authoring, local setup with basic auth, and LDAP integration.
  • Example Rego rules, JSON data files, LDAP bootstrap LDIF, and setup scripts in the example/ directory.

Release note

Added a new community extension druid-opa-authorizer that enables authorization through Open Policy Agent (OPA). Users can write Rego policies to control access to Druid resources based on user identity, action, and resource type. The extension supports both basic authentication and LDAP authentication workflows.


Key changed/added classes in this PR
  • OpaAuthorizer — Core authorizer that communicates with the OPA server
  • OpaDruidModule — Druid module that registers the opa authorizer type
  • OpaInput / OpaMessage / OpaResource / OpaResponse — JSON serialization types for OPA communication
  • OpaBasicAuthResource / OpaLdapAuthResource — Embedded test Docker resources
  • OpaBasicAuthConfigurationDockerTest / OpaLdapAuthConfigurationDockerTest — Embedded integration tests

This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • a release note entry in the PR description.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.
  • added integration tests.

@JWuCines JWuCines changed the title Add druid-opa-authorizer extension for Open Policy Agent authorization feat: druid-opa-authorizer extension for Open Policy Agent authorization Jul 9, 2026
@lfrancke

lfrancke commented Jul 9, 2026

Copy link
Copy Markdown
Member

We originally developed this authorizer at @stackabletech and are happy to "donate" it. Just commenting to make clear that this definitely has our blessing (not that it's needed due to the license anyway).

@FrankChen021 FrankChen021 left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Severity Findings
P0 0
P1 0
P2 1
P3 0
Total 1
Severity Findings
P0 0
P1 0
P2 1
P3 0
Total 1

Reviewed 34 of 34 changed files.

Found one availability issue in the new OPA authorizer: OPA authorization calls are synchronous and currently unbounded, so a hung policy endpoint can tie up Druid request threads instead of failing closed promptly.


This is an automated review by Codex GPT-5.5

@JWuCines JWuCines requested a review from FrankChen021 July 9, 2026 14:28
@JWuCines JWuCines force-pushed the druid-opa-authorizer branch from 257f45f to 7ddeea6 Compare July 9, 2026 15:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants