
Druid Security

Imported from Confluence

Content may be outdated. Verify before following any procedures. Last updated: March 2022

Everything you need to know about Druid Security - Druid Basic Security

Example of a basic security configuration in common.runtime.properties:

>>> cat /opt/druid/conf/_common/common.runtime.properties
druid.auth.authenticatorChain=["BasicAuthenticator", "anonymous"]
druid.auth.authenticator.BasicAuthenticator.type=basic
druid.auth.authenticator.BasicAuthenticator.initialAdminPassword=<CHANGE_ME>
druid.auth.authenticator.BasicAuthenticator.initialInternalClientPassword=<CHANGE_ME>
druid.auth.authenticator.BasicAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.BasicAuthenticator.skipOnFailure=true
druid.auth.authenticator.BasicAuthenticator.authorizerName=BasicAuthorizer
druid.auth.authenticator.allowAll.type=allowAll
druid.auth.authenticator.allowAll.authorizerName=allowAll
druid.auth.authenticator.anonymous.type=anonymous
druid.auth.authenticator.anonymous.identity=anonymous
druid.auth.authenticator.anonymous.authorizerName=BasicAuthorizer
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=<CHANGE_ME>
druid.escalator.authorizerName=BasicAuthorizer
druid.auth.authorizers=["BasicAuthorizer", "allowAll"]
druid.auth.authorizer.BasicAuthorizer.type=basic
druid.auth.authorizer.allowAll.type=allowAll
druid.extensions.loadList=["druid-kafka-indexing-service","kafka-emitter","mysql-metadata-storage","druid-s3-extensions","druid-parquet-extensions","druid-lookups-cached-global","druid-datasketches","druid-histogram","druid-stats","druid-pac4j","druid-basic-security"]

The following diagram describes how permissions are granted in Druid. For more details, see the Druid documentation: Security Overview.

[Diagram: granting permissions in Druid (image not included in the import)]

After a successful deployment, users are created via the API. In the examples below the IP address is the Coordinator IP of the kitchen test instance.

List users:

curl -u admin:<PASSWORD> http://10.37.167.184:8081/druid-ext/basic-security/authentication/db/BasicAuthenticator/users
["admin","druid_system"]

Create the user in both the Authenticator and the Authorizer:

#BasicAuthenticator
curl -u admin:<PASSWORD> -XPOST http://10.37.167.184:8081/druid-ext/basic-security/authentication/db/BasicAuthenticator/users/anonymous
#BasicAuthorizer
curl -u admin:<PASSWORD> -XPOST http://10.37.129.44:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/users/anonymous

Describe the user and set a password for it:

curl -u admin:<PASSWORD> http://10.37.167.184:8081/druid-ext/basic-security/authentication/db/BasicAuthenticator/users/anonymous
{"name":"anonymous","credentials":{"salt":"U+EWBShYhMd/pnAjlYH0bmlSLOP1aX6LLFtmdfFmD8w=","hash":"9gC/XzrrZqzP84L/oAq0O8pdoUkCuLC0AU8irdqkZaMkbQHN4/k4epQosB8zd1Ri+eTxo/h1pEk6htsBcPKYAg==","iterations":10000}}

>> cat pass.json
{"password": "<CHANGE_ME>"}

curl -u admin:<PASSWORD> -H'Content-Type: application/json' -XPOST --data-binary @pass.json http://10.37.167.184:8081/druid-ext/basic-security/authentication/db/BasicAuthenticator/users/anonymous/credentials

Create the role and verify it was created:

curl -u admin:<PASSWORD> -XPOST http://10.37.167.184:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/roles/READONLY
curl -X GET http://10.37.167.184:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/roles -u admin:<PASSWORD>
["admin","druid_system","READONLY"]

Map the role to the user and verify the mapping:

curl -u admin:<PASSWORD> -XPOST http://10.37.167.184:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/users/anonymous/roles/READONLY

curl -u admin:<PASSWORD> http://10.37.167.184:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/users/anonymous
{"name":"anonymous","roles":["READONLY"]}

Grant permissions to the role:

cat permissions.json

[{
  "resource": {
    "name": ".*",
    "type": "DATASOURCE"
  },
  "action": "READ"
}, {
  "resource": {
    "name": ".*",
    "type": "CONFIG"
  },
  "action": "READ"
}, {
  "resource": {
    "name": ".*",
    "type": "STATE"
  },
  "action": "READ"
}, {
  "resource": {
    "name": ".*",
    "type": "CONFIG"
  },
  "action": "WRITE"
}, {
  "resource": {
    "name": ".*",
    "type": "STATE"
  },
  "action": "WRITE"
}]

curl -u admin:<PASSWORD> -XPOST -H "Content-Type: application/json" --data @permissions.json http://10.37.167.184:8081/druid-ext/basic-security/authorization/db/BasicAuthorizer/roles/READONLY/permissions
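An added Python example (not from the original page) that issues the same six API calls above through an injectable transport and then audits the grants a role ends up with. Because the authenticator chain above falls through to the `anonymous` identity, whatever the READONLY role grants is what unauthenticated requests receive, so the audit flags any non-READ entry; the Coordinator address and admin credentials are the placeholders used on this page.

```python
import base64
import json
import urllib.request

# Coordinator address and admin password from the page; placeholders for a real cluster.
COORDINATOR = "http://10.37.167.184:8081"
ADMIN = ("admin", "<PASSWORD>")
AUTHN = "/druid-ext/basic-security/authentication/db/BasicAuthenticator"
AUTHZ = "/druid-ext/basic-security/authorization/db/BasicAuthorizer"


def http_send(method, path, body=None):
    """Real transport: one admin-authenticated request to the Coordinator."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(COORDINATOR + path, data=data, method=method)
    token = base64.b64encode(f"{ADMIN[0]}:{ADMIN[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        return resp.status


def provision_readonly_user(user, password, role, permissions, send=http_send):
    """Run the page's six steps in order: user in authenticator and authorizer,
    credentials, role, user-to-role mapping, role permissions.
    `send(method, path, body)` is injectable so the sequence can run offline.
    Returns the (method, path) pairs that were issued."""
    steps = [
        ("POST", f"{AUTHN}/users/{user}", None),
        ("POST", f"{AUTHZ}/users/{user}", None),
        ("POST", f"{AUTHN}/users/{user}/credentials", {"password": password}),
        ("POST", f"{AUTHZ}/roles/{role}", None),
        ("POST", f"{AUTHZ}/users/{user}/roles/{role}", None),
        ("POST", f"{AUTHZ}/roles/{role}/permissions", permissions),
    ]
    for method, path, body in steps:
        send(method, path, body)
    return [(method, path) for method, path, _ in steps]


def write_grants(permissions):
    """Return (resource type, name) of every grant whose action is not READ.
    For a role meant to be read-only this should be empty; the permissions.json
    above is not, since it also grants WRITE on CONFIG and STATE."""
    return [(p["resource"]["type"], p["resource"]["name"])
            for p in permissions if p["action"] != "READ"]
```

Run `write_grants` over a role's permission list before posting it; an empty result is the only outcome consistent with a role named READONLY.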

Druid Okta Integration

  # 'druid.auth.authenticatorChain'            => { 'value' =>  '["pac4j"]' },
  # 'druid.auth.authenticator.pac4j.type'      => { 'value' =>  'pac4j' },
  # 'druid.auth.pac4j.cookiePassphrase'        => { 'value' =>  '<CHANGE_ME>' },
  # 'druid.auth.pac4j.oidc.clientID'           => { 'value' =>  '<CLIENT_ID>' },
  # 'druid.auth.pac4j.oidc.clientSecret'       => { 'value' =>  '<CLIENT_SECRET>' },
  # 'druid.auth.pac4j.oidc.discoveryURI'       => { 'value' =>  'https://fyber-admin.okta-emea.com/.well-known/openid-configuration' },