Basic Security

This Apache Druid extension adds:

  • an Authenticator which supports HTTP Basic authentication using the Druid metadata store or LDAP as its credentials store
  • an Authorizer which implements basic role-based access control for Druid metadata store or LDAP users and groups

Make sure to include druid-basic-security as an extension.

Please see Authentication and Authorization for more information on the extension interfaces being implemented.

Configuration

The examples in the section will use “MyBasicMetadataAuthenticator”, “MyBasicLDAPAuthenticator”, “MyBasicMetadataAuthorizer”, and “MyBasicLDAPAuthorizer” as names for the Authenticators and Authorizer.

These properties are not tied to specific Authenticator or Authorizer instances.

These configuration properties should be added to the common runtime properties file.

Properties

PropertyDescriptionDefaultrequired
druid.auth.basic.common.pollingPeriodDefines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.60000No
druid.auth.basic.common.maxRandomDelayDefines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.6000No
druid.auth.basic.common.maxSyncRetriesDetermines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.10No
druid.auth.basic.common.cacheDirectoryIf defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.nullNo

Creating an Authenticator that uses the Druid metadata store to lookup and validate credentials

  1. druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
  2. druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
  3. druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
  4. druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
  5. druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
  6. druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
  7. druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer

To use the Basic authenticator, add an authenticator with type basic to the authenticatorChain. The authenticator needs to also define a credentialsValidator with type ‘metadata’ or ‘ldap’. If credentialsValidator is not specified, type ‘metadata’ will be used as default.

Configuration of the named authenticator is assigned through properties with the form:

  1. druid.auth.authenticator.<authenticatorName>.<authenticatorProperty>

The authenticator configuration examples in the rest of this document will use “MyBasicMetadataAuthenticator” or “MyBasicLDAPAuthenticator” as the name of the authenticators being configured.

Properties for Druid metadata store user authentication

PropertyDescriptionDefaultrequired
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPasswordInitial Password Provider for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.nullNo
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPasswordInitial Password Provider for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.nullNo
druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotificationsIf true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.trueNo
druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeoutThe timeout in milliseconds for the cache notifications.5000No
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterationsNumber of iterations to use for password hashing.10000No
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.typeThe type of credentials store (metadata) to validate requests credentials.metadataNo
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailureIf true and the request credential doesn’t exists or isn’t fully configured in the credentials store, the request will proceed to next Authenticator in the chain.falseNo
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerNameAuthorizer that requests should be directed toN/AYes

Properties for LDAP user authentication

PropertyDescriptionDefaultrequired
druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPasswordInitial Password Provider for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.nullNo
druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPasswordInitial Password Provider for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.nullNo
druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotificationsIf true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.trueNo
druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeoutThe timeout in milliseconds for the cache notifications.5000No
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterationsNumber of iterations to use for password hashing.10000No
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.typeThe type of credentials store (ldap) to validate requests credentials.metadataNo
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.urlURL of the LDAP server.nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUserLDAP bind user username.nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPasswordPassword Provider LDAP bind user password.nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDnThe point from where the LDAP server will search for users.nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearchThe filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttributeThe attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName.nullYes
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDurationThe duration in seconds for how long valid credentials are verifiable within the cache when not requested.600No
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDurationThe max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.3600No
druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSizeThe valid credentials cache size. The cache uses a LRU policy.100No
druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailureIf true and the request credential doesn’t exists or isn’t fully configured in the credentials store, the request will proceed to next Authenticator in the chain.falseNo
druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerNameAuthorizer that requests should be directed to.N/AYes

Creating an Escalator

  1. # Escalator
  2. druid.escalator.type=basic
  3. druid.escalator.internalClientUsername=druid_system
  4. druid.escalator.internalClientPassword=password2
  5. druid.escalator.authorizerName=MyBasicMetadataAuthorizer

Properties

PropertyDescriptionDefaultrequired
druid.escalator.internalClientUsernameThe escalator will use this username for requests made as the internal system user.n/aYes
druid.escalator.internalClientPasswordThe escalator will use this Password Provider for requests made as the internal system user.n/aYes
druid.escalator.authorizerNameAuthorizer that requests should be directed to.n/aYes

Creating an Authorizer

  1. druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
  2. druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic

To use the Basic authorizer, add an authorizer with type basic to the authorizers list.

Configuration of the named authorizer is assigned through properties with the form:

  1. druid.auth.authorizer.<authorizerName>.<authorizerProperty>

The authorizer configuration examples in the rest of this document will use “MyBasicMetadataAuthorizer” or “MyBasicLDAPAuthorizer” as the name of the authenticators being configured.

Properties for Druid metadata store user authorization

PropertyDescriptionDefaultrequired
druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotificationsIf true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.trueNo
druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeoutThe timeout in milliseconds for the cache notifications.5000No
druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUserThe initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.adminNo
druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRoleThe initial admin role to create if it doesn’t already exists.adminNo
druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.typeThe type of role provider to authorize requests credentials.metadataNo

Properties for LDAP user authorization

PropertyDescriptionDefaultrequired
druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotificationsIf true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.trueNo
druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeoutThe timeout in milliseconds for the cache notifications.5000No
druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUserThe initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.adminNo
druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRoleThe initial admin role to create if it doesn’t already exists.adminNo
druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMappingThe initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMappingnullNo
druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.typeThe type of role provider (ldap) to authorize requests credentials.metadataNo
druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFiltersArray of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with , or end with , to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.nullNo

Usage

Coordinator Security API

To use these APIs, a user needs read/write permissions for the CONFIG resource type with name “security”.

Authentication API

Root path: /druid-ext/basic-security/authentication

Each API endpoint includes {authenticatorName}, specifying which Authenticator instance is being configured.

User/Credential Management

GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users) Return a list of all user names.

GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}) Return the name and credentials information of the user with name {userName}

POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}) Create a new user with name {userName}

DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}) Delete the user with name {userName}

POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials) Assign a password used for HTTP basic authentication for {userName} Content: JSON password request object

Example request body:

  1. {
  2. "password": "helloworld"
  3. }
Cache Load Status

GET(/druid-ext/basic-security/authentication/loadStatus) Return the current load status of the local caches of the authentication Druid metadata store.

Authorization API

Root path: /druid-ext/basic-security/authorization

Each API endpoint includes {authorizerName}, specifying which Authorizer instance is being configured.

User Creation/Deletion

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users) Return a list of all user names.

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Return the name and role information of the user with name {userName}

Example output:

  1. {
  2. "name": "druid2",
  3. "roles": [
  4. "druidRole"
  5. ]
  6. }

This API supports the following flags:

  • ?full: The response will also include the full information for each role currently assigned to the user.

Example output:

  1. {
  2. "name": "druid2",
  3. "roles": [
  4. {
  5. "name": "druidRole",
  6. "permissions": [
  7. {
  8. "resourceAction": {
  9. "resource": {
  10. "name": "A",
  11. "type": "DATASOURCE"
  12. },
  13. "action": "READ"
  14. },
  15. "resourceNamePattern": "A"
  16. },
  17. {
  18. "resourceAction": {
  19. "resource": {
  20. "name": "C",
  21. "type": "CONFIG"
  22. },
  23. "action": "WRITE"
  24. },
  25. "resourceNamePattern": "C"
  26. }
  27. ]
  28. }
  29. ]
  30. }

The output format of this API when ?full is specified is deprecated and in later versions will be switched to the output format used when both ?full and ?simplifyPermissions flag is set.

The resourceNamePattern is a compiled version of the resource name regex. It is redundant and complicates the use of this API for clients such as frontends that edit the authorization configuration, as the permission format in this output does not match the format used for adding permissions to a role.

  • ?full?simplifyPermissions: When both ?full and ?simplifyPermissions are set, the permissions in the output will contain only a list of resourceAction objects, without the extraneous resourceNamePattern field.
  1. {
  2. "name": "druid2",
  3. "roles": [
  4. {
  5. "name": "druidRole",
  6. "users": null,
  7. "permissions": [
  8. {
  9. "resource": {
  10. "name": "A",
  11. "type": "DATASOURCE"
  12. },
  13. "action": "READ"
  14. },
  15. {
  16. "resource": {
  17. "name": "C",
  18. "type": "CONFIG"
  19. },
  20. "action": "WRITE"
  21. }
  22. ]
  23. }
  24. ]
  25. }

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Create a new user with name {userName}

DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Delete the user with name {userName}

Group mapping Creation/Deletion

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings) Return a list of all group mappings.

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}) Return the group mapping and role information of the group mapping with name {groupMappingName}

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}) Create a new group mapping with name {groupMappingName} Content: JSON group mapping object Example request body:

  1. {
  2. "name": "user",
  3. "groupPattern": "CN=aaa,OU=aaa,OU=Groupings,DC=corp,DC=company,DC=com",
  4. "roles": [
  5. "user"
  6. ]
  7. }

DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}) Delete the group mapping with name {groupMappingName}

Role Creation/Deletion

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles) Return a list of all role names.

GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Return name and permissions for the role named {roleName}.

Example output:

  1. {
  2. "name": "druidRole2",
  3. "permissions": [
  4. {
  5. "resourceAction": {
  6. "resource": {
  7. "name": "E",
  8. "type": "DATASOURCE"
  9. },
  10. "action": "WRITE"
  11. },
  12. "resourceNamePattern": "E"
  13. }
  14. ]
  15. }

The default output format of this API is deprecated and in later versions will be switched to the output format used when the ?simplifyPermissions flag is set. The resourceNamePattern is a compiled version of the resource name regex. It is redundant and complicates the use of this API for clients such as frontends that edit the authorization configuration, as the permission format in this output does not match the format used for adding permissions to a role.

This API supports the following flags:

  • ?full: The output will contain an extra users list, containing the users that currently have this role.
  1. {"users":["druid"]}
  • ?simplifyPermissions: The permissions in the output will contain only a list of resourceAction objects, without the extraneous resourceNamePattern field. The users field will be null when ?full is not specified.

Example output:

  1. {
  2. "name": "druidRole2",
  3. "users": null,
  4. "permissions": [
  5. {
  6. "resource": {
  7. "name": "E",
  8. "type": "DATASOURCE"
  9. },
  10. "action": "WRITE"
  11. }
  12. ]
  13. }

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Create a new role with name {roleName}. Content: username string

DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Delete the role with name {roleName}.

Role Assignment

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName}) Assign role {roleName} to user {userName}.

DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName}) Unassign role {roleName} from user {userName}

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}) Assign role {roleName} to group mapping {groupMappingName}.

DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}) Unassign role {roleName} from group mapping {groupMappingName}

Permissions

POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions) Set the permissions of {roleName}. This replaces the previous set of permissions on the role.

Content: List of JSON Resource-Action objects, e.g.:

  1. [
  2. {
  3. "resource": {
  4. "name": "wiki.*",
  5. "type": "DATASOURCE"
  6. },
  7. "action": "READ"
  8. },
  9. {
  10. "resource": {
  11. "name": "wikiticker",
  12. "type": "DATASOURCE"
  13. },
  14. "action": "WRITE"
  15. }
  16. ]

The “name” field for resources in the permission definitions are regexes used to match resource names during authorization checks.

Please see Defining permissions for more details.

Cache Load Status

GET(/druid-ext/basic-security/authorization/loadStatus) Return the current load status of the local caches of the authorization Druid metadata store.

Default user accounts

Authenticator

If druid.auth.authenticator.<authenticator-name>.initialAdminPassword is set, a default admin user named “admin” will be created, with the specified initial password. If this configuration is omitted, the “admin” user will not be created.

If druid.auth.authenticator.<authenticator-name>.initialInternalClientPassword is set, a default internal system user named “druid_system” will be created, with the specified initial password. If this configuration is omitted, the “druid_system” user will not be created.

Authorizer

Each Authorizer will always have a default “admin” and “druid_system” user with full privileges.

Defining permissions

There are two action types in Druid: READ and WRITE

There are three resource types in Druid: DATASOURCE, CONFIG, and STATE.

DATASOURCE

Resource names for this type are datasource names. Specifying a datasource permission allows the administrator to grant users access to specific datasources.

CONFIG

There are two possible resource names for the “CONFIG” resource type, “CONFIG” and “security”. Granting a user access to CONFIG resources allows them to access the following endpoints.

“CONFIG” resource name covers the following endpoints:

EndpointProcess Type
/druid/coordinator/v1/configcoordinator
/druid/indexer/v1/workeroverlord
/druid/indexer/v1/worker/historyoverlord
/druid/worker/v1/disablemiddleManager
/druid/worker/v1/enablemiddleManager

“security” resource name covers the following endpoint:

EndpointProcess Type
/druid-ext/basic-security/authenticationcoordinator
/druid-ext/basic-security/authorizationcoordinator

STATE

There is only one possible resource name for the “STATE” config resource type, “STATE”. Granting a user access to STATE resources allows them to access the following endpoints.

“STATE” resource name covers the following endpoints:

EndpointProcess Type
/druid/coordinator/v1coordinator
/druid/coordinator/v1/rulescoordinator
/druid/coordinator/v1/rules/historycoordinator
/druid/coordinator/v1/serverscoordinator
/druid/coordinator/v1/tierscoordinator
/druid/broker/v1broker
/druid/v2/candidatesbroker
/druid/indexer/v1/leaderoverlord
/druid/indexer/v1/isLeaderoverlord
/druid/indexer/v1/actionoverlord
/druid/indexer/v1/workersoverlord
/druid/indexer/v1/scalingoverlord
/druid/worker/v1/enabledmiddleManager
/druid/worker/v1/tasksmiddleManager
/druid/worker/v1/task/{taskid}/shutdownmiddleManager
/druid/worker/v1/task/{taskid}/logmiddleManager
/druid/historical/v1historical
/druid-internal/v1/segments/historical
/druid-internal/v1/segments/peon
/druid-internal/v1/segments/realtime
/statusall process types

HTTP methods

For information on what HTTP methods are supported on a particular request endpoint, please refer to the API documentation.

GET requires READ permission, while POST and DELETE require WRITE permission.

SQL Permissions

Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource.

Queries on the INFORMATION_SCHEMA tables will return information about datasources that the caller has DATASOURCE READ access to. Other datasources will be omitted.

Queries on the system schema tables require the following permissions:

  • segments: Segments will be filtered based on DATASOURCE READ permissions.
  • servers: The user requires STATE READ permissions.
  • server_segments: The user requires STATE READ permissions and segments will be filtered based on DATASOURCE READ permissions.
  • tasks: Tasks will be filtered based on DATASOURCE READ permissions.

Configuration Propagation

To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role Druid metadata store state is cached on each Druid process.

Each process will periodically poll the Coordinator for the latest Druid metadata store state, controlled by the druid.auth.basic.common.pollingPeriod and druid.auth.basic.common.maxRandomDelay properties.

When a configuration update occurs, the Coordinator can optionally notify each process with the updated Druid metadata store state. This behavior is controlled by the enableCacheNotifications and cacheNotificationTimeout properties on Authenticators and Authorizers.

Note that because of the caching, changes made to the user/role Druid metadata store may not be immediately reflected at each Druid process.