Basic Security

    • an Authenticator which supports HTTP Basic authentication using the Druid metadata store or LDAP as its credentials store.
    • an Authorizer which implements basic role-based access control for Druid metadata store or LDAP users and groups.

    To load the extension, add druid-basic-security to druid.extensions.loadList in your common.runtime.properties. For example:

    See Authentication and Authorization for more information on the implemented extension interfaces.

    The examples in this section use the following names for the Authenticators and Authorizers:

    • MyBasicMetadataAuthenticator
    • MyBasicLDAPAuthenticator
    • MyBasicMetadataAuthorizer
    • MyBasicLDAPAuthorizer

    These properties are not tied to specific Authenticator or Authorizer instances.

    To set the value for the configuration properties, add them to the common runtime properties file.

    druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
    druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
    druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
    druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
    druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
    druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
    druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer

    To use the Basic authenticator, add an authenticator with type basic to the authenticatorChain. The default credentials validator (credentialsValidator) is metadata. To use the LDAP validator, define a credentials validator with a type of ‘ldap’.

    Configuration of the named authenticator is assigned through properties with the form:

    druid.auth.authenticator.<authenticatorName>.<authenticatorProperty>

    The remaining examples of authenticator configuration use either MyBasicMetadataAuthenticator or MyBasicLDAPAuthenticator as the authenticator name.

    Properties for Druid metadata store user authentication

    druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword
        Initial Password Provider for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.
        Default: null. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword
        Initial Password Provider for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.
        Default: null. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications
        If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.
        Default: true. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout
        The timeout in milliseconds for the cache notifications.
        Default: 5000. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations
        Number of iterations to use for password hashing. See Credential iterations and API performance.
        Default: 10000. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type
        The type of credentials store (metadata) used to validate request credentials.
        Default: metadata. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure
        If true and the request credential doesn't exist or isn't fully configured in the credentials store, the request will proceed to the next Authenticator in the chain.
        Default: false. Required: No.
    druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName
        Authorizer that requests should be directed to.
        Default: N/A. Required: Yes.

    Credential iterations and API performance

    The credential iterations setting affects API performance, including query times. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords, but it adds latency.

    You can decrease the number of iterations to speed up API response times, but it potentially exposes your system to dictionary attacks. Therefore, only reduce the number of iterations if your environment fits one of the following conditions:

    • All passwords are long and random, which makes them as safe as a randomly generated token.
    • You have secured network access to Druid so that no attacker can execute a dictionary attack against it.
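    As an added example (not from the Druid docs or code), the script below measures what a single credential check costs at a reduced and at the default iteration count, which is the latency each authenticated request pays and, equally, the cost of every guess in a dictionary attack. It assumes, since this page does not state the scheme, that the authenticator stores a salted PBKDF2-HMAC-SHA512 hash and that credentialIterations is the PBKDF2 iteration count.

```python
import hashlib
import hmac
import os
import time

# Assumption (not stated on this page): the authenticator stores a salted
# PBKDF2-HMAC-SHA512 hash and credentialIterations is the PBKDF2 iteration count.
KEY_LENGTH_BYTES = 64
DEFAULT_ITERATIONS = 10000  # page default for ...credentialIterations
REDUCED_ITERATIONS = 1000   # constructed value for comparison


def hash_password(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the verifier stored for a user at the configured iteration count."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt,
                               iterations, KEY_LENGTH_BYTES)


def verify(password: str, salt: bytes, iterations: int, stored: bytes) -> bool:
    """What every HTTP Basic request costs the server: one full derivation
    plus a constant-time comparison against the stored hash."""
    return hmac.compare_digest(hash_password(password, salt, iterations), stored)


def seconds_per_check(iterations: int, samples: int = 5) -> float:
    """Average wall-clock cost of one check. This is both the latency added to
    each authenticated API call and an attacker's cost per password guess."""
    salt = os.urandom(32)
    start = time.perf_counter()
    for _ in range(samples):
        hash_password("benchmark-password", salt, iterations)
    return (time.perf_counter() - start) / samples


def guesses_per_day(iterations: int) -> float:
    """Single-core guessing budget implied by the iteration count; use it to
    judge whether a reduced setting still makes a dictionary attack impractical."""
    return 86400.0 / seconds_per_check(iterations)


if __name__ == "__main__":
    for iters in (REDUCED_ITERATIONS, DEFAULT_ITERATIONS):
        cost = seconds_per_check(iters)
        print(f"{iters:>6} iterations: {cost * 1000:8.3f} ms per check, "
              f"~{86400.0 / cost:,.0f} guesses/day on one core")
```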

    Properties for LDAP user authentication

    # Escalator
    druid.escalator.type=basic
    druid.escalator.internalClientUsername=druid_system
    druid.escalator.internalClientPassword=password2
    druid.escalator.authorizerName=MyBasicMetadataAuthorizer

    Properties

    druid.escalator.internalClientUsername
        The escalator will use this username for requests made as the internal system user.
        Default: n/a. Required: Yes.
    druid.escalator.internalClientPassword
        The escalator will use this Password Provider for requests made as the internal system user.
        Default: n/a. Required: Yes.
    druid.escalator.authorizerName
        Authorizer that requests should be directed to.
        Default: n/a. Required: Yes.

    druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
    druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic

    To use the Basic authorizer, add an authorizer with type basic to the authorizers list.

    Configuration of the named authorizer is assigned through properties with the form druid.auth.authorizer.<authorizerName>.<authorizerProperty>.

    The authorizer configuration examples in the rest of this document use “MyBasicMetadataAuthorizer” or “MyBasicLDAPAuthorizer” as the name of the authorizer being configured.

    Properties for Druid metadata store user authorization

    Properties for LDAP user authorization

    druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications
        If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.
        Default: true. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout
        The timeout in milliseconds for the cache notifications.
        Default: 5000. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser
        The initial admin user, given the role defined in the initialAdminRole property if specified; otherwise the default admin role will be assigned.
        Default: admin. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole
        The initial admin role to create if it doesn't already exist.
        Default: admin. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping
        The initial admin group mapping, given the role defined in the initialAdminRole property if specified; otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping.
        Default: null. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type
        The type of role provider (ldap) used to authorize request credentials.
        Default: metadata. Required: No.
    druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters
        Array of LDAP group filters used to filter the allowed set of groups returned from the LDAP search. Filters can begin with * or end with * to limit or filter the set of groups made available to the LDAP Authorizer.
        Default: null. Required: No.

    Usage

    To use these APIs, a user needs read/write permissions for the CONFIG resource type with name “security”.

    Authentication API

    Root path: /druid-ext/basic-security/authentication

    Each API endpoint includes {authenticatorName}, specifying which Authenticator instance is being configured.

    User/Credential Management

    GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users) Return a list of all user names.

    POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}) Create a new user with name {userName}

    DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}) Delete the user with name {userName}

    POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials) Assign a password used for HTTP basic authentication for {userName}.

    Content: JSON password request object

    Example request body:

    {
      "password": "helloworld"
    }

    Cache Load Status

    GET(/druid-ext/basic-security/authentication/loadStatus) Return the current load status of the local caches of the authentication Druid metadata store.

    Authorization API

    Root path: /druid-ext/basic-security/authorization

    Each API endpoint includes {authorizerName}, specifying which Authorizer instance is being configured.

    User Creation/Deletion

    GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users) Return a list of all user names.

    GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Return the name and role information of the user with name {userName}

    Example output:

    {
      "name": "druid2",
      "roles": [
        "druidRole"
      ]
    }

    This API supports the following flags:

    • ?full: The response will also include the full information for each role currently assigned to the user.

    Example output:

    {
      "name": "druid2",
      "roles": [
        {
          "name": "druidRole",
          "permissions": [
            {
              "resourceAction": {
                "resource": {
                  "name": "A",
                  "type": "DATASOURCE"
                },
                "action": "READ"
              },
              "resourceNamePattern": "A"
            },
            {
              "resourceAction": {
                "resource": {
                  "name": "C",
                  "type": "CONFIG"
                },
                "action": "WRITE"
              },
              "resourceNamePattern": "C"
            }
          ]
        }
      ]
    }

    The output format of this API when ?full is specified is deprecated and in later versions will be switched to the output format used when both the ?full and ?simplifyPermissions flags are set.

    The resourceNamePattern is a compiled version of the resource name regex. It is redundant and complicates the use of this API for clients such as frontends that edit the authorization configuration, as the permission format in this output does not match the format used for adding permissions to a role.

    • ?full&simplifyPermissions: When both ?full and ?simplifyPermissions are set, the permissions in the output will contain only a list of resourceAction objects, without the extraneous resourceNamePattern field.

    Example output:

    {
      "name": "druid2",
      "roles": [
        {
          "name": "druidRole",
          "users": null,
          "permissions": [
            {
              "resource": {
                "name": "A",
                "type": "DATASOURCE"
              },
              "action": "READ"
            },
            {
              "resource": {
                "name": "C",
                "type": "CONFIG"
              },
              "action": "WRITE"
            }
          ]
        }
      ]
    }

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Create a new user with name {userName}

    DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}) Delete the user with name {userName}

    Group mapping Creation/Deletion

    GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings) Return a list of all group mappings.

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}) Create a new group mapping with name {groupMappingName}.

    Content: JSON group mapping object

    Example request body:

    DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}) Delete the group mapping with name {groupMappingName}

    Role Creation/Deletion

    GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles) Return a list of all role names.

    GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Return name and permissions for the role named {roleName}.

    Example output:

    {
      "name": "druidRole2",
      "permissions": [
        {
          "resourceAction": {
            "resource": {
              "name": "E",
              "type": "DATASOURCE"
            },
            "action": "WRITE"
          },
          "resourceNamePattern": "E"
        }
      ]
    }

    The default output format of this API is deprecated and in later versions will be switched to the output format used when the ?simplifyPermissions flag is set. The resourceNamePattern is a compiled version of the resource name regex. It is redundant and complicates the use of this API for clients such as frontends that edit the authorization configuration, as the permission format in this output does not match the format used for adding permissions to a role.

    This API supports the following flags:

    • ?full: The output will contain an extra users list, containing the users that currently have this role.

    {"users":["druid"]}

    • ?simplifyPermissions: The permissions in the output will contain only a list of resourceAction objects, without the extraneous resourceNamePattern field. The users field will be null when ?full is not specified.

    Example output:

    {
      "name": "druidRole2",
      "users": null,
      "permissions": [
        {
          "resource": {
            "name": "E",
            "type": "DATASOURCE"
          },
          "action": "WRITE"
        }
      ]
    }

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Create a new role with name {roleName}. Content: username string

    DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}) Delete the role with name {roleName}.

    Role Assignment

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName}) Assign role {roleName} to user {userName}.

    DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName}) Unassign role {roleName} from user {userName}

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}) Assign role {roleName} to group mapping {groupMappingName}.

    DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName}) Unassign role {roleName} from group mapping {groupMappingName}

    Permissions

    POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions) Set the permissions of {roleName}. This replaces the previous set of permissions on the role.

    Content: List of JSON Resource-Action objects, e.g.:

    [
      {
        "resource": {
          "name": "wiki.*",
          "type": "DATASOURCE"
        },
        "action": "READ"
      },
      {
        "resource": {
          "name": "wikiticker",
          "type": "DATASOURCE"
        },
        "action": "WRITE"
      }
    ]

    The “name” field of a resource in a permission definition is a regex that is matched against resource names during authorization checks.
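    The following is an added example, not code from Druid or its docs, for auditing roles fetched from the role endpoints above: it reduces both the deprecated (resourceAction + resourceNamePattern) and the simplified output formats to the resource-action list the permissions endpoint accepts, then evaluates a request against the role. It assumes the check semantics that type and action must match exactly and that the regex must match the whole resource name; the sample role is constructed from the wiki.* / wikiticker permissions shown above.

```python
import re

# Constructed sample: one role as returned in the deprecated ?full format
# (resourceAction + resourceNamePattern) and in the ?simplifyPermissions format.
ROLE_DEPRECATED_FORMAT = {
    "name": "druidRole",
    "permissions": [
        {"resourceAction": {"resource": {"name": "wiki.*", "type": "DATASOURCE"},
                            "action": "READ"}, "resourceNamePattern": "wiki.*"},
        {"resourceAction": {"resource": {"name": "wikiticker", "type": "DATASOURCE"},
                            "action": "WRITE"}, "resourceNamePattern": "wikiticker"},
    ],
}
ROLE_SIMPLIFIED_FORMAT = {
    "name": "druidRole",
    "users": None,
    "permissions": [
        {"resource": {"name": "wiki.*", "type": "DATASOURCE"}, "action": "READ"},
        {"resource": {"name": "wikiticker", "type": "DATASOURCE"}, "action": "WRITE"},
    ],
}

def normalize_permissions(role: dict) -> list:
    """Reduce either output format to the resource-action list that
    POST .../roles/{roleName}/permissions accepts (no resourceNamePattern)."""
    return [p["resourceAction"] if "resourceAction" in p else p for p in role["permissions"]]

def is_allowed(role: dict, resource_type: str, resource_name: str, action: str) -> bool:
    """Assumed check semantics: type and action match exactly, and the resource
    name in the permission is a regex that must match the whole resource name."""
    for p in normalize_permissions(role):
        res = p["resource"]
        if (res["type"] == resource_type and p["action"] == action
                and re.fullmatch(res["name"], resource_name)):
            return True
    return False

def overbroad_grants(role: dict, known_resources: list) -> list:
    """Audit helper: (pattern, resource, action) triples where a regex permission
    matches a resource other than the one spelled literally in the pattern."""
    hits = []
    for p in normalize_permissions(role):
        pattern, rtype_p = p["resource"]["name"], p["resource"]["type"]
        for rtype, rname in known_resources:
            if rtype == rtype_p and rname != pattern and re.fullmatch(pattern, rname):
                hits.append((pattern, rname, p["action"]))
    return hits
```

    Feeding overbroad_grants the datasource list from your cluster shows which roles a pattern such as wiki.* reaches beyond the datasource the author had in mind.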

    Cache Load Status

    GET(/druid-ext/basic-security/authorization/loadStatus) Return the current load status of the local caches of the authorization Druid metadata store.