Security overview

    To implement Druid security, you configure authenticators and authorizers. Authenticators control the way user identities are verified, while authorizers map the authenticated users (via user roles) to the datasources they are permitted to access. Consequently, implementing Druid security also involves consideration of your datasource scheme, given they represent the granularity at which data access permissions are allocated.

    The following graphic depicts the course of request through the authentication process:

    This document gives you an overview of security features in Druid and how to configure them, and some best practices for securing Druid.

    Best practices

    • Do not expose the Druid Console without authentication on untrusted networks. Access to the console effectively confers access the file system on the installation machine, via file browsers in the UI. You should use an API gateway that restricts who can connect from untrusted networks, whitelist the specific APIs that your users need to access, and implements account lockout and throttling features.
    • Grant users the minimum permissions necessary to perform their functions. For instance, do not allow user who only need to query data to write to data sources or view state.
    • Disable JavaScript, as noted in the of the JavaScript guide.

    • Run Druid as an unprivileged Unix user on the installation machine (not root).

    You can configure authentication and authorization to control access to the the Druid APIs. The first step is enabling TLS for the cluster nodes. Then configure users, roles, and permissions, as described in the following sections.

    The configuration settings mentioned below are primarily located in the common.runtime.properties file. Note that you need to make the configuration changes on each Druid server in the cluster.

    The first step in securing Druid is enabling TLS. You can enable TLS to secure external client connections to Druid as well as connections between cluster nodes.

    The configuration steps are:

    1. Enable TLS by adding druid.enableTlsPort=true to common.runtime.properties on each node in the Druid cluster.
    2. Disable the non-TLS port by setting druid.enablePlaintextPort to false.
    3. Follow the steps in Understanding Certificates and Keys to generate or import a key and certificate.
    4. Configure the keystore and truststore settings in common.runtime.properties. The file should look something like this:
    1. Add the simple-client-sslcontext extension to druid.extensions.loadList in common.runtime.properties. This enables TLS for Druid nodes acting as clients.
    2. Restart the cluster.

    For more information, see and Simple SSLContext Provider Module.

    Druid uses Jetty as its embedded web server. Therefore you refer to for complete instructions.

    Enable an authenticator

    To authenticate requests in Druid, you configure an Authenticator. Authenticator extensions exist for HTTP basic authentication, LDAP, and Kerberos.

    1. Add the druid-basic-security extension to druid.extensions.loadList in common.runtime.properties. For the quickstart installation, for example, the properties file is at conf/druid/cluster/_common:

      1. druid.extensions.loadList=["druid-basic-security", "druid-histogram", "druid-datasketches", "druid-kafka-indexing-service", "imply-utility-belt"]

    2. Configure the basic Authenticator, Authorizer, and Escalator settings in the same common.runtime.properties file. For example:

      1. # Druid basic security
      2. druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
      4. druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
      5. druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
      6. druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
      7. druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
      8. druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
      9. druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer
      11. druid.escalator.type=basic
      12. druid.escalator.internalClientUsername=druid_system
      14. druid.escalator.authorizerName=MyBasicMetadataAuthorizer
      16. druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
      18. druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic

    3. Restart the cluster.

    See for more information about the Authenticator, Escalator, and Authorizer concepts. See Basic Security for more information about the extension used in the examples above, and for Kerberos authentication.

    After enabling the basic auth extension, you can add users, roles, and permissions via the Druid Coordinator user endpoint. Note that you cannot assign permissions directly to individual users. They must be assigned through roles.

    The following diagram depicts the authorization model, and the relationship between users, roles, permissions, and resources.

    Druid Security model

    The following steps walk through a sample setup procedure:

    1. Create a user by issuing a POST request to druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME>, replacing USERNAME with the new username. For example:
    1.  curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/basic/users/myname

    1. Add a credential for the user by issuing a POST to druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME>/credentials. For example:

      1. curl -u admin:password -H'Content-Type: application/json' -XPOST --data-binary @pass.json https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/basic/users/myname/credentials

      The password is conveyed in the pass.json file in the following form:

      1. {
      2.   "password": "password"
      3. }

    2. For each authenticator user you create, create a corresponding authorizer user by issuing a POST request to druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>. For example:

      1. curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/roles/myrole

    4. Assign roles to users by issuing a POST request to druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>/roles/<ROLENAME>. For example:

      1. curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/users/myname/roles/myrole | jq

    5. Finally, attach permissions to the roles to control how they can interact with Druid at druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/<ROLENAME>/permissions. For example:

      1. curl -u admin:password -H'Content-Type: application/json' -XPOST --data-binary @perms.json https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/roles/myrole/permissions

      The payload of perms.json should be in the form:

      1. [
      2. {
      3.   "resource": {
      4.     "name": "<PATTERN>",
      6.   },
      7. },
      8. {
      9.   "resource": {
      10.   "name": "STATE",
      11.   "type": "STATE"
      12. },
      13. "action": "READ"
      14. }
      15. ]

    Configuring an LDAP authenticator

    As an alternative to using the basic metadata authenticator, as shown in the previous section, you can use LDAP to authenticate users. The following steps provide an overview of the setup steps. For more information on these settings, see .

    1. In common.runtime.properties, add LDAP to the authenticator chain in the order in which you want requests to be evaluated. For example:

      1. # Druid basic security
      2. druid.auth.authenticatorChain=["ldap", "MyBasicMetadataAuthenticator"]

    2. Configure LDAP settings in common.runtime.properties as appropriate for your LDAP scheme and system. For example:

    3. Use the Druid API to create the group mapping and allocate initial roles. For example, using curl and given a group named group1 in the directory, run:

      1. curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map

      The groupmap.json file contents would be something like:

      1. {
      2.   "name": "group1map",
      3.   "groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
      4.   "roles": [
      5.       "readRole"
      6.   ]
      7. }

    4. Check if the group mapping is created successfully by executing the following API. This lists all group mappings.

      1. curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings

      Alternatively, to check the details of a specific group mapping, use the following API:

      1. curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map

    5. To add additional roles to the group mapping, use the following API:

    6. Add the LDAP user to Druid. To add a user, use the following authentication API:

    7. Use the following command to assign the role to a user: