TLS support
Apache Druid uses Jetty as an embedded web server. To get familiar with TLS/SSL and related concepts such as certificates, reading this Jetty documentation might be helpful. To get more in-depth knowledge of TLS/SSL support in Java in general, please refer to this . The documentation here can help in understanding the TLS/SSL configurations listed below. It lists all the possible values for the configs mentioned below, among others provided by the Java implementation.
The following table contains configuration options related to client certificate authentication.
Whenever possible, Druid processes will use HTTPS to talk to each other. To enable this communication, Druid’s HttpClient needs to be configured with a proper SSLContext that is able to validate the server certificates; otherwise communication will fail.
Since there are various ways to configure an SSLContext, Druid by default looks for a Guice binding of SSLContext while creating the HttpClient. This binding can be achieved by writing a which can provide an instance of SSLContext. Druid comes with a simple extension present here which should be useful enough for most simple cases, see for how to include extensions. If this extension does not satisfy your requirements, follow the extension implementation to create your own extension.
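A sketch of the kind of Guice binding described above, written with only JDK and Guice APIs; it is an added example, not code from Druid or its bundled extension. The class names, trust store path, store type and password environment variable are assumptions, and registering the module with Druid as an extension is not shown.

```java
import com.google.inject.AbstractModule;
import com.google.inject.Provider;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical module and provider names, chosen for this example only.
public class TrustStoreSslContextModule extends AbstractModule {
  // Assumed inputs: placeholder path, store type and environment variable name.
  private static final String TRUST_STORE_PATH = "/path/to/truststore.p12";
  private static final String TRUST_STORE_TYPE = "PKCS12";
  private static final String PASSWORD_ENV = "TRUSTSTORE_PASSWORD";

  @Override
  protected void configure() {
    // Eager singleton: a broken trust store stops startup instead of the first HTTPS call.
    bind(SSLContext.class).toProvider(new TrustStoreProvider()).asEagerSingleton();
  }

  static class TrustStoreProvider implements Provider<SSLContext> {
    @Override
    public SSLContext get() {
      try {
        String password = System.getenv(PASSWORD_ENV);
        if (password == null) {
          throw new IllegalStateException(PASSWORD_ENV + " is not set");
        }
        KeyStore trustStore = KeyStore.getInstance(TRUST_STORE_TYPE);
        try (InputStream in = Files.newInputStream(Paths.get(TRUST_STORE_PATH))) {
          trustStore.load(in, password.toCharArray());
        }
        // Fail closed: with no trust anchors every server certificate check would fail later.
        if (!trustStore.aliases().hasMoreElements()) {
          throw new IllegalStateException("trust store contains no entries");
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore); // passing null here would fall back to the JVM default trust store
        SSLContext context = SSLContext.getInstance("TLS");
        context.init(null, tmf.getTrustManagers(), null); // no client key material in this sketch
        return context;
      } catch (IOException | GeneralSecurityException e) {
        throw new IllegalStateException("cannot build SSLContext from " + TRUST_STORE_PATH, e);
      }
    }
  }
}
```

The default trust managers produced this way perform normal certificate path validation against the entries in the trust store, so the store should hold only the CA certificates that issue the cluster's server certificates.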
Druid supports custom certificate check extensions. Please refer to the org.apache.druid.server.security.TLSCertificateChecker interface for details on the methods to be implemented.
To use a custom TLS certificate checker, specify the following property:
If using a non-default certificate checker, please refer to the extension documentation for additional configuration properties needed.