LDAP auth

    Before starting, verify that the active directory is reachable from the Druid Master servers. Command line tools such as and ldapwhoami, which are included with OpenLDAP, are useful for this testing.

    First test that the basic connection and user credential works. For example, given a user uuser1@example.com, try:

    Enter the password associated with the user when prompted and verify that the command succeeded. If it didn’t, try the following troubleshooting steps:

    • Verify that you’ve used the correct port for your LDAP instance. By default, the LDAP port is 389, but double-check with your LDAP admin if unable to connect.
    • Check whether a network firewall is not preventing connections to the LDAP port.
    • Check whether LDAP clients need to be specifically whitelisted at the LDAP server to be able to reach it. If so, add the Druid Coordinator server to the AD whitelist.

    Check the search criteria

    After verifying basic connectivity, check your search criteria. For example, the command for searching for user uuser1@example.com is as follows:

    1. ldapsearch -x -W -H ldap://<ldap_server>  -D"uuser1@example.com" -b "dc=example,dc=com" "(sAMAccountName=uuser1)"

    Note the memberOf attribute in the results; it shows the groups that the user belongs to. You will use this value to map the LDAP group to the Druid roles later. This attribute may be implemented differently on different types of LDAP servers. For instance, some LDAP servers may support recursive groupings, and some may not. Some LDAP server implementations may not have any object classes that contain this attribute altogether. If your LDAP server does not use the memberOf attribute, then Druid will not be able to determine a user’s group membership using LDAP. The sAMAccountName attribute used in this example contains the authenticated user identity. This is an attribute of an object class specific to Microsoft Active Directory. The object classes and attribute used in your LDAP server may be different.

    1. Enable the druid-basic-security extension in the common.runtime.properties file. See Security Overview for details.

    2. As a best practice, create a user in LDAP to be used for internal communication with Druid.

    3. In common.runtime.properties, update LDAP-related properties, as shown in the following listing:

      1. druid.auth.authenticator.ldap.type=basic
      2. druid.auth.authenticator.ldap.enableCacheNotifications=true
      3. druid.auth.authenticator.ldap.credentialsValidator.type=ldap
      4. druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<AD host>:<AD port>
      5. druid.auth.authenticator.ldap.credentialsValidator.bindUser=<AD admin user, e.g.: Administrator@example.com>
      6. druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<AD admin password>
      7. druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base dn, e.g.: dc=example,dc=com>
      9. druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
      10. druid.auth.authenticator.ldap.authorizerName=ldapauth
      11. druid.escalator.type=basic
      12. druid.escalator.internalClientUsername=<AD internal user, e.g.: internal@example.com>
      13. druid.escalator.internalClientPassword=Welcome123
      14. druid.escalator.authorizerName=ldapauth
      15. druid.auth.authorizers=["ldapauth"]
      16. druid.auth.authorizer.ldapauth.type=basic
      17. druid.auth.authorizer.ldapauth.initialAdminUser=AD user who acts as the initial admin user, e.g.: internal@example.com>
      18. druid.auth.authorizer.ldapauth.roleProvider.type=ldap

      Notice that the LDAP user created in the previous step, internal@example.com, serves as the internal client user and the initial admin user.

    First create the role in Druid using the Druid REST API.

    Creating a role involves submitting a POST request to the Coordinator process.

    The following REST APIs to create the role to read access for datasource, config, state.

    Call the following API to create role readRole .

    1. curl -i -v  -H "Content-Type: application/json" -u internal -X POST  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole

    Check that the role has been created successfully by entering the following:

    1. curl -i -v  -H "Content-Type: application/json" -u internal -X GET  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles

    Step 2: Add permissions to a role

    You can now add one or more permission to the role. The following example adds read-only access to a wikipedia data source.

    Given the following JSON in a file named perm.json:

    The following command associates the permissions in the JSON file with the role

    1. [{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }]

    You can also provide the name in the form of regular expression. For example, to give access to all data sources starting with wiki, specify the name as { "name": "wiki.*", ......

    The following shows an example of a group to role mapping. It assumes that a group named group1 exists in the directory. Also assuming the following role mapping in a file named groupmap.json:

    1. {
    2.     "name": "group1map",
    3.     "groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
    4.     "roles": [
    5.         "readRole"
    6.     ]
    7. }

    You can configure the mapping as follows:

    1. curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map

    To check whether the group mapping was created successfully, run the following command:

    To check the details of a specific group mapping, use the following:

    1. curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map

    To add additional roles to the group mapping, use the following API:

    1. curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole>

    In the next two steps you will be creating a user, and assigning previously created roles to it. These steps are only needed in the following cases:

    • Your LDAP server does not support the memberOf attribute, or
    • You want to configure a user with additional roles that are not mapped to the group(s) that the user is a member of

    If this is not the case for your scenario, you can skip these steps.

    Step 4. Create a user

    Once LDAP is enabled, only user passwords are verified with LDAP. You add the LDAP user to Druid as follows:

      1. curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users/<AD user>/roles/<rolename>

      For more information about security and the basic security extension, see .