Apache Ranger Security

    Make sure to include in the extensions load list.

    Support for Apache Ranger authorization consists of three elements:

    • configuring the extension in Apache Druid
    • providing the service definition for Druid to Apache Ranger

    Ensure that you have a valid authenticator chain and escalator set in your common.runtime.properties. For every authenticator your wish to use the authorizer for, set druid.auth.authenticator.<authenticatorName>.authorizerName to the name you will give the authorizer, e.g. ranger.

    Then add the following and amend to your needs (in case you need to use multiple authorizers):

    Properties to configure the extension in Apache Druid

    Configuring the connection to Apache Ranger

    The Apache Ranger authorization extension will read several configuration files. Discussing the contents of those files is beyond the scope of this document. Depending on your needs you will need to create them. The minimum you will need to have is a ranger-druid-security.xml file that you will need to put in the classpath (e.g. _common). For auditing, the configuration is in ranger-druid-audit.xml.

    At the time of writing of this document Apache Ranger (2.0) does not include an out of the box service and service definition for Druid. You can add the service definition to Apache Ranger by entering the following command:

    curl -u <user>:<password> -d "@ranger-servicedef-druid.json" -X POST -H "Accept: application/json" -H "Content-Type: application/json" http://localhost:6080/service/public/v2/api/servicedef/

    You should get back json describing the service definition you just added. You can now go to the web interface of Apache Ranger which should now include a widget for “Druid”. Click the plus sign and create the new service. Ensure your service name is equal to what you configured in ranger-druid-security.xml.

    Configuring Apache Ranger policies

    Usage

    HTTP methods

    For information on what HTTP methods are supported for a particular request endpoint, please refer to the .

    GET requires READ permission, while POST and DELETE require WRITE permission.

    Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource.

    Queries on the will return information about datasources that the caller has DATASOURCE READ access to. Other datasources will be omitted.

    • segments: Segments will be filtered based on DATASOURCE READ permissions.
    • servers: The user requires STATE READ permissions.
    • server_segments: The user requires STATE READ permissions and segments will be filtered based on DATASOURCE READ permissions.
    • tasks: Tasks will be filtered based on DATASOURCE READ permissions.

    Debugging

    If you face difficulty grasping why access is denied to certain elements, and the audit section in Apache Ranger does not give you any detail, you can enable debug logging for . To do so add the following in your log4j2.xml: