TLS support
Apache Druid uses Jetty as its embedded web server.
To get familiar with TLS/SSL, along with related concepts like keys and certificates, read Configuring SSL/TLS in the Jetty documentation. For more in-depth knowledge of TLS/SSL support in Java in general, refer to the . The Configuring the Jetty SslContextFactory section helps in understanding the TLS/SSL configurations listed below. Finally, lists all possible values for the configs below, among others provided by the Java implementation.
The following table contains configuration options related to client certificate authentication.
Whenever possible, Druid processes use HTTPS to talk to each other. For this communication to work, Druid's HttpClient must be configured with a proper that is able to validate the server certificates; otherwise communication fails.
Since there are various ways to configure an SSLContext, by default Druid looks for an SSLContext Guice binding when creating the HttpClient. This binding can be provided by writing a Druid extension that supplies an SSLContext instance. Druid ships with a simple extension that should cover most simple cases; see this for how to include extensions. If that extension does not satisfy your requirements, follow the extension to create your own.
When the Druid Coordinator/Overlord has both HTTP and HTTPS enabled and a client sends a request to a non-leader process, the client is always redirected to the HTTPS endpoint on the leader process. Therefore, clients should first be upgraded so that they can handle the redirect to HTTPS. Then the Druid Overlord/Coordinator should be upgraded and configured to run both HTTP and HTTPS ports. Next, the client configuration should be changed to refer to the Druid Coordinator/Overlord via the HTTPS endpoint, and finally the HTTP port on the Druid Coordinator/Overlord should be disabled.
To use a custom TLS certificate checker, specify the following property:
The default checker delegates to the standard trust manager and performs no additional actions or checks.
If you use a non-default certificate checker, refer to that extension's documentation for the additional configuration properties it needs.
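The two ideas above, an SSLContext that can actually validate server certificates and a checker that simply delegates to the standard trust manager, can be shown together in plain Java. The following is an added example and is not Druid's own code or its extension API: it uses only the standard `javax.net.ssl` classes, the class and method names (`TrustStoreSslContext`, `build`, `DelegatingTrustManager`) are assumptions, and the trust store path, password and type are whatever the operator supplies.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

// Added example (not Druid code): builds an SSLContext whose trust manager
// validates server certificate chains against an operator-supplied trust store.
public final class TrustStoreSslContext {

    private TrustStoreSslContext() {}

    /**
     * Loads the trust store and returns an SSLContext that rejects any server
     * chain not anchored in it. With no trusted anchors the TLS handshake fails
     * with a CertificateException, which is the "communication will fail" case.
     *
     * @param trustStorePath     path to the trust store file (assumed input)
     * @param trustStorePassword trust store password (assumed input)
     * @param trustStoreType     "PKCS12" or "JKS"
     */
    public static SSLContext build(String trustStorePath, char[] trustStorePassword, String trustStoreType)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(trustStoreType);
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }

        // The JDK's default algorithm (PKIX) performs chain building, signature,
        // validity-period and, if configured, revocation checks.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        X509ExtendedTrustManager base = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509ExtendedTrustManager) {
                base = (X509ExtendedTrustManager) tm;
                break;
            }
        }
        if (base == null) {
            throw new IllegalStateException("no X509ExtendedTrustManager available from " + tmf.getAlgorithm());
        }

        // No key managers: this context is for a client that only validates servers.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{new DelegatingTrustManager(base)}, null);
        return ctx;
    }

    /** Makes the context the default for HttpsURLConnection, one way a client could pick it up. */
    public static void installAsDefault(SSLContext ctx) {
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    /**
     * Mirrors the page's description of the default checker: every call is
     * forwarded to the standard trust manager and nothing is added or skipped.
     * A custom checker would add its extra validation after the delegate call
     * so that the standard checks are never bypassed.
     */
    static final class DelegatingTrustManager extends X509ExtendedTrustManager {
        private final X509ExtendedTrustManager delegate;

        DelegatingTrustManager(X509ExtendedTrustManager delegate) {
            this.delegate = delegate;
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkClientTrusted(chain, authType);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            delegate.checkServerTrusted(chain, authType);
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType, socket);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, Socket socket)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, socket);
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            delegate.checkClientTrusted(chain, authType, engine);
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType, SSLEngine engine)
                throws CertificateException {
            delegate.checkServerTrusted(chain, authType, engine);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return delegate.getAcceptedIssuers();
        }
    }
}
```

Note that the `Socket`/`SSLEngine` overloads are the ones the JDK calls during a real handshake, so a checker that only overrides the two-argument methods would not see those checks; the delegating class overrides all six for that reason. Hostname verification is a separate step from chain validation and is only performed when an endpoint identification algorithm is set on the connection's `SSLParameters`.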