Authentication and Authorization

    Authenticator chain

    Authentication decisions are handled by a chain of Authenticator instances. A request will be checked by the Authenticators in the sequence defined by the druid.auth.authenticatorChain property.

    Authenticator implementations are provided by extensions.

    For example, the following authenticator chain definition enables the Kerberos and HTTP Basic authenticators, from the druid-kerberos and druid-basic-security core extensions, respectively:

    A request will pass through all Authenticators in the chain, until one of the Authenticators successfully authenticates the request or sends an HTTP error response. Authenticators later in the chain will be skipped after the first successful authentication or if the request is terminated with an error response.

    If no Authenticator in the chain successfully authenticated a request or sent an HTTP error response, an HTTP error response will be sent at the end of the chain.

    Druid includes two built-in Authenticators, one of which is used for the default unsecured configuration.

    AllowAll authenticator

    This built-in Authenticator authenticates all requests, and always directs them to an Authorizer named “allowAll”. It is not intended to be used for anything other than the default unsecured configuration.

    Anonymous authenticator

    This built-in Authenticator authenticates all requests, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of access, so the Anonymous Authenticator should be added to the end of the authenticator chain. A request that reaches the Anonymous Authenticator at the end of the chain will succeed or fail depending on how the Authorizer linked to the Anonymous Authenticator is configured.

    To use the Anonymous Authenticator, add an authenticator with type anonymous to the authenticatorChain.

    For example, the following enables the Anonymous Authenticator with the extension:

        druid.auth.authenticator.anonymous.type=anonymous
        druid.auth.authenticator.anonymous.identity=defaultUser
        druid.auth.authenticator.anonymous.authorizerName=myBasicAuthorizer
        # ... usual configs for basic authentication would go here ...

    Trusted Domain Authenticator

    This built-in Trusted Domain Authenticator authenticates requests originating from the configured trusted domain, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of trust and allowing access for hosts within the same domain.

    To use the Trusted Domain Authenticator, add an authenticator of the Trusted Domain type to the authenticatorChain.
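    The chain semantics above (first success or error response stops the chain, an error response at the end of the chain otherwise), together with the Anonymous and Trusted Domain authenticators, as an added illustration that is not Druid's own code; the Authenticator and Authorizer names, the credential-checking stand-in and the request fields are constructed for the example:

```python
# Added illustration of Druid's authenticator-chain semantics (not Druid's own
# code); names, credentials and request fields are constructed for the example.
from dataclasses import dataclass
from typing import Callable, Union

@dataclass
class AuthenticationResult:
    identity: str
    authorizer_name: str  # the single Authorizer that will decide the request

@dataclass
class HttpError:
    status: int

# Outcome: a result (authenticated), an HttpError (chain terminated) or None
# (this Authenticator does not handle the request: try the next one).
Authenticator = Callable[[dict], Union[AuthenticationResult, HttpError, None]]

def basic_like(users: dict, authorizer_name: str) -> Authenticator:
    # Hypothetical stand-in for a credential-checking Authenticator.
    def auth(request):
        creds = request.get("authorization")
        if creds is None:
            return None                       # no credentials: pass it on
        user, _, password = creds.partition(":")
        if users.get(user) != password:
            return HttpError(401)             # error response ends the chain
        return AuthenticationResult(user, authorizer_name)
    return auth

def trusted_domain(domain: str, authorizer_name: str) -> Authenticator:
    # Accepts only requests whose remote host lies within the trusted domain.
    def auth(request):
        host = request.get("remote_host", "")
        if host == domain or host.endswith("." + domain):
            return AuthenticationResult(host, authorizer_name)
        return None
    return auth

def anonymous(identity: str, authorizer_name: str) -> Authenticator:
    # Mirrors druid.auth.authenticator.anonymous.identity / .authorizerName;
    # it authenticates everything, so it belongs at the end of the chain.
    return lambda request: AuthenticationResult(identity, authorizer_name)

def run_chain(chain, request):
    """Walk the chain in configured order; stop at the first success or error."""
    for authenticator in chain:
        outcome = authenticator(request)
        if outcome is not None:
            return outcome
    return HttpError(401)  # nothing in the chain authenticated the request
```

    Note that a chain ending in the Anonymous Authenticator never produces the end-of-chain error; access is then decided solely by the Authorizer it is linked to.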

    Escalator

    The druid.escalator.type property determines what authentication scheme should be used for internal Druid cluster communications (such as when a Broker process communicates with Historical processes for query processing).

    The Escalator chosen for this property must use an authentication scheme that is supported by an Authenticator in druid.auth.authenticatorChain. Authenticator extension implementers must also provide a corresponding Escalator implementation if they intend to use a particular authentication scheme for internal Druid communications.

    Noop escalator

    This built-in default Escalator is intended for use only with the default AllowAll Authenticator and Authorizer.

    Authorizers

    Authorization decisions are handled by an Authorizer. The druid.auth.authorizers property determines what Authorizer implementations will be active.

    There are two built-in Authorizers, “default” and “noop”. Other implementations are provided by extensions.

    For example, the following authorizers definition enables the “basic” implementation from druid-basic-security:

        druid.auth.authorizers=["basic"]

    Only a single Authorizer will authorize any given request.

    Druid includes one built-in authorizer:

    The Authorizer with type name “allowAll” accepts all requests.

    Default configuration

    When druid.auth.authenticatorChain is left empty or unspecified, Druid will create an authenticator chain with a single AllowAll Authenticator named “allowAll”.

    When druid.auth.authorizers is left empty or unspecified, Druid will create a single AllowAll Authorizer named “allowAll”.

    The default value of druid.escalator.type is “noop” to match the default unsecured Authenticator/Authorizer configurations.

    Authenticator to Authorizer Routing

    An Authenticator implementation should provide some means through configuration to allow users to select what Authorizer(s) the Authenticator should route requests to.

    Internal system user

    Internal requests between Druid processes (non-user initiated communications) need to have authentication credentials attached.

    These requests should be run as an “internal system user”, an identity that represents the Druid cluster itself, with full access permissions.

    The details of how the internal system user is defined are left to extension implementations.

    Authorizer Internal System User Handling

    Authorizer implementations must recognize and authorize an identity for the “internal system user”, with full access permissions.

    Authenticator and Escalator Internal System User Handling

    An Authenticator implementation that is intended to support internal Druid communications must recognize credentials for the “internal system user”, as provided by a corresponding Escalator implementation.

    An Escalator must implement three methods related to the internal system user:

    createEscalatedClient returns a wrapped HttpClient that attaches the credentials of the “internal system user” to requests.

    createEscalatedJettyClient is similar to createEscalatedClient, except that it operates on a Jetty HttpClient.

    createEscalatedAuthenticationResult returns an AuthenticationResult containing the identity of the “internal system user”.

    Reserved Name Configuration Property

    For extension implementers, please note that the following configuration properties are reserved for the names of Authenticators and Authorizers:

        druid.auth.authenticator.<authenticator-name>.name=<authenticator-name>
        druid.auth.authorizer.<authorizer-name>.name=<authorizer-name>

    These properties provide the authenticator and authorizer names to the implementations as @JsonProperty parameters, potentially useful when multiple authenticators or authorizers of the same type are configured.