<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-design/auth">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.1">
<!-- Page metadata, emitted on a single line by the generator. NOTE(review): both description metas below contain only an escaped comment-open marker; it looks as if the leading comment of the source document leaked into the description (confirm against the source file). -->
<title data-rh="true">Authentication and Authorization | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/latest/design/auth"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Authentication and Authorization | Apache® Druid"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/latest/design/auth"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/design/auth" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/design/auth" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com">
<link rel="preconnect" href="https://www.googletagmanager.com">
<!-- Google Analytics loader followed by its inline bootstrap. NOTE(review): because the bootstrap is an inline script, a Content-Security-Policy for this page would need a nonce, a hash or 'unsafe-inline' in script-src. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>
<!-- NOTE(review): the Font Awesome stylesheet and clipboard.js below are fetched from third-party CDNs without integrity or crossorigin attributes, so the browser cannot detect a modified file. Both URLs are version-pinned, which makes Subresource Integrity practical: add integrity="sha384-PLACEHOLDER_HASH_OF_PINNED_FILE" (placeholder, compute from the pinned file) and crossorigin="anonymous", or serve the files from this site's own /assets path. clipboard.js is also loaded without defer or async. -->
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.546f39eb.css">
<!-- Preload hints for the two same-origin bundles that the script tags at the end of body load. -->
<link rel="preload" href="/assets/js/runtime~main.9a92b840.js" as="script">
<link rel="preload" href="/assets/js/main.6f6dba15.js" as="script">
</head>
<body class="navigation-with-keyboard">
<!-- Inline theme bootstrap: takes the theme name from the "docusaurus-theme" query parameter, else from the localStorage key "theme", else "light", and writes it to the data-theme attribute of the root element. The query-string value can be chosen by whoever crafts the link, but it is only passed to setAttribute(), so it is stored as an attribute value and is not parsed as markup. Both lookups are wrapped in try/catch and fall through to the next source on failure. -->
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top navbar--dark"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--dark_i4oU"></div></a></div><div class="navbar__items navbar__items--right"><a class="navbar__item navbar__link" href="/technology">Technology</a><a class="navbar__item navbar__link" href="/use-cases">Use Cases</a><a class="navbar__item navbar__link" href="/druid-powered">Powered By</a><a aria-current="page" class="navbar__item navbar__link navbar__link--active" href="/docs/latest/design/">Docs</a><a class="navbar__item navbar__link" href="/community/">Community</a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache®</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Foundation<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://apachecon.com/?ref=druid.apache.org" target="_blank" rel="noopener noreferrer" 
class="dropdown__link">Events<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">License<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Thanks<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Security<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Sponsorship<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><a class="navbar__item navbar__link" href="/downloads/">Download</a><div class="searchBox_ZlJk"><div class="navbar__search"><span aria-label="expand 
searchbar" role="button" class="search-icon" tabindex="0"></span><input type="search" id="search_input_react" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><main class="docMainContainer_gTbr docMainContainerEnhanced_Uz_u"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Authentication and Authorization</h1></header><p>This document describes non-extension specific Apache Druid authentication and authorization configurations.</p><table><thead><tr><th>Property</th><th>Type</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.auth.authenticatorChain</code></td><td>JSON List of Strings</td><td>List of Authenticator type names</td><td>[&quot;allowAll&quot;]</td><td>no</td></tr><tr><td><code>druid.escalator.type</code></td><td>String</td><td>Type of the Escalator that should be used for internal Druid communications. 
This Escalator must use an authentication scheme that is supported by an Authenticator in <code>druid.auth.authenticatorChain</code>.</td><td>&quot;noop&quot;</td><td>no</td></tr><tr><td><code>druid.auth.authorizers</code></td><td>JSON List of Strings</td><td>List of Authorizer type names</td><td>[&quot;allowAll&quot;]</td><td>no</td></tr><tr><td><code>druid.auth.unsecuredPaths</code></td><td>List of Strings</td><td>List of paths for which security checks will not be performed. All requests to these paths will be allowed.</td><td>[]</td><td>no</td></tr><tr><td><code>druid.auth.allowUnauthenticatedHttpOptions</code></td><td>Boolean</td><td>If true, allow HTTP OPTIONS requests by unauthenticated users. This is primarily useful for supporting CORS preflight requests, which Druid does not support directly, but which can be enabled using third-party extensions.<br><br>Note that you must add &quot;OPTIONS&quot; to <code>druid.server.http.allowedHttpMethods</code>.<br><br>Also note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid (by checking if the OPTIONS request returns a 200 instead of 404). 
Enabling this option will reveal information about server configuration, including information about what extensions are loaded, to unauthenticated users.</td><td>false</td><td>no</td></tr></tbody></table><h2 class="anchor anchorWithStickyNavbar_LWe7" id="enabling-authenticationauthorizationloadinglookuptest">Enabling Authentication/AuthorizationLoadingLookupTest<a href="#enabling-authenticationauthorizationloadinglookuptest" class="hash-link" aria-label="Direct link to Enabling Authentication/AuthorizationLoadingLookupTest" title="Direct link to Enabling Authentication/AuthorizationLoadingLookupTest"></a></h2><h2 class="anchor anchorWithStickyNavbar_LWe7" id="authenticator-chain">Authenticator chain<a href="#authenticator-chain" class="hash-link" aria-label="Direct link to Authenticator chain" title="Direct link to Authenticator chain"></a></h2><p>Authentication decisions are handled by a chain of Authenticator instances. A request will be checked by Authenticators in the sequence defined by the <code>druid.auth.authenticatorChain</code>.</p><p>Authenticator implementations are provided by extensions.</p><p>For example, the following authenticator chain definition enables the Kerberos and HTTP Basic authenticators, from the <code>druid-kerberos</code> and <code>druid-basic-security</code> core extensions, respectively:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;kerberos&quot;, &quot;basic&quot;]</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" 
class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>A request will pass through all Authenticators in the chain, until one of the Authenticators successfully authenticates the request or sends an HTTP error response. Authenticators later in the chain will be skipped after the first successful authentication or if the request is terminated with an error response.</p><p>If no Authenticator in the chain successfully authenticated a request or sent an HTTP error response, an HTTP error response will be sent at the end of the chain.</p><p>Druid includes two built-in Authenticators, one of which is used for the default unsecured configuration.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="allowall-authenticator">AllowAll authenticator<a href="#allowall-authenticator" class="hash-link" aria-label="Direct link to AllowAll authenticator" title="Direct link to AllowAll authenticator"></a></h3><p>This built-in Authenticator authenticates all requests, and always directs them to an Authorizer named &quot;allowAll&quot;. It is not intended to be used for anything other than the default unsecured configuration.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="anonymous-authenticator">Anonymous authenticator<a href="#anonymous-authenticator" class="hash-link" aria-label="Direct link to Anonymous authenticator" title="Direct link to Anonymous authenticator"></a></h3><p>This built-in Authenticator authenticates all requests, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of access so
the Anonymous Authenticator should be added to the end of the authenticator chain. Because it authenticates every request, any Authenticator placed after it in the chain would never be consulted. A request that reaches the Anonymous Authenticator at the end of the chain will succeed or fail depending on how the Authorizer linked to the Anonymous Authenticator is configured.</p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.authorizerName</code></td><td>Authorizer that requests should be directed to.</td><td>N/A</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.identity</code></td><td>The identity of the requester.</td><td>defaultUser</td><td>No</td></tr></tbody></table><p>To use the Anonymous Authenticator, add an authenticator with type <code>anonymous</code> to the authenticatorChain.</p><p>For example, the following enables the Anonymous Authenticator with the <code>druid-basic-security</code> extension:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;basic&quot;, &quot;anonymous&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.anonymous.type=anonymous</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.anonymous.identity=defaultUser</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.anonymous.authorizerName=myBasicAuthorizer</span><br></span><span class="token-line" 
style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># ... usual configs for basic authentication would go here ...</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h3 class="anchor anchorWithStickyNavbar_LWe7" id="trusted-domain-authenticator">Trusted domain Authenticator<a href="#trusted-domain-authenticator" class="hash-link" aria-label="Direct link to Trusted domain Authenticator" title="Direct link to Trusted domain Authenticator"></a></h3><p>This built-in Trusted Domain Authenticator authenticates requests originating from the configured trusted domain, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of trust and allow access for hosts within same domain. </p><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>Required</th></tr></thead><tbody><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.name</code></td><td>authenticator name.</td><td>N/A</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.domain</code></td><td>Trusted Domain from which requests should be authenticated. 
If authentication should be allowed only for connections from a single host, specify the fully qualified hostname of that host.</td><td>N/A</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.useForwardedHeaders</code></td><td>Clients connecting to Druid may pass through several layers of proxy. Some proxies append their own IP address to the &#x27;X-Forwarded-For&#x27; header before passing the request on to another proxy, and some connect on behalf of the client. If this config is set to true and &#x27;X-Forwarded-For&#x27; is present, the Trusted Domain Authenticator uses the leftmost host name from the X-Forwarded-For header. Note: X-Forwarded-For headers can be spoofed in HTTP requests, and the leftmost entry is the one a client can supply itself, so enable this with caution and only when every request reaches Druid through a proxy that sets or overwrites the header.</td><td>false</td><td>No</td></tr><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.authorizerName</code></td><td>Authorizer that requests should be directed to.</td><td>N/A</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.identity</code></td><td>The identity of the requester.</td><td>defaultUser</td><td>No</td></tr></tbody></table><p>To use the Trusted Domain Authenticator, add an authenticator with type <code>trustedDomain</code> to the authenticatorChain.</p><p>For example, the following enables the Trusted Domain Authenticator:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;trustedDomain&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token 
plain">druid.auth.authenticator.trustedDomain.type=trustedDomain</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.trustedDomain.domain=trustedhost.mycompany.com</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.trustedDomain.identity=defaultUser</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.trustedDomain.authorizerName=myBasicAuthorizer</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.trustedDomain.name=myTrustedAutenticator</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># ... usual configs for druid would go here ...</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="escalator">Escalator<a href="#escalator" class="hash-link" aria-label="Direct link to Escalator" title="Direct link to Escalator"></a></h2><p>The <code>druid.escalator.type</code> property determines what authentication scheme should be used for internal Druid cluster communications (such as when a Broker process communicates with Historical processes for query processing).</p><p>The Escalator chosen for this property must use an authentication scheme that is supported by an Authenticator in 
<code>druid.auth.authenticatorChain</code>. Authenticator extension implementers must also provide a corresponding Escalator implementation if they intend to use a particular authentication scheme for internal Druid communications.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="noop-escalator">Noop escalator<a href="#noop-escalator" class="hash-link" aria-label="Direct link to Noop escalator" title="Direct link to Noop escalator"></a></h3><p>This built-in default Escalator is intended for use only with the default AllowAll Authenticator and Authorizer.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="authorizers">Authorizers<a href="#authorizers" class="hash-link" aria-label="Direct link to Authorizers" title="Direct link to Authorizers"></a></h2><p>Authorization decisions are handled by an Authorizer. The <code>druid.auth.authorizers</code> property determines what Authorizer implementations will be active.</p><p>There are two built-in Authorizers, &quot;default&quot; and &quot;noop&quot;. 
Other implementations are provided by extensions.</p><p>For example, the following authorizers definition enables the &quot;basic&quot; implementation from <code>druid-basic-security</code>:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizers=[&quot;basic&quot;]</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Only a single Authorizer will authorize any given request.</p><p>Druid includes one built in authorizer:</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="allowall-authorizer">AllowAll authorizer<a href="#allowall-authorizer" class="hash-link" aria-label="Direct link to AllowAll authorizer" title="Direct link to AllowAll authorizer"></a></h3><p>The Authorizer with type name &quot;allowAll&quot; accepts all requests.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="default-unsecured-configuration">Default Unsecured Configuration<a href="#default-unsecured-configuration" class="hash-link" aria-label="Direct link to Default Unsecured Configuration" title="Direct link to Default Unsecured Configuration"></a></h2><p>When <code>druid.auth.authenticatorChain</code> is left empty or 
unspecified, Druid will create an authenticator chain with a single AllowAll Authenticator named &quot;allowAll&quot;.</p><p>When <code>druid.auth.authorizers</code> is left empty or unspecified, Druid will create a single AllowAll Authorizer named &quot;allowAll&quot;.</p><p>The default value of <code>druid.escalator.type</code> is &quot;noop&quot; to match the default unsecured Authenticator/Authorizer configurations. Taken together, these defaults authenticate and authorize every request, so configure all three properties before exposing a cluster to untrusted clients.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="authenticator-to-authorizer-routing">Authenticator to Authorizer Routing<a href="#authenticator-to-authorizer-routing" class="hash-link" aria-label="Direct link to Authenticator to Authorizer Routing" title="Direct link to Authenticator to Authorizer Routing"></a></h2><p>When an Authenticator successfully authenticates a request, it must attach an AuthenticationResult to the request, containing information about the identity of the requester, as well as the name of the Authorizer that should authorize the authenticated request.</p><p>An Authenticator implementation should provide some means through configuration to allow users to select what Authorizer(s) the Authenticator should route requests to.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="internal-system-user">Internal system user<a href="#internal-system-user" class="hash-link" aria-label="Direct link to Internal system user" title="Direct link to Internal system user"></a></h2><p>Internal requests between Druid processes (non-user initiated communications) need to have authentication credentials attached.</p><p>These requests should be run as an &quot;internal system user&quot;, an identity that represents the Druid cluster itself, with full access permissions.</p><p>The details of how the internal system user is defined are left to extension implementations.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="authorizer-internal-system-user-handling">Authorizer Internal System User Handling<a 
href="#authorizer-internal-system-user-handling" class="hash-link" aria-label="Direct link to Authorizer Internal System User Handling" title="Direct link to Authorizer Internal System User Handling"></a></h3><p>Authorizers implementations must recognize and authorize an identity for the &quot;internal system user&quot;, with full access permissions.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="authenticator-and-escalator-internal-system-user-handling">Authenticator and Escalator Internal System User Handling<a href="#authenticator-and-escalator-internal-system-user-handling" class="hash-link" aria-label="Direct link to Authenticator and Escalator Internal System User Handling" title="Direct link to Authenticator and Escalator Internal System User Handling"></a></h3><p>An Authenticator implementation that is intended to support internal Druid communications must recognize credentials for the &quot;internal system user&quot;, as provided by a corresponding Escalator implementation.</p><p>An Escalator must implement three methods related to the internal system user:</p><div class="language-java codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-java codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain"> public HttpClient createEscalatedClient(HttpClient baseClient);</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> public org.eclipse.jetty.client.HttpClient createEscalatedJettyClient(org.eclipse.jetty.client.HttpClient baseClient);</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span 
class="token-line" style="color:#bfc7d5"><span class="token plain"> public AuthenticationResult createEscalatedAuthenticationResult();</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p><code>createEscalatedClient</code> returns an wrapped HttpClient that attaches the credentials of the &quot;internal system user&quot; to requests.</p><p><code>createEscalatedJettyClient</code> is similar to <code>createEscalatedClient</code>, except that it operates on a Jetty HttpClient.</p><p><code>createEscalatedAuthenticationResult</code> returns an AuthenticationResult containing the identity of the &quot;internal system user&quot;.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="reserved-name-configuration-property">Reserved Name Configuration Property<a href="#reserved-name-configuration-property" class="hash-link" aria-label="Direct link to Reserved Name Configuration Property" title="Direct link to Reserved Name Configuration Property"></a></h2><p>For extension implementers, please note that the following configuration properties are reserved for the names of Authenticators and Authorizers:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span 
class="token plain">druid.auth.authenticator.&lt;authenticator-name&gt;.name=&lt;authenticator-name&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizer.&lt;authorizer-name&gt;.name=&lt;authorizer-name&gt;</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>These properties provide the authenticator and authorizer names to the implementations as @JsonProperty parameters, potentially useful when multiple authenticators or authorizers of the same type are configured.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#enabling-authenticationauthorizationloadinglookuptest" class="table-of-contents__link toc-highlight">Enabling Authentication/AuthorizationLoadingLookupTest</a></li><li><a href="#authenticator-chain" class="table-of-contents__link toc-highlight">Authenticator chain</a><ul><li><a href="#allowall-authenticator" class="table-of-contents__link toc-highlight">AllowAll authenticator</a></li><li><a href="#anonymous-authenticator" class="table-of-contents__link toc-highlight">Anonymous 
authenticator</a></li><li><a href="#trusted-domain-authenticator" class="table-of-contents__link toc-highlight">Trusted domain Authenticator</a></li></ul></li><li><a href="#escalator" class="table-of-contents__link toc-highlight">Escalator</a><ul><li><a href="#noop-escalator" class="table-of-contents__link toc-highlight">Noop escalator</a></li></ul></li><li><a href="#authorizers" class="table-of-contents__link toc-highlight">Authorizers</a><ul><li><a href="#allowall-authorizer" class="table-of-contents__link toc-highlight">AllowAll authorizer</a></li></ul></li><li><a href="#default-unsecured-configuration" class="table-of-contents__link toc-highlight">Default Unsecured Configuration</a></li><li><a href="#authenticator-to-authorizer-routing" class="table-of-contents__link toc-highlight">Authenticator to Authorizer Routing</a></li><li><a href="#internal-system-user" class="table-of-contents__link toc-highlight">Internal system user</a><ul><li><a href="#authorizer-internal-system-user-handling" class="table-of-contents__link toc-highlight">Authorizer Internal System User Handling</a></li><li><a href="#authenticator-and-escalator-internal-system-user-handling" class="table-of-contents__link toc-highlight">Authenticator and Escalator Internal System User Handling</a></li></ul></li><li><a href="#reserved-name-configuration-property" class="table-of-contents__link toc-highlight">Reserved Name Configuration Property</a></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. 
Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.9a92b840.js"></script>
<script src="/assets/js/main.6f6dba15.js"></script>
</body>
</html>