<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-development/extensions-core/druid-pac4j">
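<head>
  <meta charset="UTF-8">
  <meta name="generator" content="Docusaurus v2.4.1">
  <title data-rh="true">Druid pac4j based Security extension | Apache® Druid</title>
  <meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1">

  <!-- Social cards and canonical URL for this docs page. -->
  <meta data-rh="true" name="twitter:card" content="summary_large_image">
  <meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png">
  <meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png">
  <meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j">
  <meta data-rh="true" property="og:title" content="Druid pac4j based Security extension | Apache® Druid">

  <!-- Docusaurus / DocSearch version and locale tags. -->
  <meta data-rh="true" name="docusaurus_locale" content="en">
  <meta data-rh="true" name="docsearch:language" content="en">
  <meta data-rh="true" name="docusaurus_version" content="current">
  <meta data-rh="true" name="docusaurus_tag" content="docs-default-current">
  <meta data-rh="true" name="docsearch:version" content="current">
  <meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current">

  <!-- Both description tags used to hold only the opening characters of an
       HTML comment (apparently scraped from the top of the source document),
       so search engines and link previews showed no summary. The text below
       is the first sentence of the page. -->
  <meta data-rh="true" name="description" content="Apache Druid extension that enables OpenID Connect based authentication for Druid processes, using pac4j as the underlying client library.">
  <meta data-rh="true" property="og:description" content="Apache Druid extension that enables OpenID Connect based authentication for Druid processes, using pac4j as the underlying client library.">

  <link data-rh="true" rel="icon" href="/img/favicon.png">
  <link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j">
  <link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j" hreflang="en">
  <link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/development/extensions-core/druid-pac4j" hreflang="x-default">

  <!-- Analytics: the loader URL is not version-pinned, so it cannot carry a
       Subresource Integrity hash; a Content-Security-Policy that allow-lists
       this origin is the applicable control. -->
  <link rel="preconnect" href="https://www.google-analytics.com">
  <link rel="preconnect" href="https://www.googletagmanager.com">
  <script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
  <script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>

  <!-- NOTE(review): the two third-party assets below are version-pinned but
       load without Subresource Integrity. Adding
       integrity="sha384-HASH_OF_REVIEWED_FILE" (placeholder, compute from the
       vetted file) together with crossorigin="anonymous" makes the browser
       reject a modified CDN response; self-hosting them is the alternative. -->
  <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
  <script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script>

  <!-- First-party Docusaurus bundle, preloaded here and executed at the end of the body. -->
  <link rel="stylesheet" href="/assets/css/styles.546f39eb.css">
  <link rel="preload" href="/assets/js/runtime~main.26d714fb.js" as="script">
  <link rel="preload" href="/assets/js/main.bd54ee66.js" as="script">
</head>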
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><div class="docPage__5DB"><main class="docMainContainer_gTbr docMainContainerEnhanced_Uz_u"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><div class="theme-doc-markdown markdown"><header><h1>Druid pac4j based Security extension</h1></header><p>Apache Druid Extension to enable <a href="https://openid.net/connect/" target="_blank" rel="noopener noreferrer">OpenID Connect</a> based Authentication for Druid Processes using <a href="https://github.com/pac4j/pac4j" target="_blank" rel="noopener noreferrer">pac4j</a> as the underlying client library.
This can be used with any authentication server that supports OpenID Connect, e.g. <a href="https://developer.okta.com/" target="_blank" rel="noopener noreferrer">Okta</a>.
The pac4j authenticator should only be used at the router node, to enable a group of users in an existing authentication server to interact with the Druid cluster through the <a href="/docs/latest/operations/web-console">web console</a>. </p><p>This extension also provides a JWT authenticator that validates <a href="https://openid.net/specs/openid-connect-core-1_0.html#CodeIDToken" target="_blank" rel="noopener noreferrer">ID Tokens</a> associated with a request. ID Tokens are attached to the request in the <code>Authorization</code> header with the bearer token prefix <code>Bearer </code>. This authenticator is intended for services that talk to Druid: the service first authenticates with an OIDC server to retrieve an ID Token, which is then attached to every Druid request.</p><p>This extension does not support JDBC client authentication.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuration">Configuration<a href="#configuration" class="hash-link" aria-label="Direct link to Configuration" title="Direct link to Configuration"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="creating-an-authenticator">Creating an Authenticator<a href="#creating-an-authenticator" class="hash-link" aria-label="Direct link to Creating an Authenticator" title="Direct link to Creating an Authenticator"></a></h3><p>The two snippets below are separate examples: each assigns <code>druid.auth.authenticatorChain</code>, so copying both into one properties file leaves only one of the assignments in effect.</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">#Create a pac4j web user authenticator</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;pac4j&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.pac4j.type=pac4j</span><br></span><span 
class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">#Create a JWT token authenticator</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;jwt&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.jwt.type=jwt</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><h3 class="anchor anchorWithStickyNavbar_LWe7" id="properties">Properties<a href="#properties" class="hash-link" aria-label="Direct link to Properties" title="Direct link to Properties"></a></h3><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>required</th></tr></thead><tbody><tr><td><code>druid.auth.pac4j.cookiePassphrase</code></td><td>passphrase for encrypting the cookies used to manage authentication session with browser. 
It can be provided as a plaintext string or through a <a href="/docs/latest/operations/password-provider">Password Provider</a>, which can keep the secret out of the properties file.</td><td>none</td><td>Yes</td></tr><tr><td><code>druid.auth.pac4j.readTimeout</code></td><td>Socket connect and read timeout duration used when communicating with the authentication server.</td><td>PT5S</td><td>No</td></tr><tr><td><code>druid.auth.pac4j.enableCustomSslContext</code></td><td>Whether to use a custom SSLContext set up via the <a href="/docs/latest/development/extensions-core/simple-client-sslcontext">simple-client-sslcontext</a> extension, which must be added to the extensions list when this property is set to true.</td><td>false</td><td>No</td></tr><tr><td><code>druid.auth.pac4j.oidc.clientID</code></td><td>OAuth Client Application id.</td><td>none</td><td>Yes</td></tr><tr><td><code>druid.auth.pac4j.oidc.clientSecret</code></td><td>OAuth Client Application secret. It can be provided as a plaintext string or through a <a href="/docs/latest/operations/password-provider">Password Provider</a>, which can keep the secret out of the properties file.</td><td>none</td><td>Yes</td></tr><tr><td><code>druid.auth.pac4j.oidc.discoveryURI</code></td><td>Discovery URI for fetching OP (OpenID Provider) metadata; see the <a href="https://openid.net/specs/openid-connect-discovery-1_0.html" target="_blank" rel="noopener noreferrer">OpenID Connect Discovery specification</a>.</td><td>none</td><td>Yes</td></tr><tr><td><code>druid.auth.pac4j.oidc.oidcClaim</code></td><td><a href="https://openid.net/specs/openid-connect-core-1_0.html#Claims" target="_blank" rel="noopener noreferrer">Claim</a> that will be extracted from the ID Token after validation.</td><td>name</td><td>No</td></tr><tr><td><code>druid.auth.pac4j.oidc.scope</code></td><td>Scope used by the application during authentication to authorize access to a user&#x27;s details.</td><td><code>openid profile email</code></td><td>No</td></tr></tbody></table></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar 
theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#configuration" class="table-of-contents__link toc-highlight">Configuration</a><ul><li><a href="#creating-an-authenticator" class="table-of-contents__link toc-highlight">Creating an Authenticator</a></li><li><a href="#properties" class="table-of-contents__link toc-highlight">Properties</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.26d714fb.js"></script>
<script src="/assets/js/main.bd54ee66.js"></script>
</body>
</html>