<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-development/extensions-core/druid-kerberos">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.1">
<title data-rh="true">Kerberos | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-kerberos"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Kerberos | Apache® Druid"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-kerberos"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-kerberos" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-kerberos" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com">
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.f80751b3.css">
<link rel="preload" href="/assets/js/runtime~main.5371e784.js" as="script">
<link rel="preload" href="/assets/js/main.832012d1.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top navbar--dark"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--dark_i4oU"></div></a></div><div class="navbar__items navbar__items--right"><a class="navbar__item navbar__link" href="/technology">Technology</a><a class="navbar__item navbar__link" href="/use-cases">Use Cases</a><a class="navbar__item navbar__link" href="/druid-powered">Powered By</a><a class="navbar__item navbar__link" href="/docs/27.0.0/design/">Docs</a><a class="navbar__item navbar__link" href="/community/">Community</a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache®</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Foundation<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://apachecon.com/?ref=druid.apache.org" target="_blank" rel="noopener noreferrer" class="dropdown__link">Events<svg width="12" 
height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">License<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Thanks<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Security<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Sponsorship<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><a class="navbar__item navbar__link" href="/downloads/">Download</a><div class="searchBox_ZlJk"><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" 
tabindex="0"></span><input type="search" id="search_input_react" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><main class="docMainContainer_gTbr docMainContainerEnhanced_Uz_u"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Kerberos</h1></header><p>Apache Druid Extension to enable Authentication for Druid Processes using Kerberos.
This extension adds an Authenticator which is used to protect HTTP Endpoints using the simple and protected GSSAPI negotiation mechanism <a href="https://en.wikipedia.org/wiki/SPNEGO" target="_blank" rel="noopener noreferrer">SPNEGO</a>.
Make sure to <a href="/docs/27.0.0/configuration/extensions#loading-extensions">include</a> <code>druid-kerberos</code> in the extensions load list.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuration">Configuration<a href="#configuration" class="hash-link" aria-label="Direct link to Configuration" title="Direct link to Configuration"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="creating-an-authenticator">Creating an Authenticator<a href="#creating-an-authenticator" class="hash-link" aria-label="Direct link to Creating an Authenticator" title="Direct link to Creating an Authenticator"></a></h3><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;MyKerberosAuthenticator&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.MyKerberosAuthenticator.type=kerberos</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>To use the Kerberos authenticator, add an authenticator with type 
<code>kerberos</code> to the authenticatorChain. The example above uses the name &quot;MyKerberosAuthenticator&quot; for the Authenticator.</p><p>Configuration of the named authenticator is assigned through properties with the form:</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.&lt;authenticatorName&gt;.&lt;authenticatorProperty&gt;</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>The configuration examples in the rest of this document will use &quot;kerberos&quot; as the name of the authenticator being configured.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="properties">Properties<a href="#properties" class="hash-link" aria-label="Direct link to Properties" title="Direct link to Properties"></a></h3><table><thead><tr><th>Property</th><th>Possible Values</th><th>Description</th><th>Default</th><th>required</th></tr></thead><tbody><tr><td><code>druid.auth.authenticator.kerberos.serverPrincipal</code></td><td><code>HTTP/_HOST@EXAMPLE.COM</code></td><td>SPNEGO service principal used by druid 
processes</td><td>empty</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.kerberos.serverKeytab</code></td><td><code>/etc/security/keytabs/spnego.service.keytab</code></td><td>SPNego service keytab used by druid processes</td><td>empty</td><td>Yes</td></tr><tr><td><code>druid.auth.authenticator.kerberos.authToLocal</code></td><td><code>RULE:[1:$1@$0](druid@EXAMPLE.COM)s/.*/druid DEFAULT</code></td><td>It allows you to set a general rule for mapping principal names to local user names. It will be used if there is not an explicit mapping for the principal name that is being translated.</td><td>DEFAULT</td><td>No</td></tr><tr><td><code>druid.auth.authenticator.kerberos.cookieSignatureSecret</code></td><td><code>secretString</code></td><td>Secret used to sign authentication cookies. It is advisable to explicitly set it, if you have multiple druid nodes running on the same machine with different ports as the Cookie Specification does not guarantee isolation by port.</td><td>Random value</td><td>No</td></tr><tr><td><code>druid.auth.authenticator.kerberos.authorizerName</code></td><td>Depends on available authorizers</td><td>Authorizer that requests should be directed to</td><td>Empty</td><td>Yes</td></tr></tbody></table><p>As a note, it is required that the SPNego principal in use by the druid processes must start with HTTP (this is specified by <a href="https://tools.ietf.org/html/rfc4559" target="_blank" rel="noopener noreferrer">RFC-4559</a>) and must be of the form &quot;HTTP/_HOST@REALM&quot;.
The special string _HOST will be replaced automatically with the value of config <code>druid.host</code>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="druidauthauthenticatorkerberosexcludedpaths"><code>druid.auth.authenticator.kerberos.excludedPaths</code><a href="#druidauthauthenticatorkerberosexcludedpaths" class="hash-link" aria-label="Direct link to druidauthauthenticatorkerberosexcludedpaths" title="Direct link to druidauthauthenticatorkerberosexcludedpaths"></a></h3><p>In older releases, the Kerberos authenticator had an <code>excludedPaths</code> property that allowed the user to specify a list of paths where authentication checks should be skipped. This property has been removed from the Kerberos authenticator because the path exclusion functionality is now handled across all authenticators/authorizers by setting <code>druid.auth.unsecuredPaths</code>, as described in the <a href="/docs/27.0.0/operations/auth">main auth documentation</a>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="auth-to-local-syntax">Auth to Local Syntax<a href="#auth-to-local-syntax" class="hash-link" aria-label="Direct link to Auth to Local Syntax" title="Direct link to Auth to Local Syntax"></a></h3><p><code>druid.auth.authenticator.kerberos.authToLocal</code> allows you to set general rules for mapping principal names to local user names.
The syntax for mapping rules is <code>RULE:[n:string](regexp)s/pattern/replacement/g</code>. The integer n indicates how many components the target principal should have. If this matches, then a string will be formed from string, substituting the realm of the principal for $0 and the nth component of the principal for $n. For example, if the principal was druid/admin then <code>[2:$2$1suffix]</code> would result in the string <code>admindruidsuffix</code>.
If this string matches regexp, then the s//<!-- -->[<!-- -->g] substitution command will be run over the string. The optional g will cause the substitution to be global over the string, instead of replacing only the first match in the string.
If required, multiple rules can be joined by a newline character and specified as a String.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="increasing-http-header-size-for-large-spnego-negotiate-header">Increasing HTTP Header size for large SPNEGO negotiate header<a href="#increasing-http-header-size-for-large-spnego-negotiate-header" class="hash-link" aria-label="Direct link to Increasing HTTP Header size for large SPNEGO negotiate header" title="Direct link to Increasing HTTP Header size for large SPNEGO negotiate header"></a></h3><p>In an Active Directory environment, the SPNEGO token in the Authorization header includes PAC (Privilege Attribute Certificate) information,
which includes all security groups for the user. In some cases, when the user belongs to many security groups, the header can grow beyond what druid can handle by default.
In such cases, max request header size that druid can handle can be increased by setting <code>druid.server.http.maxRequestHeaderSize</code> (default 8KiB) and <code>druid.router.http.maxRequestBufferSize</code> (default 8KiB).</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuring-kerberos-escalated-client">Configuring Kerberos Escalated Client<a href="#configuring-kerberos-escalated-client" class="hash-link" aria-label="Direct link to Configuring Kerberos Escalated Client" title="Direct link to Configuring Kerberos Escalated Client"></a></h2><p>Druid internal processes communicate with each other using an escalated http Client. A Kerberos enabled escalated HTTP Client can be configured by following properties -</p><table><thead><tr><th>Property</th><th>Example Values</th><th>Description</th><th>Default</th><th>required</th></tr></thead><tbody><tr><td><code>druid.escalator.type</code></td><td><code>kerberos</code></td><td>Type of Escalator client used for internal process communication.</td><td>n/a</td><td>Yes</td></tr><tr><td><code>druid.escalator.internalClientPrincipal</code></td><td><code>druid@EXAMPLE.COM</code></td><td>Principal user name, used for internal process communication</td><td>n/a</td><td>Yes</td></tr><tr><td><code>druid.escalator.internalClientKeytab</code></td><td><code>/etc/security/keytabs/druid.keytab</code></td><td>Path to keytab file used for internal process communication</td><td>n/a</td><td>Yes</td></tr><tr><td><code>druid.escalator.authorizerName</code></td><td><code>MyBasicAuthorizer</code></td><td>Authorizer that requests should be directed to.</td><td>n/a</td><td>Yes</td></tr></tbody></table><h2 class="anchor anchorWithStickyNavbar_LWe7" id="accessing-druid-http-end-points-when-kerberos-security-is-enabled">Accessing Druid HTTP end points when kerberos security is enabled<a href="#accessing-druid-http-end-points-when-kerberos-security-is-enabled" class="hash-link" aria-label="Direct link to Accessing Druid HTTP end points 
when kerberos security is enabled" title="Direct link to Accessing Druid HTTP end points when kerberos security is enabled"></a></h2><ol><li><p>To access druid HTTP endpoints via curl user will need to first login using <code>kinit</code> command as follows -</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">kinit -k -t &lt;path_to_keytab_file&gt; user@REALM.COM</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></li><li><p>Once the login is successful verify that login is successful using <code>klist</code> command</p></li><li><p>Now you can access druid HTTP endpoints using curl command as follows -</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H&#x27;Content-Type: application/json&#x27; &lt;HTTP_END_POINT&gt;</span><br></span></code></pre><div 
class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>e.g to send a query from file <code>query.json</code> to the Druid Broker use this command -</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H&#x27;Content-Type: application/json&#x27; http://broker-host:port/druid/v2/?pretty -d @query.json</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>Note: Above command will authenticate the user first time using SPNego negotiate mechanism and store the authentication cookie in file. 
For subsequent requests the cookie will be used for authentication.</p></li></ol><h2 class="anchor anchorWithStickyNavbar_LWe7" id="accessing-coordinator-or-overlord-console-from-web-browser">Accessing Coordinator or Overlord console from web browser<a href="#accessing-coordinator-or-overlord-console-from-web-browser" class="hash-link" aria-label="Direct link to Accessing Coordinator or Overlord console from web browser" title="Direct link to Accessing Coordinator or Overlord console from web browser"></a></h2><p>To access Coordinator/Overlord console from browser you will need to configure your browser for SPNego authentication as follows -</p><ol><li>Safari - No configurations required.</li><li>Firefox - Open firefox and follow these steps -<ol><li>Go to <code>about:config</code> and search for <code>network.negotiate-auth.trusted-uris</code>.</li><li>Double-click and add the following values: <code>&quot;http://druid-coordinator-hostname:ui-port&quot;</code> and <code>&quot;http://druid-overlord-hostname:port&quot;</code></li></ol></li><li>Google Chrome - From the command line run following commands -<ol><li><code>google-chrome --auth-server-whitelist=&quot;druid-coordinator-hostname&quot; --auth-negotiate-delegate-whitelist=&quot;druid-coordinator-hostname&quot;</code></li><li><code>google-chrome --auth-server-whitelist=&quot;druid-overlord-hostname&quot; --auth-negotiate-delegate-whitelist=&quot;druid-overlord-hostname&quot;</code></li></ol></li><li>Internet Explorer -<ol><li>Configure trusted websites to include <code>&quot;druid-coordinator-hostname&quot;</code> and <code>&quot;druid-overlord-hostname&quot;</code></li><li>Allow negotiation for the UI website.</li></ol></li></ol><h2 class="anchor anchorWithStickyNavbar_LWe7" id="sending-queries-programmatically">Sending Queries programmatically<a href="#sending-queries-programmatically" class="hash-link" aria-label="Direct link to Sending Queries programmatically" title="Direct link to Sending Queries 
programmatically"></a></h2><p>Many HTTP client libraries, such as Apache Commons <a href="https://hc.apache.org/" target="_blank" rel="noopener noreferrer">HttpComponents</a>, already have support for performing SPNEGO authentication. You can use any of the available HTTP client library to communicate with druid cluster.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#configuration" class="table-of-contents__link toc-highlight">Configuration</a><ul><li><a href="#creating-an-authenticator" class="table-of-contents__link toc-highlight">Creating an Authenticator</a></li><li><a href="#properties" class="table-of-contents__link toc-highlight">Properties</a></li><li><a href="#druidauthauthenticatorkerberosexcludedpaths" class="table-of-contents__link toc-highlight"><code>druid.auth.authenticator.kerberos.excludedPaths</code></a></li><li><a href="#auth-to-local-syntax" class="table-of-contents__link toc-highlight">Auth to Local Syntax</a></li><li><a href="#increasing-http-header-size-for-large-spnego-negotiate-header" class="table-of-contents__link toc-highlight">Increasing HTTP Header size for large SPNEGO negotiate header</a></li></ul></li><li><a href="#configuring-kerberos-escalated-client" class="table-of-contents__link toc-highlight">Configuring Kerberos Escalated Client</a></li><li><a href="#accessing-druid-http-end-points-when-kerberos-security-is-enabled" class="table-of-contents__link toc-highlight">Accessing Druid HTTP end points when kerberos security is enabled</a></li><li><a href="#accessing-coordinator-or-overlord-console-from-web-browser" class="table-of-contents__link toc-highlight">Accessing Coordinator or Overlord console from web browser</a></li><li><a href="#sending-queries-programmatically" class="table-of-contents__link 
toc-highlight">Sending Queries programmatically</a></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.5371e784.js"></script>
<script src="/assets/js/main.832012d1.js"></script>
</body>
</html>