Google Git
Sign in
apache / druid-website-src / fe9bf43cbd4ee63e6f11002e4c741eef24c6d2e3 / . / published_versions / docs / 27.0.0 / development / extensions-core / druid-ranger-security / index.html
blob: 2687d6398312c9fae0f1ec035a664eb91e9af341 [file] [log] [blame]
<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-development/extensions-core/druid-ranger-security">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.1">
<title data-rh="true">Apache Ranger Security | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-ranger-security"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="Apache Ranger Security | Apache® Druid"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-ranger-security"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-ranger-security" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/27.0.0/development/extensions-core/druid-ranger-security" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com">
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<script>function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.f80751b3.css">
<link rel="preload" href="/assets/js/runtime~main.5371e784.js" as="script">
<link rel="preload" href="/assets/js/main.832012d1.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
<div role="region" aria-label="Skip to main content"><a class="skipToContent_fXgn" href="#__docusaurus_skipToContent_fallback">Skip to main content</a></div><nav aria-label="Main" class="navbar navbar--fixed-top navbar--dark"><div class="navbar__inner"><div class="navbar__items"><button aria-label="Toggle navigation bar" aria-expanded="false" class="navbar__toggle clean-btn" type="button"><svg width="30" height="30" viewBox="0 0 30 30" aria-hidden="true"><path stroke="currentColor" stroke-linecap="round" stroke-miterlimit="10" stroke-width="2" d="M4 7h22M4 15h22M4 23h22"></path></svg></button><a class="navbar__brand" href="/"><div class="navbar__logo"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--light_HNdA"><img src="/img/druid_nav.png" alt="Apache® Druid" class="themedImage_ToTc themedImage--dark_i4oU"></div></a></div><div class="navbar__items navbar__items--right"><a class="navbar__item navbar__link" href="/technology">Technology</a><a class="navbar__item navbar__link" href="/use-cases">Use Cases</a><a class="navbar__item navbar__link" href="/druid-powered">Powered By</a><a class="navbar__item navbar__link" href="/docs/27.0.0/design/">Docs</a><a class="navbar__item navbar__link" href="/community/">Community</a><div class="navbar__item dropdown dropdown--hoverable dropdown--right"><a href="#" aria-haspopup="true" aria-expanded="false" role="button" class="navbar__link">Apache®</a><ul class="dropdown__menu"><li><a href="https://www.apache.org/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Foundation<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://apachecon.com/?ref=druid.apache.org" target="_blank" rel="noopener noreferrer" class="dropdown__link">Events<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/licenses/" target="_blank" rel="noopener noreferrer" class="dropdown__link">License<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/thanks.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Thanks<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/security/" target="_blank" rel="noopener noreferrer" class="dropdown__link">Security<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li><li><a href="https://www.apache.org/foundation/sponsorship.html" target="_blank" rel="noopener noreferrer" class="dropdown__link">Sponsorship<svg width="12" height="12" aria-hidden="true" viewBox="0 0 24 24" class="iconExternalLink_nPIU"><path fill="currentColor" d="M21 13v10h-21v-19h12v2h-10v15h17v-8h2zm3-12h-10.988l4.035 4-6.977 7.07 2.828 2.828 6.977-7.07 4.125 4.172v-11z"></path></svg></a></li></ul></div><a class="navbar__item navbar__link" href="/downloads/">Download</a><div class="searchBox_ZlJk"><div class="navbar__search"><span aria-label="expand searchbar" role="button" class="search-icon" tabindex="0"></span><input type="search" id="search_input_react" placeholder="Loading..." aria-label="Search" class="navbar__search-input search-bar" disabled=""></div></div></div></div><div role="presentation" class="navbar-sidebar__backdrop"></div></nav><div id="__docusaurus_skipToContent_fallback" class="main-wrapper mainWrapper_z2l0 docsWrapper_BCFX"><button aria-label="Scroll back to top" class="clean-btn theme-back-to-top-button backToTopButton_sjWU" type="button"></button><div class="docPage__5DB"><main class="docMainContainer_gTbr docMainContainerEnhanced_Uz_u"><div class="container padding-top--md padding-bottom--lg"><div class="row"><div class="col docItemCol_VOVn"><div class="docItemContainer_Djhp"><article><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>Apache Ranger Security</h1></header><p>This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by <a href="https://ranger.apache.org/" target="_blank" rel="noopener noreferrer">Apache Ranger</a>. Please see <a href="/docs/27.0.0/operations/auth">Authentication and Authorization</a> for more information on the basic facilities this extension provides.</p><p>Make sure to <a href="/docs/27.0.0/configuration/extensions#loading-extensions">include</a> <code>druid-ranger-security</code> in the extensions load list.</p><div class="theme-admonition theme-admonition-info alert alert--info admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_S0QG"><p> The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on <code>log4j 1.2.17</code> which has a vulnerability if you configure it to use a <code>SocketServer</code> (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required.</p></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuration">Configuration<a href="#configuration" class="hash-link" aria-label="Direct link to Configuration" title="Direct link to Configuration"></a></h2><p>Support for Apache Ranger authorization consists of three elements: </p><ul><li>configuring the extension in Apache Druid</li><li>configuring the connection to Apache Ranger</li><li>providing the service definition for Druid to Apache Ranger</li></ul><h3 class="anchor anchorWithStickyNavbar_LWe7" id="enabling-the-extension">Enabling the extension<a href="#enabling-the-extension" class="hash-link" aria-label="Direct link to Enabling the extension" title="Direct link to Enabling the extension"></a></h3><p>Ensure that you have a valid authenticator chain and escalator set in your <code>common.runtime.properties</code>. For every authenticator your wish to use the authorizer for, set <code>druid.auth.authenticator.&lt;authenticatorName&gt;.authorizerName</code> to the name you will give the authorizer, e.g. <code>ranger</code>. </p><p>Then add the following and amend to your needs (in case you need to use multiple authorizers):</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizers=[&quot;ranger&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizer.ranger.type=ranger</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><p>The following is an example that showcases using <code>druid-basic-security</code> for authentication and <code>druid-ranger-security</code> for authorization.</p><div class="codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-text codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticatorChain=[&quot;basic&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.type=basic</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.initialAdminPassword=password1</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.initialInternalClientPassword=password2</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.credentialsValidator.type=metadata</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.skipOnFailure=false</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.enableCacheNotifications=true</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authenticator.basic.authorizerName=ranger</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizers=[&quot;ranger&quot;]</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.auth.authorizer.ranger.type=ranger</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain" style="display:inline-block"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"># Escalator</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.escalator.type=basic</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.escalator.internalClientUsername=druid_system</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.escalator.internalClientPassword=password2</span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain">druid.escalator.authorizerName=ranger</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div><div class="theme-admonition theme-admonition-info alert alert--info admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_S0QG"><p> Contrary to the documentation of <code>druid-basic-auth</code> Ranger does not automatically provision a highly privileged system user, you will need to do this yourself. This system user in the case of <code>druid-basic-auth</code> is named <code>druid_system</code> and for the escalator it is configurable, as shown above. Make sure to take note of these user names and configure <code>READ</code> access to <code>state:STATE</code> and to <code>config:security</code> in your ranger policies, otherwise system services will not work properly.</p></div></div><h4 class="anchor anchorWithStickyNavbar_LWe7" id="properties-to-configure-the-extension-in-apache-druid">Properties to configure the extension in Apache Druid<a href="#properties-to-configure-the-extension-in-apache-druid" class="hash-link" aria-label="Direct link to Properties to configure the extension in Apache Druid" title="Direct link to Properties to configure the extension in Apache Druid"></a></h4><table><thead><tr><th>Property</th><th>Description</th><th>Default</th><th>required</th></tr></thead><tbody><tr><td><code>druid.auth.ranger.keytab</code></td><td>Defines the keytab to be used while authenticating against Apache Ranger to obtain policies and provide auditing</td><td>null</td><td>No</td></tr><tr><td><code>druid.auth.ranger.principal</code></td><td>Defines the principal to be used while authenticating against Apache Ranger to obtain policies and provide auditing</td><td>null</td><td>No</td></tr><tr><td><code>druid.auth.ranger.use_ugi</code></td><td>Determines if groups that the authenticated user belongs to should be obtained from Hadoop&#x27;s <code>UserGroupInformation</code></td><td>null</td><td>No</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="configuring-the-connection-to-apache-ranger">Configuring the connection to Apache Ranger<a href="#configuring-the-connection-to-apache-ranger" class="hash-link" aria-label="Direct link to Configuring the connection to Apache Ranger" title="Direct link to Configuring the connection to Apache Ranger"></a></h3><p>The Apache Ranger authorization extension will read several configuration files. Discussing the contents of those files is beyond the scope of this document. Depending on your needs you will need to create them. The minimum you will need to have is a <code>ranger-druid-security.xml</code> file that you will need to put in the classpath (e.g. <code>_common</code>). For auditing, the configuration is in <code>ranger-druid-audit.xml</code>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="adding-the-service-definition-for-apache-druid-to-apache-ranger">Adding the service definition for Apache Druid to Apache Ranger<a href="#adding-the-service-definition-for-apache-druid-to-apache-ranger" class="hash-link" aria-label="Direct link to Adding the service definition for Apache Druid to Apache Ranger" title="Direct link to Adding the service definition for Apache Druid to Apache Ranger"></a></h3><p>At the time of writing of this document Apache Ranger (2.0) does not include an out of the box service and service definition for Druid. You can add the service definition to Apache Ranger by entering the following command:</p><p><code>curl -u &lt;user&gt;:&lt;password&gt; -d &quot;@ranger-servicedef-druid.json&quot; -X POST -H &quot;Accept: application/json&quot; -H &quot;Content-Type: application/json&quot; http://localhost:6080/service/public/v2/api/servicedef/</code></p><p>You should get back <code>json</code> describing the service definition you just added. You can now go to the web interface of Apache Ranger which should now include a widget for &quot;Druid&quot;. Click the plus sign and create the new service. Ensure your service name is equal to what you configured in <code>ranger-druid-security.xml</code>.</p><h4 class="anchor anchorWithStickyNavbar_LWe7" id="configuring-apache-ranger-policies">Configuring Apache Ranger policies<a href="#configuring-apache-ranger-policies" class="hash-link" aria-label="Direct link to Configuring Apache Ranger policies" title="Direct link to Configuring Apache Ranger policies"></a></h4><p>When installing a new Druid service in Apache Ranger for the first time, Ranger will provision the policies to allow the administrative user <code>read/write</code> access to all properties and data sources. You might want to limit this. Do not forget to add the correct policies for the <code>druid_system</code> user and the <code>internalClientUserName</code> of the escalator.</p><div class="theme-admonition theme-admonition-info alert alert--info admonition_LlT9"><div class="admonitionHeading_tbUL"><span class="admonitionIcon_kALy"><svg viewBox="0 0 14 16"><path fill-rule="evenodd" d="M7 2.3c3.14 0 5.7 2.56 5.7 5.7s-2.56 5.7-5.7 5.7A5.71 5.71 0 0 1 1.3 8c0-3.14 2.56-5.7 5.7-5.7zM7 1C3.14 1 0 4.14 0 8s3.14 7 7 7 7-3.14 7-7-3.14-7-7-7zm1 3H6v5h2V4zm0 6H6v2h2v-2z"></path></svg></span>info</div><div class="admonitionContent_S0QG"><p> Loading new data sources requires <code>write</code> access to the <code>datasource</code> prior to the loading itself. So if you want to create a datasource <code>wikipedia</code> you are required to have an <code>allow</code> policy inside Apache Ranger before trying to load the spec.</p></div></div><h2 class="anchor anchorWithStickyNavbar_LWe7" id="usage">Usage<a href="#usage" class="hash-link" aria-label="Direct link to Usage" title="Direct link to Usage"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="http-methods">HTTP methods<a href="#http-methods" class="hash-link" aria-label="Direct link to HTTP methods" title="Direct link to HTTP methods"></a></h3><p>For information on what HTTP methods are supported for a particular request endpoint, please refer to the <a href="/docs/27.0.0/api-reference/">API documentation</a>.</p><p>GET requires READ permission, while POST and DELETE require WRITE permission.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="sql-permissions">SQL Permissions<a href="#sql-permissions" class="hash-link" aria-label="Direct link to SQL Permissions" title="Direct link to SQL Permissions"></a></h3><p>Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource.</p><p>Queries on the <a href="/docs/27.0.0/querying/sql-metadata-tables#information-schema">INFORMATION_SCHEMA tables</a> will return information about datasources that the caller has DATASOURCE READ access to. Other datasources will be omitted.</p><p>Queries on the <a href="/docs/27.0.0/querying/sql-metadata-tables#system-schema">system schema tables</a> require the following permissions:</p><ul><li><code>segments</code>: Segments will be filtered based on DATASOURCE READ permissions.</li><li><code>servers</code>: The user requires STATE READ permissions.</li><li><code>server_segments</code>: The user requires STATE READ permissions and segments will be filtered based on DATASOURCE READ permissions.</li><li><code>tasks</code>: Tasks will be filtered based on DATASOURCE READ permissions.</li></ul><h3 class="anchor anchorWithStickyNavbar_LWe7" id="debugging">Debugging<a href="#debugging" class="hash-link" aria-label="Direct link to Debugging" title="Direct link to Debugging"></a></h3><p>If you face difficulty grasping why access is denied to certain elements, and the <code>audit</code> section in Apache Ranger does not give you any detail, you can enable debug logging for <code>org.apache.druid.security.ranger</code>. To do so add the following in your <code>log4j2.xml</code>:</p><div class="language-xml codeBlockContainer_Ckt0 theme-code-block" style="--prism-color:#bfc7d5;--prism-background-color:#292d3e"><div class="codeBlockContent_biex"><pre tabindex="0" class="prism-code language-xml codeBlock_bY9V thin-scrollbar"><code class="codeBlockLines_e6Vv"><span class="token-line" style="color:#bfc7d5"><span class="token comment" style="color:rgb(105, 112, 152);font-style:italic">&lt;!-- Set level=&quot;debug&quot; to see access requests to Apache Ranger --&gt;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">&lt;</span><span class="token tag" style="color:rgb(255, 85, 114)">Logger</span><span class="token tag" style="color:rgb(255, 85, 114)"> </span><span class="token tag attr-name" style="color:rgb(255, 203, 107)">name</span><span class="token tag attr-value punctuation attr-equals" style="color:rgb(199, 146, 234)">=</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag attr-value" style="color:rgb(255, 85, 114)">org.apache.druid.security</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag" style="color:rgb(255, 85, 114)"> </span><span class="token tag attr-name" style="color:rgb(255, 203, 107)">level</span><span class="token tag attr-value punctuation attr-equals" style="color:rgb(199, 146, 234)">=</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag attr-value" style="color:rgb(255, 85, 114)">debug</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag" style="color:rgb(255, 85, 114)"> </span><span class="token tag attr-name" style="color:rgb(255, 203, 107)">additivity</span><span class="token tag attr-value punctuation attr-equals" style="color:rgb(199, 146, 234)">=</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag attr-value" style="color:rgb(255, 85, 114)">false</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">&gt;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"> </span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">&lt;</span><span class="token tag" style="color:rgb(255, 85, 114)">Appender-ref</span><span class="token tag" style="color:rgb(255, 85, 114)"> </span><span class="token tag attr-name" style="color:rgb(255, 203, 107)">ref</span><span class="token tag attr-value punctuation attr-equals" style="color:rgb(199, 146, 234)">=</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag attr-value" style="color:rgb(255, 85, 114)">Console</span><span class="token tag attr-value punctuation" style="color:rgb(199, 146, 234)">&quot;</span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">/&gt;</span><span class="token plain"></span><br></span><span class="token-line" style="color:#bfc7d5"><span class="token plain"></span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">&lt;/</span><span class="token tag" style="color:rgb(255, 85, 114)">Logger</span><span class="token tag punctuation" style="color:rgb(199, 146, 234)">&gt;</span><br></span></code></pre><div class="buttonGroup__atx"><button type="button" aria-label="Copy code to clipboard" title="Copy" class="clean-btn"><span class="copyButtonIcons_eSgA" aria-hidden="true"><svg viewBox="0 0 24 24" class="copyButtonIcon_y97N"><path fill="currentColor" d="M19,21H8V7H19M19,5H8A2,2 0 0,0 6,7V21A2,2 0 0,0 8,23H19A2,2 0 0,0 21,21V7A2,2 0 0,0 19,5M16,1H4A2,2 0 0,0 2,3V17H4V3H16V1Z"></path></svg><svg viewBox="0 0 24 24" class="copyButtonSuccessIcon_LjdS"><path fill="currentColor" d="M21,7L9,19L3.5,13.5L4.91,12.09L9,16.17L19.59,5.59L21,7Z"></path></svg></span></button></div></div></div></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#configuration" class="table-of-contents__link toc-highlight">Configuration</a><ul><li><a href="#enabling-the-extension" class="table-of-contents__link toc-highlight">Enabling the extension</a></li><li><a href="#configuring-the-connection-to-apache-ranger" class="table-of-contents__link toc-highlight">Configuring the connection to Apache Ranger</a></li><li><a href="#adding-the-service-definition-for-apache-druid-to-apache-ranger" class="table-of-contents__link toc-highlight">Adding the service definition for Apache Druid to Apache Ranger</a></li></ul></li><li><a href="#usage" class="table-of-contents__link toc-highlight">Usage</a><ul><li><a href="#http-methods" class="table-of-contents__link toc-highlight">HTTP methods</a></li><li><a href="#sql-permissions" class="table-of-contents__link toc-highlight">SQL Permissions</a></li><li><a href="#debugging" class="table-of-contents__link toc-highlight">Debugging</a></li></ul></li></ul></div></div></div></div></main></div></div><footer class="footer"><div class="container container-fluid"><div class="footer__bottom text--center"><div class="margin-bottom--sm"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--light_HNdA footer__logo"><img src="/img/favicon.png" class="themedImage_ToTc themedImage--dark_i4oU footer__logo"></div><div class="footer__copyright">Copyright © 2023 Apache Software Foundation. Except where otherwise noted, licensed under CC BY-SA 4.0. Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.</div></div></div></footer></div>
<script src="/assets/js/runtime~main.5371e784.js"></script>
<script src="/assets/js/main.832012d1.js"></script>
</body>
</html>