<!doctype html>
<html lang="en" dir="ltr" class="docs-wrapper docs-doc-page docs-version-current plugin-docs plugin-id-default docs-doc-id-operations/security-user-auth">
<head>
<meta charset="UTF-8">
<meta name="generator" content="Docusaurus v2.4.1">
<title data-rh="true">User authentication and authorization | Apache® Druid</title><meta data-rh="true" name="viewport" content="width=device-width,initial-scale=1"><meta data-rh="true" name="twitter:card" content="summary_large_image"><meta data-rh="true" property="og:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"><meta data-rh="true" property="og:url" content="https://druid.apache.org/docs/latest/operations/security-user-auth"><meta data-rh="true" name="docusaurus_locale" content="en"><meta data-rh="true" name="docsearch:language" content="en"><meta data-rh="true" name="docusaurus_version" content="current"><meta data-rh="true" name="docusaurus_tag" content="docs-default-current"><meta data-rh="true" name="docsearch:version" content="current"><meta data-rh="true" name="docsearch:docusaurus_tag" content="docs-default-current"><meta data-rh="true" property="og:title" content="User authentication and authorization | Apache® Druid"><meta data-rh="true" name="description" content="&lt;!--"><meta data-rh="true" property="og:description" content="&lt;!--"><link data-rh="true" rel="icon" href="/img/favicon.png"><link data-rh="true" rel="canonical" href="https://druid.apache.org/docs/latest/operations/security-user-auth"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/operations/security-user-auth" hreflang="en"><link data-rh="true" rel="alternate" href="https://druid.apache.org/docs/latest/operations/security-user-auth" hreflang="x-default"><link rel="preconnect" href="https://www.google-analytics.com">
<link rel="preconnect" href="https://www.googletagmanager.com">
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<script>/* Google Analytics (gtag.js) bootstrap for the async gtag/js loader in the preceding script tag. gtag() only queues its arguments on the shared window.dataLayer array, which is created here if it does not exist yet, so the "js" and "config" events below are queued whether or not the loader has already run. This is an inline script: a strict Content-Security-Policy would have to allow it via a nonce or hash. */function gtag(){dataLayer.push(arguments)}window.dataLayer=window.dataLayer||[],gtag("js",new Date),gtag("config","UA-131010415-1",{})</script>
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css">
<script src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><link rel="stylesheet" href="/assets/css/styles.f80751b3.css">
<link rel="preload" href="/assets/js/runtime~main.dc5f839a.js" as="script">
<link rel="preload" href="/assets/js/main.a03dfc13.js" as="script">
</head>
<body class="navigation-with-keyboard">
<script>/* Theme bootstrap at the top of body. Precedence: the `docusaurus-theme` query parameter, then the `theme` key in localStorage, then "light". Each read is wrapped in try/catch and yields null on failure, so the || chain falls through to the next source. The chosen string is written only as the value of the data-theme attribute on the root element via setAttribute; it is never inserted as markup or evaluated. This is an inline script: a strict Content-Security-Policy would have to allow it via a nonce or hash. */!function(){function t(t){document.documentElement.setAttribute("data-theme",t)}var e=function(){var t=null;try{t=new URLSearchParams(window.location.search).get("docusaurus-theme")}catch(t){}return t}()||function(){var t=null;try{t=localStorage.getItem("theme")}catch(t){}return t}();t(null!==e?e:"light")}()</script><div id="__docusaurus">
itemprop="position" content="3"></li></ul></nav><div class="tocCollapsible_ETCw theme-doc-toc-mobile tocMobile_ITEo"><button type="button" class="clean-btn tocCollapsibleButton_TO0P">On this page</button></div><div class="theme-doc-markdown markdown"><header><h1>User authentication and authorization</h1></header><p>This document describes the Druid security model that extensions use to provide user authentication and authorization services for Druid. </p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="authentication-and-authorization-model">Authentication and authorization model<a href="#authentication-and-authorization-model" class="hash-link" aria-label="Direct link to Authentication and authorization model" title="Direct link to Authentication and authorization model"></a></h2><p>At the center of the Druid user authentication and authorization model are <em>resources</em> and <em>actions</em>. A resource is something that authenticated users are trying to access or modify. An action is something that users are trying to do. </p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="resource-types">Resource types<a href="#resource-types" class="hash-link" aria-label="Direct link to Resource types" title="Direct link to Resource types"></a></h3><p>Druid uses the following resource types:</p><ul><li>DATASOURCE – Each Druid table (i.e., <code>tables</code> in the <code>druid</code> schema in SQL) is a resource.</li><li>CONFIG – Configuration resources exposed by the cluster components. 
</li><li>EXTERNAL – External data read through the <a href="/docs/latest/multi-stage-query/concepts#extern">EXTERN function</a> in SQL.</li><li>STATE – Cluster-wide state resources.</li><li>SYSTEM_TABLE – When the Broker property <code>druid.sql.planner.authorizeSystemTablesDirectly</code> is true, Druid uses this resource type to authorize the system tables in the <code>sys</code> schema in SQL.</li></ul><p>For specific resources associated with the resource types, see <a href="#defining-permissions">Defining permissions</a> and the corresponding endpoint descriptions in <a href="/docs/latest/api-reference/">API reference</a>.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="actions">Actions<a href="#actions" class="hash-link" aria-label="Direct link to Actions" title="Direct link to Actions"></a></h3><p>Users perform one of the following actions on resources:</p><ul><li>READ – Used for read-only operations.</li><li>WRITE – Used for operations that are not read-only.</li></ul><p>WRITE permission on a resource does not include READ permission. If a user requires both READ and WRITE permissions on a resource, you must grant them both explicitly. For instance, a user with only <code>DATASOURCE READ</code> permission
might have access to an API or a system schema record that a user with <code>DATASOURCE WRITE</code> permission would not have access to.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="user-types">User types<a href="#user-types" class="hash-link" aria-label="Direct link to User types" title="Direct link to User types"></a></h3><p>In practice, most deployments will only need to define two classes of users: </p><ul><li>Administrators, who have WRITE action permissions on all resource types. These users will add datasources and administer the system. </li><li>Data users, who only need READ access to DATASOURCE. These users should access Query APIs only through an API gateway. Other APIs and permissions include functionality that should be limited to server admins. </li></ul><p>It is important to note that WRITE access to DATASOURCE grants a user broad access. For instance, such users will have access to the Druid file system, S3 buckets, and credentials, among other things. As such, the ability to add and manage datasources should be allocated selectively to administrators. </p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="default-user-accounts">Default user accounts<a href="#default-user-accounts" class="hash-link" aria-label="Direct link to Default user accounts" title="Direct link to Default user accounts"></a></h2><h3 class="anchor anchorWithStickyNavbar_LWe7" id="authenticator">Authenticator<a href="#authenticator" class="hash-link" aria-label="Direct link to Authenticator" title="Direct link to Authenticator"></a></h3><p>If <code>druid.auth.authenticator.&lt;authenticator-name&gt;.initialAdminPassword</code> is set, a default admin user named &quot;admin&quot; will be created, with the specified initial password. 
If this configuration is omitted, the &quot;admin&quot; user will not be created.</p><p>If <code>druid.auth.authenticator.&lt;authenticator-name&gt;.initialInternalClientPassword</code> is set, a default internal system user named &quot;druid_system&quot; will be created, with the specified initial password. If this configuration is omitted, the &quot;druid_system&quot; user will not be created.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="authorizer">Authorizer<a href="#authorizer" class="hash-link" aria-label="Direct link to Authorizer" title="Direct link to Authorizer"></a></h3><p>Each Authorizer will always have a default &quot;admin&quot; and &quot;druid_system&quot; user with full privileges.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="defining-permissions">Defining permissions<a href="#defining-permissions" class="hash-link" aria-label="Direct link to Defining permissions" title="Direct link to Defining permissions"></a></h2><p>You define permissions that you then grant to user groups.
Permissions are defined by resource type, action, and resource name.
This section describes the resource names available for each resource type.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="datasource"><code>DATASOURCE</code><a href="#datasource" class="hash-link" aria-label="Direct link to datasource" title="Direct link to datasource"></a></h3><p>Resource names for this type are datasource names. Specifying a datasource permission allows the administrator to grant users access to specific datasources.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="config"><code>CONFIG</code><a href="#config" class="hash-link" aria-label="Direct link to config" title="Direct link to config"></a></h3><p>There are two possible resource names for the &quot;CONFIG&quot; resource type, &quot;CONFIG&quot; and &quot;security&quot;. Granting a user access to CONFIG resources allows them to access the following endpoints.</p><p>The &quot;CONFIG&quot; resource name covers the following endpoints:</p><table><thead><tr><th>Endpoint</th><th>Process Type</th></tr></thead><tbody><tr><td><code>/druid/coordinator/v1/config</code></td><td>coordinator</td></tr><tr><td><code>/druid/indexer/v1/worker</code></td><td>overlord</td></tr><tr><td><code>/druid/indexer/v1/worker/history</code></td><td>overlord</td></tr><tr><td><code>/druid/worker/v1/disable</code></td><td>middleManager</td></tr><tr><td><code>/druid/worker/v1/enable</code></td><td>middleManager</td></tr></tbody></table><p>The &quot;security&quot; resource name covers the following endpoints:</p><table><thead><tr><th>Endpoint</th><th>Process Type</th></tr></thead><tbody><tr><td><code>/druid-ext/basic-security/authentication</code></td><td>coordinator</td></tr><tr><td><code>/druid-ext/basic-security/authorization</code></td><td>coordinator</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="external"><code>EXTERNAL</code><a href="#external" class="hash-link" aria-label="Direct link to external" title="Direct link to external"></a></h3><p>The EXTERNAL resource type only accepts the 
resource name &quot;EXTERNAL&quot;.
Granting a user access to EXTERNAL resources allows them to run queries that include
the <a href="/docs/latest/multi-stage-query/concepts#extern">EXTERN function</a> in SQL
to read external data.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="state"><code>STATE</code><a href="#state" class="hash-link" aria-label="Direct link to state" title="Direct link to state"></a></h3><p>There is only one possible resource name for the &quot;STATE&quot; config resource type, &quot;STATE&quot;. Granting a user access to STATE resources allows them to access the following endpoints.</p><p>&quot;STATE&quot; resource name covers the following endpoints:</p><table><thead><tr><th>Endpoint</th><th>Process Type</th></tr></thead><tbody><tr><td><code>/druid/coordinator/v1</code></td><td>coordinator</td></tr><tr><td><code>/druid/coordinator/v1/rules</code></td><td>coordinator</td></tr><tr><td><code>/druid/coordinator/v1/rules/history</code></td><td>coordinator</td></tr><tr><td><code>/druid/coordinator/v1/servers</code></td><td>coordinator</td></tr><tr><td><code>/druid/coordinator/v1/tiers</code></td><td>coordinator</td></tr><tr><td><code>/druid/broker/v1</code></td><td>broker</td></tr><tr><td><code>/druid/v2/candidates</code></td><td>broker</td></tr><tr><td><code>/druid/indexer/v1/leader</code></td><td>overlord</td></tr><tr><td><code>/druid/indexer/v1/isLeader</code></td><td>overlord</td></tr><tr><td><code>/druid/indexer/v1/action</code></td><td>overlord</td></tr><tr><td><code>/druid/indexer/v1/workers</code></td><td>overlord</td></tr><tr><td><code>/druid/indexer/v1/scaling</code></td><td>overlord</td></tr><tr><td><code>/druid/worker/v1/enabled</code></td><td>middleManager</td></tr><tr><td><code>/druid/worker/v1/tasks</code></td><td>middleManager</td></tr><tr><td><code>/druid/worker/v1/task/{taskid}/shutdown</code></td><td>middleManager</td></tr><tr><td><code>/druid/worker/v1/task/{taskid}/log</code></td><td>middleManager</td></tr><tr><td><code>/druid/historical/v1</code></td><td>historical</td></tr><tr><td><code>/druid-internal/v1/segments/</code></td><td>historical</td></tr><tr><td><code>/druid-internal/v1/segments/</code></td><td>peon</td></tr><tr><
td><code>/druid-internal/v1/segments/</code></td><td>realtime</td></tr><tr><td><code>/status</code></td><td>all process types</td></tr></tbody></table><h3 class="anchor anchorWithStickyNavbar_LWe7" id="system_table"><code>SYSTEM_TABLE</code><a href="#system_table" class="hash-link" aria-label="Direct link to system_table" title="Direct link to system_table"></a></h3><p>Resource names for this type are system schema table names in the <code>sys</code> schema in SQL, for example <code>sys.segments</code> and <code>sys.server_segments</code>. Druid only enforces authorization for <code>SYSTEM_TABLE</code> resources when the Broker property <code>druid.sql.planner.authorizeSystemTablesDirectly</code> is true.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="http-methods">HTTP methods<a href="#http-methods" class="hash-link" aria-label="Direct link to HTTP methods" title="Direct link to HTTP methods"></a></h3><p>For information on what HTTP methods are supported on a particular request endpoint, refer to <a href="/docs/latest/api-reference/">API reference</a>.</p><p><code>GET</code> requests require READ permissions, while <code>POST</code> and <code>DELETE</code> requests require WRITE permissions.</p><h3 class="anchor anchorWithStickyNavbar_LWe7" id="sql-permissions">SQL permissions<a href="#sql-permissions" class="hash-link" aria-label="Direct link to SQL permissions" title="Direct link to SQL permissions"></a></h3><p>Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource.</p><p>Queries to access external data through the <a href="/docs/latest/multi-stage-query/concepts#extern">EXTERN function</a> require EXTERNAL READ permissions.</p><p>Queries on <a href="/docs/latest/querying/sql-metadata-tables#information-schema">INFORMATION_SCHEMA tables</a> return information about datasources that the caller has DATASOURCE READ access to. Other
datasources are omitted.</p><p>Queries on the <a href="/docs/latest/querying/sql-metadata-tables#system-schema">system schema tables</a> require the following permissions:</p><ul><li><code>segments</code>: Druid filters segments according to DATASOURCE READ permissions.</li><li><code>servers</code>: The user requires STATE READ permissions.</li><li><code>server_segments</code>: The user requires STATE READ permissions. Druid filters segments according to DATASOURCE READ permissions.</li><li><code>tasks</code>: Druid filters tasks according to DATASOURCE READ permissions.</li><li><code>supervisors</code>: Druid filters supervisors according to DATASOURCE READ permissions.</li></ul><p>When the Broker property <code>druid.sql.planner.authorizeSystemTablesDirectly</code> is true, users also require <code>SYSTEM_TABLE</code> authorization on a system schema table to query it.</p><h2 class="anchor anchorWithStickyNavbar_LWe7" id="configuration-propagation">Configuration propagation<a href="#configuration-propagation" class="hash-link" aria-label="Direct link to Configuration propagation" title="Direct link to Configuration propagation"></a></h2><p>To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role Druid metadata store state is cached on each Druid process.</p><p>Each process will periodically poll the Coordinator for the latest Druid metadata store state, controlled by the <code>druid.auth.basic.common.pollingPeriod</code> and <code>druid.auth.basic.common.maxRandomDelay</code> properties.</p><p>When a configuration update occurs, the Coordinator can optionally notify each process with the updated Druid metadata store state. 
This behavior is controlled by the <code>enableCacheNotifications</code> and <code>cacheNotificationTimeout</code> properties on Authenticators and Authorizers.</p><p>Note that because of the caching, changes made to the user/role Druid metadata store, including the removal of a user, role, or permission, may not be immediately reflected at each Druid process; a process only applies them after its next poll or cache notification.</p></div></article><nav class="pagination-nav docusaurus-mt-lg" aria-label="Docs pages"><a class="pagination-nav__link pagination-nav__link--prev" href="/docs/latest/operations/security-overview"><div class="pagination-nav__sublabel">Previous</div><div class="pagination-nav__label">Security overview</div></a><a class="pagination-nav__link pagination-nav__link--next" href="/docs/latest/operations/auth-ldap"><div class="pagination-nav__sublabel">Next</div><div class="pagination-nav__label">LDAP auth</div></a></nav></div></div><div class="col col--3"><div class="tableOfContents_bqdL thin-scrollbar theme-doc-toc-desktop"><ul class="table-of-contents table-of-contents__left-border"><li><a href="#authentication-and-authorization-model" class="table-of-contents__link toc-highlight">Authentication and authorization model</a><ul><li><a href="#resource-types" class="table-of-contents__link toc-highlight">Resource types</a></li><li><a href="#actions" class="table-of-contents__link toc-highlight">Actions</a></li><li><a href="#user-types" class="table-of-contents__link toc-highlight">User types</a></li></ul></li><li><a href="#default-user-accounts" class="table-of-contents__link toc-highlight">Default user accounts</a><ul><li><a href="#authenticator" class="table-of-contents__link toc-highlight">Authenticator</a></li><li><a href="#authorizer" class="table-of-contents__link toc-highlight">Authorizer</a></li></ul></li><li><a href="#defining-permissions" class="table-of-contents__link toc-highlight">Defining permissions</a><ul><li><a href="#datasource" class="table-of-contents__link toc-highlight"><code>DATASOURCE</code></a></li><li><a href="#config" 
<script src="/assets/js/runtime~main.dc5f839a.js"></script>
<script src="/assets/js/main.a03dfc13.js"></script>
</body>
</html>