<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta http-equiv="X-UA-Compatible" content="IE=edge"/><title>Security overview · Apache Druid</title><meta name="viewport" content="width=device-width"/><link rel="canonical" href="https://druid.apache.org/docs/0.21.0/operations/security-overview.html"/><meta name="generator" content="Docusaurus"/><meta name="description" content="&lt;!--"/><meta name="docsearch:language" content="en"/><meta name="docsearch:version" content="0.21.0" /><meta property="og:title" content="Security overview · Apache Druid"/><meta property="og:type" content="website"/><meta property="og:url" content="https://druid.apache.org/index.html"/><meta property="og:description" content="&lt;!--"/><meta property="og:image" content="https://druid.apache.org/img/druid_nav.png"/><meta name="twitter:card" content="summary"/><meta name="twitter:image" content="https://druid.apache.org/img/druid_nav.png"/><link rel="shortcut icon" href="/img/favicon.png"/><link rel="stylesheet" href="https://cdn.jsdelivr.net/docsearch.js/1/docsearch.min.css"/><!-- NOTE(review): the third-party stylesheets and scripts in this head (docsearch, highlight.js, gtag, clipboard.js) are loaded without an integrity attribute, so a compromised CDN response is accepted as-is; the highlight.js stylesheet also uses a protocol-relative URL where an explicit https: URL is preferable --><link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.12.0/styles/default.min.css"/><script async="" src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script><script>
// Google Analytics bootstrap: queue the page-load event and the property
// configuration on the shared dataLayer until the async gtag script loads.
window.dataLayer = window.dataLayer || [];
function gtag() {
  // gtag.js consumes the raw `arguments` object, so it is pushed unchanged.
  dataLayer.push(arguments);
}
gtag('js', new Date());
gtag('config', 'UA-131010415-1');
</script><link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css"/><link rel="stylesheet" href="/css/code-block-buttons.css"/><script type="text/javascript" src="https://cdnjs.cloudflare.com/ajax/libs/clipboard.js/2.0.4/clipboard.min.js"></script><script type="text/javascript" src="/js/code-block-buttons.js"></script><script src="/js/scrollSpy.js"></script><link rel="stylesheet" href="/css/main.css"/><script src="/js/codetabs.js"></script></head><body class="sideNavVisible separateOnPageNav"><div class="fixedHeaderContainer"><div class="headerWrapper wrapper"><header><a href="/"><img class="logo" src="/img/druid_nav.png" alt="Apache Druid"/></a><div class="navigationWrapper navigationSlider"><nav class="slidingNav"><ul class="nav-site nav-site-internal"><li class=""><a href="/technology" target="_self">Technology</a></li><li class=""><a href="/use-cases" target="_self">Use Cases</a></li><li class=""><a href="/druid-powered" target="_self">Powered By</a></li><li class="siteNavGroupActive"><a href="/docs/0.21.0/design/index.html" target="_self">Docs</a></li><li class=""><a href="/community/" target="_self">Community</a></li><li class=""><a href="https://www.apache.org" target="_self">Apache</a></li><li class=""><a href="/downloads.html" target="_self">Download</a></li><li class="navSearchWrapper reactNavSearchWrapper"><input type="text" id="search_input_react" placeholder="Search" title="Search"/></li></ul></nav></div></header></div></div><div class="navPusher"><div class="docMainWrapper wrapper"><div class="docsNavContainer" id="docsNav"><nav class="toc"><div class="toggleNav"><section class="navWrapper wrapper"><div class="navBreadcrumb wrapper"><div class="navToggle" id="navToggler"><div class="hamburger-menu"><div class="line1"></div><div class="line2"></div><div class="line3"></div></div></div><h2><i></i><span>Security</span></h2><div class="tocToggler" id="tocToggler"><i class="icon-toc"></i></div></div><div class="navGroups"><div 
class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Getting started<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/index.html">Introduction to Apache Druid</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/index.html">Quickstart</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/docker.html">Docker</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/single-server.html">Single server deployment</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/cluster.html">Clustered deployment</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Tutorials<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-batch.html">Loading files natively</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-kafka.html">Load from Apache Kafka</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-batch-hadoop.html">Load from Apache Hadoop</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-query.html">Querying data</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-rollup.html">Roll-up</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-retention.html">Configuring data retention</a></li><li class="navListItem"><a class="navItem" 
href="/docs/0.21.0/tutorials/tutorial-update-data.html">Updating existing data</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-compaction.html">Compacting segments</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-delete-data.html">Deleting data</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-ingestion-spec.html">Writing an ingestion spec</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-transform-spec.html">Transforming input data</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/tutorials/tutorial-kerberos-hadoop.html">Kerberized HDFS deep storage</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Design<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/architecture.html">Design</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/segments.html">Segments</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/processes.html">Processes and servers</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/dependencies/deep-storage.html">Deep storage</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/dependencies/metadata-storage.html">Metadata storage</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/dependencies/zookeeper.html">ZooKeeper</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Ingestion<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" 
fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/index.html">Ingestion</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/data-formats.html">Data formats</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/schema-design.html">Schema design tips</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/data-management.html">Data management</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Stream ingestion</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/kafka-ingestion.html">Apache Kafka</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/kinesis-ingestion.html">Amazon Kinesis</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/tranquility.html">Tranquility</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Batch ingestion</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/native-batch.html">Native batch</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/hadoop.html">Hadoop-based</a></li></ul></div><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/tasks.html">Task reference</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/faq.html">Troubleshooting FAQ</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Querying<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/sql.html">Druid SQL</a></li><li class="navListItem"><a class="navItem" 
href="/docs/0.21.0/querying/querying.html">Native queries</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/query-execution.html">Query execution</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Concepts</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/datasource.html">Datasources</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/joins.html">Joins</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/lookups.html">Lookups</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/multi-value-dimensions.html">Multi-value dimensions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/multitenancy.html">Multitenancy</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/caching.html">Query caching</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/query-context.html">Context parameters</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Native query types</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/timeseriesquery.html">Timeseries</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/topnquery.html">TopN</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/groupbyquery.html">GroupBy</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/scan-query.html">Scan</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/searchquery.html">Search</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/timeboundaryquery.html">TimeBoundary</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/segmentmetadataquery.html">SegmentMetadata</a></li><li class="navListItem"><a class="navItem" 
href="/docs/0.21.0/querying/datasourcemetadataquery.html">DatasourceMetadata</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Native query components</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/filters.html">Filters</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/granularities.html">Granularities</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/dimensionspecs.html">Dimensions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/aggregations.html">Aggregations</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/post-aggregations.html">Post-aggregations</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/misc/math-expr.html">Expressions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/having.html">Having filters (groupBy)</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/limitspec.html">Sorting and limiting (groupBy)</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/topnmetricspec.html">Sorting (topN)</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/sorting-orders.html">String comparators</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/virtual-columns.html">Virtual columns</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/geo.html">Spatial filters</a></li></ul></div></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Configuration<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/configuration/index.html">Configuration 
reference</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions.html">Extensions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/configuration/logging.html">Logging</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Operations<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/druid-console.html">Web console</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/getting-started.html">Getting started with Apache Druid</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Security</h4><ul><li class="navListItem navListItemActive"><a class="navItem" href="/docs/0.21.0/operations/security-overview.html">Security overview</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/security-user-auth.html">User authentication and authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/auth-ldap.html">LDAP auth</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/password-provider.html">Password providers</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/tls-support.html">TLS support</a></li></ul></div><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Performance tuning</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/basic-cluster-tuning.html">Basic cluster tuning</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/segment-optimization.html">Segment Size Optimization</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/http-compression.html">HTTP 
compression</a></li></ul></div><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/api-reference.html">API reference</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/high-availability.html">High availability</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/rolling-updates.html">Rolling updates</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/rule-configuration.html">Retaining or automatically dropping data</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/metrics.html">Metrics</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/alerts.html">Alerts</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/other-hadoop.html">Working with different versions of Apache Hadoop</a></li><div class="navGroup subNavGroup"><h4 class="navGroupSubcategoryTitle">Misc</h4><ul><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/management-uis.html">Legacy Management UIs</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/dump-segment.html">dump-segment tool</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/reset-cluster.html">reset-cluster tool</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/insert-segment-to-db.html">insert-segment-to-db tool</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/pull-deps.html">pull-deps tool</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/deep-storage-migration.html">Deep storage migration</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/export-metadata.html">Export Metadata Tool</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/operations/metadata-migration.html">Metadata Migration</a></li><li class="navListItem"><a 
class="navItem" href="/docs/0.21.0/operations/use_sbt_to_build_fat_jar.html">Content for build.sbt</a></li></ul></div></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Development<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/overview.html">Developing on Druid</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/modules.html">Creating extensions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/javascript.html">JavaScript functionality</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/build.html">Build from source</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/versioning.html">Versioning</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/experimental.html">Experimental features</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Misc<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/misc/papers-and-talks.html">Papers</a></li></ul></div><div class="navGroup"><h3 class="navGroupCategoryTitle collapsible">Hidden<span class="arrow"><svg width="24" height="24" viewBox="0 0 24 24"><path fill="#565656" d="M7.41 15.41L12 10.83l4.59 4.58L18 14l-6-6-6 6z"></path><path d="M0 0h24v24H0z" fill="none"></path></svg></span></h3><ul class="hide"><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-elasticsearch.html">Apache Druid vs 
Elasticsearch</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-key-value.html">Apache Druid vs. Key/Value Stores (HBase/Cassandra/OpenTSDB)</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-kudu.html">Apache Druid vs Kudu</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-redshift.html">Apache Druid vs Redshift</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-spark.html">Apache Druid vs Spark</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/comparisons/druid-vs-sql-on-hadoop.html">Apache Druid vs SQL-on-Hadoop</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/auth.html">Authentication and Authorization</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/broker.html">Broker</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/coordinator.html">Coordinator Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/historical.html">Historical Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/indexer.html">Indexer Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/indexing-service.html">Indexing Service</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/middlemanager.html">MiddleManager Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/overlord.html">Overlord Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/router.html">Router Process</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/design/peons.html">Peons</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/approximate-histograms.html">Approximate Histogram aggregators</a></li><li class="navListItem"><a 
class="navItem" href="/docs/0.21.0/development/extensions-core/avro.html">Apache Avro</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/azure.html">Microsoft Azure</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/bloom-filter.html">Bloom Filter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/datasketches-extension.html">DataSketches extension</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/datasketches-hll.html">DataSketches HLL Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/datasketches-quantiles.html">DataSketches Quantiles Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/datasketches-theta.html">DataSketches Theta Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/datasketches-tuple.html">DataSketches Tuple Sketch module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/druid-basic-security.html">Basic Security</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/druid-kerberos.html">Kerberos</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/druid-lookups.html">Cached Lookup Module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/druid-ranger-security.html">Apache Ranger Security</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/google.html">Google Cloud Storage</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/hdfs.html">HDFS</a></li><li class="navListItem"><a class="navItem" 
href="/docs/0.21.0/development/extensions-core/kafka-extraction-namespace.html">Apache Kafka Lookups</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/lookups-cached-global.html">Globally Cached Lookups</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/mysql.html">MySQL Metadata Store</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/orc.html">ORC Extension</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/druid-pac4j.html">Druid pac4j based Security extension</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/parquet.html">Apache Parquet Extension</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/postgresql.html">PostgreSQL Metadata Store</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/protobuf.html">Protobuf</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/s3.html">S3-compatible</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/simple-client-sslcontext.html">Simple SSLContext Provider Module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/stats.html">Stats aggregator</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-core/test-stats.html">Test Stats Aggregators</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/ambari-metrics-emitter.html">Ambari Metrics Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/cassandra.html">Apache Cassandra</a></li><li class="navListItem"><a class="navItem" 
href="/docs/0.21.0/development/extensions-contrib/cloudfiles.html">Rackspace Cloud Files</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/distinctcount.html">DistinctCount Aggregator</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/graphite.html">Graphite Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/influx.html">InfluxDB Line Protocol Parser</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/influxdb-emitter.html">InfluxDB Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/kafka-emitter.html">Kafka Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/materialized-view.html">Materialized View</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/momentsketch-quantiles.html">Moment Sketches for Approximate Quantiles module</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/moving-average-query.html">Moving Average Query</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/opentsdb-emitter.html">OpenTSDB Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/redis-cache.html">Druid Redis Cache</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/sqlserver.html">Microsoft SQLServer</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/statsd.html">StatsD Emitter</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/tdigestsketch-quantiles.html">T-Digest Quantiles Sketch module</a></li><li 
class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/thrift.html">Thrift</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/time-min-max.html">Timestamp Min/Max aggregators</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/gce-extensions.html">GCE Extensions</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/development/extensions-contrib/aliyun-oss.html">Aliyun OSS</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/hll-old.html">Cardinality/HyperUnique aggregators</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/querying/select-query.html">Select</a></li><li class="navListItem"><a class="navItem" href="/docs/0.21.0/ingestion/standalone-realtime.html">Realtime Process</a></li></ul></div></div></section></div><script>
// Sidebar category headers: open the first category that contains the active
// page, and let every header toggle its panel (the next sibling element) on click.
var coll = document.getElementsByClassName('collapsible');
var checkActiveCategory = true;
Array.prototype.forEach.call(coll, function (header) {
  var panel = header.nextElementSibling;
  var descendants = panel.getElementsByTagName('*');
  if (checkActiveCategory) {
    // Only the first category holding the active item is expanded on load.
    var k = 0;
    while (k < descendants.length) {
      if (descendants[k].classList.contains('navListItemActive')) {
        panel.classList.toggle('hide');
        // childNodes[1] is the arrow <span> that follows the header's text node.
        header.childNodes[1].classList.toggle('rotate');
        checkActiveCategory = false;
        break;
      }
      k += 1;
    }
  }
  header.addEventListener('click', function () {
    // `this` is the clicked header element.
    this.childNodes[1].classList.toggle('rotate');
    this.nextElementSibling.classList.toggle('hide');
  });
});
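// Wire up the sidebar and on-page TOC toggle controls once the DOM is parsed.
document.addEventListener('DOMContentLoaded', function() {
  createToggler('#navToggler', '#docsNav', 'docsSliderActive');
  createToggler('#tocToggler', 'body', 'tocActive');
  // Clicking a heading link inside the on-page TOC closes the TOC overlay.
  var headings = document.querySelector('.toc-headings');
  headings && headings.addEventListener('click', function(event) {
    var el = event.target;
    // Walk up from the click target until an anchor or the TOC root is reached.
    while (el !== headings) {
      if (el.tagName === 'A') {
        document.body.classList.remove('tocActive');
        break;
      } else {
        el = el.parentNode;
      }
    }
  }, false);
  /**
   * Bind a click on the element matching `togglerSelector` to toggling
   * `className` on the element matching `targetSelector`.
   * Does nothing when either element is absent: previously only the toggler
   * was checked, so a missing target raised a TypeError on the first click.
   */
  function createToggler(togglerSelector, targetSelector, className) {
    var toggler = document.querySelector(togglerSelector);
    var target = document.querySelector(targetSelector);
    if (!toggler || !target) {
      return;
    }
    toggler.onclick = function(event) {
      event.preventDefault();
      target.classList.toggle(className);
    };
  }
});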
</script></nav></div><div class="container mainContainer docsContainer"><div class="wrapper"><div class="post"><header class="postHeader"><a class="edit-page-link button" href="https://github.com/apache/druid/edit/master/docs/operations/security-overview.md" target="_blank" rel="noreferrer noopener">Edit</a><h1 id="__docusaurus" class="postHeaderTitle">Security overview</h1></header><article><div><span><!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<h2><a class="anchor" aria-hidden="true" id="overview"></a><a href="#overview" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Overview</h2>
<p>By default, security features in Druid are disabled, which simplifies the initial deployment experience. However, security features must be configured in a production deployment. These features include TLS, authentication, and authorization.</p>
<p>To implement Druid security, you configure authenticators and authorizers. Authenticators control how user identities are verified, while authorizers map authenticated users (via user roles) to the datasources they are permitted to access. Because datasources are the granularity at which data-access permissions are granted, implementing Druid security also involves planning your datasource layout.</p>
<p>The following graphic depicts the course of a request through the authentication process:</p>
<p><img src="../assets/security-model-1.png" alt="Druid security check flow" title="Druid security check flow"></p>
<p>This document gives you an overview of security features in Druid and how to configure them, and some best practices for securing Druid.</p>
<h2><a class="anchor" aria-hidden="true" id="best-practices"></a><a href="#best-practices" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Best practices</h2>
<ul>
<li>Do not expose the Druid Console without authentication on untrusted networks. Access to the console effectively confers access to the file system on the installation machine via the file browsers in the UI. Put an API gateway in front of Druid that restricts who can connect from untrusted networks, allow-lists only the specific APIs your users need, and implements account lockout and throttling.</li>
<li>Grant users the minimum permissions necessary to perform their functions. For instance, do not allow users who only need to query data to write to datasources or view cluster state.</li>
<li>Disable JavaScript, as noted in the <a href="https://druid.apache.org/docs/latest/development/javascript.html#security">Security section</a> of the JavaScript guide.</li>
<li>Run Druid as an unprivileged Unix user on the installation machine (not root).
<blockquote>
<p>This is an important point! Druid administrator users effectively have the same file-system permissions as the Unix account the Druid process runs under. If the Druid process runs as root, a Druid administrator can read and write every file that root can, including sensitive files such as <code>/etc/passwd</code>.</p>
</blockquote></li>
</ul>
<p>You can configure authentication and authorization to control access to the Druid APIs. The first step is enabling TLS for the cluster nodes. Then configure users, roles, and permissions, as described in the following sections.</p>
<p>The configuration settings mentioned below are primarily located in the <code>common.runtime.properties</code> file. Note that you must make the configuration changes on each Druid server in the cluster. Because this file holds keystore and account passwords in plaintext, restrict its file-system permissions so that only the Unix account running Druid can read it.</p>
<h2><a class="anchor" aria-hidden="true" id="enable-tls"></a><a href="#enable-tls" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enable TLS</h2>
<p>The first step in securing Druid is enabling TLS. You can enable TLS to secure external client connections to Druid as well as connections between cluster nodes.</p>
<p>The configuration steps are:</p>
<ol>
<li>Enable TLS by adding <code>druid.enableTlsPort=true</code> to <code>common.runtime.properties</code> on each node in the Druid cluster.</li>
<li>Disable the non-TLS port by setting <code>druid.enablePlaintextPort</code> to <code>false</code>.</li>
<li>Follow the steps in <a href="https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html#understanding-certificates-and-keys">Understanding Certificates and Keys</a> to generate or import a key and certificate.</li>
<li>Configure the keystore and truststore settings in <code>common.runtime.properties</code>. The file should look something like this:</li>
</ol>
<pre><code class="hljs"><span class="hljs-attr">druid.enablePlaintextPort</span>=<span class="hljs-literal">false</span>
<span class="hljs-attr">druid.enableTlsPort</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">druid.server.https.keyStoreType</span>=jks
<span class="hljs-attr">druid.server.https.keyStorePath</span>=imply-keystore.jks
<span class="hljs-attr">druid.server.https.keyStorePassword</span>=secret123 <span class="hljs-comment"># replace with your own password</span>
<span class="hljs-attr">druid.server.https.certAlias</span>=druid
<span class="hljs-attr">druid.client.https.protocol</span>=TLSv1.<span class="hljs-number">2</span>
<span class="hljs-attr">druid.client.https.trustStoreType</span>=jks
<span class="hljs-attr">druid.client.https.trustStorePath</span>=imply-truststore.jks
<span class="hljs-attr">druid.client.https.trustStorePassword</span>=secret123 <span class="hljs-comment"># replace with your own password</span>
</code></pre>
<ol start="5">
<li>Add the <code>simple-client-sslcontext</code> extension to <code>druid.extensions.loadList</code> in <code>common.runtime.properties</code>. This enables TLS for Druid nodes acting as clients.</li>
<li>Restart the cluster.</li>
</ol>
<p>For more information, see <a href="/docs/0.21.0/operations/tls-support.html">TLS support</a> and <a href="/docs/0.21.0/development/extensions-core/simple-client-sslcontext.html">Simple SSLContext Provider Module</a>.</p>
<p>Druid uses Jetty as its embedded web server, so refer to <a href="https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html">Understanding Certificates and Keys</a> for complete instructions.</p>
<h2><a class="anchor" aria-hidden="true" id="enable-an-authenticator"></a><a href="#enable-an-authenticator" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enable an authenticator</h2>
<p>To authenticate requests in Druid, you configure an Authenticator. Authenticator extensions exist for HTTP basic authentication, LDAP, and Kerberos.</p>
<p>The following takes you through sample configuration steps for enabling basic auth:</p>
<ol>
<li><p>Add the <code>druid-basic-security</code> extension to <code>druid.extensions.loadList</code> in <code>common.runtime.properties</code>. For the quickstart installation, for example, the properties file is at <code>conf/druid/cluster/_common</code>:</p>
<pre><code class="hljs"><span class="hljs-attr">druid.extensions.loadList</span>=[<span class="hljs-string">"druid-basic-security"</span>, <span class="hljs-string">"druid-histogram"</span>, <span class="hljs-string">"druid-datasketches"</span>, <span class="hljs-string">"druid-kafka-indexing-service"</span>]
</code></pre></li>
<li><p>Configure the basic Authenticator, Authorizer, and Escalator settings in the same <code>common.runtime.properties</code> file. Replace the example passwords with strong, unique values, and keep <code>druid.escalator.internalClientPassword</code> identical to the authenticator's <code>initialInternalClientPassword</code>, since the Escalator uses that account for Druid's own internal requests. For example:</p>
<pre><code class="hljs"><span class="hljs-comment"># Druid basic security</span>
<span class="hljs-attr">druid.auth.authenticatorChain</span>=[<span class="hljs-string">"MyBasicMetadataAuthenticator"</span>]
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.type</span>=basic
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword</span>=password1
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword</span>=password2
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type</span>=metadata
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure</span>=<span class="hljs-literal">false</span>
<span class="hljs-attr">druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName</span>=MyBasicMetadataAuthorizer
<span class="hljs-comment"># Escalator</span>
<span class="hljs-attr">druid.escalator.type</span>=basic
<span class="hljs-attr">druid.escalator.internalClientUsername</span>=druid_system
<span class="hljs-attr">druid.escalator.internalClientPassword</span>=password2
<span class="hljs-attr">druid.escalator.authorizerName</span>=MyBasicMetadataAuthorizer
<span class="hljs-attr">druid.auth.authorizers</span>=[<span class="hljs-string">"MyBasicMetadataAuthorizer"</span>]
<span class="hljs-attr">druid.auth.authorizer.MyBasicMetadataAuthorizer.type</span>=basic
</code></pre></li>
<li><p>Restart the cluster.</p></li>
</ol>
<p>See <a href="/docs/0.21.0/design/auth.html">Authentication and Authorization</a> for more information about the Authenticator, Escalator, and Authorizer concepts. See <a href="/docs/0.21.0/development/extensions-core/druid-basic-security.html">Basic Security</a> for more information about the extension used in the examples above, and <a href="/docs/0.21.0/development/extensions-core/druid-kerberos.html">Kerberos</a> for Kerberos authentication.</p>
<h2><a class="anchor" aria-hidden="true" id="enable-authorizers"></a><a href="#enable-authorizers" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Enable authorizers</h2>
<p>After enabling the basic auth extension, you can add users, roles, and permissions via the basic-security REST endpoints served by the Druid Coordinator, shown below. Note that you cannot assign permissions directly to individual users. They must be assigned through roles.</p>
<p>The following diagram depicts the authorization model, and the relationship between users, roles, permissions, and resources.</p>
<p><img src="../assets/security-model-2.png" alt="Druid Security model" title="Druid security model"></p>
<p>The following steps walk through a sample setup procedure. In the examples, <code>admin:password</code> stands for the admin username and the password you set in <code>initialAdminPassword</code>. Credentials passed as <code>-u user:password</code> are visible in the process list and in shell history, so on shared machines prefer <code>-u admin</code> (curl then prompts for the password) or a <code>.netrc</code> file.</p>
<blockquote>
<p>The default Coordinator API port is 8081 for non-TLS connections and 8281 for secured connections.</p>
</blockquote>
<ol>
<li>Create a user by issuing a POST request to <code>druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/&lt;USERNAME&gt;</code>, replacing USERNAME with the new username. For example:</li>
</ol>
<pre><code class="hljs">curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/myname
</code></pre>
<blockquote>
<p>If you have TLS enabled, be sure to use <code>https://</code> and the TLS port in the curl commands. If your Druid servers use self-signed certificates, prefer pointing curl at the signing certificate with <code>--cacert</code> so the connection is still verified. The <code>--insecure</code> (<code>-k</code>) option disables certificate checking entirely and exposes the admin credentials in the request to anyone who can intercept the connection, so use it only in a throwaway test environment.</p>
</blockquote>
<ol start="2">
<li>Add a credential for the user by issuing a POST to <code>druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/&lt;USERNAME&gt;/credentials</code>. For example:
<pre><code class="hljs">curl -u admin:password -H 'Content-Type: application/json' -XPOST --data-binary @pass.json https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/myname/credentials
</code></pre>
The password is conveyed in the <code>pass.json</code> file in the following form:
<pre><code class="hljs">{
<span class="hljs-attr">"password"</span>: <span class="hljs-string">"password"</span>
}
</code></pre></li>
<li>For each authenticator user you create, create a corresponding authorizer user by issuing a POST request to <code>druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/&lt;USERNAME&gt;</code>. For example:
<pre><code class="hljs">curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/myname
</code></pre></li>
<li>Create authorizer roles to control permissions by issuing a POST request to <code>druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/&lt;ROLENAME&gt;</code>. For example:
<pre><code class="hljs">curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/myrole
</code></pre></li>
<li>Assign roles to users by issuing a POST request to <code>druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/&lt;USERNAME&gt;/roles/&lt;ROLENAME&gt;</code>. For example:
<pre><code class="hljs">curl -u admin:password -XPOST https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/myname/roles/myrole
</code></pre></li>
<li>Finally, attach permissions to the roles to control how they can interact with Druid at <code>druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/&lt;ROLENAME&gt;/permissions</code>.
For example:
<pre><code class="hljs">curl -u admin:password -H 'Content-Type: application/json' -XPOST --data-binary @perms.json https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/myrole/permissions
</code></pre>
The payload of <code>perms.json</code> should be in the form below. The datasource <code>name</code> is a regular expression matched against datasource names, so keep it as narrow as the role requires; a pattern such as <code>.*</code> grants the action on every datasource:
<pre><code class="hljs">[
{
<span class="hljs-attr">"resource"</span>: {
<span class="hljs-attr">"name"</span>: <span class="hljs-string">"&lt;PATTERN&gt;"</span>,
<span class="hljs-attr">"type"</span>: <span class="hljs-string">"DATASOURCE"</span>
},
<span class="hljs-attr">"action"</span>: <span class="hljs-string">"READ"</span>
},
{
<span class="hljs-attr">"resource"</span>: {
<span class="hljs-attr">"name"</span>: <span class="hljs-string">"STATE"</span>,
<span class="hljs-attr">"type"</span>: <span class="hljs-string">"STATE"</span>
},
<span class="hljs-attr">"action"</span>: <span class="hljs-string">"READ"</span>
}
]
</code></pre></li>
</ol>
<h2><a class="anchor" aria-hidden="true" id="configuring-an-ldap-authenticator"></a><a href="#configuring-an-ldap-authenticator" aria-hidden="true" class="hash-link"><svg class="hash-link-icon" aria-hidden="true" height="16" version="1.1" viewBox="0 0 16 16" width="16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a>Configuring an LDAP authenticator</h2>
<p>As an alternative to using the basic metadata authenticator, as shown in the previous section, you can use LDAP to authenticate users. The following steps provide an overview of the setup steps. For more information on these settings, see <a href="/docs/0.21.0/development/extensions-core/druid-basic-security.html#properties-for-ldap-user-authentication">Properties for LDAP user authentication</a>.</p>
<ol>
<li><p>In <code>common.runtime.properties</code>, add LDAP to the authenticator chain in the order in which you want requests to be evaluated. For example:</p>
<pre><code class="hljs"><span class="hljs-comment"># Druid basic security</span>
<span class="hljs-attr">druid.auth.authenticatorChain</span>=[<span class="hljs-string">"ldap"</span>, <span class="hljs-string">"MyBasicMetadataAuthenticator"</span>]
</code></pre></li>
<li><p>Configure LDAP settings in <code>common.runtime.properties</code> as appropriate for your LDAP scheme and system. In production use an <code>ldaps://</code> URL (or otherwise TLS-protected LDAP) rather than plain <code>ldap://</code>: over a plain connection the bind password and every authenticating user's password are sent to the directory in cleartext. Use a dedicated, low-privilege bind account for <code>bindUser</code> rather than a directory administrator. For example:</p>
<pre><code class="hljs"><span class="hljs-attr">druid.auth.authenticator.ldap.type</span>=basic
<span class="hljs-attr">druid.auth.authenticator.ldap.enableCacheNotifications</span>=<span class="hljs-literal">true</span>
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.type</span>=ldap
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.url</span>=ldap://ad_host:<span class="hljs-number">389</span>
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.bindUser</span>=ad_admin_user
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.bindPassword</span>=ad_admin_password
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.baseDn</span>=dc=example,dc=com
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.userSearch</span>=(&amp;(sAMAccountName=%s)(objectClass=user))
<span class="hljs-attr">druid.auth.authenticator.ldap.credentialsValidator.userAttribute</span>=sAMAccountName
<span class="hljs-attr">druid.auth.authenticator.ldap.authorizerName</span>=ldapauth
<span class="hljs-attr">druid.escalator.type</span>=basic
<span class="hljs-attr">druid.escalator.internalClientUsername</span>=ad_internal_user
<span class="hljs-attr">druid.escalator.internalClientPassword</span>=Welcome123
<span class="hljs-attr">druid.escalator.authorizerName</span>=ldapauth
<span class="hljs-attr">druid.auth.authorizers</span>=[<span class="hljs-string">"ldapauth"</span>]
<span class="hljs-attr">druid.auth.authorizer.ldapauth.type</span>=basic
<span class="hljs-attr">druid.auth.authorizer.ldapauth.initialAdminUser</span>=&lt;ad_initial_admin_user&gt;
<span class="hljs-attr">druid.auth.authorizer.ldapauth.initialAdminRole</span>=admin
<span class="hljs-attr">druid.auth.authorizer.ldapauth.roleProvider.type</span>=ldap
</code></pre></li>
<li><p>Use the Druid API to create the group mapping and allocate initial roles. The examples below target the plaintext Coordinator port (8081); if you disabled the plaintext port when enabling TLS, use <code>https://</code> and port 8281 instead. <code>-u internal</code> makes curl prompt for that user's password rather than exposing it on the command line. For example, using curl and given a group named <code>group1</code> in the directory, run:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST -d @groupmap.json http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/group1map
</code></pre>
<p>The <code>groupmap.json</code> file contents would be something like:</p>
<pre><code class="hljs">{
<span class="hljs-attr">"name"</span>: <span class="hljs-string">"group1map"</span>,
<span class="hljs-attr">"groupPattern"</span>: <span class="hljs-string">"CN=group1,CN=Users,DC=example,DC=com"</span>,
<span class="hljs-attr">"roles"</span>: [
<span class="hljs-string">"readRole"</span>
]
}
</code></pre></li>
<li><p>Check if the group mapping is created successfully by executing the following API. This lists all group mappings.</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u internal -X GET http:<span class="hljs-regexp">//</span>localhost:<span class="hljs-number">8081</span><span class="hljs-regexp">/druid-ext/</span>basic-security<span class="hljs-regexp">/authorization/</span>db<span class="hljs-regexp">/ldapauth/g</span>roupMappings
</code></pre>
<p>Alternatively, to check the details of a specific group mapping, use the following API:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X <span class="hljs-keyword">GET</span> http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/groupMappings/group1map
</code></pre></li>
<li><p>To add additional roles to the group mapping, use the following API:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map/roles/&lt;newrole&gt;
</code></pre></li>
<li><p>Add the LDAP user to Druid. To add a user, use the following authentication API:</p>
<pre><code class="hljs">curl -i -v -H <span class="hljs-string">"Content-Type: application/json"</span> -u <span class="hljs-keyword">internal</span> -X POST http:<span class="hljs-comment">//localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/&lt;ad_user&gt; </span>
</code></pre></li>
<li><p>Use the following command to assign the role to a user:</p>
<pre><code class="hljs">curl -i -v -H "Content-Type: application/json" -u <span class="hljs-type">internal</span> -X POST http://localhost:<span class="hljs-number">8081</span>/druid-ext/basic-<span class="hljs-keyword">security</span>/<span class="hljs-keyword">authorization</span>/db/ldapauth/users/&lt;ad_user&gt;/roles/&lt;rolename&gt;
</code></pre></li>
</ol>
<p>Congratulations, you have configured permissions for user-assigned roles in Druid!</p>
</span></div></article></div><div class="docs-prevnext"><a class="docs-prev button" href="/docs/0.21.0/operations/getting-started.html"><span class="arrow-prev"></span><span>Getting started with Apache Druid</span></a><a class="docs-next button" href="/docs/0.21.0/operations/security-user-auth.html"><span>User authentication and authorization</span><span class="arrow-next"></span></a></div></div></div><nav class="onPageNav"><ul class="toc-headings"><li><a href="#overview">Overview</a></li><li><a href="#best-practices">Best practices</a></li><li><a href="#enable-tls">Enable TLS</a></li><li><a href="#enable-an-authenticator">Enable an authenticator</a></li><li><a href="#enable-authorizers">Enable authorizers</a></li><li><a href="#configuring-an-ldap-authenticator">Configuring an LDAP authenticator</a></li></ul></nav></div><footer class="nav-footer druid-footer" id="footer"><div class="container"><div class="text-center"><p><a href="/technology">Technology</a> · <a href="/use-cases">Use Cases</a> · <a href="/druid-powered">Powered by Druid</a> · <a href="/docs/0.21.0/latest">Docs</a> · <a href="/community/">Community</a> · <a href="/downloads.html">Download</a> · <a href="/faq">FAQ</a></p></div><div class="text-center"><a title="Join the user group" href="https://groups.google.com/forum/#!forum/druid-user" target="_blank"><span class="fa fa-comments"></span></a> · <a title="Follow Druid" href="https://twitter.com/druidio" target="_blank"><span class="fab fa-twitter"></span></a> · <a title="Download via Apache" href="https://www.apache.org/dyn/closer.cgi?path=/incubator/druid/{{ site.druid_versions[0].versions[0].version }}/apache-druid-{{ site.druid_versions[0].versions[0].version }}-bin.tar.gz" target="_blank"><span class="fas fa-feather"></span></a> · <a title="GitHub" href="https://github.com/apache/druid" target="_blank"><span class="fab fa-github"></span></a></div><div class="text-center license">Copyright © 2019 <a href="https://www.apache.org/" 