Google Git
Sign in
apache / druid-website / refs/heads/20docs / . / docs / 0.14.0-incubating / operations / tls-support.html
blob: f59c6859368866314b5a6d68eee812cf3f7f6993 [file] [log] [blame]
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<meta name="description" content="Apache Druid">
<meta name="keywords" content="druid,kafka,database,analytics,streaming,real-time,real time,apache,open source">
<meta name="author" content="Apache Software Foundation">
<title>Druid | TLS Support</title>
<link rel="alternate" type="application/atom+xml" href="/feed">
<link rel="shortcut icon" href="/img/favicon.png">
<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css" integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous">
<link href='//fonts.googleapis.com/css?family=Open+Sans+Condensed:300,700,300italic|Open+Sans:300italic,400italic,600italic,400,300,600,700' rel='stylesheet' type='text/css'>
<link rel="stylesheet" href="/css/bootstrap-pure.css?v=1.1">
<link rel="stylesheet" href="/css/base.css?v=1.1">
<link rel="stylesheet" href="/css/header.css?v=1.1">
<link rel="stylesheet" href="/css/footer.css?v=1.1">
<link rel="stylesheet" href="/css/syntax.css?v=1.1">
<link rel="stylesheet" href="/css/docs.css?v=1.1">
<script>
(function() {
var cx = '000162378814775985090:molvbm0vggm';
var gcse = document.createElement('script');
gcse.type = 'text/javascript';
gcse.async = true;
gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
'//cse.google.com/cse.js?cx=' + cx;
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(gcse, s);
})();
</script>
</head>
<body>
<!-- Start page_header include -->
<script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>
<div class="top-navigator">
<div class="container">
<div class="left-cont">
<a class="logo" href="/"><span class="druid-logo"></span></a>
</div>
<div class="right-cont">
<ul class="links">
<li class=""><a href="/technology">Technology</a></li>
<li class=""><a href="/use-cases">Use Cases</a></li>
<li class=""><a href="/druid-powered">Powered By</a></li>
<li class=""><a href="/docs/latest/design/">Docs</a></li>
<li class=""><a href="/community/">Community</a></li>
<li class="header-dropdown">
<a>Apache</a>
<div class="header-dropdown-menu">
<a href="https://www.apache.org/" target="_blank">Foundation</a>
<a href="https://www.apache.org/events/current-event" target="_blank">Events</a>
<a href="https://www.apache.org/licenses/" target="_blank">License</a>
<a href="https://www.apache.org/foundation/thanks.html" target="_blank">Thanks</a>
<a href="https://www.apache.org/security/" target="_blank">Security</a>
<a href="https://www.apache.org/foundation/sponsorship.html" target="_blank">Sponsorship</a>
</div>
</li>
<li class=" button-link"><a href="/downloads.html">Download</a></li>
</ul>
</div>
</div>
<div class="action-button menu-icon">
<span class="fa fa-bars"></span> MENU
</div>
<div class="action-button menu-icon-close">
<span class="fa fa-times"></span> MENU
</div>
</div>
<script type="text/javascript">
var $menu = $('.right-cont');
var $menuIcon = $('.menu-icon');
var $menuIconClose = $('.menu-icon-close');
function showMenu() {
$menu.fadeIn(100);
$menuIcon.fadeOut(100);
$menuIconClose.fadeIn(100);
}
$menuIcon.click(showMenu);
function hideMenu() {
$menu.fadeOut(100);
$menuIconClose.fadeOut(100);
$menuIcon.fadeIn(100);
}
$menuIconClose.click(hideMenu);
$(window).resize(function() {
if ($(window).width() >= 840) {
$menu.fadeIn(100);
$menuIcon.fadeOut(100);
$menuIconClose.fadeOut(100);
}
else {
$menu.fadeOut(100);
$menuIcon.fadeIn(100);
$menuIconClose.fadeOut(100);
}
});
</script>
<!-- Stop page_header include -->
<div class="container doc-container">
<p> Looking for the <a href="/docs/0.19.0/">latest stable documentation</a>?</p>
<div class="row">
<div class="col-md-9 doc-content">
<p>
<a class="btn btn-default btn-xs visible-xs-inline-block visible-sm-inline-block" href="#toc">Table of Contents</a>
</p>
<!--
~ Licensed to the Apache Software Foundation (ASF) under one
~ or more contributor license agreements. See the NOTICE file
~ distributed with this work for additional information
~ regarding copyright ownership. The ASF licenses this file
~ to you under the Apache License, Version 2.0 (the
~ "License"); you may not use this file except in compliance
~ with the License. You may obtain a copy of the License at
~
~ http://www.apache.org/licenses/LICENSE-2.0
~
~ Unless required by applicable law or agreed to in writing,
~ software distributed under the License is distributed on an
~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
~ KIND, either express or implied. See the License for the
~ specific language governing permissions and limitations
~ under the License.
-->
<h1 id="tls-support">TLS Support</h1>
<h1 id="general-configuration">General Configuration</h1>
<table><thead>
<tr>
<th>Property</th>
<th>Description</th>
<th>Default</th>
</tr>
</thead><tbody>
<tr>
<td><code>druid.enablePlaintextPort</code></td>
<td>Enable/Disable HTTP connector.</td>
<td><code>true</code></td>
</tr>
<tr>
<td><code>druid.enableTlsPort</code></td>
<td>Enable/Disable HTTPS connector.</td>
<td><code>false</code></td>
</tr>
</tbody></table>
<p>Although not recommended but both HTTP and HTTPS connectors can be enabled at a time and respective ports are configurable using <code>druid.plaintextPort</code>
and <code>druid.tlsPort</code> properties on each process. Please see <code>Configuration</code> section of individual processes to check the valid and default values for these ports.</p>
<h1 id="jetty-server-tls-configuration">Jetty Server TLS Configuration</h1>
<p>Apache Druid (incubating) uses Jetty as an embedded web server. To get familiar with TLS/SSL in general and related concepts like Certificates etc.
reading this <a href="http://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html">Jetty documentation</a> might be helpful.
To get more in depth knowledge of TLS/SSL support in Java in general, please refer to this <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html">guide</a>.
The documentation <a href="http://www.eclipse.org/jetty/documentation/9.4.x/configuring-ssl.html#configuring-sslcontextfactory">here</a>
can help in understanding TLS/SSL configurations listed below. This <a href="http://docs.oracle.com/javase/8/docs/technotes/guides/security/StandardNames.html">document</a> lists all the possible
values for the below mentioned configs among others provided by Java implementation.</p>
<table><thead>
<tr>
<th>Property</th>
<th>Description</th>
<th>Default</th>
<th>Required</th>
</tr>
</thead><tbody>
<tr>
<td><code>druid.server.https.keyStorePath</code></td>
<td>The file path or URL of the TLS/SSL Key store.</td>
<td>none</td>
<td>yes</td>
</tr>
<tr>
<td><code>druid.server.https.keyStoreType</code></td>
<td>The type of the key store.</td>
<td>none</td>
<td>yes</td>
</tr>
<tr>
<td><code>druid.server.https.certAlias</code></td>
<td>Alias of TLS/SSL certificate for the connector.</td>
<td>none</td>
<td>yes</td>
</tr>
<tr>
<td><code>druid.server.https.keyStorePassword</code></td>
<td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Key Store.</td>
<td>none</td>
<td>yes</td>
</tr>
</tbody></table>
<p>The following table contains configuration options related to client certificate authentication.</p>
<table><thead>
<tr>
<th>Property</th>
<th>Description</th>
<th>Default</th>
<th>Required</th>
</tr>
</thead><tbody>
<tr>
<td><code>druid.server.https.requireClientCertificate</code></td>
<td>If set to true, clients must identify themselves by providing a TLS certificate. If <code>requireClientCertificate</code> is false, the rest of the options in this table are ignored.</td>
<td>false</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.trustStoreType</code></td>
<td>The type of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> is false.</td>
<td><code>java.security.KeyStore.getDefaultType()</code></td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.trustStorePath</code></td>
<td>The file path or URL of the trust store containing certificates used to validate client certificates. Not needed if <code>requireClientCertificate</code> is false.</td>
<td>none</td>
<td>yes, only if <code>requireClientCertificate</code> is true</td>
</tr>
<tr>
<td><code>druid.server.https.trustStoreAlgorithm</code></td>
<td>Algorithm to be used by TrustManager to validate client certificate chains. Not needed if <code>requireClientCertificate</code> is false.</td>
<td><code>javax.net.ssl.TrustManagerFactory.getDefaultAlgorithm()</code></td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.trustStorePassword</code></td>
<td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Trust Store. Not needed if <code>requireClientCertificate</code> is false.</td>
<td>none</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.validateHostnames</code></td>
<td>If set to true, check that the client&#39;s hostname matches the CN/subjectAltNames in the client certificate. Not used if <code>requireClientCertificate</code> is false.</td>
<td>true</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.crlPath</code></td>
<td>Specifies a path to a file containing static <a href="https://en.wikipedia.org/wiki/Certificate_revocation_list">Certificate Revocation Lists</a>, used to check if a client certificate has been revoked. Not used if <code>requireClientCertificate</code> is false.</td>
<td>null</td>
<td>no</td>
</tr>
</tbody></table>
<p>The following table contains non-mandatory advanced configuration options, use caution.</p>
<table><thead>
<tr>
<th>Property</th>
<th>Description</th>
<th>Default</th>
<th>Required</th>
</tr>
</thead><tbody>
<tr>
<td><code>druid.server.https.keyManagerFactoryAlgorithm</code></td>
<td>Algorithm to use for creating KeyManager, more details <a href="https://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#KeyManager">here</a>.</td>
<td><code>javax.net.ssl.KeyManagerFactory.getDefaultAlgorithm()</code></td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.keyManagerPassword</code></td>
<td>The <a href="../operations/password-provider.html">Password Provider</a> or String password for the Key Manager.</td>
<td>none</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.includeCipherSuites</code></td>
<td>List of cipher suite names to include. You can either use the exact cipher suite name or a regular expression.</td>
<td>Jetty&#39;s default include cipher list</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.excludeCipherSuites</code></td>
<td>List of cipher suite names to exclude. You can either use the exact cipher suite name or a regular expression.</td>
<td>Jetty&#39;s default exclude cipher list</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.includeProtocols</code></td>
<td>List of exact protocols names to include.</td>
<td>Jetty&#39;s default include protocol list</td>
<td>no</td>
</tr>
<tr>
<td><code>druid.server.https.excludeProtocols</code></td>
<td>List of exact protocols names to exclude.</td>
<td>Jetty&#39;s default exclude protocol list</td>
<td>no</td>
</tr>
</tbody></table>
<h1 id="druids-internal-communication-over-tls">Druid&#39;s internal communication over TLS</h1>
<p>Whenever possible Druid processes will use HTTPS to talk to each other. To enable this communication Druid&#39;s HttpClient needs to
be configured with a proper <a href="http://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLContext.html">SSLContext</a> that is able
to validate the Server Certificates, otherwise communication will fail.</p>
<p>Since, there are various ways to configure SSLContext, by default, Druid looks for an instance of SSLContext Guice binding
while creating the HttpClient. This binding can be achieved writing a <a href="../development/extensions.html">Druid extension</a>
which can provide an instance of SSLContext. Druid comes with a simple extension present <a href="../development/extensions-core/simple-client-sslcontext.html">here</a>
which should be useful enough for most simple cases, see <a href="./including-extensions.html">this</a> for how to include extensions.
If this extension does not satisfy the requirements then please follow the extension <a href="https://github.com/apache/incubator-druid/tree/master/extensions-core/simple-client-sslcontext">implementation</a>
to create your own extension.</p>
<h1 id="upgrading-clients-that-interact-with-overlord-or-coordinator">Upgrading Clients that interact with Overlord or Coordinator</h1>
<p>When Druid Coordinator/Overlord have both HTTP and HTTPS enabled and Client sends request to non-leader process, then Client is always redirected to the HTTPS endpoint on leader process.
So, Clients should be first upgraded to be able to handle redirect to HTTPS. Then Druid Overlord/Coordinator should be upgraded and configured to run both HTTP and HTTPS ports. Then Client configuration should be changed to refer to Druid Coordinator/Overlord via the HTTPS endpoint and then HTTP port on Druid Coordinator/Overlord should be disabled.</p>
<h1 id="custom-tls-certificate-checks">Custom TLS certificate checks</h1>
<p>Druid supports custom certificate check extensions. Please refer to the <code>org.apache.druid.server.security.TLSCertificateChecker</code> interface for details on the methods to be implemented.</p>
<p>To use a custom TLS certificate checker, specify the following property:</p>
<table><thead>
<tr>
<th>Property</th>
<th>Description</th>
<th>Default</th>
<th>Required</th>
</tr>
</thead><tbody>
<tr>
<td><code>druid.tls.certificateChecker</code></td>
<td>Type name of custom TLS certificate checker, provided by extensions. Please refer to extension documentation for the type name that should be specified.</td>
<td>&quot;default&quot;</td>
<td>no</td>
</tr>
</tbody></table>
<p>The default checker delegates to the standard trust manager and performs no additional actions or checks.</p>
<p>If using a non-default certificate checker, please refer to the extension documentation for additional configuration properties needed.</p>
</div>
<div class="col-md-3">
<div class="searchbox">
<gcse:searchbox-only></gcse:searchbox-only>
</div>
<div id="toc" class="nav toc hidden-print">
</div>
</div>
</div>
</div>
<!-- Start page_footer include -->
<footer class="druid-footer">
<div class="container">
<div class="text-center">
<p>
<a href="/technology">Technology</a>&ensp;·&ensp;
<a href="/use-cases">Use Cases</a>&ensp;·&ensp;
<a href="/druid-powered">Powered by Druid</a>&ensp;·&ensp;
<a href="/docs/latest/">Docs</a>&ensp;·&ensp;
<a href="/community/">Community</a>&ensp;·&ensp;
<a href="/downloads.html">Download</a>&ensp;·&ensp;
<a href="/faq">FAQ</a>
</p>
</div>
<div class="text-center">
<a title="Join the user group" href="https://groups.google.com/forum/#!forum/druid-user" target="_blank"><span class="fa fa-comments"></span></a>&ensp;·&ensp;
<a title="Follow Druid" href="https://twitter.com/druidio" target="_blank"><span class="fab fa-twitter"></span></a>&ensp;·&ensp;
<a title="GitHub" href="https://github.com/apache/druid" target="_blank"><span class="fab fa-github"></span></a>
</div>
<div class="text-center license">
Copyright © 2020 <a href="https://www.apache.org/" target="_blank">Apache Software Foundation</a>.<br>
Except where otherwise noted, licensed under <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.<br>
Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.
</div>
</div>
</footer>
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('js', new Date());
gtag('config', 'UA-131010415-1');
</script>
<script>
function trackDownload(type, url) {
ga('send', 'event', 'download', type, url);
}
</script>
<script src="//code.jquery.com/jquery.min.js"></script>
<script src="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
<script src="/assets/js/druid.js"></script>
<!-- stop page_footer include -->
<script>
$(function() {
$(".toc").load("/docs/0.14.0-incubating/toc.html");
// There is no way to tell when .gsc-input will be async loaded into the page so just try to set a placeholder until it works
var tries = 0;
var timer = setInterval(function() {
tries++;
if (tries > 300) clearInterval(timer);
var searchInput = $('input.gsc-input');
if (searchInput.length) {
searchInput.attr('placeholder', 'Search');
clearInterval(timer);
}
}, 100);
});
</script>
</body>
</html>