docs/0.15.1-incubating/design/auth.html - druid-website - Git at Google

 <!DOCTYPE html>
 <html lang="en">
   <head>
     <meta charset="UTF-8" />
 <meta name="viewport" content="width=device-width, initial-scale=1.0">
 <meta name="description" content="Apache Druid">
 <meta name="keywords" content="druid,kafka,database,analytics,streaming,real-time,real time,apache,open source">
 <meta name="author" content="Apache Software Foundation">

 <title>Druid | Authentication and Authorization</title>

 <link rel="alternate" type="application/atom+xml" href="/feed">
 <link rel="shortcut icon" href="/img/favicon.png">

 <link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css" integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous">

 <link href='//fonts.googleapis.com/css?family=Open+Sans+Condensed:300,700,300italic|Open+Sans:300italic,400italic,600italic,400,300,600,700' rel='stylesheet' type='text/css'>

 <link rel="stylesheet" href="/css/bootstrap-pure.css?v=1.1">
 <link rel="stylesheet" href="/css/base.css?v=1.1">
 <link rel="stylesheet" href="/css/header.css?v=1.1">
 <link rel="stylesheet" href="/css/footer.css?v=1.1">
 <link rel="stylesheet" href="/css/syntax.css?v=1.1">
 <link rel="stylesheet" href="/css/docs.css?v=1.1">

 <script>
   (function() {
     var cx = '000162378814775985090:molvbm0vggm';
     var gcse = document.createElement('script');
     gcse.type = 'text/javascript';
     gcse.async = true;
     gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
         '//cse.google.com/cse.js?cx=' + cx;
     var s = document.getElementsByTagName('script')[0];
     s.parentNode.insertBefore(gcse, s);
   })();
 </script>


   </head>

   <body>
     <!-- Start page_header include -->
 <script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>

 <div class="top-navigator">
   <div class="container">
     <div class="left-cont">
       <a class="logo" href="/"><span class="druid-logo"></span></a>
     </div>
     <div class="right-cont">
       <ul class="links">
         <li class=""><a href="/technology">Technology</a></li>
         <li class=""><a href="/use-cases">Use Cases</a></li>
         <li class=""><a href="/druid-powered">Powered By</a></li>
         <li class=""><a href="/docs/latest/design/">Docs</a></li>
         <li class=""><a href="/community/">Community</a></li>
         <li class="header-dropdown">
           <a>Apache</a>
           <div class="header-dropdown-menu">
             <a href="https://www.apache.org/" target="_blank">Foundation</a>
             <a href="https://www.apache.org/events/current-event" target="_blank">Events</a>
             <a href="https://www.apache.org/licenses/" target="_blank">License</a>
             <a href="https://www.apache.org/foundation/thanks.html" target="_blank">Thanks</a>
             <a href="https://www.apache.org/security/" target="_blank">Security</a>
             <a href="https://www.apache.org/foundation/sponsorship.html" target="_blank">Sponsorship</a>
           </div>
         </li>
         <li class=" button-link"><a href="/downloads.html">Download</a></li>
       </ul>
     </div>
   </div>
   <div class="action-button menu-icon">
     <span class="fa fa-bars"></span> MENU
   </div>
   <div class="action-button menu-icon-close">
     <span class="fa fa-times"></span> MENU
   </div>
 </div>

 <script type="text/javascript">
   var $menu = $('.right-cont');
   var $menuIcon = $('.menu-icon');
   var $menuIconClose = $('.menu-icon-close');

   function showMenu() {
     $menu.fadeIn(100);
     $menuIcon.fadeOut(100);
     $menuIconClose.fadeIn(100);
   }

   $menuIcon.click(showMenu);

   function hideMenu() {
     $menu.fadeOut(100);
     $menuIconClose.fadeOut(100);
     $menuIcon.fadeIn(100);
   }

   $menuIconClose.click(hideMenu);

   $(window).resize(function() {
     if ($(window).width() >= 840) {
       $menu.fadeIn(100);
       $menuIcon.fadeOut(100);
       $menuIconClose.fadeOut(100);
     }
     else {
       $menu.fadeOut(100);
       $menuIcon.fadeIn(100);
       $menuIconClose.fadeOut(100);
     }
   });
 </script>

 <!-- Stop page_header include -->


     <div class="container doc-container">


       <p> Looking for the <a href="/docs/0.19.0/">latest stable documentation</a>?</p>


       <div class="row">
         <div class="col-md-9 doc-content">
           <p>
             <a class="btn btn-default btn-xs visible-xs-inline-block visible-sm-inline-block" href="#toc">Table of Contents</a>
           </p>
           <!--
   ~ Licensed to the Apache Software Foundation (ASF) under one
   ~ or more contributor license agreements.  See the NOTICE file
   ~ distributed with this work for additional information
   ~ regarding copyright ownership.  The ASF licenses this file
   ~ to you under the Apache License, Version 2.0 (the
   ~ "License"); you may not use this file except in compliance
   ~ with the License.  You may obtain a copy of the License at
   ~
   ~   http://www.apache.org/licenses/LICENSE-2.0
   ~
   ~ Unless required by applicable law or agreed to in writing,
   ~ software distributed under the License is distributed on an
   ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   ~ KIND, either express or implied.  See the License for the
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->

 <h1 id="authentication-and-authorization">Authentication and Authorization</h1>

 <p>This document describes non-extension specific Apache Druid (incubating) authentication and authorization configurations.</p>

 <table><thead>
 <tr>
 <th>Property</th>
 <th>Type</th>
 <th>Description</th>
 <th>Default</th>
 <th>Required</th>
 </tr>
 </thead><tbody>
 <tr>
 <td><code>druid.auth.authenticatorChain</code></td>
 <td>JSON List of Strings</td>
 <td>List of Authenticator type names</td>
 <td>[&quot;allowAll&quot;]</td>
 <td>no</td>
 </tr>
 <tr>
 <td><code>druid.escalator.type</code></td>
 <td>String</td>
 <td>Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in <code>druid.auth.authenticationChain</code>.</td>
 <td>&quot;noop&quot;</td>
 <td>no</td>
 </tr>
 <tr>
 <td><code>druid.auth.authorizers</code></td>
 <td>JSON List of Strings</td>
 <td>List of Authorizer type names</td>
 <td>[&quot;allowAll&quot;]</td>
 <td>no</td>
 </tr>
 <tr>
 <td><code>druid.auth.unsecuredPaths</code></td>
 <td>List of Strings</td>
 <td>List of paths for which security checks will not be performed. All requests to these paths will be allowed.</td>
 <td>[]</td>
 <td>no</td>
 </tr>
 <tr>
 <td><code>druid.auth.allowUnauthenticatedHttpOptions</code></td>
 <td>Boolean</td>
 <td>If true, skip authentication checks for HTTP OPTIONS requests. This is needed for certain use cases, such as supporting CORS pre-flight requests. Note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid (by checking if the OPTIONS request returns a 200 instead of 404), so enabling this option may reveal information about server configuration, including information about what extensions are loaded (if those extensions add endpoints).</td>
 <td>false</td>
 <td>no</td>
 </tr>
 </tbody></table>

 <h2 id="enabling-authentication-authorizationloadinglookuptest">Enabling Authentication/AuthorizationLoadingLookupTest</h2>

 <h2 id="authenticator-chain">Authenticator Chain</h2>

 <p>Authentication decisions are handled by a chain of Authenticator instances. A request will be checked by Authenticators in the sequence defined by the <code>druid.auth.authenticatorChain</code>.</p>

 <p>Authenticator implementions are provided by extensions.</p>

 <p>For example, the following authentication chain definition enables the Kerberos and HTTP Basic authenticators, from the <code>druid-kerberos</code> and <code>druid-basic-security</code> core extensions, respectively:</p>
 <div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticatorChain=[&quot;kerberos&quot;, &quot;basic&quot;]
 </code></pre></div>
 <p>A request will pass through all Authenticators in the chain, until one of the Authenticators successfully authenticates the request or sends an HTTP error response. Authenticators later in the chain will be skipped after the first successful authentication or if the request is terminated with an error response.</p>

 <p>If no Authenticator in the chain successfully authenticated a request or sent an HTTP error response, an HTTP error response will be sent at the end of the chain.</p>

 <p>Druid includes two built-in Authenticators, one of which is used for the default unsecured configuration.</p>

 <h3 id="allowall-authenticator">AllowAll Authenticator</h3>

 <p>This built-in Authenticator authenticates all requests, and always directs them to an Authorizer named &quot;allowAll&quot;. It is not intended to be used for anything other than the default unsecured configuration.</p>

 <h3 id="anonymous-authenticator">Anonymous Authenticator</h3>

 <p>This built-in Authenticator authenticates all requests, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of access so
 the Anonymous Authenticator should be added to the end of the authentication chain. A request that reaches the Anonymous Authenticator at the end of the chain will succeed or fail depending on how the Authorizer linked to the Anonymous Authenticator is configured.</p>

 <table><thead>
 <tr>
 <th>Property</th>
 <th>Description</th>
 <th>Default</th>
 <th>Required</th>
 </tr>
 </thead><tbody>
 <tr>
 <td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.authorizerName</code></td>
 <td>Authorizer that requests should be directed to.</td>
 <td>N/A</td>
 <td>Yes</td>
 </tr>
 <tr>
 <td><code>druid.auth.authenticator.&lt;authenticatorName&gt;.identity</code></td>
 <td>The identity of the requester.</td>
 <td>defaultUser</td>
 <td>No</td>
 </tr>
 </tbody></table>

 <p>To use the Anonymous Authenticator, add an authenticator with type <code>anonymous</code> to the authenticatorChain.</p>

 <p>For example, the following enables the Anonymous Authenticator with the <code>druid-basic-security</code> extension:</p>
 <div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticatorChain=[&quot;basic&quot;, &quot;anonymous&quot;]

 druid.auth.authenticator.anonymous.type=anonymous
 druid.auth.authenticator.anonymous.identity=defaultUser
 druid.auth.authenticator.anonymous.authorizerName=myBasicAuthorizer

 # ... usual configs for basic authentication would go here ...
 </code></pre></div>
 <h2 id="escalator">Escalator</h2>

 <p>The <code>druid.escalator.type</code> property determines what authentication scheme should be used for internal Druid cluster communications (such as when a Broker process communicates with Historical processes for query processing).</p>

 <p>The Escalator chosen for this property must use an authentication scheme that is supported by an Authenticator in <code>druid.auth.authenticationChain</code>. Authenticator extension implementors must also provide a corresponding Escalator implementation if they intend to use a particular authentication scheme for internal Druid communications.</p>

 <h3 id="noop-escalator">Noop Escalator</h3>

 <p>This built-in default Escalator is intended for use only with the default AllowAll Authenticator and Authorizer.</p>

 <h2 id="authorizers">Authorizers</h2>

 <p>Authorization decisions are handled by an Authorizer. The <code>druid.auth.authorizers</code> property determines what Authorizer implementations will be active.</p>

 <p>There are two built-in Authorizers, &quot;default&quot; and &quot;noop&quot;. Other implementations are provided by extensions.</p>

 <p>For example, the following authorizers definition enables the &quot;basic&quot; implementation from <code>druid-basic-security</code>:</p>
 <div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authorizers=[&quot;basic&quot;]
 </code></pre></div>
 <p>Only a single Authorizer will authorize any given request.</p>

 <p>Druid includes one built in authorizer:</p>

 <h3 id="allowall-authorizer">AllowAll Authorizer</h3>

 <p>The Authorizer with type name &quot;allowAll&quot; accepts all requests.</p>

 <h2 id="default-unsecured-configuration">Default Unsecured Configuration</h2>

 <p>When <code>druid.auth.authenticationChain</code> is left empty or unspecified, Druid will create an authentication chain with a single AllowAll Authenticator named &quot;allowAll&quot;.</p>

 <p>When <code>druid.auth.authorizers</code> is left empty or unspecified, Druid will create a single AllowAll Authorizer named &quot;allowAll&quot;.</p>

 <p>The default value of <code>druid.escalator.type</code> is &quot;noop&quot; to match the default unsecured Authenticator/Authorizer configurations.</p>

 <h2 id="authenticator-to-authorizer-routing">Authenticator to Authorizer Routing</h2>

 <p>When an Authenticator successfully authenticates a request, it must attach a AuthenticationResult to the request, containing an information about the identity of the requester, as well as the name of the Authorizer that should authorize the authenticated request.</p>

 <p>An Authenticator implementation should provide some means through configuration to allow users to select what Authorizer(s) the Authenticator should route requests to.</p>

 <h2 id="internal-system-user">Internal System User</h2>

 <p>Internal requests between Druid processes (non-user initiated communications) need to have authentication credentials attached. </p>

 <p>These requests should be run as an &quot;internal system user&quot;, an identity that represents the Druid cluster itself, with full access permissions.</p>

 <p>The details of how the internal system user is defined is left to extension implementations.</p>

 <h3 id="authorizer-internal-system-user-handling">Authorizer Internal System User Handling</h3>

 <p>Authorizers implementations must recognize and authorize an identity for the &quot;internal system user&quot;, with full access permissions.</p>

 <h3 id="authenticator-and-escalator-internal-system-user-handling">Authenticator and Escalator Internal System User Handling</h3>

 <p>An Authenticator implementation that is intended to support internal Druid communications must recognize credentials for the &quot;internal system user&quot;, as provided by a corresponding Escalator implementation.</p>

 <p>An Escalator must implement three methods related to the internal system user:</p>
 <div class="highlight"><pre><code class="language-java" data-lang="java"><span></span>  <span class="kd">public</span> <span class="n">HttpClient</span> <span class="nf">createEscalatedClient</span><span class="o">(</span><span class="n">HttpClient</span> <span class="n">baseClient</span><span class="o">);</span>

   <span class="kd">public</span> <span class="n">org</span><span class="o">.</span><span class="na">eclipse</span><span class="o">.</span><span class="na">jetty</span><span class="o">.</span><span class="na">client</span><span class="o">.</span><span class="na">HttpClient</span> <span class="nf">createEscalatedJettyClient</span><span class="o">(</span><span class="n">org</span><span class="o">.</span><span class="na">eclipse</span><span class="o">.</span><span class="na">jetty</span><span class="o">.</span><span class="na">client</span><span class="o">.</span><span class="na">HttpClient</span> <span class="n">baseClient</span><span class="o">);</span>

   <span class="kd">public</span> <span class="n">AuthenticationResult</span> <span class="nf">createEscalatedAuthenticationResult</span><span class="o">();</span>
 </code></pre></div>
 <p><code>createEscalatedClient</code> returns an wrapped HttpClient that attaches the credentials of the &quot;internal system user&quot; to requests.</p>

 <p><code>createEscalatedJettyClient</code> is similar to <code>createEscalatedClient</code>, except that it operates on a Jetty HttpClient.</p>

 <p><code>createEscalatedAuthenticationResult</code> returns an AuthenticationResult containing the identity of the &quot;internal system user&quot;.</p>

 <h2 id="reserved-name-configuration-property">Reserved Name Configuration Property</h2>

 <p>For extension implementers, please note that the following configuration properties are reserved for the names of Authenticators and Authorizers:</p>
 <div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticator.&lt;authenticator-name&gt;.name=&lt;authenticator-name&gt;
 druid.auth.authorizer.&lt;authorizer-name&gt;.name=&lt;authorizer-name&gt;
 </code></pre></div>
 <p>These properties provide the authenticator and authorizer names to the implementations as @JsonProperty parameters, potentially useful when multiple authenticators or authorizers of the same type are configured.</p>

         </div>
         <div class="col-md-3">
           <div class="searchbox">
             <gcse:searchbox-only></gcse:searchbox-only>
           </div>
           <div id="toc" class="nav toc hidden-print">
           </div>
         </div>
       </div>
     </div>

     <!-- Start page_footer include -->
 <footer class="druid-footer">
 <div class="container">
   <div class="text-center">
     <p>
     <a href="/technology">Technology</a>&ensp;·&ensp;
     <a href="/use-cases">Use Cases</a>&ensp;·&ensp;
     <a href="/druid-powered">Powered by Druid</a>&ensp;·&ensp;
     <a href="/docs/latest/">Docs</a>&ensp;·&ensp;
     <a href="/community/">Community</a>&ensp;·&ensp;
     <a href="/downloads.html">Download</a>&ensp;·&ensp;
     <a href="/faq">FAQ</a>
     </p>
   </div>
   <div class="text-center">
     <a title="Join the user group" href="https://groups.google.com/forum/#!forum/druid-user" target="_blank"><span class="fa fa-comments"></span></a>&ensp;·&ensp;
     <a title="Follow Druid" href="https://twitter.com/druidio" target="_blank"><span class="fab fa-twitter"></span></a>&ensp;·&ensp;
     <a title="GitHub" href="https://github.com/apache/druid" target="_blank"><span class="fab fa-github"></span></a>
   </div>
   <div class="text-center license">
     Copyright © 2020 <a href="https://www.apache.org/" target="_blank">Apache Software Foundation</a>.<br>
     Except where otherwise noted, licensed under <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.<br>
     Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.
   </div>
 </div>
 </footer>

 <script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
 <script>
   window.dataLayer = window.dataLayer || [];
   function gtag(){dataLayer.push(arguments);}
   gtag('js', new Date());
   gtag('config', 'UA-131010415-1');
 </script>
 <script>
   function trackDownload(type, url) {
     ga('send', 'event', 'download', type, url);
   }
 </script>
 <script src="//code.jquery.com/jquery.min.js"></script>
 <script src="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
 <script src="/assets/js/druid.js"></script>
 <!-- stop page_footer include -->


     <script>
     $(function() {
       $(".toc").load("/docs/0.15.1-incubating/toc.html");

       // There is no way to tell when .gsc-input will be async loaded into the page so just try to set a placeholder until it works
       var tries = 0;
       var timer = setInterval(function() {
         tries++;
         if (tries > 300) clearInterval(timer);
         var searchInput = $('input.gsc-input');
         if (searchInput.length) {
           searchInput.attr('placeholder', 'Search');
           clearInterval(timer);
         }
       }, 100);
     });
     </script>
   </body>
 </html>
	<!DOCTYPE html>
	<html lang="en">
	<head>
	<meta charset="UTF-8" />
	<meta name="viewport" content="width=device-width, initial-scale=1.0">
	<meta name="description" content="Apache Druid">
	<meta name="keywords" content="druid,kafka,database,analytics,streaming,real-time,real time,apache,open source">
	<meta name="author" content="Apache Software Foundation">

	<title>Druid \| Authentication and Authorization</title>

	<link rel="alternate" type="application/atom+xml" href="/feed">
	<link rel="shortcut icon" href="/img/favicon.png">

	<link rel="stylesheet" href="https://use.fontawesome.com/releases/v5.7.2/css/all.css" integrity="sha384-fnmOCqbTlWIlj8LyTjo7mOUStjsKC4pOpQbqyi7RrhN7udi9RwhKkMHpvLbHG9Sr" crossorigin="anonymous">

	<link href='//fonts.googleapis.com/css?family=Open+Sans+Condensed:300,700,300italic\|Open+Sans:300italic,400italic,600italic,400,300,600,700' rel='stylesheet' type='text/css'>

	<link rel="stylesheet" href="/css/bootstrap-pure.css?v=1.1">
	<link rel="stylesheet" href="/css/base.css?v=1.1">
	<link rel="stylesheet" href="/css/header.css?v=1.1">
	<link rel="stylesheet" href="/css/footer.css?v=1.1">
	<link rel="stylesheet" href="/css/syntax.css?v=1.1">
	<link rel="stylesheet" href="/css/docs.css?v=1.1">

	<script>
	(function() {
	var cx = '000162378814775985090:molvbm0vggm';
	var gcse = document.createElement('script');
	gcse.type = 'text/javascript';
	gcse.async = true;
	gcse.src = (document.location.protocol == 'https:' ? 'https:' : 'http:') +
	'//cse.google.com/cse.js?cx=' + cx;
	var s = document.getElementsByTagName('script')[0];
	s.parentNode.insertBefore(gcse, s);
	})();
	</script>


	</head>

	<body>
	<!-- Start page_header include -->
	<script src="//ajax.googleapis.com/ajax/libs/jquery/2.2.4/jquery.min.js"></script>

	<div class="top-navigator">
	<div class="container">
	<div class="left-cont">
	<a class="logo" href="/"><span class="druid-logo"></span></a>
	</div>
	<div class="right-cont">
	<ul class="links">
	<li class=""><a href="/technology">Technology</a></li>
	<li class=""><a href="/use-cases">Use Cases</a></li>
	<li class=""><a href="/druid-powered">Powered By</a></li>
	<li class=""><a href="/docs/latest/design/">Docs</a></li>
	<li class=""><a href="/community/">Community</a></li>
	<li class="header-dropdown">
	<a>Apache</a>
	<div class="header-dropdown-menu">
	<a href="https://www.apache.org/" target="_blank">Foundation</a>
	<a href="https://www.apache.org/events/current-event" target="_blank">Events</a>
	<a href="https://www.apache.org/licenses/" target="_blank">License</a>
	<a href="https://www.apache.org/foundation/thanks.html" target="_blank">Thanks</a>
	<a href="https://www.apache.org/security/" target="_blank">Security</a>
	<a href="https://www.apache.org/foundation/sponsorship.html" target="_blank">Sponsorship</a>
	</div>
	</li>
	<li class=" button-link"><a href="/downloads.html">Download</a></li>
	</ul>
	</div>
	</div>
	<div class="action-button menu-icon">
	<span class="fa fa-bars"></span> MENU
	</div>
	<div class="action-button menu-icon-close">
	<span class="fa fa-times"></span> MENU
	</div>
	</div>

	<script type="text/javascript">
	var $menu = $('.right-cont');
	var $menuIcon = $('.menu-icon');
	var $menuIconClose = $('.menu-icon-close');

	function showMenu() {
	$menu.fadeIn(100);
	$menuIcon.fadeOut(100);
	$menuIconClose.fadeIn(100);
	}

	$menuIcon.click(showMenu);

	function hideMenu() {
	$menu.fadeOut(100);
	$menuIconClose.fadeOut(100);
	$menuIcon.fadeIn(100);
	}

	$menuIconClose.click(hideMenu);

	$(window).resize(function() {
	if ($(window).width() >= 840) {
	$menu.fadeIn(100);
	$menuIcon.fadeOut(100);
	$menuIconClose.fadeOut(100);
	}
	else {
	$menu.fadeOut(100);
	$menuIcon.fadeIn(100);
	$menuIconClose.fadeOut(100);
	}
	});
	</script>

	<!-- Stop page_header include -->


	<div class="container doc-container">




	<p> Looking for the <a href="/docs/0.19.0/">latest stable documentation</a>?</p>


	<div class="row">
	<div class="col-md-9 doc-content">
	<p>
	<a class="btn btn-default btn-xs visible-xs-inline-block visible-sm-inline-block" href="#toc">Table of Contents</a>
	</p>
	<!--
	~ Licensed to the Apache Software Foundation (ASF) under one
	~ or more contributor license agreements. See the NOTICE file
	~ distributed with this work for additional information
	~ regarding copyright ownership. The ASF licenses this file
	~ to you under the Apache License, Version 2.0 (the
	~ "License"); you may not use this file except in compliance
	~ with the License. You may obtain a copy of the License at
	~
	~ http://www.apache.org/licenses/LICENSE-2.0
	~
	~ Unless required by applicable law or agreed to in writing,
	~ software distributed under the License is distributed on an
	~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	~ KIND, either express or implied. See the License for the
	~ specific language governing permissions and limitations
	~ under the License.
	-->

	<h1 id="authentication-and-authorization">Authentication and Authorization</h1>

	<p>This document describes non-extension specific Apache Druid (incubating) authentication and authorization configurations.</p>

	<table><thead>
	<tr>
	<th>Property</th>
	<th>Type</th>
	<th>Description</th>
	<th>Default</th>
	<th>Required</th>
	</tr>
	</thead><tbody>
	<tr>
	<td><code>druid.auth.authenticatorChain</code></td>
	<td>JSON List of Strings</td>
	<td>List of Authenticator type names</td>
	<td>["allowAll"]</td>
	<td>no</td>
	</tr>
	<tr>
	<td><code>druid.escalator.type</code></td>
	<td>String</td>
	<td>Type of the Escalator that should be used for internal Druid communications. This Escalator must use an authentication scheme that is supported by an Authenticator in <code>druid.auth.authenticationChain</code>.</td>
	<td>"noop"</td>
	<td>no</td>
	</tr>
	<tr>
	<td><code>druid.auth.authorizers</code></td>
	<td>JSON List of Strings</td>
	<td>List of Authorizer type names</td>
	<td>["allowAll"]</td>
	<td>no</td>
	</tr>
	<tr>
	<td><code>druid.auth.unsecuredPaths</code></td>
	<td>List of Strings</td>
	<td>List of paths for which security checks will not be performed. All requests to these paths will be allowed.</td>
	<td>[]</td>
	<td>no</td>
	</tr>
	<tr>
	<td><code>druid.auth.allowUnauthenticatedHttpOptions</code></td>
	<td>Boolean</td>
	<td>If true, skip authentication checks for HTTP OPTIONS requests. This is needed for certain use cases, such as supporting CORS pre-flight requests. Note that disabling authentication checks for OPTIONS requests will allow unauthenticated users to determine what Druid endpoints are valid (by checking if the OPTIONS request returns a 200 instead of 404), so enabling this option may reveal information about server configuration, including information about what extensions are loaded (if those extensions add endpoints).</td>
	<td>false</td>
	<td>no</td>
	</tr>
	</tbody></table>

	<h2 id="enabling-authentication-authorizationloadinglookuptest">Enabling Authentication/AuthorizationLoadingLookupTest</h2>

	<h2 id="authenticator-chain">Authenticator Chain</h2>

	<p>Authentication decisions are handled by a chain of Authenticator instances. A request will be checked by Authenticators in the sequence defined by the <code>druid.auth.authenticatorChain</code>.</p>

	<p>Authenticator implementions are provided by extensions.</p>

	<p>For example, the following authentication chain definition enables the Kerberos and HTTP Basic authenticators, from the <code>druid-kerberos</code> and <code>druid-basic-security</code> core extensions, respectively:</p>
	<div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticatorChain=["kerberos", "basic"]
	</code></pre></div>
	<p>A request will pass through all Authenticators in the chain, until one of the Authenticators successfully authenticates the request or sends an HTTP error response. Authenticators later in the chain will be skipped after the first successful authentication or if the request is terminated with an error response.</p>

	<p>If no Authenticator in the chain successfully authenticated a request or sent an HTTP error response, an HTTP error response will be sent at the end of the chain.</p>

	<p>Druid includes two built-in Authenticators, one of which is used for the default unsecured configuration.</p>

	<h3 id="allowall-authenticator">AllowAll Authenticator</h3>

	<p>This built-in Authenticator authenticates all requests, and always directs them to an Authorizer named "allowAll". It is not intended to be used for anything other than the default unsecured configuration.</p>

	<h3 id="anonymous-authenticator">Anonymous Authenticator</h3>

	<p>This built-in Authenticator authenticates all requests, and directs them to an Authorizer specified in the configuration by the user. It is intended to be used for adding a default level of access so
	the Anonymous Authenticator should be added to the end of the authentication chain. A request that reaches the Anonymous Authenticator at the end of the chain will succeed or fail depending on how the Authorizer linked to the Anonymous Authenticator is configured.</p>

	<table><thead>
	<tr>
	<th>Property</th>
	<th>Description</th>
	<th>Default</th>
	<th>Required</th>
	</tr>
	</thead><tbody>
	<tr>
	<td><code>druid.auth.authenticator.<authenticatorName>.authorizerName</code></td>
	<td>Authorizer that requests should be directed to.</td>
	<td>N/A</td>
	<td>Yes</td>
	</tr>
	<tr>
	<td><code>druid.auth.authenticator.<authenticatorName>.identity</code></td>
	<td>The identity of the requester.</td>
	<td>defaultUser</td>
	<td>No</td>
	</tr>
	</tbody></table>

	<p>To use the Anonymous Authenticator, add an authenticator with type <code>anonymous</code> to the authenticatorChain.</p>

	<p>For example, the following enables the Anonymous Authenticator with the <code>druid-basic-security</code> extension:</p>
	<div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticatorChain=["basic", "anonymous"]

	druid.auth.authenticator.anonymous.type=anonymous
	druid.auth.authenticator.anonymous.identity=defaultUser
	druid.auth.authenticator.anonymous.authorizerName=myBasicAuthorizer

	# ... usual configs for basic authentication would go here ...
	</code></pre></div>
	<h2 id="escalator">Escalator</h2>

	<p>The <code>druid.escalator.type</code> property determines what authentication scheme should be used for internal Druid cluster communications (such as when a Broker process communicates with Historical processes for query processing).</p>

	<p>The Escalator chosen for this property must use an authentication scheme that is supported by an Authenticator in <code>druid.auth.authenticationChain</code>. Authenticator extension implementors must also provide a corresponding Escalator implementation if they intend to use a particular authentication scheme for internal Druid communications.</p>

	<h3 id="noop-escalator">Noop Escalator</h3>

	<p>This built-in default Escalator is intended for use only with the default AllowAll Authenticator and Authorizer.</p>

	<h2 id="authorizers">Authorizers</h2>

	<p>Authorization decisions are handled by an Authorizer. The <code>druid.auth.authorizers</code> property determines what Authorizer implementations will be active.</p>

	<p>There are two built-in Authorizers, "default" and "noop". Other implementations are provided by extensions.</p>

	<p>For example, the following authorizers definition enables the "basic" implementation from <code>druid-basic-security</code>:</p>
	<div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authorizers=["basic"]
	</code></pre></div>
	<p>Only a single Authorizer will authorize any given request.</p>

	<p>Druid includes one built in authorizer:</p>

	<h3 id="allowall-authorizer">AllowAll Authorizer</h3>

	<p>The Authorizer with type name "allowAll" accepts all requests.</p>

	<h2 id="default-unsecured-configuration">Default Unsecured Configuration</h2>

	<p>When <code>druid.auth.authenticationChain</code> is left empty or unspecified, Druid will create an authentication chain with a single AllowAll Authenticator named "allowAll".</p>

	<p>When <code>druid.auth.authorizers</code> is left empty or unspecified, Druid will create a single AllowAll Authorizer named "allowAll".</p>

	<p>The default value of <code>druid.escalator.type</code> is "noop" to match the default unsecured Authenticator/Authorizer configurations.</p>

	<h2 id="authenticator-to-authorizer-routing">Authenticator to Authorizer Routing</h2>

	<p>When an Authenticator successfully authenticates a request, it must attach a AuthenticationResult to the request, containing an information about the identity of the requester, as well as the name of the Authorizer that should authorize the authenticated request.</p>

	<p>An Authenticator implementation should provide some means through configuration to allow users to select what Authorizer(s) the Authenticator should route requests to.</p>

	<h2 id="internal-system-user">Internal System User</h2>

	<p>Internal requests between Druid processes (non-user initiated communications) need to have authentication credentials attached. </p>

	<p>These requests should be run as an "internal system user", an identity that represents the Druid cluster itself, with full access permissions.</p>

	<p>The details of how the internal system user is defined is left to extension implementations.</p>

	<h3 id="authorizer-internal-system-user-handling">Authorizer Internal System User Handling</h3>

	<p>Authorizers implementations must recognize and authorize an identity for the "internal system user", with full access permissions.</p>

	<h3 id="authenticator-and-escalator-internal-system-user-handling">Authenticator and Escalator Internal System User Handling</h3>

	<p>An Authenticator implementation that is intended to support internal Druid communications must recognize credentials for the "internal system user", as provided by a corresponding Escalator implementation.</p>

	<p>An Escalator must implement three methods related to the internal system user:</p>
	<div class="highlight"><pre><code class="language-java" data-lang="java"><span></span> <span class="kd">public</span> <span class="n">HttpClient</span> <span class="nf">createEscalatedClient</span><span class="o">(</span><span class="n">HttpClient</span> <span class="n">baseClient</span><span class="o">);</span>

	<span class="kd">public</span> <span class="n">org</span><span class="o">.</span><span class="na">eclipse</span><span class="o">.</span><span class="na">jetty</span><span class="o">.</span><span class="na">client</span><span class="o">.</span><span class="na">HttpClient</span> <span class="nf">createEscalatedJettyClient</span><span class="o">(</span><span class="n">org</span><span class="o">.</span><span class="na">eclipse</span><span class="o">.</span><span class="na">jetty</span><span class="o">.</span><span class="na">client</span><span class="o">.</span><span class="na">HttpClient</span> <span class="n">baseClient</span><span class="o">);</span>

	<span class="kd">public</span> <span class="n">AuthenticationResult</span> <span class="nf">createEscalatedAuthenticationResult</span><span class="o">();</span>
	</code></pre></div>
	<p><code>createEscalatedClient</code> returns an wrapped HttpClient that attaches the credentials of the "internal system user" to requests.</p>

	<p><code>createEscalatedJettyClient</code> is similar to <code>createEscalatedClient</code>, except that it operates on a Jetty HttpClient.</p>

	<p><code>createEscalatedAuthenticationResult</code> returns an AuthenticationResult containing the identity of the "internal system user".</p>

	<h2 id="reserved-name-configuration-property">Reserved Name Configuration Property</h2>

	<p>For extension implementers, please note that the following configuration properties are reserved for the names of Authenticators and Authorizers:</p>
	<div class="highlight"><pre><code class="language-text" data-lang="text"><span></span>druid.auth.authenticator.<authenticator-name>.name=<authenticator-name>
	druid.auth.authorizer.<authorizer-name>.name=<authorizer-name>
	</code></pre></div>
	<p>These properties provide the authenticator and authorizer names to the implementations as @JsonProperty parameters, potentially useful when multiple authenticators or authorizers of the same type are configured.</p>

	</div>
	<div class="col-md-3">
	<div class="searchbox">
	<gcse:searchbox-only></gcse:searchbox-only>
	</div>
	<div id="toc" class="nav toc hidden-print">
	</div>
	</div>
	</div>
	</div>

	<!-- Start page_footer include -->
	<footer class="druid-footer">
	<div class="container">
	<div class="text-center">
	<p>
	<a href="/technology">Technology</a>&ensp;·&ensp;
	<a href="/use-cases">Use Cases</a>&ensp;·&ensp;
	<a href="/druid-powered">Powered by Druid</a>&ensp;·&ensp;
	<a href="/docs/latest/">Docs</a>&ensp;·&ensp;
	<a href="/community/">Community</a>&ensp;·&ensp;
	<a href="/downloads.html">Download</a>&ensp;·&ensp;
	<a href="/faq">FAQ</a>
	</p>
	</div>
	<div class="text-center">
	<a title="Join the user group" href="https://groups.google.com/forum/#!forum/druid-user" target="_blank"><span class="fa fa-comments"></span></a>&ensp;·&ensp;
	<a title="Follow Druid" href="https://twitter.com/druidio" target="_blank"><span class="fab fa-twitter"></span></a>&ensp;·&ensp;
	<a title="GitHub" href="https://github.com/apache/druid" target="_blank"><span class="fab fa-github"></span></a>
	</div>
	<div class="text-center license">
	Copyright © 2020 <a href="https://www.apache.org/" target="_blank">Apache Software Foundation</a>.<br>
	Except where otherwise noted, licensed under <a rel="license" href="http://creativecommons.org/licenses/by-sa/4.0/">CC BY-SA 4.0</a>.<br>
	Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.
	</div>
	</div>
	</footer>

	<script async src="https://www.googletagmanager.com/gtag/js?id=UA-131010415-1"></script>
	<script>
	window.dataLayer = window.dataLayer \|\| [];
	function gtag(){dataLayer.push(arguments);}
	gtag('js', new Date());
	gtag('config', 'UA-131010415-1');
	</script>
	<script>
	function trackDownload(type, url) {
	ga('send', 'event', 'download', type, url);
	}
	</script>
	<script src="//code.jquery.com/jquery.min.js"></script>
	<script src="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/js/bootstrap.min.js"></script>
	<script src="/assets/js/druid.js"></script>
	<!-- stop page_footer include -->


	<script>
	$(function() {
	$(".toc").load("/docs/0.15.1-incubating/toc.html");

	// There is no way to tell when .gsc-input will be async loaded into the page so just try to set a placeholder until it works
	var tries = 0;
	var timer = setInterval(function() {
	tries++;
	if (tries > 300) clearInterval(timer);
	var searchInput = $('input.gsc-input');
	if (searchInput.length) {
	searchInput.attr('placeholder', 'Search');
	clearInterval(timer);
	}
	}, 100);
	});
	</script>
	</body>
	</html>