druid/docs/operations/password-provider.md

---
id: password-provider
title: "Password providers"
---

<!--
  ~ Licensed to the Apache Software Foundation (ASF) under one
  ~ or more contributor license agreements.  See the NOTICE file
  ~ distributed with this work for additional information
  ~ regarding copyright ownership.  The ASF licenses this file
  ~ to you under the Apache License, Version 2.0 (the
  ~ "License"); you may not use this file except in compliance
  ~ with the License.  You may obtain a copy of the License at
  ~
  ~   http://www.apache.org/licenses/LICENSE-2.0
  ~
  ~ Unless required by applicable law or agreed to in writing,
  ~ software distributed under the License is distributed on an
  ~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  ~ KIND, either express or implied.  See the License for the
  ~ specific language governing permissions and limitations
  ~ under the License.
  -->


Passwords help secure Apache Druid systems such as the metadata store and the keystore that contains server certificates, and so on.

These passwords have corresponding runtime properties associated with them, for example `druid.metadata.storage.connector.password` corresponds to the metadata store password.

By default users can directly set the passwords in plaintext for runtime properties. For example, `druid.metadata.storage.connector.password=pwd` sets the password to be used by Druid to connect to the metadata store to `pwd`. Alternatively, users can can set passwords as environment variables.

Environment variable passwords allow users to avoid exposing passwords in the `runtime.properties` file. 

You can set an environment variable password as in the following example: 

```json
druid.metadata.storage.connector.password={ "type": "environment", "variable": "METADATA_STORAGE_PASSWORD" }
```

The values are described below.

|Field|Type|Description|Required|
|-----|----|-----------|--------|
|`type`|String|password provider type|Yes: `environment`|
|`variable`|String|environment variable to read password from|Yes|

Another option that provides even greater control is to securely fetch passwords at runtime using a custom extension of the `PasswordProvider` interface that is registered at Druid process startup.

For more information, see [Adding a new Password Provider implementation](../development/modules.md#adding-a-new-password-provider-implementation).

To use this implementation, simply set the relevant password runtime property similarly to how was shown for the environment variable password: 

```json
druid.metadata.storage.connector.password={ "type": "<registered_password_provider_name>", "<jackson_property>": "<value>", ... }
```
Front Matter header needs to be on the first line for md to be rendered properly by jekyll (#6733) 2018-12-13 14:47:20 -05:00			`---`
Docusaurus build framework + ingestion doc refresh. (#8311) * Docusaurus build framework + ingestion doc refresh. * stick to npm instead of yarn * fix typos * restore some _bin * Adjustments. * detect and fix redirect anchors * update anchor lint * Web-console: remove specific column filters (#8343) * add clear filter * update tool kit * remove usless check * auto run * add % * Fix resource leak (#8337) * Fix resource leak * Patch comments * Enable Spotbugs NP_NONNULL_RETURN_VIOLATION (#8234) * Fixes from PR review. * Fix more anchors. * Preamble nix. * Fix more anchors, headers * clean up placeholder page * add to website lint to travis config * better broken link checking * travis fix * Fixed more broken links * better redirects * unfancy catch * fix LGTM error * link fixes * fix md issues * Addl fixes 2019-08-21 00:48:59 -04:00			`id: password-provider`
			`title: "Password providers"`
Front Matter header needs to be on the first line for md to be rendered properly by jekyll (#6733) 2018-12-13 14:47:20 -05:00			`---`

add missing license headers, in particular to MD files; clean up RAT … (#6563) * add missing license headers, in particular to MD files; clean up RAT exclusions * revert inadvertent doc changes * docs * cr changes * fix modified druid-production.svg 2018-11-13 12:38:37 -05:00			`<!--`
			`~ Licensed to the Apache Software Foundation (ASF) under one`
			`~ or more contributor license agreements. See the NOTICE file`
			`~ distributed with this work for additional information`
			`~ regarding copyright ownership. The ASF licenses this file`
			`~ to you under the Apache License, Version 2.0 (the`
			`~ "License"); you may not use this file except in compliance`
			`~ with the License. You may obtain a copy of the License at`
			`~`
			`~ http://www.apache.org/licenses/LICENSE-2.0`
			`~`
			`~ Unless required by applicable law or agreed to in writing,`
			`~ software distributed under the License is distributed on an`
			`~ "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY`
			`~ KIND, either express or implied. See the License for the`
			`~ specific language governing permissions and limitations`
			`~ under the License.`
			`-->`

TLS support (#4270) 2017-07-06 20:40:12 -04:00
Security overview documentation (#10339) * initial file * initial file * security overview added * ldap added * spacing adjustments * nits * security graphics and doc review * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * updates frm review * review comments * finish up review and light edits * broken links * spell check Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> 2020-11-19 18:24:58 -05:00			`Passwords help secure Apache Druid systems such as the metadata store and the keystore that contains server certificates, and so on.`
TLS support (#4270) 2017-07-06 20:40:12 -04:00
Security overview documentation (#10339) * initial file * initial file * security overview added * ldap added * spacing adjustments * nits * security graphics and doc review * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * updates frm review * review comments * finish up review and light edits * broken links * spell check Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> 2020-11-19 18:24:58 -05:00			These passwords have corresponding runtime properties associated with them, for example `druid.metadata.storage.connector.password` corresponds to the metadata store password.
TLS support (#4270) 2017-07-06 20:40:12 -04:00
Security overview documentation (#10339) * initial file * initial file * security overview added * ldap added * spacing adjustments * nits * security graphics and doc review * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * updates frm review * review comments * finish up review and light edits * broken links * spell check Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> 2020-11-19 18:24:58 -05:00			By default users can directly set the passwords in plaintext for runtime properties. For example, `druid.metadata.storage.connector.password=pwd` sets the password to be used by Druid to connect to the metadata store to `pwd`. Alternatively, users can can set passwords as environment variables.

			Environment variable passwords allow users to avoid exposing passwords in the `runtime.properties` file.

			`You can set an environment variable password as in the following example:`
TLS support (#4270) 2017-07-06 20:40:12 -04:00
			```json
Update password-provider.md (#9857) 2020-06-10 12:32:49 -04:00			`druid.metadata.storage.connector.password={ "type": "environment", "variable": "METADATA_STORAGE_PASSWORD" }`
TLS support (#4270) 2017-07-06 20:40:12 -04:00			```

			`The values are described below.`

			`\|Field\|Type\|Description\|Required\|`
			`\|-----\|----\|-----------\|--------\|`
			\|`type`\|String\|password provider type\|Yes: `environment`\|
			\|`variable`\|String\|environment variable to read password from\|Yes\|

Security overview documentation (#10339) * initial file * initial file * security overview added * ldap added * spacing adjustments * nits * security graphics and doc review * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * updates frm review * review comments * finish up review and light edits * broken links * spell check Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> 2020-11-19 18:24:58 -05:00			Another option that provides even greater control is to securely fetch passwords at runtime using a custom extension of the `PasswordProvider` interface that is registered at Druid process startup.

			`For more information, see [Adding a new Password Provider implementation](../development/modules.md#adding-a-new-password-provider-implementation).`
TLS support (#4270) 2017-07-06 20:40:12 -04:00
Security overview documentation (#10339) * initial file * initial file * security overview added * ldap added * spacing adjustments * nits * security graphics and doc review * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-user-auth.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * Update docs/operations/security-overview.md Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> * updates frm review * review comments * finish up review and light edits * broken links * spell check Co-authored-by: Jonathan Wei <jon-wei@users.noreply.github.com> 2020-11-19 18:24:58 -05:00			`To use this implementation, simply set the relevant password runtime property similarly to how was shown for the environment variable password:`
TLS support (#4270) 2017-07-06 20:40:12 -04:00
			```json
Update password-provider.md (#9857) 2020-06-10 12:32:49 -04:00			`druid.metadata.storage.connector.password={ "type": "<registered_password_provider_name>", "<jackson_property>": "<value>", ... }`
add missing license headers, in particular to MD files; clean up RAT … (#6563) * add missing license headers, in particular to MD files; clean up RAT exclusions * revert inadvertent doc changes * docs * cr changes * fix modified druid-production.svg 2018-11-13 12:38:37 -05:00			```