Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Update LDAP configuration docs (#13245) 

* Update LDAP configuration docs

* Updated after review

* Update auth-ldap.md

Updated.

* Update auth-ldap.md

* Updated spelling file

* Update docs/operations/auth-ldap.md

Co-authored-by: Charles Smith <techdocsmith@gmail.com>

* Update docs/operations/auth-ldap.md

Co-authored-by: Charles Smith <techdocsmith@gmail.com>

* Update docs/operations/auth-ldap.md

Co-authored-by: Charles Smith <techdocsmith@gmail.com>

* Update auth-ldap.md

Co-authored-by: Charles Smith <techdocsmith@gmail.com>
This commit is contained in:
Jill Osborne 2022-11-29 17:26:32 +00:00 committed by GitHub
parent 79df11c16c
commit 5c520e0cf9
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 547 additions and 256 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

420
docs/development/extensions-core/druid-basic-security.md
View File

@ -53,12 +53,29 @@ To set the value for the configuration properties, add them to the common runtim
### General properties
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.|60000|No|
|`druid.auth.basic.common.maxRandomDelay`|Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.|6000|No|
|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.|10|No|
|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No|
**`druid.auth.basic.common.pollingPeriod`**
Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 60000
**`druid.auth.basic.common.maxRandomDelay`**
Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 6000
**`druid.auth.basic.common.maxSyncRetries`**
Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 10
**`druid.auth.basic.common.cacheDirectory`**
If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
### Authenticator
@ -96,16 +113,55 @@ The remaining examples of authenticator configuration use either `MyBasicMetadat
#### Properties for Druid metadata store user authentication
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`|Number of iterations to use for password hashing. See [Credential iterations and API performance](#credential-iterations-and-api-performance)|10000|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`|The type of credentials store (metadata) to validate requests credentials.|metadata|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No|
|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes|
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`**
Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`**
Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`**
If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: True
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`**
The timeout in milliseconds for the cache notifications.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 5000
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`**
Number of iterations to use for password hashing. See [Credential iterations and API performance](#credential-iterations-and-api-performance)<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 10000
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`**
The type of credentials store (metadata) to validate requests credentials.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: metadata
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`**
If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: false
**`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`**
Authorizer that requests should be directed to.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
##### Credential iterations and API performance
@ -121,25 +177,107 @@ If Druid uses the default credentials validator (i.e., `credentialsValidator.typ
#### Properties for LDAP user authentication
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`|The type of credentials store (ldap) to validate requests credentials.|metadata|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`|URL of the LDAP server.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`|LDAP bind user username.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`|[Password Provider](../../operations/password-provider.md) LDAP bind user password.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`|The point from where the LDAP server will search for users.|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`|The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))|null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`|The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName. |null|Yes|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`|The duration in seconds for how long valid credentials are verifiable within the cache when not requested.|600|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`|The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.|3600|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`|The valid credentials cache size. The cache uses a LRU policy.|100|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No|
|`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`|Authorizer that requests should be directed to.|N/A|Yes|
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`**
Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`**
Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`**
If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: true
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`**
The timeout in milliseconds for the cache notifications.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 5000
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`**
Number of iterations to use for password hashing.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 10000
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`**
The type of credentials store (ldap) to validate requests credentials.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: metadata
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`**
URL of the LDAP server.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`**
LDAP bind user username.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`**
[Password Provider](../../operations/password-provider.md) LDAP bind user password.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`**
The point from where the LDAP server will search for users.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`**
The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`**
The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`**
The duration in seconds for how long valid credentials are verifiable within the cache when not requested.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 600
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`**
The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 3600
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`**
The valid credentials cache size. The cache uses a LRU policy.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 100
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`**
If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: false
**`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`**
Authorizer that requests should be directed to.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
### Escalator
@ -155,11 +293,24 @@ druid.escalator.authorizerName=MyBasicMetadataAuthorizer
```
#### Properties
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.escalator.internalClientUsername`|The escalator will use this username for requests made as the internal system user.|n/a|Yes|
|`druid.escalator.internalClientPassword`|The escalator will use this [Password Provider](../../operations/password-provider.md) for requests made as the internal system user.|n/a|Yes|
|`druid.escalator.authorizerName`|Authorizer that requests should be directed to.|n/a|Yes|
**`druid.escalator.internalClientUsername`**
The escalator will use this username for requests made as the internal system user.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
**`druid.escalator.internalClientPassword`**
The escalator will use this [Password Provider](../../operations/password-provider.md) for requests made as the internal system user.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
**`druid.escalator.authorizerName`**
Authorizer that requests should be directed to.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
### Authorizer
@ -182,24 +333,131 @@ druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
The examples in the rest of this article use `MyBasicMetadataAuthorizer` or `MyBasicLDAPAuthorizer` as the authorizer name.
#### Properties for Druid metadata store user authorization
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No|
|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type of role provider to authorize requests credentials.|metadata|No
**`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`**
If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: true
**`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`**
The timeout in milliseconds for the cache notifications.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 5000
**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`**
The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: admin
**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`**
The initial admin role to create if it doesn't already exists.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: admin
**`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`**
The type of role provider to authorize requests credentials.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: metadata
#### Properties for LDAP user authorization
|Property|Description|Default|required|
|--------|-----------|-------|--------|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping|null|No|
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of role provider (ldap) to authorize requests credentials.|metadata|No
|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.|null|No|
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`**
If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: true
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`**
The timeout in milliseconds for the cache notifications.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: 5000
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`**
The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: admin
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`**
The initial admin role to create if it doesn't already exists.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: admin
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`**
The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`**
The type of role provider (ldap) to authorize requests credentials.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: metadata
**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`**
Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: null
#### Properties for LDAPS
Use the following properties to configure Druid authentication with LDAP over TLS (LDAPS). See [Configure LDAP authentication](../../operations/auth-ldap.md) for more information.
**`druid.auth.basic.ssl.protocol`**
SSL protocol to use. The TLS version is 1.2.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: tls
**`druid.auth.basic.ssl.trustStorePath`**
Path to the trust store file.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
**`druid.auth.basic.ssl.trustStorePassword`**
Password to access the trust store file.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: Yes<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
**`druid.auth.basic.ssl.trustStoreType`**
Format of the trust store file. For Java the format is jks.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: jks
**`druid.auth.basic.ssl.trustStoreAlgorithm`**
Algorithm used by the trust manager to validate certificate chains.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
**`druid.auth.basic.ssl.trustStorePassword`**
Password details that enable access to the truststore.<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Required**: No<br>
&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;**Default**: N/A
Example LDAPS configuration:
```json
druid.auth.basic.ssl.protocol=tls
druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks
druid.auth.basic.ssl.trustStorePassword=xxxxx
druid.auth.basic.ssl.trustStoreType=jks
druid.auth.basic.ssl.trustStoreAlgorithm=PKIX
```
You can configure `druid.auth.basic.ssl.trustStorePassword` to be a plain text password or you can set the password as an environment variable. See [Password providers](../../operations/password-provider.md) for more information.
## Usage
@ -213,19 +471,19 @@ Root path: `/druid-ext/basic-security/authentication`
Each API endpoint includes {authenticatorName}, specifying which Authenticator instance is being configured.
##### User/Credential Management
`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)`
`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)`<br>
Return a list of all user names.
`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Return the name and credentials information of the user with name {userName}
`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Create a new user with name {userName}
`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Delete the user with name {userName}
`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)`
`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)`<br>
Assign a password used for HTTP basic authentication for {userName}
Content: JSON password request object
@ -238,20 +496,20 @@ Example request body:
```
##### Cache Load Status
`GET(/druid-ext/basic-security/authentication/loadStatus)`
`GET(/druid-ext/basic-security/authentication/loadStatus)`<br>
Return the current load status of the local caches of the authentication Druid metadata store.
#### Authorization API
Root path: `/druid-ext/basic-security/authorization`
Root path: `/druid-ext/basic-security/authorization`<br>
Each API endpoint includes {authorizerName}, specifying which Authorizer instance is being configured.
##### User Creation/Deletion
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)`<br>
Return a list of all user names.
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Return the name and role information of the user with name {userName}
Example output:
@ -338,20 +596,20 @@ The `resourceNamePattern` is a compiled version of the resource name regex. It i
}
```
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Create a new user with name {userName}
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Delete the user with name {userName}
##### Group mapping Creation/Deletion
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)`<br>
Return a list of all group mappings.
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Return the group mapping and role information of the group mapping with name {groupMappingName}
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Create a new group mapping with name {groupMappingName}
Content: JSON group mapping object
Example request body:
@ -366,14 +624,14 @@ Example request body:
}
```
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Delete the group mapping with name {groupMappingName}
#### Role Creation/Deletion
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`<br>
Return a list of all role names.
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Return name and permissions for the role named {roleName}.
Example output:
@ -427,30 +685,30 @@ Example output:
```
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Create a new role with name {roleName}.
Content: username string
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Delete the role with name {roleName}.
#### Role Assignment
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`<br>
Assign role {roleName} to user {userName}.
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`<br>
Unassign role {roleName} from user {userName}
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`<br>
Assign role {roleName} to group mapping {groupMappingName}.
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`<br>
Unassign role {roleName} from group mapping {groupMappingName}
#### Permissions
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`
`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`<br>
Set the permissions of {roleName}. This replaces the previous set of permissions on the role.
Content: List of JSON Resource-Action objects, e.g.:
@ -479,5 +737,5 @@ The "name" field for resources in the permission definitions are regexes used to
Please see [Defining permissions](../../operations/security-user-auth.md#defining-permissions) for more details.
##### Cache Load Status
`GET(/druid-ext/basic-security/authorization/loadStatus)`
`GET(/druid-ext/basic-security/authorization/loadStatus)`<br>
Return the current load status of the local caches of the authorization Druid metadata store.

305
docs/operations/auth-ldap.md
View File

@ -1,6 +1,7 @@
---
id: auth-ldap
title: "LDAP auth"
title: "Configure LDAP authentication"
sidebar_label: "LDAP auth"
---
<!--
@ -22,182 +23,284 @@ title: "LDAP auth"
~ under the License.
-->
You can use [Lightweight Directory Access Protocol (LDAP)](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) to secure access to Apache Druid. This topic describes how to set up Druid authentication and authorization with LDAP and LDAP over TLS (LDAPS). The examples on this page show the configuration for an Active Directory LDAP system.
This page describes how to set up Druid user authentication and authorization through LDAP. The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to roles and assign permissions to roles.
The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to Druid roles and assign permissions to those roles. After you've completed this configuration you can optionally choose to enable LDAPS to make LDAP traffic confidential and secure.
## Enable LDAP in Druid
## Prerequisites
Before starting, verify that the active directory is reachable from the Druid Master servers. Command line tools such as `ldapsearch` and `ldapwhoami`, which are included with OpenLDAP, are useful for this testing. 
Before you start to configure LDAP for Druid, test your LDAP connection and perform a sample search.
### Check the connection
### Check your LDAP connection
First test that the basic connection and user credential works. For example, given a user `uuser1@example.com`, try:
Test your LDAP connection to verify it works with user credentials. Later in the process you [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) with this user as the `bindUser`.
The following example command tests the connection for the user `myuser@example.com`. Insert your LDAP server IP address. Modify the port number of your LDAP instance if it listens on a port other than `389`.
```bash
ldapwhoami -vv -H ldap://<ip_address>:389  -D"uuser1@example.com" -W
ldapwhoami -vv -H ldap://ip_address:389 -D "myuser@example.com" -W
```
Enter the password associated with the user when prompted and verify that the command succeeded. If it didn't, try the following troubleshooting steps:
Enter the password for the user when prompted and verify that the command succeeded. If it failed, check the following:
* Verify that you've used the correct port for your LDAP instance. By default, the LDAP port is 389, but double-check with your LDAP admin if unable to connect.
* Check whether a network firewall is not preventing connections to the LDAP port.
* Check whether LDAP clients need to be specifically whitelisted at the LDAP server to be able to reach it. If so, add the Druid Coordinator server to the AD whitelist.
- Make sure you're using the correct port for your LDAP instance.
- Check if a network firewall is preventing connections to the LDAP port.
- Review your LDAP implementation details to see whether you need to specifically allow LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the allow list.
### Test your LDAP search
### Check the search criteria
After verifying basic connectivity, check your search criteria. For example, the command for searching for user `uuser1@example.com ` is as follows:
Once your LDAP connection is working, search for a user. For example, the following command searches for the user `myuser` in an Active Directory system. The `sAMAccountName` attribute is specific to Active Directory and contains the authenticated user identity:
```bash
ldapsearch -x -W -H ldap://<ldap_server>  -D"uuser1@example.com" -b "dc=example,dc=com" "(sAMAccountName=uuser1)"
ldapsearch -x -W -H ldap://ip_address:389 -D "cn=admin,dc=example,dc=com" -b "dc=example,dc=com" "(sAMAccountName=myuser)" +
```
Note the `memberOf` attribute in the results; it shows the groups that the user belongs to. You will use this value to map the LDAP group to the Druid roles later. This attribute may be implemented differently on different types of LDAP servers. For instance, some LDAP servers may support recursive groupings, and some may not. Some LDAP server implementations may not have any object classes that contain this attribute altogether. If your LDAP server does not use the `memberOf` attribute, then Druid will not be able to determine a user's group membership using LDAP. The sAMAccountName attribute used in this example contains the authenticated user identity. This is an attribute of an object class specific to Microsoft Active Directory. The object classes and attribute used in your LDAP server may be different.
The `memberOf` attribute in the results shows the groups the user belongs to. For example, the following response shows that the user is a member of the `mygroup` group:
## Configure Druid user authentication with LDAP/Active Directory 
```bash
memberOf: cn=mygroup,ou=groups,dc=example,dc=com
```
1. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. See [Security Overview](security-overview.md) for details.
2. As a best practice, create a user in LDAP to be used for internal communication with Druid.
3. In `common.runtime.properties`, update LDAP-related properties, as shown in the following listing: 
```
druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<AD host>:<AD port>
druid.auth.authenticator.ldap.credentialsValidator.bindUser=<AD admin user, e.g.: Administrator@example.com>
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<AD admin password>
druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base dn, e.g.: dc=example,dc=com>
druid.auth.authenticator.ldap.credentialsValidator.userSearch=<The LDAP search, e.g.: (&(sAMAccountName=%s)(objectClass=user))>
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=<AD internal user, e.g.: internal@example.com>
druid.escalator.internalClientPassword=Welcome123
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=AD user who acts as the initial admin user, e.g.: internal@example.com>
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
You use this information to map the LDAP group to Druid roles in a later step.
> Druid uses the `memberOf` attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you [map LDAP groups to Druid roles](#map-ldap-groups-to-druid-roles).
## Configure Druid for LDAP authentication
To configure Druid to use LDAP authentication, follow these steps. See [Configuration reference](../configuration/index.md) for the location of the configuration files.
1. Create a user in your LDAP system that you'll use both for internal communication with Druid and as the LDAP initial admin user. See [Security overview](./security-overview.md) for more information.
In the example below, the LDAP user is `internal@example.com`.
2. Enable the `druid-basic-security` extension in the `common.runtime.properties` file.
3. In the `common.runtime.properties` file, add the following lines for LDAP properties and substitute the values for your own. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication) for details about these properties.
```
druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ip_address:port
druid.auth.authenticator.ldap.credentialsValidator.bindUser=administrator@example.com
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=adminpassword
druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user))
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=internal@example.com
druid.escalator.internalClientPassword=internaluserpassword
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=internal@example.com
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
```
Note the following:
- `bindUser`: A user for connecting to LDAP. This should be the same user you used to [test your LDAP search](#test-your-ldap-search).
- `userSearch`: Your LDAP search syntax.
- `userAttribute`: The user search attribute.
- `internal@example.com` is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user.
> In the above example, the [Druid escalator](../development/extensions-core/druid-basic-security.md#escalator) and LDAP initial admin user are set to the same user - `internal@example.com`. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function.
4. Save your group mapping to a JSON file. An example file `groupmap.json` looks like this:
```
{
"name": "mygroupmap",
"groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com",
"roles": [
"readRole"
]
}
```
In the example, the LDAP group `mygroup` maps to Druid role `readRole` and the name of the mapping is `mygroupmap`.
5. Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in `groupmap.json` for the LDAP group `mygroup`:
```
curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
```
6. Check that the group mapping was created successfully. The following example request lists all group mappings:
```
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
```
Notice that the LDAP user created in the previous step, `internal@example.com`, serves as the internal client user and the initial admin user.
## Map LDAP groups to Druid roles
## Use LDAP groups to assign roles
Once you've completed the initial setup and mapping, you can map more LDAP groups to Druid roles. Members of an LDAP group get access to the permissions of the corresponding Druid role.
You can map LDAP groups to a role in Druid. Members in the group get access to the permissions of the corresponding role. 
### Create a Druid role
To create a Druid role, you can submit a POST request to the Coordinator process using the Druid REST API or you can use the Druid console.
### Step 1: Create a role
The examples below use `localhost` as the Coordinator host and `8081` as the port. Amend these properties according to the details of your deployment.
First create the role in Druid using the Druid REST API.
Creating a role involves submitting a POST request to the Coordinator process. 
The following REST APIs to create the role to read access for datasource, config, state.
> As mentioned, the REST API calls need to address the Coordinator node. The examples used below use localhost as the Coordinator host and 8081 as the port. Adjust these settings according to your deployment.
Call the following API to create role `readRole` . 
Example request to create a role named `readRole`:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole
```
Check that the role has been created successfully by entering the following:
Check that Druid created the role successfully. The following example request lists all roles:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X GET  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles
```
### Add permissions to the Druid role
### Step 2: Add permissions to a role 
You can now add one or more permission to the role. The following example adds read-only access to a `wikipedia` data source.  
Once you have a Druid role you can add permissions to it. The following example adds read-only access to a `wikipedia` data source.
Given the following JSON in a file named `perm.json`:
```
[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }
,{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" },
{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}]
[
{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" },
{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" },
{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}
]
```
The following command associates the permissions in the JSON file with the role
The following request associates the permissions in the JSON file with the `readRole` role:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d@perm.json  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions
curl -i -v -H "Content-Type: application/json" -u internal -X POST -d@perm.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions
```
Note that the STATE and CONFIG permissions in `perm.json` are needed to see the data source in the web console. If only querying permissions are needed, the READ action is sufficient:
Druid users need the `STATE` and `CONFIG` permissions to view the data source in the Druid console. If you only want to assign querying permissions you can apply just the `READ` permission with the first line in the `perm.json` file.
```
[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }]
```
You can also provide the data source name in the form of a regular expression. For example, to give access to all data sources starting with `wiki`, you would specify the data source name as `{ "name": "wiki.*" }` .
You can also provide the name in the form of regular expression. For example, to give access to all data sources starting with `wiki`, specify the name as  `{ "name": "wiki.*", .....`.
### Create the group mapping
### Step 3: Create group Mapping 
The following shows an example of a group to role mapping. It assumes that a group named `group1` exists in the directory. Also assuming the following role mapping in a file named `groupmap.json`:
You can now map an LDAP group to the Druid role. The following example request creates a mapping with name `mygroupmap`. It assumes that a group named `mygroup` exists in the directory.
```
{
    "name": "group1map",
    "groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
    "roles": [
        "readRole"
    ]
"name": "mygroupmap",
"groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com",
"roles": [
"readRole"
]
}
```
You can configure the mapping as follows:
The following example request configures the mapping&mdash;the role mapping is in the file `groupmap.json`. See [Configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) for the contents of an example file.
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
```
To check whether the group mapping was created successfully, run the following command:
To check whether the group mapping was created successfully, the following request lists all group mappings:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
```
To check the details of a specific group mapping, use the following:
The following example request returns the details of the `mygroupmap` group:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
```
To add additional roles to the group mapping, use the following API:
The following example request adds the role `queryRole` to the `mygroupmap` mapping:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole> 
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroup/roles/queryrole
```
In the next two steps you will be creating a user, and assigning previously created roles to it. These steps are only needed in the following cases:
- Your LDAP server does not support the `memberOf` attribute, or
- You want to configure a user with additional roles that are not mapped to the group(s) that the user is a member of
If this is not the case for your scenario, you can skip these steps.
### Add an LDAP user to Druid and assign a role
### Step 4. Create a user
You only need to complete this step if:
- Your LDAP user doesn't belong to any of your LDAP groups, or
- You want to configure a user with additional Druid roles that are not mapped to the LDAP groups that the user belongs to.
Once LDAP is enabled, only user passwords are verified with LDAP. You add the LDAP user to Druid as follows: 
Example request to add the LDAP user `myuser` to Druid:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/<AD user> 
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser
```
### Step 5. Assign the role to the user
The following command shows how to assign a role to a user:
Example request to assign the `myuser` user to the `queryRole` role:
```
curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users/<AD user>/roles/<rolename> 
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser/roles/queryRole
```
For more information about security and the basic security extension, see [Security Overview](security-overview.md).
## Enable LDAP over TLS (LDAPS)
Once you've configured LDAP authentication in Druid, you can optionally make LDAP traffic confidential and secure by using Transport Layer Security (TLS)&mdash;previously Secure Socket Layer(SSL)&mdash;technology.
Configuring LDAPS establishes trust between Druid and the LDAP server.
## Prerequisites
Before you start to set up LDAPS in Druid, you must [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication). You also need:
- A certificate issued by a public certificate authority (CA) or a self-signed certificate by an internal CA.
- The root certificate for the CA that signed the certificate for the LDAP server. If you're using a common public CA, the certificate may already be in the Java truststore. Otherwise you need to import the certificate for the CA.
## Configure Druid for LDAPS
Complete the following steps to set up LDAPS for Druid. See [Configuration reference](../configuration/index.md) for the location of the configuration files.
1. Import the CA certificate for your LDAP server or a self-signed certificate into the truststore location saved as `druid.client.https.trustStorePath` in your `common.runtime.properties` file.
```
keytool -import -trustcacerts -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer
```
Replace `path/to/cacerts` with the path to your truststore, `truststorepassword` with your truststore password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example:
```
keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer
```
2. If the root certificate for the CA isn't already in the Java truststore, import it:
```
keytool -importcert -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer
```
Replace `path/to/cacerts` with the path to your truststore, `truststorepassword` with your truststore password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example:
```
keytool -importcert -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer
```
3. In your `common.runtime.properties` file, add the following lines to the LDAP configuration section, substituting your own truststore path and password:
```
druid.auth.basic.ssl.trustStorePath=/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts
druid.auth.basic.ssl.protocol=TLS
druid.auth.basic.ssl.trustStorePassword=xxxxxx
```
See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for details about these properties.
4. You can optionally configure additional LDAPS properties in the `common.runtime.properties` file. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for more information.
5. Restart Druid.
## Troubleshooting tips
The following are some ideas to help you troubleshoot issues with LDAP and LDAPS.
### Check the coordinator logs
If your LDAP connection isn't working, check the coordinator logs. See [Logging](../configuration/logging.md) for details.
### Check the Druid escalator configuration
If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](../configuration/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator.
### Check your LDAP server response time
If a user can log in to the Druid console but the landing page shows a 401 error, check your LDAP server response time. In a large organization with a high number of LDAP users, LDAP may be slow to respond, and this can result in a connection timeout.

75
docs/operations/security-overview.md
View File

@ -250,80 +250,7 @@ The following steps walk through a sample setup procedure:
## Configuring an LDAP authenticator
As an alternative to using the basic metadata authenticator, you can use LDAP to authenticate users. The following steps provide an overview of the setup procedure. For more information on these settings, see [Properties for LDAP user authentication](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication).
1. In `common.runtime.properties`, add LDAP to the authenticator chain in the order in which you want requests to be evaluated. For example:
```
# Druid basic security
druid.auth.authenticatorChain=["ldap", "MyBasicMetadataAuthenticator"]
```
2. Configure LDAP settings in `common.runtime.properties` as appropriate for your LDAP scheme and system. For example:
```
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ad_host:389
druid.auth.authenticator.ldap.credentialsValidator.bindUser=ad_admin_user
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=ad_admin_password
druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user))
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.escalator.type=basic
druid.escalator.internalClientUsername=ad_interal_user
druid.escalator.internalClientPassword=Welcome123
druid.escalator.authorizerName=ldapauth
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldapauth.initialAdminUser=<ad_initial_admin_user>
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
```
3. Use the Druid API to create the group mapping and allocate initial roles. For example, using curl and given a group named `group1` in the directory, run:
```
curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
```
The `groupmap.json` file contents would be something like:
```
{
"name": "group1map",
"groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
"roles": [
"readRole"
]
}
```
4. Check if the group mapping is created successfully by executing the following API. This lists all group mappings.
```
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
```
Alternatively, to check the details of a specific group mapping, use the following API:
```
curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
```
5. To add additional roles to the group mapping, use the following API:
```
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole>
```
6. Add the LDAP user to Druid. To add a user, use the following authentication API:
```
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/<ad_user>
```
7. Use the following command to assign the role to a user:
```
curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users/<ad_user>/roles/<rolename>
```
Congratulations, you have configured permissions for user-assigned roles in Druid!
As an alternative to using the basic metadata authenticator, you can use LDAP to authenticate users. See [Configure LDAP authentication](./auth-ldap.md) for information on configuring Druid for LDAP and LDAPS.
## Druid security trust model
Within Druid's trust model there users can have different authorization levels:

3
website/.spelling
View File

@ -129,6 +129,7 @@ JDK
JDK7
JDK8
JKS
jks
JMX
JRE
JS
@ -147,6 +148,7 @@ Kerberos
KeyStores
Kinesis
Kubernetes
LDAPS
LRU
LZ4
LZO
@ -203,6 +205,7 @@ SYSTEM_TABLE
TCP
TGT
TLS
tls
TopN
TopNs
UI