Apache
/
druid
mirror of https://github.com/apache/druid.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
druid/docs/development/extensions-core/druid-pac4j.md

3.7 KiB
Raw Blame History

id title
druid-pac4j Druid pac4j based Security extension

Apache Druid Extension to enable OpenID Connect based Authentication for Druid Processes using pac4j as the underlying client library. This can be used with any authentication server that supports same e.g. Okta. The pac4j authenticator should only be used at the router node to enable a group of users in existing authentication server to interact with Druid cluster, using the web console.

This extension also provides a JWT authenticator that validates ID Tokens associated with a request. ID Tokens are attached to the request under the Authorization header with the bearer token prefix - Bearer . This authenticator is intended for services to talk to Druid by initially authenticating with an OIDC server to retrieve the ID Token which is then attached to every Druid request.

This extension does not support JDBC client authentication.

Configuration

Creating an Authenticator

#Create a pac4j web user authenticator
druid.auth.authenticatorChain=["pac4j"]
druid.auth.authenticator.pac4j.type=pac4j

#Create a JWT token authenticator
druid.auth.authenticatorChain=["jwt"]
druid.auth.authenticator.jwt.type=jwt

Properties

Property Description Default required
druid.auth.pac4j.cookiePassphrase passphrase for encrypting the cookies used to manage authentication session with browser. It can be provided as plaintext string or The Password Provider. none Yes
druid.auth.pac4j.readTimeout Socket connect and read timeout duration used when communicating with authentication server PT5S No
druid.auth.pac4j.enableCustomSslContext Whether to use custom SSLContext setup via simple-client-sslcontext extension which must be added to extensions list when this property is set to true. false No
druid.auth.pac4j.oidc.clientID OAuth Client Application id. none Yes
druid.auth.pac4j.oidc.clientSecret OAuth Client Application secret. It can be provided as plaintext string or The Password Provider. none Yes
druid.auth.pac4j.oidc.discoveryURI discovery URI for fetching OP metadata see this. none Yes
druid.auth.pac4j.oidc.oidcClaim claim that will be extracted from the ID Token after validation. name No
druid.auth.pac4j.oidc.scope scope is used by an application during authentication to authorize access to a user's details openid profile email No