Enabling Kerberos in Druid

Enabling Kerberos for Druid in Ambari triggers an automatic update of the necessary Kerberos configurations in Druid, ensuring a simple and efficient integration of security measures.

To enable Kerberos in Druid, the following updates are necessary:

Include druid-kerberos in the loaded extensions list found in advanced druid-common under druid.extensions.loadList.
Add the following configurations to custom druid-common. Here are the Kerberos configurations specific to Druid:

Config
    
​x
 
druid.auth.authenticatorChain=["kerberos"]druid.auth.authenticator.kerberos.type=kerberosdruid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secretdruid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytabdruid.auth.authenticator.kerberos.serverPrincipal=<Default values added by Amabri HTTP/_HOST@ADSRE.COM >druid.auth.authenticator.kerberos.authToLocal=<This value will be added by ambari by-defaut>​druid.hadoop.security.authentication=kerberosdruid.hadoop.security.kerberos.keytab=<druid.headless.keytab location>druid.hadoop.security.kerberos.principal=<Druid-kerberos-Principle-name>​druid.escalator.type=kerberosdruid.escalator.internalClientPrincipal=<Druid-kerberos-Principle-name >druid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytab​druid.escalator.authorizerName=<basic/ldapauth>
Copy

Presented below is an illustrative example:

Config
    
 
druid.auth.authenticatorChain=["kerberos"]druid.auth.authenticator.kerberos.type=kerberosdruid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secretdruid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytabdruid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@ADSRE.COMdruid.auth.authenticator.kerberos.authToLocal=<This value will be added by ambari by-defaut>​druid.hadoop.security.authentication=kerberosdruid.hadoop.security.kerberos.keytab=/etc/security/keytabs/druid.headless.keytabdruid.hadoop.security.kerberos.principal=druid-odp_focal@ADSRE.COM​druid.escalator.type=kerberosdruid.escalator.internalClientPrincipal=druid-odp_focal@ADSRE.COMdruid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytabdruid.escalator.authorizerName=basic
Copy

Last updated on Feb 29, 2024

Was this page helpful?