Druid

Overview

Following the installation of Druid through Ambari UI, you can strengthen security by introducing authentication or authorization features as per your requirements.

Enabling Kerberos in Druid

Enabling Kerberos for Druid in Ambari triggers an automatic update of the necessary Kerberos configurations in Druid, ensuring a simple and efficient integration of security measures.

To enable Kerberos in Druid, the following updates are necessary:

  1. Include "druid-kerberos" in the loaded extensions list found in Advanced Druid-Common under "druid.extensions.loadList”.

  2. Add the following configurations to Custom Druid-Common. Here are the Kerberos configurations specific to Druid:

druid.auth.authenticatorChain=["kerberos"] druid.auth.authenticator.kerberos.type=kerberos druid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secret druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytab druid.auth.authenticator.kerberos.serverPrincipal=<Default values added by Amabri HTTP/_HOST@ADSRE.COM > druid.auth.authenticator.kerberos.authToLocal=<This value will be added by ambari by-defaut> druid.hadoop.security.authentication=kerberos druid.hadoop.security.kerberos.keytab=<druid.headless.keytab location> druid.hadoop.security.kerberos.principal=<Druid-kerberos-Principle-name> druid.escalator.type=kerberos druid.escalator.internalClientPrincipal=<Druid-kerberos-Principle-name > druid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytab druid.escalator.authorizerName=<basic/ldapauth>

Presented below is an illustrative example:

druid.auth.authenticatorChain=["kerberos"] druid.auth.authenticator.kerberos.type=kerberos druid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secret druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytab druid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@ADSRE.COM druid.auth.authenticator.kerberos.authToLocal=<This value will be added by ambari by-defaut> druid.hadoop.security.authentication=kerberos druid.hadoop.security.kerberos.keytab=/etc/security/keytabs/druid.headless.keytab druid.hadoop.security.kerberos.principal=druid-odp_focal@ADSRE.COM druid.escalator.type=kerberos druid.escalator.internalClientPrincipal=druid-odp_focal@ADSRE.COM druid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytab druid.escalator.authorizerName=basic

Enabling LDAP on Druid

To enable authentication and authorization for Druid, incorporate the provided configurations into the Custom Druid-Common settings.

Here are the Kerberos configurations specific to Druid.

druid.auth.authenticator.ldap.authorizerName=ldapauth druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base-dn> druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<bindPassword> druid.auth.authenticator.ldap.credentialsValidator.bindUser=<bindUser> druid.auth.authenticator.ldap.credentialsValidator.type=ldap druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<ldap_host>:<port> druid.auth.authenticator.ldap.credentialsValidator.userAttribute=<userAttribute> druid.auth.authenticator.ldap.credentialsValidator.userSearch=<userSearch> druid.auth.authenticator.ldap.enableCacheNotifications=true druid.auth.authenticator.ldap.type=basic druid.auth.authenticatorChain=["ldap"] druid.auth.authorizer.ldap.roleProvider.ldapGroupAttribute=<ldapGroup-Attribute> druid.auth.authorizer.ldapauth.initialAdminRole=admin druid.auth.authorizer.ldapauth.initialAdminUser=admin druid.auth.authorizer.ldapauth.roleProvider.type=ldap druid.auth.authorizer.ldapauth.type=basic druid.auth.authorizers=["ldapauth"] druid.escalator.type=basic druid.escalator.authorizerName=ldapauth druid.escalator.internalClientUsername=<internal-Client-Username> druid.escalator.internalClientPassword=<internal-Client-Password>

Presented below is an illustrative example.

druid.auth.authenticator.ldap.authorizerName=ldapauth druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=hadoop,dc=apache,dc=org druid.auth.authenticator.ldap.credentialsValidator.bindPassword=admin-password druid.auth.authenticator.ldap.credentialsValidator.bindUser=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org druid.auth.authenticator.ldap.credentialsValidator.type=ldap druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<ldap_host>:33389 druid.auth.authenticator.ldap.credentialsValidator.userAttribute=uid druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(cn=%s)(objectClass=inetOrgPerson)) druid.auth.authenticator.ldap.enableCacheNotifications=true druid.auth.authenticator.ldap.type=basic druid.auth.authenticatorChain=["ldap"] druid.auth.authorizer.ldap.roleProvider.ldapGroupAttribute=member druid.auth.authorizer.ldapauth.initialAdminRole=admin druid.auth.authorizer.ldapauth.initialAdminUser=admin druid.auth.authorizer.ldapauth.roleProvider.type=ldap druid.auth.authorizer.ldapauth.type=basic druid.auth.authorizers=["ldapauth"] druid.escalator.type=basic druid.escalator.authorizerName=ldapauth druid.escalator.internalClientUsername=internal@example.com druid.escalator.internalClientPassword=internaluserpassword


  Last updated