Druid
Overview
Following the installation of Druid through Ambari UI, you can strengthen security by introducing authentication or authorization features as per your requirements.
Enabling Kerberos in Druid
Enabling Kerberos for Druid in Ambari triggers an automatic update of the necessary Kerberos configurations in Druid, ensuring a simple and efficient integration of security measures.
To enable Kerberos in Druid, the following updates are necessary:
- Include "druid-kerberos" in the loaded extensions list found in Advanced Druid-Common under "druid.extensions.loadList".
- Add the following configurations to Custom Druid-Common. Here are the Kerberos configurations specific to Druid:
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secret
druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytab
druid.auth.authenticator.kerberos.serverPrincipal=<Default value added by Ambari, HTTP/_HOST@ADSRE.COM>
druid.auth.authenticator.kerberos.authToLocal=<This value will be added by Ambari by default>
druid.hadoop.security.authentication=kerberos
druid.hadoop.security.kerberos.keytab=<druid.headless.keytab location>
druid.hadoop.security.kerberos.principal=<Druid-kerberos-Principal-name>
druid.escalator.type=kerberos
druid.escalator.internalClientPrincipal=<Druid-kerberos-Principal-name>
druid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytab
druid.escalator.authorizerName=<basic/ldapauth>

Presented below is an illustrative example:
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.cookieSignatureSecret=cookie-signature-secret
druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/spnego.service.keytab
druid.auth.authenticator.kerberos.serverPrincipal=HTTP/_HOST@ADSRE.COM
druid.auth.authenticator.kerberos.authToLocal=<This value will be added by Ambari by default>
druid.hadoop.security.authentication=kerberos
druid.hadoop.security.kerberos.keytab=/etc/security/keytabs/druid.headless.keytab
druid.hadoop.security.kerberos.principal=druid-odp_focal@ADSRE.COM
druid.escalator.type=kerberos
druid.escalator.internalClientPrincipal=druid-odp_focal@ADSRE.COM
druid.escalator.internalClientKeytab=/etc/security/keytabs/druid.headless.keytab
druid.escalator.authorizerName=basic

Enabling LDAP on Druid
To enable authentication and authorization for Druid, incorporate the provided configurations into the Custom Druid-Common settings.
Here are the LDAP configurations specific to Druid.
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base-dn>
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<bindPassword>
druid.auth.authenticator.ldap.credentialsValidator.bindUser=<bindUser>
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<ldap_host>:<port>
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=<userAttribute>
druid.auth.authenticator.ldap.credentialsValidator.userSearch=<userSearch>
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticatorChain=["ldap"]
druid.auth.authorizer.ldap.roleProvider.ldapGroupAttribute=<ldapGroup-Attribute>
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.initialAdminUser=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizers=["ldapauth"]
druid.escalator.type=basic
druid.escalator.authorizerName=ldapauth
druid.escalator.internalClientUsername=<internal-Client-Username>
druid.escalator.internalClientPassword=<internal-Client-Password>

Presented below is an illustrative example.
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=hadoop,dc=apache,dc=org
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=admin-password
druid.auth.authenticator.ldap.credentialsValidator.bindUser=uid=admin,ou=people,dc=hadoop,dc=apache,dc=org
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<ldap_host>:33389
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=uid
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(cn=%s)(objectClass=inetOrgPerson))
druid.auth.authenticator.ldap.enableCacheNotifications=true
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticatorChain=["ldap"]
druid.auth.authorizer.ldap.roleProvider.ldapGroupAttribute=member
druid.auth.authorizer.ldapauth.initialAdminRole=admin
druid.auth.authorizer.ldapauth.initialAdminUser=admin
druid.auth.authorizer.ldapauth.roleProvider.type=ldap
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizers=["ldapauth"]
druid.escalator.type=basic
druid.escalator.authorizerName=ldapauth
druid.escalator.internalClientUsername=internal@example.com
druid.escalator.internalClientPassword=internaluserpassword
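The Kerberos and LDAP blocks above tie authenticators, authorizers and the escalator together by name, so a quick consistency check before saving Custom Druid-Common catches mismatched names, leftover placeholders and a non-TLS LDAP URL. This is an added example, not code from this page, Ambari or Druid; `parse_properties`, `lint`, the sample hostname and the rule that every `druid.auth.authorizer.<name>.` prefix should name an entry in `druid.auth.authorizers` are assumptions.

```python
import json
import re

# Constructed sample, modelled on the LDAP example above (values are illustrative).
SAMPLE = """\
druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.authorizerName=ldapauth
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ldap.example.internal:33389
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<bindPassword>
druid.auth.authorizers=["ldapauth"]
druid.auth.authorizer.ldapauth.type=basic
druid.auth.authorizer.ldap.roleProvider.ldapGroupAttribute=member
druid.escalator.authorizerName=ldapauth
"""

def parse_properties(text):
    """Parse key=value lines; split on the first '=' so LDAP filters and DNs survive."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def lint(props):
    """Return findings for name mismatches, placeholders and non-TLS LDAP URLs."""
    findings = []
    chain = json.loads(props.get("druid.auth.authenticatorChain", "[]"))
    authorizers = json.loads(props.get("druid.auth.authorizers", "[]"))
    for name in chain:
        if f"druid.auth.authenticator.{name}.type" not in props:
            findings.append(f"authenticator '{name}' is in the chain but has no .type")
    for key, value in props.items():
        m = re.match(r"druid\.auth\.authorizer\.([^.]+)\.", key)
        if m and m.group(1) not in authorizers:
            findings.append(f"{key}: authorizer '{m.group(1)}' not in druid.auth.authorizers")
        if key.endswith(".authorizerName") and value not in authorizers:
            findings.append(f"{key}: '{value}' not in druid.auth.authorizers")
        if key.endswith(".credentialsValidator.url") and value.startswith("ldap://"):
            findings.append(f"{key}: ldap:// URL is not TLS-protected; prefer ldaps://")
        if re.fullmatch(r"<.*>", value) or value == "cookie-signature-secret":
            findings.append(f"{key}: placeholder value left in place")
    return findings

if __name__ == "__main__":
    print("\n".join(lint(parse_properties(SAMPLE))))
```

On the constructed sample it reports the `ldap://` URL, the unfilled `<bindPassword>`, and the `ldapGroupAttribute` key that sits under authorizer name `ldap` while only `ldapauth` is listed in `druid.auth.authorizers`.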