writer-jill commented on code in PR #13245: URL: https://github.com/apache/druid/pull/13245#discussion_r1011650055
########## docs/operations/auth-ldap.md: ########## @@ -22,182 +23,279 @@ title: "LDAP auth" ~ under the License. --> +You can use [Lightweight Directory Access Protocol (LDAP)](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) to secure access to Apache Druid. This topic describes how to set up Druid authentication and authorization with LDAP and LDAP over TLS (LDAPS). The examples on this page show the configuration for an Active Directory LDAP system. -This page describes how to set up Druid user authentication and authorization through LDAP. The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to roles and assign permissions to roles. +The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to Druid roles and assign permissions to those roles. After you've completed this configuration you can optionally choose to enable LDAPS to make LDAP traffic confidential and secure. -## Enable LDAP in Druid +## Prerequisites -Before starting, verify that the active directory is reachable from the Druid Master servers. Command line tools such as `ldapsearch` and `ldapwhoami`, which are included with OpenLDAP, are useful for this testing. +Before you start to configure LDAP for Druid, test your LDAP connection and perform a sample search. -### Check the connection +### Check your LDAP connection -First test that the basic connection and user credential works. For example, given a user `[email protected]`, try: +Verify that your LDAP connection is working by testing it with user credentials. For example, the following command tests the connection for the user `[email protected]`. Insert your LDAP server IP address and substitute `389` for the port number of your LDAP instance, if different. ```bash -ldapwhoami -vv -H ldap://<ip_address>:389 -D"[email protected]" -W +ldapwhoami -vv -H ldap://ip_address:389 -D "[email protected]" -W ``` -Enter the password associated with the user when prompted and verify that the command succeeded. If it didn't, try the following troubleshooting steps: +Enter the password for the user when prompted and verify that the command succeeded. If it failed, check the following: -* Verify that you've used the correct port for your LDAP instance. By default, the LDAP port is 389, but double-check with your LDAP admin if unable to connect. -* Check whether a network firewall is not preventing connections to the LDAP port. -* Check whether LDAP clients need to be specifically whitelisted at the LDAP server to be able to reach it. If so, add the Druid Coordinator server to the AD whitelist. +- Make sure you're using the correct port for your LDAP instance. +- Check whether a network firewall is preventing connections to the LDAP port. +- Review your LDAP implementation details to see whether you need to specifically whitelist LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the whitelist. +### Test your LDAP search -### Check the search criteria +Once your LDAP connection is working, search for a user. For example, the following command searches for the user myuser in an Active Directory system. The `sAMAccountName` attribute is specific to Active Directory and contains the authenticated user identity: -After verifying basic connectivity, check your search criteria. For example, the command for searching for user `[email protected] ` is as follows: +```bash +ldapsearch -x -W -H ldap://ip_address:389 -D "cn=admin,dc=example,dc=com" -b "dc=example,dc=com" "(sAMAccountName=myuser)" + +``` + +The `memberOf` attribute in the results shows the groups the user belongs to. For example, the following response shows that the user is a member of the `group1` group: ```bash -ldapsearch -x -W -H ldap://<ldap_server> -D"[email protected]" -b "dc=example,dc=com" "(sAMAccountName=uuser1)" +memberOf: cn=group1,ou=groups,dc=example,dc=com ``` -Note the `memberOf` attribute in the results; it shows the groups that the user belongs to. You will use this value to map the LDAP group to the Druid roles later. This attribute may be implemented differently on different types of LDAP servers. For instance, some LDAP servers may support recursive groupings, and some may not. Some LDAP server implementations may not have any object classes that contain this attribute altogether. If your LDAP server does not use the `memberOf` attribute, then Druid will not be able to determine a user's group membership using LDAP. The sAMAccountName attribute used in this example contains the authenticated user identity. This is an attribute of an object class specific to Microsoft Active Directory. The object classes and attribute used in your LDAP server may be different. +You use this information to map the LDAP group to Druid roles in a later step. + +> Druid uses the `memberOf` attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you [map LDAP groups to Druid roles](). -## Configure Druid user authentication with LDAP/Active Directory +## Configure Druid for LDAP authentication -1. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. See [Security Overview](security-overview.md) for details. -2. As a best practice, create a user in LDAP to be used for internal communication with Druid. -3. In `common.runtime.properties`, update LDAP-related properties, as shown in the following listing: - ``` - druid.auth.authenticatorChain=["ldap"] - druid.auth.authenticator.ldap.type=basic - druid.auth.authenticator.ldap.enableCacheNotifications=true - druid.auth.authenticator.ldap.credentialsValidator.type=ldap - druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<AD host>:<AD port> - druid.auth.authenticator.ldap.credentialsValidator.bindUser=<AD admin user, e.g.: [email protected]> - druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<AD admin password> - druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base dn, e.g.: dc=example,dc=com> - druid.auth.authenticator.ldap.credentialsValidator.userSearch=<The LDAP search, e.g.: (&(sAMAccountName=%s)(objectClass=user))> - druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName - druid.auth.authenticator.ldap.authorizerName=ldapauth - druid.escalator.type=basic - druid.escalator.internalClientUsername=<AD internal user, e.g.: [email protected]> - druid.escalator.internalClientPassword=Welcome123 - druid.escalator.authorizerName=ldapauth - druid.auth.authorizers=["ldapauth"] - druid.auth.authorizer.ldapauth.type=basic - druid.auth.authorizer.ldapauth.initialAdminUser=AD user who acts as the initial admin user, e.g.: [email protected]> - druid.auth.authorizer.ldapauth.initialAdminRole=admin - druid.auth.authorizer.ldapauth.roleProvider.type=ldap +To configure Druid to use LDAP authentication, follow these steps. See [Configuration reference](../configuration/index.md) for the location of the configuration files. + +1. Create a user in your LDAP system that you'll use for internal communication with Druid. See [Security overview](./security-overview.md) for more information. +In the example below, the LDAP user is `[email protected]`. + +2. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. + +3. In the `common.runtime.properties` file, add the following lines for LDAP properties and substitute the values for your own. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication) for details about these properties. + ``` + druid.auth.authenticatorChain=["ldap"] + druid.auth.authenticator.ldap.type=basic + druid.auth.authenticator.ldap.enableCacheNotifications=true + druid.auth.authenticator.ldap.credentialsValidator.type=ldap + druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ip_address:port + druid.auth.authenticator.ldap.credentialsValidator.bindUser=administra...@example.com + druid.auth.authenticator.ldap.credentialsValidator.bindPassword=adminpassword + druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com + druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName + druid.auth.authenticator.ldap.authorizerName=ldapauth + druid.escalator.type=basic + [email protected] + druid.escalator.internalClientPassword=internaluserpassword + druid.escalator.authorizerName=ldapauth + druid.auth.authorizers=["ldapauth"] + druid.auth.authorizer.ldapauth.type=basic + druid.auth.authorizer.ldapauth.initialAdminUser=inter...@example.com + druid.auth.authorizer.ldapauth.initialAdminRole=admin + druid.auth.authorizer.ldapauth.roleProvider.type=ldap + ``` + Note the following: - Notice that the LDAP user created in the previous step, `[email protected]`, serves as the internal client user and the initial admin user. + - `bindUser`: A user for connecting to LDAP. + - `userSearch`: Your LDAP search syntax. + - `userAttribute`: The user search attribute. + - `[email protected]` is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user. -## Use LDAP groups to assign roles + > In the above example, the [Druid escalator](../development/extensions-core/druid-basic-security.md#escalator) and LDAP initial admin user are set to the same user - [email protected]. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function. -You can map LDAP groups to a role in Druid. Members in the group get access to the permissions of the corresponding role. +4. Save your group mapping to a JSON file. An example file `groupmap.json` looks like this: + + ``` + { + "name": "group1map", + "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "roles": [ + "readRole" + ] + } + ``` + In the example, the LDAP group `group1` maps to Druid role `readRole` and the name of the mapping is `group1map`. +5. Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in `groupmap.json` for the LDAP group `group1`: + + ``` + curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map + ``` +6. Check that the group mapping was created successfully. The following example request lists all group mappings: + + ``` + curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings + ``` -### Step 1: Create a role +## Map LDAP groups to Druid roles -First create the role in Druid using the Druid REST API. +Once you've completed the initial setup and mapping, you can map more LDAP groups to Druid roles. Members of an LDAP group get access to the permissions of the corresponding Druid role. -Creating a role involves submitting a POST request to the Coordinator process. +### Step 1: Create a Druid role -The following REST APIs to create the role to read access for datasource, config, state. +To create a Druid role, you submit a POST request to the Coordinator process using the Druid REST API. -> As mentioned, the REST API calls need to address the Coordinator node. The examples used below use localhost as the Coordinator host and 8081 as the port. Adjust these settings according to your deployment. +The examples below use `localhost` as the Coordinator host and `8081` as the port. Amend these properties according to the details of your deployment. -Call the following API to create role `readRole` . +Example request to create a role named `readRole`: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole ``` -Check that the role has been created successfully by entering the following: +Check that the role was created successfully. The following example request lists all roles: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles ``` +### Step 2: Add permissions to the Druid role -### Step 2: Add permissions to a role - -You can now add one or more permission to the role. The following example adds read-only access to a `wikipedia` data source. +Once you have a Druid role you can add permissions to it. The following example adds read-only access to a `wikipedia` data source. Given the following JSON in a file named `perm.json`: ``` -[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" } -,{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" }, -{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}] -``` - -The following command associates the permissions in the JSON file with the role - -``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST [email protected] http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions +[ + { "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }, + { "resource": { "name": ".*", "type": "STATE" }, "action": "READ" }, + { "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"} +] ``` -Note that the STATE and CONFIG permissions in `perm.json` are needed to see the data source in the web console. If only querying permissions are needed, the READ action is sufficient: +The following request associates the permissions in the JSON file with the `readRole` role: ``` -[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }] +curl -i -v -H "Content-Type: application/json" -u internal -X POST [email protected] http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions ``` -You can also provide the name in the form of regular expression. For example, to give access to all data sources starting with `wiki`, specify the name as `{ "name": "wiki.*", .....`. +Druid users need the `STATE` and `CONFIG` permissions to view the data source in the Druid console. If you only want to assign querying permissions you can apply just the `READ` permission with the first line in the `perm.json` file. +You can also provide the data source name in the form of a regular expression. For example, to give access to all data sources starting with `wiki`, you would specify the data source name as `{ "name": "wiki.*" }` . -### Step 3: Create group Mapping +### Step 3: Create the group mapping -The following shows an example of a group to role mapping. It assumes that a group named `group1` exists in the directory. Also assuming the following role mapping in a file named `groupmap.json`: +You can now map an LDAP group to the Druid role. The following example request creates a mapping with name `group1map`. It assumes that a group named `group1` exists in the directory. ``` { - "name": "group1map", - "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", - "roles": [ - "readRole" - ] + "name": "group1map", + "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "roles": [ + "readRole" + ] } ``` -You can configure the mapping as follows: +The following example request configures the mapping—the role mapping is in the file `groupmap.json`. See [Configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) for the contents of an example file. ``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map ``` -To check whether the group mapping was created successfully, run the following command: +To check whether the group mapping was created successfully, the following request lists all group mappings: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings ``` -To check the details of a specific group mapping, use the following: +The following example request returns the details of the `group1map` group: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map ``` -To add additional roles to the group mapping, use the following API: +The following example request adds the role `queryRole` to the `group1map` mapping: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole> +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/queryrole Review Comment: Updated. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
