This is an automated email from the ASF dual-hosted git repository.
techdocsmith pushed a commit to branch 25.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/25.0.0 by this push:
new baf6ca427b LDAP docs backport (#13453)
baf6ca427b is described below
commit baf6ca427b0556049510a4a3a9d2836ddbbd4936
Author: Jill Osborne <[email protected]>
AuthorDate: Fri Dec 2 00:35:27 2022 +0000
LDAP docs backport (#13453)
* Update LDAP configuration docs
(cherry picked from commit e74bd89bab690dacf538c49cd8093e0e5075b3e5)
* Updated after review
(cherry picked from commit 882e0b2ccc451b40dc56b59c0fa1ddcbc92cc558)
* Update auth-ldap.md
Updated.
(cherry picked from commit d4f0797cee70c1bbf9a7bdfd903cb6d9266abdb0)
* Update auth-ldap.md
(cherry picked from commit fbec7b29278630fe16ccb1105fce7ab3142b9d3c)
* Updated spelling file
(cherry picked from commit ef5316b2640875f461fcbe8de3ff219a57d3b8eb)
* Update docs/operations/auth-ldap.md
Co-authored-by: Charles Smith <[email protected]>
(cherry picked from commit 1a9b42af992fe6797e84573c65a8d3ade3155c82)
* Update docs/operations/auth-ldap.md
Co-authored-by: Charles Smith <[email protected]>
(cherry picked from commit 1018d9a0f4d23d58acc7d4dcd4ba20d522a21791)
* Update docs/operations/auth-ldap.md
Co-authored-by: Charles Smith <[email protected]>
(cherry picked from commit dd81b3f7dea7aaa27f78394e21d61710354e53d9)
* Update auth-ldap.md
(cherry picked from commit f0655cfb81c27999980563685d08e3ba5a599bb1)
---
.../extensions-core/druid-basic-security.md | 420 +++++++++++++++++----
docs/operations/auth-ldap.md | 295 ++++++++++-----
docs/operations/security-overview.md | 75 +---
website/.spelling | 3 +
4 files changed, 542 insertions(+), 251 deletions(-)
diff --git a/docs/development/extensions-core/druid-basic-security.md
b/docs/development/extensions-core/druid-basic-security.md
index b6698b4f15..4e042b4405 100644
--- a/docs/development/extensions-core/druid-basic-security.md
+++ b/docs/development/extensions-core/druid-basic-security.md
@@ -53,12 +53,29 @@ To set the value for the configuration properties, add them
to the common runtim
### General properties
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often
processes should poll the Coordinator for the current Druid metadata store
authenticator/authorizer state.|60000|No|
-|`druid.auth.basic.common.maxRandomDelay`|Defines in milliseconds the amount
of random delay to add to the pollingPeriod, to spread polling requests across
time.|6000|No|
-|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service
will retry if the authentication/authorization Druid metadata store state sync
with the Coordinator fails.|10|No|
-|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic
Authenticator and Authorizer Druid metadata store caches will be stored on disk
in this directory. If this property is defined, when a service is starting, it
will attempt to initialize its caches from these on-disk snapshots, if the
service is unable to initialize its state by communicating with the
Coordinator.|null|No|
+**`druid.auth.basic.common.pollingPeriod`**
+
+Defines in milliseconds how often processes should poll the Coordinator for
the current Druid metadata store authenticator/authorizer state.<br>
+ **Required**: No<br>
+ **Default**: 60000
+
+**`druid.auth.basic.common.maxRandomDelay`**
+
+Defines in milliseconds the amount of random delay to add to the
pollingPeriod, to spread polling requests across time.<br>
+ **Required**: No<br>
+ **Default**: 6000
+
+**`druid.auth.basic.common.maxSyncRetries`**
+
+Determines how many times a service will retry if the
authentication/authorization Druid metadata store state sync with the
Coordinator fails.<br>
+ **Required**: No<br>
+ **Default**: 10
+
+**`druid.auth.basic.common.cacheDirectory`**
+
+If defined, snapshots of the basic Authenticator and Authorizer Druid metadata
store caches will be stored on disk in this directory. If this property is
defined, when a service is starting, it will attempt to initialize its caches
from these on-disk snapshots, if the service is unable to initialize its state
by communicating with the Coordinator.<br>
+ **Required**: No<br>
+ **Default**: null
### Authenticator
@@ -96,16 +113,55 @@ The remaining examples of authenticator configuration use
either `MyBasicMetadat
#### Properties for Druid metadata store user authentication
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`|Initial
[Password Provider](../../operations/password-provider.md) for the
automatically created default admin user. If no password is specified, the
default admin user will not be created. If the default admin user already
exists, setting this property will not affect its password.|null|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`|Initial
[Password Provider](../../operations/password-provider.md) for the default
internal system user, used for internal process communication. If no password
is specified, the default internal system user will not be created. If the
default internal system user already exists, setting this property will not
affect its password.|null|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authenticator occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`|Number
of iterations to use for password hashing. See [Credential iterations and API
performance](#credential-iterations-and-api-performance)|10000|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`|The
type of credentials store (metadata) to validate requests
credentials.|metadata|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`|If true
and the request credential doesn't exists or isn't fully configured in the
credentials store, the request will proceed to next Authenticator in the
chain.|false|No|
-|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer
that requests should be directed to|N/A|Yes|
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`**
+
+Initial [Password Provider](../../operations/password-provider.md) for the
automatically created default admin user. If no password is specified, the
default admin user will not be created. If the default admin user already
exists, setting this property will not affect its password.<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`**
+
+Initial [Password Provider](../../operations/password-provider.md) for the
default internal system user, used for internal process communication. If no
password is specified, the default internal system user will not be created. If
the default internal system user already exists, setting this property will not
affect its password.<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authenticator occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: True
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`**
+
+Number of iterations to use for password hashing. See [Credential iterations
and API performance](#credential-iterations-and-api-performance)<br>
+ **Required**: No<br>
+ **Default**: 10000
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`**
+
+The type of credentials store (metadata) to validate requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`**
+
+If true and the request credential doesn't exists or isn't fully configured in
the credentials store, the request will proceed to next Authenticator in the
chain.<br>
+ **Required**: No<br>
+ **Default**: false
+
+**`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`**
+
+Authorizer that requests should be directed to.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
##### Credential iterations and API performance
@@ -121,25 +177,107 @@ If Druid uses the default credentials validator (i.e.,
`credentialsValidator.typ
#### Properties for LDAP user authentication
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`|Initial
[Password Provider](../../operations/password-provider.md) for the
automatically created default admin user. If no password is specified, the
default admin user will not be created. If the default admin user already
exists, setting this property will not affect its password.|null|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`|Initial
[Password Provider](../../operations/password-provider.md) for the default
internal system user, used for internal process communication. If no password
is specified, the default internal system user will not be created. If the
default internal system user already exists, setting this property will not
affect its password.|null|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authenticator occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`|Number
of iterations to use for password hashing.|10000|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`|The
type of credentials store (ldap) to validate requests credentials.|metadata|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`|URL
of the LDAP server.|null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`|LDAP
bind user username.|null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`|[Password
Provider](../../operations/password-provider.md) LDAP bind user
password.|null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`|The
point from where the LDAP server will search for users.|null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`|The
filter/expression to use for the search. For example,
(&(sAMAccountName=%s)(objectClass=user))|null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`|The
attribute id identifying the attribute that will be returned as part of the
search. For example, sAMAccountName. |null|Yes|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`|The
duration in seconds for how long valid credentials are verifiable within the
cache when not requested.|600|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`|The
max duration in seconds for valid credentials that can reside in cache
regardless of how often they are requested.|3600|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`|The
valid credentials cache size. The cache uses a LRU policy.|100|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`|If true and
the request credential doesn't exists or isn't fully configured in the
credentials store, the request will proceed to next Authenticator in the
chain.|false|No|
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`|Authorizer
that requests should be directed to.|N/A|Yes|
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`**
+
+Initial [Password Provider](../../operations/password-provider.md) for the
automatically created default admin user. If no password is specified, the
default admin user will not be created. If the default admin user already
exists, setting this property will not affect its password.<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`**
+
+Initial [Password Provider](../../operations/password-provider.md) for the
default internal system user, used for internal process communication. If no
password is specified, the default internal system user will not be created. If
the default internal system user already exists, setting this property will not
affect its password.<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authenticator occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: true
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`**
+
+Number of iterations to use for password hashing.<br>
+ **Required**: No<br>
+ **Default**: 10000
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`**
+
+The type of credentials store (ldap) to validate requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`**
+
+URL of the LDAP server.<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`**
+
+LDAP bind user username.<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`**
+
+[Password Provider](../../operations/password-provider.md) LDAP bind user
password.<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`**
+
+The point from where the LDAP server will search for users.<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`**
+
+The filter/expression to use for the search. For example,
(&(sAMAccountName=%s)(objectClass=user))<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`**
+
+The attribute id identifying the attribute that will be returned as part of
the search. For example, sAMAccountName.<br>
+ **Required**: Yes<br>
+ **Default**: null
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`**
+
+The duration in seconds for how long valid credentials are verifiable within
the cache when not requested.<br>
+ **Required**: No<br>
+ **Default**: 600
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`**
+
+The max duration in seconds for valid credentials that can reside in cache
regardless of how often they are requested.<br>
+ **Required**: No<br>
+ **Default**: 3600
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`**
+
+The valid credentials cache size. The cache uses a LRU policy.<br>
+ **Required**: No<br>
+ **Default**: 100
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`**
+
+If true and the request credential doesn't exists or isn't fully configured in
the credentials store, the request will proceed to next Authenticator in the
chain.<br>
+ **Required**: No<br>
+ **Default**: false
+
+**`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`**
+
+Authorizer that requests should be directed to.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
### Escalator
@@ -155,11 +293,24 @@ druid.escalator.authorizerName=MyBasicMetadataAuthorizer
```
#### Properties
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.escalator.internalClientUsername`|The escalator will use this username
for requests made as the internal system user.|n/a|Yes|
-|`druid.escalator.internalClientPassword`|The escalator will use this
[Password Provider](../../operations/password-provider.md) for requests made as
the internal system user.|n/a|Yes|
-|`druid.escalator.authorizerName`|Authorizer that requests should be directed
to.|n/a|Yes|
+
+**`druid.escalator.internalClientUsername`**
+
+The escalator will use this username for requests made as the internal system
user.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.escalator.internalClientPassword`**
+
+The escalator will use this [Password
Provider](../../operations/password-provider.md) for requests made as the
internal system user.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.escalator.authorizerName`**
+
+Authorizer that requests should be directed to.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
### Authorizer
@@ -182,24 +333,131 @@
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
The examples in the rest of this article use `MyBasicMetadataAuthorizer` or
`MyBasicLDAPAuthorizer` as the authorizer name.
#### Properties for Druid metadata store user authorization
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The
initial admin user with role defined in initialAdminRole property if specified,
otherwise the default admin role will be assigned.|admin|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The
initial admin role to create if it doesn't already exists.|admin|No|
-|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type
of role provider to authorize requests credentials.|metadata|No
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: true
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`**
+
+The initial admin user with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`**
+
+The initial admin role to create if it doesn't already exists.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`**
+
+The type of role provider to authorize requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
#### Properties for LDAP user authorization
-|Property|Description|Default|required|
-|--------|-----------|-------|--------|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If
true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.|true|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The
timeout in milliseconds for the cache notifications.|5000|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial
admin user with role defined in initialAdminRole property if specified,
otherwise the default admin role will be assigned.|admin|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial
admin role to create if it doesn't already exists.|admin|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The
initial admin group mapping with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned. The name of this
initial admin group mapping will be set to adminGroupMapping|null|No|
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of
role provider (ldap) to authorize requests credentials.|metadata|No
-|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array
of LDAP group filters used to filter out the allowed set of groups returned
from LDAP search. Filters can be begin with *, or end with ,* to provide
configurational flexibility to limit or filter allowed set of groups available
to LDAP Authorizer.|null|No|
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`**
+
+If true, the Coordinator will notify Druid processes whenever a configuration
change to this Authorizer occurs, allowing them to immediately update their
state without waiting for polling.<br>
+ **Required**: No<br>
+ **Default**: true
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`**
+
+The timeout in milliseconds for the cache notifications.<br>
+ **Required**: No<br>
+ **Default**: 5000
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`**
+
+The initial admin user with role defined in initialAdminRole property if
specified, otherwise the default admin role will be assigned.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`**
+
+The initial admin role to create if it doesn't already exists.<br>
+ **Required**: No<br>
+ **Default**: admin
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`**
+
+The initial admin group mapping with role defined in initialAdminRole property
if specified, otherwise the default admin role will be assigned. The name of
this initial admin group mapping will be set to adminGroupMapping<br>
+ **Required**: No<br>
+ **Default**: null
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`**
+
+The type of role provider (ldap) to authorize requests credentials.<br>
+ **Required**: No<br>
+ **Default**: metadata
+
+**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`**
+
+Array of LDAP group filters used to filter out the allowed set of groups
returned from LDAP search. Filters can be begin with *, or end with ,* to
provide configurational flexibility to limit or filter allowed set of groups
available to LDAP Authorizer.<br>
+ **Required**: No<br>
+ **Default**: null
+
+#### Properties for LDAPS
+
+Use the following properties to configure Druid authentication with LDAP over
TLS (LDAPS). See [Configure LDAP authentication](../../operations/auth-ldap.md)
for more information.
+
+**`druid.auth.basic.ssl.protocol`**
+
+SSL protocol to use. The TLS version is 1.2.<br>
+ **Required**: Yes<br>
+ **Default**: tls
+
+**`druid.auth.basic.ssl.trustStorePath`**
+
+Path to the trust store file.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStorePassword`**
+
+Password to access the trust store file.<br>
+ **Required**: Yes<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStoreType`**
+
+Format of the trust store file. For Java the format is jks.<br>
+ **Required**: No<br>
+ **Default**: jks
+
+**`druid.auth.basic.ssl.trustStoreAlgorithm`**
+
+Algorithm used by the trust manager to validate certificate chains.<br>
+ **Required**: No<br>
+ **Default**: N/A
+
+**`druid.auth.basic.ssl.trustStorePassword`**
+
+Password details that enable access to the truststore.<br>
+ **Required**: No<br>
+ **Default**: N/A
+
+Example LDAPS configuration:
+
+```json
+druid.auth.basic.ssl.protocol=tls
+druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks
+druid.auth.basic.ssl.trustStorePassword=xxxxx
+druid.auth.basic.ssl.trustStoreType=jks
+druid.auth.basic.ssl.trustStoreAlgorithm=PKIX
+```
+You can configure `druid.auth.basic.ssl.trustStorePassword` to be a plain text
password or you can set the password as an environment variable. See [Password
providers](../../operations/password-provider.md) for more information.
## Usage
@@ -213,19 +471,19 @@ Root path: `/druid-ext/basic-security/authentication`
Each API endpoint includes {authenticatorName}, specifying which Authenticator
instance is being configured.
##### User/Credential Management
-`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)`
+`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)`<br>
Return a list of all user names.
-`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
+`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Return the name and credentials information of the user with name {userName}
-`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
+`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Create a new user with name {userName}
-`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
+`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`<br>
Delete the user with name {userName}
-`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)`
+`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)`<br>
Assign a password used for HTTP basic authentication for {userName}
Content: JSON password request object
@@ -238,20 +496,20 @@ Example request body:
```
##### Cache Load Status
-`GET(/druid-ext/basic-security/authentication/loadStatus)`
+`GET(/druid-ext/basic-security/authentication/loadStatus)`<br>
Return the current load status of the local caches of the authentication Druid
metadata store.
#### Authorization API
-Root path: `/druid-ext/basic-security/authorization`
+Root path: `/druid-ext/basic-security/authorization`<br>
Each API endpoint includes {authorizerName}, specifying which Authorizer
instance is being configured.
##### User Creation/Deletion
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)`<br>
Return a list of all user names.
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Return the name and role information of the user with name {userName}
Example output:
@@ -338,20 +596,20 @@ The `resourceNamePattern` is a compiled version of the
resource name regex. It i
}
```
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Create a new user with name {userName}
-`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
+`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`<br>
Delete the user with name {userName}
##### Group mapping Creation/Deletion
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)`<br>
Return a list of all group mappings.
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Return the group mapping and role information of the group mapping with name
{groupMappingName}
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Create a new group mapping with name {groupMappingName}
Content: JSON group mapping object
Example request body:
@@ -366,14 +624,14 @@ Example request body:
}
```
-`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
+`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`<br>
Delete the group mapping with name {groupMappingName}
#### Role Creation/Deletion
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`<br>
Return a list of all role names.
-`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
+`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Return name and permissions for the role named {roleName}.
Example output:
@@ -427,30 +685,30 @@ Example output:
```
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Create a new role with name {roleName}.
Content: username string
-`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
+`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`<br>
Delete the role with name {roleName}.
#### Role Assignment
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`<br>
Assign role {roleName} to user {userName}.
-`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
+`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`<br>
Unassign role {roleName} from user {userName}
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`<br>
Assign role {roleName} to group mapping {groupMappingName}.
-`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
+`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`<br>
Unassign role {roleName} from group mapping {groupMappingName}
#### Permissions
-`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`
+`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`<br>
Set the permissions of {roleName}. This replaces the previous set of
permissions on the role.
Content: List of JSON Resource-Action objects, e.g.:
@@ -479,5 +737,5 @@ The "name" field for resources in the permission
definitions are regexes used to
Please see [Defining
permissions](../../operations/security-user-auth.md#defining-permissions) for
more details.
##### Cache Load Status
-`GET(/druid-ext/basic-security/authorization/loadStatus)`
+`GET(/druid-ext/basic-security/authorization/loadStatus)`<br>
Return the current load status of the local caches of the authorization Druid
metadata store.
diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md
index b9603a0c38..5a2d8b7e29 100644
--- a/docs/operations/auth-ldap.md
+++ b/docs/operations/auth-ldap.md
@@ -1,6 +1,7 @@
---
id: auth-ldap
-title: "LDAP auth"
+title: "Configure LDAP authentication"
+sidebar_label: "LDAP auth"
---
<!--
@@ -22,182 +23,284 @@ title: "LDAP auth"
~ under the License.
-->
+You can use [Lightweight Directory Access Protocol
(LDAP)](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) to
secure access to Apache Druid. This topic describes how to set up Druid
authentication and authorization with LDAP and LDAP over TLS (LDAPS). The
examples on this page show the configuration for an Active Directory LDAP
system.
-This page describes how to set up Druid user authentication and authorization
through LDAP. The first step is to enable LDAP authentication and authorization
for Druid. You then map an LDAP group to roles and assign permissions to roles.
+The first step is to enable LDAP authentication and authorization for Druid.
You then map an LDAP group to Druid roles and assign permissions to those
roles. After you've completed this configuration you can optionally choose to
enable LDAPS to make LDAP traffic confidential and secure.
-## Enable LDAP in Druid
+## Prerequisites
-Before starting, verify that the active directory is reachable from the Druid
Master servers. Command line tools such as `ldapsearch` and `ldapwhoami`, which
are included with OpenLDAP, are useful for this testing.
+Before you start to configure LDAP for Druid, test your LDAP connection and
perform a sample search.
-### Check the connection
+### Check your LDAP connection
-First test that the basic connection and user credential works. For example,
given a user `[email protected]`, try:
+Test your LDAP connection to verify it works with user credentials. Later in
the process you [configure Druid for LDAP
authentication](#configure-druid-for-ldap-authentication) with this user as the
`bindUser`.
+
+The following example command tests the connection for the user
`[email protected]`. Insert your LDAP server IP address. Modify the port
number of your LDAP instance if it listens on a port other than `389`.
```bash
-ldapwhoami -vv -H ldap://<ip_address>:389 -D"[email protected]" -W
+ldapwhoami -vv -H ldap://ip_address:389 -D "[email protected]" -W
```
-Enter the password associated with the user when prompted and verify that the
command succeeded. If it didn't, try the following troubleshooting steps:
+Enter the password for the user when prompted and verify that the command
succeeded. If it failed, check the following:
+
+- Make sure you're using the correct port for your LDAP instance.
+- Check if a network firewall is preventing connections to the LDAP port.
+- Review your LDAP implementation details to see whether you need to
specifically allow LDAP clients at the LDAP server. If so, add the Druid
Coordinator server to the allow list.
-* Verify that you've used the correct port for your LDAP instance. By default,
the LDAP port is 389, but double-check with your LDAP admin if unable to
connect.
-* Check whether a network firewall is not preventing connections to the LDAP
port.
-* Check whether LDAP clients need to be specifically whitelisted at the LDAP
server to be able to reach it. If so, add the Druid Coordinator server to the
AD whitelist.
+### Test your LDAP search
+Once your LDAP connection is working, search for a user. For example, the
following command searches for the user `myuser` in an Active Directory system.
The `sAMAccountName` attribute is specific to Active Directory and contains the
authenticated user identity:
-### Check the search criteria
+```bash
+ldapsearch -x -W -H ldap://ip_address:389 -D "cn=admin,dc=example,dc=com" -b
"dc=example,dc=com" "(sAMAccountName=myuser)" +
+```
-After verifying basic connectivity, check your search criteria. For example,
the command for searching for user `[email protected] ` is as follows:
+The `memberOf` attribute in the results shows the groups the user belongs to.
For example, the following response shows that the user is a member of the
`mygroup` group:
```bash
-ldapsearch -x -W -H ldap://<ldap_server> -D"[email protected]" -b
"dc=example,dc=com" "(sAMAccountName=uuser1)"
+memberOf: cn=mygroup,ou=groups,dc=example,dc=com
```
-Note the `memberOf` attribute in the results; it shows the groups that the
user belongs to. You will use this value to map the LDAP group to the Druid
roles later. This attribute may be implemented differently on different types
of LDAP servers. For instance, some LDAP servers may support recursive
groupings, and some may not. Some LDAP server implementations may not have any
object classes that contain this attribute altogether. If your LDAP server does
not use the `memberOf` attribute, [...]
+You use this information to map the LDAP group to Druid roles in a later step.
+
+> Druid uses the `memberOf` attribute to determine a group's membership using
LDAP. If your LDAP server implementation doesn't include this attribute, you
must complete some additional steps when you [map LDAP groups to Druid
roles](#map-ldap-groups-to-druid-roles).
+
+## Configure Druid for LDAP authentication
+
+To configure Druid to use LDAP authentication, follow these steps. See
[Configuration reference](../configuration/index.md) for the location of the
configuration files.
+
+1. Create a user in your LDAP system that you'll use both for internal
communication with Druid and as the LDAP initial admin user. See [Security
overview](./security-overview.md) for more information.
+In the example below, the LDAP user is `[email protected]`.
-## Configure Druid user authentication with LDAP/Active Directory
+2. Enable the `druid-basic-security` extension in the
`common.runtime.properties` file.
-1. Enable the `druid-basic-security` extension in the
`common.runtime.properties` file. See [Security Overview](security-overview.md)
for details.
-2. As a best practice, create a user in LDAP to be used for internal
communication with Druid.
-3. In `common.runtime.properties`, update LDAP-related properties, as shown in
the following listing:
- ```
- druid.auth.authenticatorChain=["ldap"]
- druid.auth.authenticator.ldap.type=basic
- druid.auth.authenticator.ldap.enableCacheNotifications=true
- druid.auth.authenticator.ldap.credentialsValidator.type=ldap
- druid.auth.authenticator.ldap.credentialsValidator.url=ldap://<AD
host>:<AD port>
- druid.auth.authenticator.ldap.credentialsValidator.bindUser=<AD admin
user, e.g.: [email protected]>
- druid.auth.authenticator.ldap.credentialsValidator.bindPassword=<AD
admin password>
- druid.auth.authenticator.ldap.credentialsValidator.baseDn=<base dn,
e.g.: dc=example,dc=com>
- druid.auth.authenticator.ldap.credentialsValidator.userSearch=<The LDAP
search, e.g.: (&(sAMAccountName=%s)(objectClass=user))>
-
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
- druid.auth.authenticator.ldap.authorizerName=ldapauth
- druid.escalator.type=basic
- druid.escalator.internalClientUsername=<AD internal user, e.g.:
[email protected]>
- druid.escalator.internalClientPassword=Welcome123
- druid.escalator.authorizerName=ldapauth
- druid.auth.authorizers=["ldapauth"]
- druid.auth.authorizer.ldapauth.type=basic
- druid.auth.authorizer.ldapauth.initialAdminUser=AD user who acts as the
initial admin user, e.g.: [email protected]>
- druid.auth.authorizer.ldapauth.initialAdminRole=admin
- druid.auth.authorizer.ldapauth.roleProvider.type=ldap
+3. In the `common.runtime.properties` file, add the following lines for LDAP
properties and substitute the values for your own. See [Druid basic
security](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication)
for details about these properties.
+
+ ```
+ druid.auth.authenticatorChain=["ldap"]
+ druid.auth.authenticator.ldap.type=basic
+ druid.auth.authenticator.ldap.enableCacheNotifications=true
+ druid.auth.authenticator.ldap.credentialsValidator.type=ldap
+
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ip_address:port
+
druid.auth.authenticator.ldap.credentialsValidator.bindUser=administra...@example.com
+
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=adminpassword
+ druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com
+
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user))
+
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
+ druid.auth.authenticator.ldap.authorizerName=ldapauth
+ druid.escalator.type=basic
+ [email protected]
+ druid.escalator.internalClientPassword=internaluserpassword
+ druid.escalator.authorizerName=ldapauth
+ druid.auth.authorizers=["ldapauth"]
+ druid.auth.authorizer.ldapauth.type=basic
+ druid.auth.authorizer.ldapauth.initialAdminUser=inter...@example.com
+ druid.auth.authorizer.ldapauth.initialAdminRole=admin
+ druid.auth.authorizer.ldapauth.roleProvider.type=ldap
```
+ Note the following:
- Notice that the LDAP user created in the previous step,
`[email protected]`, serves as the internal client user and the initial
admin user.
+ - `bindUser`: A user for connecting to LDAP. This should be the same user
you used to [test your LDAP search](#test-your-ldap-search).
+ - `userSearch`: Your LDAP search syntax.
+ - `userAttribute`: The user search attribute.
+ - `[email protected]` is the LDAP user you created in step 1. In the
example it serves as both the internal client user and the initial admin user.
-## Use LDAP groups to assign roles
+ > In the above example, the [Druid
escalator](../development/extensions-core/druid-basic-security.md#escalator)
and LDAP initial admin user are set to the same user - `[email protected]`.
If the escalator is set to a different user, you must follow steps 4 and 5 to
create the group mapping and allocate initial roles before the rest of the
cluster can function.
-You can map LDAP groups to a role in Druid. Members in the group get access to
the permissions of the corresponding role.
+4. Save your group mapping to a JSON file. An example file `groupmap.json`
looks like this:
+
+ ```
+ {
+ "name": "mygroupmap",
+ "groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com",
+ "roles": [
+ "readRole"
+ ]
+ }
+ ```
+ In the example, the LDAP group `mygroup` maps to Druid role `readRole` and
the name of the mapping is `mygroupmap`.
+5. Use the Druid API to create the group mapping and allocate initial roles
according to your JSON file. The following example uses curl to create the
mapping defined in `groupmap.json` for the LDAP group `mygroup`:
+
+ ```
+ curl -i -v -H "Content-Type: application/json" -u internal -X POST -d
@groupmap.json
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
+ ```
+6. Check that the group mapping was created successfully. The following
example request lists all group mappings:
-### Step 1: Create a role
+ ```
+ curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
+ ```
-First create the role in Druid using the Druid REST API.
+## Map LDAP groups to Druid roles
-Creating a role involves submitting a POST request to the Coordinator process.
+Once you've completed the initial setup and mapping, you can map more LDAP
groups to Druid roles. Members of an LDAP group get access to the permissions
of the corresponding Druid role.
-The following REST APIs to create the role to read access for datasource,
config, state.
+### Create a Druid role
-> As mentioned, the REST API calls need to address the Coordinator node. The
examples used below use localhost as the Coordinator host and 8081 as the port.
Adjust these settings according to your deployment.
+To create a Druid role, you can submit a POST request to the Coordinator
process using the Druid REST API or you can use the Druid console.
-Call the following API to create role `readRole` .
+The examples below use `localhost` as the Coordinator host and `8081` as the
port. Amend these properties according to the details of your deployment.
+
+Example request to create a role named `readRole`:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole
+curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole
```
-Check that the role has been created successfully by entering the following:
+Check that Druid created the role successfully. The following example request
lists all roles:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles
+curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles
```
+### Add permissions to the Druid role
-### Step 2: Add permissions to a role
-
-You can now add one or more permission to the role. The following example adds
read-only access to a `wikipedia` data source.
+Once you have a Druid role you can add permissions to it. The following
example adds read-only access to a `wikipedia` data source.
Given the following JSON in a file named `perm.json`:
```
-[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ"
}
-,{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" },
-{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}]
-```
-
-The following command associates the permissions in the JSON file with the
role
-
-```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST
[email protected]
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions
+[
+ { "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action":
"READ" },
+ { "resource": { "name": ".*", "type": "STATE" }, "action": "READ" },
+ { "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}
+]
```
-Note that the STATE and CONFIG permissions in `perm.json` are needed to see
the data source in the web console. If only querying permissions are needed,
the READ action is sufficient:
+The following request associates the permissions in the JSON file with the
`readRole` role:
```
-[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ"
}]
+curl -i -v -H "Content-Type: application/json" -u internal -X POST
[email protected]
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions
```
-You can also provide the name in the form of regular expression. For example,
to give access to all data sources starting with `wiki`, specify the name as
`{ "name": "wiki.*", .....`.
+Druid users need the `STATE` and `CONFIG` permissions to view the data source
in the Druid console. If you only want to assign querying permissions you can
apply just the `READ` permission with the first line in the `perm.json` file.
+You can also provide the data source name in the form of a regular expression.
For example, to give access to all data sources starting with `wiki`, you would
specify the data source name as `{ "name": "wiki.*" }` .
-### Step 3: Create group Mapping
+### Create the group mapping
-The following shows an example of a group to role mapping. It assumes that a
group named `group1` exists in the directory. Also assuming the following role
mapping in a file named `groupmap.json`:
+You can now map an LDAP group to the Druid role. The following example request
creates a mapping with name `mygroupmap`. It assumes that a group named
`mygroup` exists in the directory.
```
{
- "name": "group1map",
- "groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
- "roles": [
- "readRole"
- ]
+ "name": "mygroupmap",
+ "groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com",
+ "roles": [
+ "readRole"
+ ]
}
```
-You can configure the mapping as follows:
+The following example request configures the mapping—the role mapping is
in the file `groupmap.json`. See [Configure Druid for LDAP
authentication](#configure-druid-for-ldap-authentication) for the contents of
an example file.
```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST -d
@groupmap.json
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
+curl -i -v -H "Content-Type: application/json" -u internal -X POST -d
@groupmap.json
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
```
-To check whether the group mapping was created successfully, run the following
command:
+To check whether the group mapping was created successfully, the following
request lists all group mappings:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
+curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
```
-To check the details of a specific group mapping, use the following:
+The following example request returns the details of the `mygroupmap` group:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
+curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap
```
-To add additional roles to the group mapping, use the following API:
+The following example request adds the role `queryRole` to the `mygroupmap`
mapping:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole>
+curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroup/roles/queryrole
```
-In the next two steps you will be creating a user, and assigning previously
created roles to it. These steps are only needed in the following cases:
-
- - Your LDAP server does not support the `memberOf` attribute, or
- - You want to configure a user with additional roles that are not mapped to
the group(s) that the user is a member of
-
- If this is not the case for your scenario, you can skip these steps.
+### Add an LDAP user to Druid and assign a role
-### Step 4. Create a user
+You only need to complete this step if:
+- Your LDAP user doesn't belong to any of your LDAP groups, or
+- You want to configure a user with additional Druid roles that are not mapped
to the LDAP groups that the user belongs to.
-Once LDAP is enabled, only user passwords are verified with LDAP. You add the
LDAP user to Druid as follows:
+Example request to add the LDAP user `myuser` to Druid:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/<AD
user>
+curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser
```
-### Step 5. Assign the role to the user
-
-The following command shows how to assign a role to a user:
+Example request to assign the `myuser` user to the `queryRole` role:
```
-curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users/<AD
user>/roles/<rolename>
+curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser/roles/queryRole
```
-For more information about security and the basic security extension, see
[Security Overview](security-overview.md).
+## Enable LDAP over TLS (LDAPS)
+
+Once you've configured LDAP authentication in Druid, you can optionally make
LDAP traffic confidential and secure by using Transport Layer Security
(TLS)—previously Secure Socket Layer(SSL)—technology.
+
+Configuring LDAPS establishes trust between Druid and the LDAP server.
+
+## Prerequisites
+
+Before you start to set up LDAPS in Druid, you must [configure Druid for LDAP
authentication](#configure-druid-for-ldap-authentication). You also need:
+
+- A certificate issued by a public certificate authority (CA) or a self-signed
certificate by an internal CA.
+- The root certificate for the CA that signed the certificate for the LDAP
server. If you're using a common public CA, the certificate may already be in
the Java truststore. Otherwise you need to import the certificate for the CA.
+
+## Configure Druid for LDAPS
+
+Complete the following steps to set up LDAPS for Druid. See [Configuration
reference](../configuration/index.md) for the location of the configuration
files.
+
+1. Import the CA certificate for your LDAP server or a self-signed certificate
into the truststore location saved as `druid.client.https.trustStorePath` in
your `common.runtime.properties` file.
+
+ ```
+ keytool -import -trustcacerts -keystore path/to/cacerts -storepass
truststorepassword -alias aliasName -file path/to/certificate.cer
+ ```
+
+ Replace `path/to/cacerts` with the path to your truststore,
`truststorepassword` with your truststore password, `aliasName` with an alias
name for the keystore, and `path/to/certificate.cer` with the location and name
of your certificate. For example:
+
+ ```
+ keytool -import -trustcacerts -keystore
/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts
-storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer
+ ```
+
+2. If the root certificate for the CA isn't already in the Java truststore,
import it:
+
+ ```
+ keytool -importcert -keystore path/to/cacerts -storepass truststorepassword
-alias aliasName -file path/to/certificate.cer
+ ```
+
+ Replace `path/to/cacerts` with the path to your truststore,
`truststorepassword` with your truststore password, `aliasName` with an alias
name for the keystore, and `path/to/certificate.cer` with the location and name
of your certificate. For example:
+
+ ```
+ keytool -importcert -keystore
/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts
-storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer
+ ```
+
+3. In your `common.runtime.properties` file, add the following lines to the
LDAP configuration section, substituting your own truststore path and password:
+
+ ```
+
druid.auth.basic.ssl.trustStorePath=/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts
+ druid.auth.basic.ssl.protocol=TLS
+ druid.auth.basic.ssl.trustStorePassword=xxxxxx
+ ```
+
+ See [Druid basic
security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps)
for details about these properties.
+
+4. You can optionally configure additional LDAPS properties in the
`common.runtime.properties` file. See [Druid basic
security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps)
for more information.
+
+5. Restart Druid.
+
+
+## Troubleshooting tips
+
+The following are some ideas to help you troubleshoot issues with LDAP and
LDAPS.
+
+### Check the coordinator logs
+
+If your LDAP connection isn't working, check the coordinator logs. See
[Logging](../configuration/logging.md) for details.
+
+### Check the Druid escalator configuration
+
+If the coordinator is working but the rest of the cluster isn't, check the
escalator configuration. See the [Configuration
reference](../configuration/index.md) for details. You can also check other
service logs to see why the services are unable to fetch authorization details
from the coordinator.
+
+### Check your LDAP server response time
+
+If a user can log in to the Druid console but the landing page shows a 401
error, check your LDAP server response time. In a large organization with a
high number of LDAP users, LDAP may be slow to respond, and this can result in
a connection timeout.
diff --git a/docs/operations/security-overview.md
b/docs/operations/security-overview.md
index 028cff04f5..3fa80e24ad 100644
--- a/docs/operations/security-overview.md
+++ b/docs/operations/security-overview.md
@@ -250,80 +250,7 @@ The following steps walk through a sample setup procedure:
## Configuring an LDAP authenticator
-As an alternative to using the basic metadata authenticator, you can use LDAP
to authenticate users. The following steps provide an overview of the setup
procedure. For more information on these settings, see [Properties for LDAP
user
authentication](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication).
-
-1. In `common.runtime.properties`, add LDAP to the authenticator chain in the
order in which you want requests to be evaluated. For example:
- ```
- # Druid basic security
- druid.auth.authenticatorChain=["ldap", "MyBasicMetadataAuthenticator"]
- ```
-
-2. Configure LDAP settings in `common.runtime.properties` as appropriate for
your LDAP scheme and system. For example:
- ```
- druid.auth.authenticator.ldap.type=basic
- druid.auth.authenticator.ldap.enableCacheNotifications=true
- druid.auth.authenticator.ldap.credentialsValidator.type=ldap
- druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ad_host:389
- druid.auth.authenticator.ldap.credentialsValidator.bindUser=ad_admin_user
-
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=ad_admin_password
- druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com
-
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user))
-
druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
- druid.auth.authenticator.ldap.authorizerName=ldapauth
- druid.escalator.type=basic
- druid.escalator.internalClientUsername=ad_interal_user
- druid.escalator.internalClientPassword=Welcome123
- druid.escalator.authorizerName=ldapauth
- druid.auth.authorizers=["ldapauth"]
- druid.auth.authorizer.ldapauth.type=basic
- druid.auth.authorizer.ldapauth.initialAdminUser=<ad_initial_admin_user>
- druid.auth.authorizer.ldapauth.initialAdminRole=admin
- druid.auth.authorizer.ldapauth.roleProvider.type=ldap
- ```
-
-3. Use the Druid API to create the group mapping and allocate initial roles.
For example, using curl and given a group named `group1` in the directory, run:
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X POST -d
@groupmap.json
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
- ```
- The `groupmap.json` file contents would be something like:
- ```
- {
- "name": "group1map",
- "groupPattern": "CN=group1,CN=Users,DC=example,DC=com",
- "roles": [
- "readRole"
- ]
- }
- ```
-4. Check if the group mapping is created successfully by executing the
following API. This lists all group mappings.
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings
- ```
-
- Alternatively, to check the details of a specific group mapping, use the
following API:
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X GET
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map
- ```
-
-5. To add additional roles to the group mapping, use the following API:
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/<newrole>
- ```
-
-6. Add the LDAP user to Druid. To add a user, use the following authentication
API:
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/<ad_user>
- ```
-
-7. Use the following command to assign the role to a user:
- ```
- curl -i -v -H "Content-Type: application/json" -u internal -X POST
http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users/<ad_user>/roles/<rolename>
- ```
-
-
-
-Congratulations, you have configured permissions for user-assigned roles in
Druid!
-
+As an alternative to using the basic metadata authenticator, you can use LDAP
to authenticate users. See [Configure LDAP authentication](./auth-ldap.md) for
information on configuring Druid for LDAP and LDAPS.
## Druid security trust model
Within Druid's trust model there users can have different authorization levels:
diff --git a/website/.spelling b/website/.spelling
index c2eb66104e..d02f4f8467 100644
--- a/website/.spelling
+++ b/website/.spelling
@@ -129,6 +129,7 @@ JDK
JDK7
JDK8
JKS
+jks
JMX
JRE
JS
@@ -147,6 +148,7 @@ Kerberos
KeyStores
Kinesis
Kubernetes
+LDAPS
LRU
LZ4
LZO
@@ -203,6 +205,7 @@ SYSTEM_TABLE
TCP
TGT
TLS
+tls
TopN
TopNs
UI
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
