This is an automated email from the ASF dual-hosted git repository.
techdocsmith pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new bea18dc9e4 Update basic auth examples (#13750)
bea18dc9e4 is described below
commit bea18dc9e432994c64811a5077fa45c51cb71ca5
Author: Suneet Saldanha <[email protected]>
AuthorDate: Fri Feb 3 14:45:48 2023 -0800
Update basic auth examples (#13750)
---
docs/operations/security-overview.md | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
diff --git a/docs/operations/security-overview.md
b/docs/operations/security-overview.md
index 3fa80e24ad..3b1e8c32b1 100644
--- a/docs/operations/security-overview.md
+++ b/docs/operations/security-overview.md
@@ -150,16 +150,16 @@ An example configuration:
# Druid basic security
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
-
+
# Default password for 'admin' user, should be changed for production.
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
# Default password for internal 'druid_system' user, should be changed for
production.
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
-
+
# Uses the metadata store for storing users, you can use authentication API
to create new users and grant permissions
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
-
+
# If true and the request credential doesn't exists in this credentials
store, the request will proceed to next Authenticator in the chain.
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
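Review bot: the three `-`/`+` pairs in this hunk (after the `.type=basic`, `initialInternalClientPassword` and `credentialsValidator.type` lines) change only blank lines, which reads as whitespace churn unrelated to updating the examples; either drop them or mention the whitespace normalization in the commit message. Since the block is being touched anyway, the comment "If true and the request credential doesn't exists" could be corrected to "doesn't exist", and the literal `password1` / `password2` values would be safer as obvious placeholders so the sample is less likely to be pasted into a cluster unchanged.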
@@ -196,35 +196,29 @@ The following steps walk through a sample setup procedure:
1. Create a user by issuing a POST request to
`druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME>`,
replacing USERNAME with the *new* username you are trying to create. For
example:
```
- curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/basic/users/myname
+ curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/myname
```
> If you have TLS enabled, be sure to adjust the curl command accordingly.
For example, if your Druid servers use self-signed certificates, you may choose
to include the `insecure` curl option to forgo certificate checking for the
curl command.
2. Add a credential for the user by issuing a POST to
`druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME>/credentials`.
For example:
```
- curl -u admin:password1 -H'Content-Type: application/json' -XPOST
--data-binary @pass.json
https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/basic/users/myname/credentials
- ```
- The password is conveyed in the `pass.json` file in the following form:
- ```
- {
- "password": "myname_password"
- }
+ curl -u admin:password1 -H'Content-Type: application/json' -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/myname/credentials
--data-raw '{"password": "my_password"}'
```
2. For each authenticator user you create, create a corresponding authorizer
user by issuing a POST request to
`druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>`.
For example:
```
- curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/users/myname
+ curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/myname
```
3. Create authorizer roles to control permissions by issuing a POST request to
`druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/<ROLENAME>`.
For example:
```
- curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/roles/myrole
+ curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/myrole
```
4. Assign roles to users by issuing a POST request to
`druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>/roles/<ROLENAME>`.
For example:
```
- curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/users/myname/roles/myrole
| jq
+ curl -u admin:password1 -XPOST
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/myname/roles/myrole
| jq
```
5. Finally, attach permissions to the roles to control how they can interact
with Druid at
`druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/<ROLENAME>/permissions`.
For example:
```
- curl -u admin:password1 -H'Content-Type: application/json' -XPOST
--data-binary @perms.json
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/basic/roles/myrole/permissions
+ curl -u admin:password1 -H'Content-Type: application/json' -XPOST
--data-binary @perms.json
https://my-coordinator-ip:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/myrole/permissions
```
The payload of `perms.json` should be in the form:
```
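Review bot: in the credentials step, the new `--data-raw '{"password": "my_password"}'` puts the user's password directly on the command line, where it ends up in shell history and is visible in the process list, while the removed `--data-binary @pass.json` form kept it in a file. I would keep the file-based form, or add a sentence next to the example telling readers to prefer a file or stdin for real passwords; that would also keep this step consistent with the permissions step, which still uses `--data-binary @perms.json`. Two smaller points while the steps are being edited: the list numbering in the context lines repeats "2." (the credentials step and the authorizer-user step), and only the role-assignment example pipes its output to `| jq`, which adds an undeclared dependency for one step.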