Proposal for LDAP authentication/authorization within Druid
Issues/limitations with the existing Druid Basic Security extension:
1. Inability to authenticate requests using basic authentication with LDAP
as the credentials store. The Basic Security extension limits clients to the
internal database as the only credentials store option.
2. The Basic Security extension does more than just provide the mechanism to
transport and process credentials supplied in HTTP requests.
3. Basic Security extension authorization limits clients to the internal
database as the only source for managing and looking up user roles. There is
no way to retrieve user role information from an external source like LDAP,
and no way to map user groups (retrieved from LDAP, for example) to roles.
Goals:
1. Expose the ability to authenticate HTTP requests with basic
authentication using LDAP as the credentials store to validate against.
2. Refactor the existing Basic Security extension authentication and
authorization implementation to be a bit more pluggable (database vs. LDAP or
something else, with the database being the default).
3. Expose an LDAP role-based authorizer that allows Druid users to be
authorized by enumerating the user's group(s) fetched from LDAP and the
group-to-role mappings configured in the internal database.
Proposal:
1. Refactor the existing Basic Security extension authenticator to make it
a bit more pluggable/configurable as to how requests carrying basic
authentication credentials are validated. Abstract out a CredentialsValidator
interface for use by BasicHTTPAuthenticator; it will be used to select and
configure the credential store(s) to use (database, LDAP, etc.).
2. The CredentialsValidator interface will expose a validate method that
takes a username and password and returns whether the user is valid (as an
AuthenticationResult).
3. Support multiple credential validators, so that a local user in the
internal database and an LDAP user can be authenticated at the same time. It's
common to have a local user in the database that's used as the system user
within the cluster, and LDAP users for external access.
4. Refactor the Basic Security extension authorizer (BasicRoleBasedAuthorizer)
and make it configurable for multiple sources of truth for assigning roles to
users/groups.
5. Provide the ability to assign and look up roles for groups instead of
just users in the database. Check the local database first for the user's
permissions. If none are found, check LDAP, enumerate all of the user's groups,
and then follow the set of rules dynamically configured in the database for how
to map that set of groups onto a set of roles.
6. Group-to-role mappings in the database will be stored similarly to the
current structure of how user-to-role mappings are stored.
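The following is an added example sketching the flow proposed above (it is not code from Druid or this proposal, and Druid itself is Java): a CredentialsValidator-style validate(username, password) that returns an AuthenticationResult or nothing, a chain of two validators (internal database first, then LDAP), and role resolution that prefers local user-to-role mappings and otherwise maps the user's LDAP groups to roles. The LDAP bind, the directory contents, the users and the mappings are all constructed stand-ins.

```python
import hashlib
import hmac
from typing import Callable, List, NamedTuple, Optional, Set

# identity plus the name of the role source that should authorize it later
AuthenticationResult = NamedTuple("AuthenticationResult", [("identity", str), ("authorizer_name", str)])

def pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DbCredentialsValidator:
    """Credential store = internal database of salted PBKDF2 password hashes."""
    def __init__(self, users: dict):
        self.users = users  # username -> (salt, hash)
    def validate(self, username: str, password: str) -> Optional[AuthenticationResult]:
        rec = self.users.get(username)
        if rec is None or not hmac.compare_digest(pbkdf2(password, rec[0]), rec[1]):
            return None  # unknown user or wrong password; constant-time comparison
        return AuthenticationResult(username, "db")

class LdapCredentialsValidator:
    """Credential store = LDAP; `bind` stands in for a simple bind as the user (stubbed here)."""
    def __init__(self, bind: Callable[[str, str], bool]):
        self.bind = bind
    def validate(self, username: str, password: str) -> Optional[AuthenticationResult]:
        if not password:
            return None  # never send an empty-password bind: directories may treat it as anonymous
        return AuthenticationResult(username, "ldap") if self.bind(username, password) else None

def authenticate(validators, username: str, password: str) -> Optional[AuthenticationResult]:
    for v in validators:  # try each configured credential store in order; first acceptance wins
        result = v.validate(username, password)
        if result is not None:
            return result
    return None

def resolve_roles(identity, user_roles, group_roles, ldap_groups: Callable[[str], List[str]]) -> Set[str]:
    if identity in user_roles:  # local user->role mappings in the database take precedence
        return set(user_roles[identity])
    return {r for g in ldap_groups(identity) for r in group_roles.get(g, [])}  # else groups->roles

# Constructed sample data: one local system user and a fake LDAP directory with one user.
LOCAL_USERS = {"druid_system": (b"constructed-salt", pbkdf2("sys-pw", b"constructed-salt"))}
FAKE_LDAP = {"alice": ("alice-pw", ["cn=analysts,ou=groups"])}  # user -> (password, groups)
VALIDATORS = [DbCredentialsValidator(LOCAL_USERS),
              LdapCredentialsValidator(lambda u, p: u in FAKE_LDAP and FAKE_LDAP[u][0] == p)]
USER_ROLES = {"druid_system": ["admin"]}
GROUP_ROLES = {"cn=analysts,ou=groups": ["read"]}
def ldap_groups_of(user: str) -> List[str]:
    return FAKE_LDAP.get(user, ("", []))[1]
```

A real deployment would replace the stub bind with an actual LDAP simple bind over TLS and would read the group and role mappings from the metadata store.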
[ Full content available at:
https://github.com/apache/incubator-druid/issues/6416 ]
This message was relayed via gitbox.apache.org for [email protected]