Apache Druid
  • Technology
  • Use Cases
  • Powered By
  • Docs
  • Community
  • Apache
  • Download

›Security

Getting started

  • Introduction to Apache Druid
  • Quickstart
  • Docker
  • Single server deployment
  • Clustered deployment

Tutorials

  • Loading files natively
  • Load from Apache Kafka
  • Load from Apache Hadoop
  • Querying data
  • Roll-up
  • Configuring data retention
  • Updating existing data
  • Compacting segments
  • Deleting data
  • Writing an ingestion spec
  • Transforming input data
  • Kerberized HDFS deep storage

Design

  • Design
  • Segments
  • Processes and servers
  • Deep storage
  • Metadata storage
  • ZooKeeper

Ingestion

  • Ingestion
  • Data formats
  • Data model
  • Data rollup
  • Partitioning
  • Ingestion spec
  • Schema design tips
  • Data management
  • Compaction
  • Stream ingestion

    • Apache Kafka
    • Amazon Kinesis

    Batch ingestion

    • Native batch
    • Hadoop-based
  • Task reference
  • Troubleshooting FAQ

Querying

  • Druid SQL
  • Native queries
  • Query execution
  • Concepts

    • Datasources
    • Joins
    • Lookups
    • Multi-value dimensions
    • Multitenancy
    • Query caching
    • Using query caching
    • Context parameters

    Native query types

    • Timeseries
    • TopN
    • GroupBy
    • Scan
    • Search
    • TimeBoundary
    • SegmentMetadata
    • DatasourceMetadata

    Native query components

    • Filters
    • Granularities
    • Dimensions
    • Aggregations
    • Post-aggregations
    • Expressions
    • Having filters (groupBy)
    • Sorting and limiting (groupBy)
    • Sorting (topN)
    • String comparators
    • Virtual columns
    • Spatial filters

Configuration

  • Configuration reference
  • Extensions
  • Logging

Operations

  • Web console
  • Getting started with Apache Druid
  • Security

    • Security overview
    • User authentication and authorization
    • LDAP auth
    • Password providers
    • Dynamic Config Providers
    • TLS support

    Performance tuning

    • Basic cluster tuning
    • Segment Size Optimization
    • HTTP compression
    • Automated metadata cleanup
  • API reference
  • High availability
  • Rolling updates
  • Retaining or automatically dropping data
  • Metrics
  • Alerts
  • Working with different versions of Apache Hadoop
  • Misc

    • Legacy Management UIs
    • dump-segment tool
    • reset-cluster tool
    • insert-segment-to-db tool
    • pull-deps tool
    • Deep storage migration
    • Export Metadata Tool
    • Metadata Migration
    • Content for build.sbt

Development

  • Developing on Druid
  • Creating extensions
  • JavaScript functionality
  • Build from source
  • Versioning
  • Experimental features

Misc

  • Papers

Hidden

  • Apache Druid vs Elasticsearch
  • Apache Druid vs. Key/Value Stores (HBase/Cassandra/OpenTSDB)
  • Apache Druid vs Kudu
  • Apache Druid vs Redshift
  • Apache Druid vs Spark
  • Apache Druid vs SQL-on-Hadoop
  • Authentication and Authorization
  • Broker
  • Coordinator Process
  • Historical Process
  • Indexer Process
  • Indexing Service
  • MiddleManager Process
  • Overlord Process
  • Router Process
  • Peons
  • Approximate Histogram aggregators
  • Apache Avro
  • Microsoft Azure
  • Bloom Filter
  • DataSketches extension
  • DataSketches HLL Sketch module
  • DataSketches Quantiles Sketch module
  • DataSketches Theta Sketch module
  • DataSketches Tuple Sketch module
  • Basic Security
  • Kerberos
  • Cached Lookup Module
  • Apache Ranger Security
  • Google Cloud Storage
  • HDFS
  • Apache Kafka Lookups
  • Globally Cached Lookups
  • MySQL Metadata Store
  • ORC Extension
  • Druid pac4j based Security extension
  • Apache Parquet Extension
  • PostgreSQL Metadata Store
  • Protobuf
  • S3-compatible
  • Simple SSLContext Provider Module
  • Stats aggregator
  • Test Stats Aggregators
  • Druid AWS RDS Module
  • Kubernetes
  • Ambari Metrics Emitter
  • Apache Cassandra
  • Rackspace Cloud Files
  • DistinctCount Aggregator
  • Graphite Emitter
  • InfluxDB Line Protocol Parser
  • InfluxDB Emitter
  • Kafka Emitter
  • Materialized View
  • Moment Sketches for Approximate Quantiles module
  • Moving Average Query
  • OpenTSDB Emitter
  • Druid Redis Cache
  • Microsoft SQLServer
  • StatsD Emitter
  • T-Digest Quantiles Sketch module
  • Thrift
  • Timestamp Min/Max aggregators
  • GCE Extensions
  • Aliyun OSS
  • Prometheus Emitter
  • kubernetes
  • Cardinality/HyperUnique aggregators
  • Select
  • Realtime Process
Edit

User authentication and authorization

This document describes the Druid security model that extensions use to enable user authentication and authorization services to Druid.

Authentication and authorization model

At the center of the Druid user authentication and authorization model are resources and actions. A resource is something that authenticated users are trying to access or modify. An action is something that users are trying to do.

There are three resource types:

  • DATASOURCE – Each Druid table (i.e., tables in the druid schema in SQL) is a resource.
  • CONFIG – Configuration resources exposed by the cluster components.
  • STATE – Cluster-wide state resources.

For specific resources associated with the types, see the endpoint list below and corresponding descriptions in API Reference.

There are two actions:

  • READ – Used for read-only operations.
  • WRITE – Used for operations that are not read-only.

In practice, most deployments will only need to define two classes of users:

  • Administrators, who have WRITE action permissions on all resource types. These users will add datasources and administer the system.
  • Data users, who only need READ access to DATASOURCE. These users should access Query APIs only through an API gateway. Other APIs and permissions include functionality that should be limited to server admins.

It is important to note that WRITE access to DATASOURCE grants a user broad access. For instance, such users will have access to the Druid file system, S3 buckets, and credentials, among other things. As such, the ability to add and manage datasources should be allocated selectively to administrators.

Default user accounts

Authenticator

If druid.auth.authenticator.<authenticator-name>.initialAdminPassword is set, a default admin user named "admin" will be created, with the specified initial password. If this configuration is omitted, the "admin" user will not be created.

If druid.auth.authenticator.<authenticator-name>.initialInternalClientPassword is set, a default internal system user named "druid_system" will be created, with the specified initial password. If this configuration is omitted, the "druid_system" user will not be created.

Authorizer

Each Authorizer will always have a default "admin" and "druid_system" user with full privileges.

Defining permissions

There are two action types in Druid: READ and WRITE

There are three resource types in Druid: DATASOURCE, CONFIG, and STATE.

DATASOURCE

Resource names for this type are datasource names. Specifying a datasource permission allows the administrator to grant users access to specific datasources.

CONFIG

There are two possible resource names for the "CONFIG" resource type, "CONFIG" and "security". Granting a user access to CONFIG resources allows them to access the following endpoints.

"CONFIG" resource name covers the following endpoints:

EndpointProcess Type
/druid/coordinator/v1/configcoordinator
/druid/indexer/v1/workeroverlord
/druid/indexer/v1/worker/historyoverlord
/druid/worker/v1/disablemiddleManager
/druid/worker/v1/enablemiddleManager

"security" resource name covers the following endpoint:

EndpointProcess Type
/druid-ext/basic-security/authenticationcoordinator
/druid-ext/basic-security/authorizationcoordinator

STATE

There is only one possible resource name for the "STATE" config resource type, "STATE". Granting a user access to STATE resources allows them to access the following endpoints.

"STATE" resource name covers the following endpoints:

EndpointProcess Type
/druid/coordinator/v1coordinator
/druid/coordinator/v1/rulescoordinator
/druid/coordinator/v1/rules/historycoordinator
/druid/coordinator/v1/serverscoordinator
/druid/coordinator/v1/tierscoordinator
/druid/broker/v1broker
/druid/v2/candidatesbroker
/druid/indexer/v1/leaderoverlord
/druid/indexer/v1/isLeaderoverlord
/druid/indexer/v1/actionoverlord
/druid/indexer/v1/workersoverlord
/druid/indexer/v1/scalingoverlord
/druid/worker/v1/enabledmiddleManager
/druid/worker/v1/tasksmiddleManager
/druid/worker/v1/task/{taskid}/shutdownmiddleManager
/druid/worker/v1/task/{taskid}/logmiddleManager
/druid/historical/v1historical
/druid-internal/v1/segments/historical
/druid-internal/v1/segments/peon
/druid-internal/v1/segments/realtime
/statusall process types

HTTP methods

For information on what HTTP methods are supported on a particular request endpoint, please refer to the API documentation.

GET requires READ permission, while POST and DELETE require WRITE permission.

SQL Permissions

Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource.

Queries on the INFORMATION_SCHEMA tables will return information about datasources that the caller has DATASOURCE READ access to. Other datasources will be omitted.

Queries on the system schema tables require the following permissions:

  • segments: Segments will be filtered based on DATASOURCE READ permissions.
  • servers: The user requires STATE READ permissions.
  • server_segments: The user requires STATE READ permissions and segments will be filtered based on DATASOURCE READ permissions.
  • tasks: Tasks will be filtered based on DATASOURCE READ permissions.

Configuration Propagation

To prevent excessive load on the Coordinator, the Authenticator and Authorizer user/role Druid metadata store state is cached on each Druid process.

Each process will periodically poll the Coordinator for the latest Druid metadata store state, controlled by the druid.auth.basic.common.pollingPeriod and druid.auth.basic.common.maxRandomDelay properties.

When a configuration update occurs, the Coordinator can optionally notify each process with the updated Druid metadata store state. This behavior is controlled by the enableCacheNotifications and cacheNotificationTimeout properties on Authenticators and Authorizers.

Note that because of the caching, changes made to the user/role Druid metadata store may not be immediately reflected at each Druid process.

← Security overviewLDAP auth →
  • Authentication and authorization model
  • Default user accounts
    • Authenticator
    • Authorizer
  • Defining permissions
    • DATASOURCE
    • CONFIG
    • STATE
    • HTTP methods
    • SQL Permissions
  • Configuration Propagation

Technology · Use Cases · Powered by Druid · Docs · Community · Download · FAQ

 ·  ·  · 
Copyright © 2019 Apache Software Foundation.
Except where otherwise noted, licensed under CC BY-SA 4.0.
Apache Druid, Druid, and the Druid logo are either registered trademarks or trademarks of The Apache Software Foundation in the United States and other countries.