@davidagee
Last active April 2, 2024 09:54
Setting up basic-auth roles and permissions in Druid

Setting up basic auth users & permissions in Druid

Configuring Druid for basic-auth

Note: This gist does not cover enabling TLS for Druid. Remember that basic-auth is useless without TLS. The purpose of this guide is to set up users, roles and permissions for testing.

  • Add the basic-auth extension to Druid in the common.runtime.properties file, e.g. in conf-quickstart/druid/_common/common.runtime.properties:
druid.extensions.loadList=["druid-basic-security", "druid-histogram", "druid-datasketches", "druid-kafka-indexing-service", "imply-utility-belt"]
  • Set up the basic Authenticator, Authorizer, and Escalator config in the same common.runtime.properties:
# Druid basic security
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]

druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
# password1 and password2 are placeholder values for this test setup
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=password1
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=password2
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer

# Escalator
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
# Must match initialInternalClientPassword above
druid.escalator.internalClientPassword=password2
druid.escalator.authorizerName=MyBasicMetadataAuthorizer

druid.auth.authorizers=["MyBasicMetadataAuthorizer"]

druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic

Congrats, your Druid is now ready to set up some basic RBAC.

Creating users, roles, and permissions

This shared Postman collection will provide you with some preconfigured endpoints to make this easier: https://www.getpostman.com/collections/9598d40f58cabda202e5

Important note: This is all done via the Coordinator API, which lives on port 8081 for non-TLS connections and port 8281 for secured connections.

Create authenticator users and credentials

  • POST to http://localhost:8081/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME> to create the user
  • POST to http://localhost:8081/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/<USERNAME>/credentials to set the user's password. The password payload is of the form:
{
  "password": "password"
}

Create authorizer users

Authorizer users need to be manually created to match authenticator users. For each user you created above, create a corresponding authorizer user:

  • POST to http://localhost:8081/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>

Create authorizer roles

Next, create the roles you will use to control permissions:

  • POST to http://localhost:8081/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/<ROLENAME>

Assign roles to users

Next, link the users to the roles you want them to be assigned to:

  • POST to http://localhost:8081/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/<USERNAME>/roles/<ROLENAME>

Set up your role permissions

Finally, attach permissions to the roles to control how they can interact with Druid:

  • POST to http://localhost:8081/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/<ROLENAME>/permissions

Payload is of the form:

[
  {
    "resource": {
      "name": "<PATTERN>",
      "type": "DATASOURCE"
    },
    "action": "READ"
  },
  {
    "resource": {
      "name": "STATE",
      "type": "STATE"
    },
    "action": "READ"
  }
]

Note that for Pivot users to be able to create data cubes, they will need read access to the datasource as well as read access to the Druid STATE entity.

Congratulations, you now have permissioned roles with associated users in Druid!
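
The six POSTs above, chained into one script that provisions a read-only user for a single datasource. This is an added example, not part of the original gist; `DRUID_URL`, `DRUID_NETRC`, `DRY_RUN` and the function names are assumptions, and the netrc file is expected to hold the admin credentials for the Coordinator host.

```sh
#!/bin/sh
# Added example, not the gist author's code. DRUID_URL, DRUID_NETRC, DRY_RUN
# and all function names are assumptions made for this sketch.
set -eu
BASE="${DRUID_URL:-http://localhost:8081}/druid-ext/basic-security"
AUTHN="$BASE/authentication/db/MyBasicMetadataAuthenticator"
AUTHZ="$BASE/authorization/db/MyBasicMetadataAuthorizer"

# Names are placed in URL paths and JSON, so accept only a conservative charset.
safe_name() {
  case "$1" in
    ''|*[!A-Za-z0-9_-]*) echo "unsafe name: $1" >&2; return 1 ;;
  esac
}

# Payload from the gist: READ on one datasource plus READ on STATE.
read_only_permissions() {
  safe_name "$1" || return 1
  printf '[{"resource":{"name":"%s","type":"DATASOURCE"},"action":"READ"},' "$1"
  printf '{"resource":{"name":"STATE","type":"STATE"},"action":"READ"}]\n'
}

# DRY_RUN=1 (default) prints only the URL, never the body, so no password is
# echoed. Otherwise the body goes over stdin and the admin credentials come
# from a netrc file, so neither shows up in the process list.
post() {
  if [ "${DRY_RUN:-1}" = 1 ]; then echo "POST $1"; return 0; fi
  printf '%s' "${2:-}" | curl --fail --silent --show-error -X POST \
    --netrc-file "${DRUID_NETRC:?path to netrc with admin credentials}" \
    -H 'Content-Type: application/json' --data @- "$1"
}

# provision_reader USER ROLE DATASOURCE; the new password is read from stdin.
provision_reader() {
  safe_name "$1" && safe_name "$2" && safe_name "$3" || return 1
  pw=''; IFS= read -r pw || true
  case "$pw" in
    ''|*'"'*|*'\'*) echo "empty or JSON-unsafe password" >&2; return 1 ;;
  esac
  post "$AUTHN/users/$1"                       # authenticator user
  post "$AUTHN/users/$1/credentials" "{\"password\": \"$pw\"}"
  post "$AUTHZ/users/$1"                       # matching authorizer user
  post "$AUTHZ/roles/$2"                       # role
  post "$AUTHZ/users/$1/roles/$2"              # user -> role
  post "$AUTHZ/roles/$2/permissions" "$(read_only_permissions "$3")"
}

if [ "$#" -eq 3 ]; then provision_reader "$@"; fi
```

Run it with three arguments and the new password on stdin; set `DRY_RUN=0` to send the requests, and point `DRUID_URL` at the port 8281 endpoint when TLS is enabled.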
