Druid auth basic/kerberos

Hi team,

I'm really new to Druid. From reading the Druid docs, I'm unable to set up Druid basic auth/Kerberos with Tranquility.

Can you please tell me how to set up Druid auth with Kerberos/basic, with an END-TO-END step process? We really need it.

I tried basic auth, but I'm unable to download the druid-basic-security extension. Can you tell me where I can find this extension?

I followed this link to set up basic auth:

https://github.com/druid-io/druid/blob/master/docs/content/development/extensions-core/druid-basic-security.md

Is there any proper setup process for Druid Kerberos, like what to install initially, how to use Kerberos, and how to set it up with Druid? Reading the Kerberos properties in Druid's docs doesn't give enough knowledge to set up Druid.

Is there any proper step process to set up Druid auth?

Hi Sai,

The druid-basic-security extension is only in master currently, it’s not part of 0.11.0. It will be included in the next release, 0.12.0.

For now the only included authentication implementations are the default “allow everything” and kerberos.

We don’t have a general kerberos cluster setup guide, so you’ll need to find that elsewhere online.

After your kerberos is set up, you would need to create two principals for the Druid cluster itself, one for the druid “internalClientPrincipal” and the other for the “serverPrincipal”. The principal for “serverPrincipal” needs to have the format HTTP/@ where is the host of the druid machine.

After that, you should be able to authenticate with your other user principals.

Hi Jonathan,
I'm able to set up Kerberos with client and server. I would like to configure multiple CLIENTS with ONE DRUID SERVER using the KERBEROS EXTENSION. Is there any way to do it?

Regards,

sai

Hi,
I'm able to set up Kerberos and configure it with Druid 0.10.0, but Druid still says unauthorized and gives a 401 status.

These are my Druid properties:

common.properties

druid.hadoop.security.kerberos.principal = user@ECN.COM

druid.hadoop.security.kerberos.keytab = /etc/krb5.keytab

druid.hadoop.security.spnego.principal = HTTP/_HOST@ECN.COM

druid.hadoop.security.spnego.keytab = /etc/krb5.keytab

Using my Kerberos client, I'm able to get a ticket for my client.

By using the command “kinit -k -t <path_to_keytab_file> user@REALM.COM” it successfully logs in to the Kerberos/Druid host.

But when I send a Druid query from my client, it says 401 unauthorised,

using the command "curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H'Content-Type: application/json' http://broker-host:port/druid/v2/?pretty -d @query.json"

Error 401

HTTP ERROR: 401

Problem accessing /druid/v2/. Reason:

    


Powered by Jetty:// 9.3.16.v20170120


What is this SPNEGO principal? Is that the Kerberos host principal?

How do I create this SPNEGO principal?

The SPNEGO principal is the service principal name of the Druid service that clients connect to.

If I were trying to connect to a Druid broker at hostname “DRUID-BROKER.EXAMPLE.COM” under the “EXAMPLE.COM” kerberos realm, the SPNEGO principal would be HTTP/DRUID-BROKER.EXAMPLE.COM@EXAMPLE.COM

These links might be helpful:

https://gerardnico.com/wiki/spnego

https://gerardnico.com/wiki/security/kerberos/spn

https://serverfault.com/questions/350782/can-someone-please-explain-windows-service-principle-names-spns-without-oversi/350791#350791
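
An added example, not part of the thread or of Druid's own code: an offline check that the configured SPNEGO principal has the form HTTP/<host>@<REALM>, that the host in the URL the client calls matches it, and that the keytab listing contains that principal. The hostnames, port and `klist -kt` listing are constructed sample data, and treating `_HOST` as a placeholder for the server's hostname is an assumption.

```python
from urllib.parse import urlsplit

def parse_properties(text):
    """Parse 'key = value' lines as they appear in common.properties."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def keytab_principals(klist_output):
    """Principal names from `klist -kt` output (last column of each entry row)."""
    names = set()
    for line in klist_output.splitlines():
        fields = line.split()
        if fields and fields[0].isdigit() and "@" in fields[-1]:
            names.add(fields[-1])
    return names

def check_spnego(props, server_fqdn, client_url, klist_output):
    """Return a list of mismatches between config, client URL and keytab."""
    problems = []
    configured = props.get("druid.hadoop.security.spnego.principal", "")
    server_spn = configured.replace("_HOST", server_fqdn)  # assumed _HOST expansion
    service, _, rest = server_spn.partition("/")
    host, _, realm = rest.partition("@")
    if service != "HTTP" or not host or not realm:
        problems.append(f"principal {configured!r} is not HTTP/<host>@<REALM>")
        return problems
    # A SPNEGO client asks the KDC for a ticket for HTTP/<host it connected to>.
    client_host = urlsplit(client_url).hostname or ""
    if client_host.lower() != host.lower():
        problems.append(f"client requests HTTP/{client_host} but server is {server_spn}")
    if server_spn not in keytab_principals(klist_output):
        problems.append(f"{server_spn} has no entry in the keytab")
    return problems

# Constructed sample data: only the property name and realm come from the thread.
PROPS = parse_properties("""
druid.hadoop.security.spnego.principal = HTTP/_HOST@ECN.COM
""")
KLIST = """Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------
   2 01/15/2018 10:02:11 user@ECN.COM
   2 01/15/2018 10:02:11 HTTP/druid-broker.ecn.com@ECN.COM
"""
if __name__ == "__main__":
    # Client calls the broker by IP address, so the requested SPN does not match.
    print(check_spnego(PROPS, "druid-broker.ecn.com", "http://10.0.0.5:8082/druid/v2/", KLIST))
```
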

Hi Sai,

Can you let me know how you set up basic authentication? I need to set up basic first, then LDAP, on the Druid server.

Thanks,

Ashish