Druid Ldap/basic/kerberos setup

Hello Team,

I need to set up LDAP on my Druid server. Let me know what the procedure is to set it up. If not, what is the procedure to set up basic authentication?

I have gone through the below link :

https://github.com/apache/incubator-druid/blob/e874da7cea6db590e88ff847b47dfc2ad878baad/docs/content/development/extensions-core/druid-basic-security.md

But after

Coordinator Security API

I am not able to understand anything.

Please explain how to access these APIs or where to set these up.

Thanks,

Ashish

Druid currently doesn’t support LDAP authentication. You can track the issue here.
To get started with the extension, add the following lines to your common.runtime.properties file.
#extensions
druid.extensions.loadList=["druid-basic-security"]

#The below lines create two default users admin and druid_system with the respective passwords.

druid.auth.authenticatorChain=["MyBasicAuthenticator"]
druid.auth.authenticator.MyBasicAuthenticator.type=basic
druid.auth.authenticator.MyBasicAuthenticator.initialAdminPassword=password1
druid.auth.authenticator.MyBasicAuthenticator.initialInternalClientPassword=password2
druid.auth.authenticator.MyBasicAuthenticator.authorizerName=MyBasicAuthorizer

#authorizer
druid.auth.authorizers=["MyBasicAuthorizer"]
druid.auth.authorizer.MyBasicAuthorizer.type=basic

Escalator - This defines which user the internal nodes in a cluster should use to communicate with each other.

druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=password2
druid.escalator.authorizerName=MyBasicAuthorizer

And restart all your nodes. Now when you try to access the coordinator UI or the overlord UI, you will be prompted for a username and password.
When you enter your username and password (in this case, the user is “admin” and the password is “password1”), the following things take place in the backend:
The first step is to verify whether you are a valid user and have entered the correct credentials.
If yes, the request is forwarded to the Authorizer, which checks whether you have permission to view the information.
Now let’s say you want to create a user who has access to view only a specific datasource (let’s say “wikipedia”).

#To create a user named “wiki”, send a POST request to the below endpoint (curl -X POST link)

http://coordinator_ip:port/druid-ext/basic-security/authentication/db/MyBasicAuthenticator/users/wiki

#To set the password of the user as wiki@123

http://coordinator_ip:port/druid-ext/basic-security/authentication/db/MyBasicAuthenticator/users/wiki/credentials
#with body

{
    "password": "wiki@123"
}

#Above requests create user at authenticator.
#To create user at authorizer, send post request to

http://coordinator_ip:port/druid-ext/basic-security/authorization/db/MyBasicAuthorizer/users/wiki

#now set permissions for the user

http://coordinator_ip:port/druid-ext/basic-security/authorization/db/MyBasicAuthorizer/roles/wiki/permissions

#the body will contain the following info

[
    {
        "resource": {"name": "wikipedia", "type": "DATASOURCE"},
        "action": "READ"
    }
]

#The wiki user will be able to see only the information about wikipedia datasource on coordinator UI.
#And also view ingestion tasks for the wikipedia datasource on the overlord UI.

There are other resource types which can be used for providing certain endpoints of coordinator and middle manager.
Hope this helps.
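
The sequence from the answer above as one script, added here as an example (not part of the original post or the Druid project's own code). It also creates the role and assigns it to the user, two endpoints documented for the extension that the post does not show; `COORDINATOR`, `DRUID_NETRC` and `DRY_RUN` are assumed names.

```shell
#!/bin/sh
# Added example (not from the post): create a read-only Druid user end to end.
# COORDINATOR and DRUID_NETRC are assumed names; the authenticator/authorizer
# names match the common.runtime.properties lines above.
COORDINATOR="${COORDINATOR:-http://coordinator_ip:port}"
AUTHN="druid-ext/basic-security/authentication/db/MyBasicAuthenticator"
AUTHZ="druid-ext/basic-security/authorization/db/MyBasicAuthorizer"

# Escape backslashes and double quotes so a password cannot break the JSON body.
json_escape() {
  printf '%s' "$1" | sed 's/[\\"]/\\&/g'
}

# druid_post PATH [JSON_BODY]
# DRY_RUN=1 prints the request instead of sending it (bodies are shown as-is).
druid_post() {
  url_path="$1"; body="${2:-}"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'POST %s/%s %s\n' "$COORDINATOR" "$url_path" "$body"
    return 0
  fi
  # Admin credentials come from a netrc file (mode 600), e.g.
  #   machine coordinator_ip login admin password <admin password>
  # and the body goes over stdin, so no secret appears in curl's argv.
  if [ -n "$body" ]; then
    printf '%s' "$body" | curl --fail --silent --show-error \
      --netrc-file "${DRUID_NETRC:?}" -X POST \
      -H 'Content-Type: application/json' --data-binary @- \
      "$COORDINATOR/$url_path"
  else
    curl --fail --silent --show-error --netrc-file "${DRUID_NETRC:?}" \
      -X POST "$COORDINATOR/$url_path"
  fi
}

# provision_reader USER PASSWORD DATASOURCE
# The role is named after the user, as in the post (roles/wiki/permissions).
provision_reader() {
  user="$1"; pw="$2"; ds="$3"
  druid_post "$AUTHN/users/$user" &&
  druid_post "$AUTHN/users/$user/credentials" \
    "{\"password\":\"$(json_escape "$pw")\"}" &&
  druid_post "$AUTHZ/users/$user" &&
  druid_post "$AUTHZ/roles/$user" &&             # create the role
  druid_post "$AUTHZ/users/$user/roles/$user" && # assign it to the user
  druid_post "$AUTHZ/roles/$user/permissions" \
    "[{\"resource\":{\"name\":\"$ds\",\"type\":\"DATASOURCE\"},\"action\":\"READ\"}]"
}
```

Run `DRY_RUN=1 provision_reader wiki 'wiki@123' wikipedia` first to review the six requests. Basic authentication only base64-encodes the password, so point `COORDINATOR` at an https:// endpoint once TLS is enabled on the cluster.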