Kerberos authentication with basic authorizer

Hi

I'm testing authentication and authorization in a Druid cluster. The scenario is Kerberos authentication with the basic authorizer.
I configured Kerberos authentication as below:

druid.auth.authenticatorChain=["KerberosAuthenticator"]
druid.auth.authenticator.KerberosAuthenticator.type=kerberos
druid.auth.authenticator.KerberosAuthenticator.serverPrincipal=HTTP/_HOST@REALM.XX
druid.auth.authenticator.KerberosAuthenticator.serverKeytab=/etc/security/keytabs/http.service.keytab
druid.auth.authenticator.KerberosAuthenticator.authorizerName=AuthorizerName
druid.auth.authenticator.kerberos.authToLocal=RULE:1:$1@$0s/@.*//
DEFAULT
druid.auth.authenticator.KerberosAuthenticator.cookieSignatureSecret=secretString

druid.escalator.type=kerberos
druid.escalator.internalClientPrincipal=username@REALM.XX
druid.escalator.internalClientKeytab=/etc/security/keytabs/username.keytab
druid.escalator.authorizerName=AuthorizerName

And I configured basic authorization as below:

druid.auth.authorizers=["AuthorizerName"]
druid.auth.authorizer.AuthorizerName.type=basic
druid.auth.authorizer.AuthorizerName.initialAdminUser=username
druid.auth.authorizer.AuthorizerName.initialAdminRole=admin

When I start the services I see that the authentication is successful and I get a valid ticket, but then it can't get the user role mapping.

While testing, I was running the following request:

curl --negotiate -u : -H 'Content-Type: application/json' http://coodinatorHos:port/db/AuthorizerName/users

And got the following response:

Access-Check-Result: Allowed:false, Message:

And the logs (router) are showing the following:

2020-01-22T13:23:46,012 INFO [main] org.apache.druid.security.basic.authentication.db.cache.CoordinatorPollingBasicAuthenticatorCacheManager - Starting DefaultBasicAuthenticatorCacheManager.
2020-01-22T13:23:46,017 INFO [main] org.apache.druid.security.basic.authentication.db.cache.CoordinatorPollingBasicAuthenticatorCacheManager - Started DefaultBasicAuthenticatorCacheManager.
2020-01-22T13:23:46,017 INFO [main] org.apache.druid.java.util.common.lifecycle.Lifecycle$AnnotationBasedHandler - Invoking start method[public void org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager.start()] on object[org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager@45297e7].
2020-01-22T13:23:46,017 INFO [main] org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager - Starting CoordinatorPollingBasicAuthorizerCacheManager.
2020-01-22T13:23:46,136 INFO [NodeTypeWatcher[COORDINATOR]] org.apache.druid.curator.discovery.CuratorDruidNodeDiscoveryProvider$NodeTypeWatcher - Node[hostname:8081:DiscoveryDruidNode{druidNode=DruidNode{serviceName='druid/coordinator', host='hostname', bindOnHost=false, port=-1, plaintextPort=8081, enablePlaintextPort=true, tlsPort=-1, enableTlsPort=false}, nodeType='COORDINATOR', services={}}] appeared.
2020-01-22T13:23:46,136 INFO [NodeTypeWatcher[COORDINATOR]] org.apache.druid.curator.discovery.CuratorDruidNodeDiscoveryProvider$NodeTypeWatcher - Received INITIALIZED in node watcher.
2020-01-22T13:23:46,207 WARN [main] org.apache.hadoop.util.NativeCodeLoader - Unable to load native-hadoop library for your platform... using builtin-java classes where applicable
2020-01-22T13:23:46,263 INFO [main] org.apache.druid.security.kerberos.DruidKerberosUtil - trying to authenticate user [username@REALM.XX] with keytab [/etc/security/keytabs/username.keytab]
2020-01-22T13:23:46,444 INFO [main] org.apache.hadoop.security.UserGroupInformation - Login successful for user username@REALM.XX using keytab file /etc/security/keytabs/username.keytab
2020-01-22T13:23:46,840 WARN [main] org.apache.druid.java.util.common.RetryUtils - Retrying (1 of 9) in 1,229ms.
com.fasterxml.jackson.core.JsonParseException: Input does not start with Smile format header (first byte = 0x41) and parser has REQUIRE_HEADER enabled: can not parse
 at [Source: N/A; line: -1, column: -1]
2020-01-22T13:27:56,292 ERROR [main] org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager - Encountered exception while fetching user and role map for authorizer [AuthorizerName]: {class=org.apache.druid.security.basic.authorization.db.cache.CoordinatorPollingBasicAuthorizerCacheManager, exceptionType=class com.fasterxml.jackson.core.JsonParseException, exceptionMessage=Input does not start with Smile format header (first byte = 0x41) and parser has REQUIRE_HEADER enabled: can not parse
 at [Source: N/A; line: -1, column: -1]}

I'm pretty sure that I'm missing something in the configuration, but I went along with the docs and I cannot see anything obvious. Did anyone face this same issue?

I also checked in the database, and the entries in the druid_config table for the authorizer are created.

Paula
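An added diagnostic (not part of this thread or of Druid) that interprets the parse error in the log above: Jackson's Smile format begins with the bytes 0x3A 0x29 0x0A (":)\n"), which is what the router's CoordinatorPollingBasicAuthorizerCacheManager expects from the coordinator, whereas 0x41 is ASCII "A", the first byte of the plain-text "Access-Check-Result: Allowed:false" denial that the curl request received. The classifier below shows how to tell the two apart when inspecting the polled body; the function names and the constructed sample bodies are assumptions.

```python
# Added example, not Druid code: classify the body the coordinator returned to the
# router's authorizer cache poll, using the first bytes Jackson complained about.
SMILE_HEADER = b":)\n"  # Smile format: 0x3A 0x29 0x0A, followed by a version/flags byte
DENIAL_PREFIX = b"Access-Check-Result: Allowed:false"  # plain-text authorization denial


def classify_body(body: bytes) -> str:
    """Return 'smile', 'access-denied', 'empty' or 'other' for a polled response body."""
    if not body:
        return "empty"
    if body.startswith(SMILE_HEADER):
        return "smile"
    if body.startswith(DENIAL_PREFIX):
        return "access-denied"
    return "other"


def first_byte_matches_log(body: bytes, logged_first_byte: int) -> bool:
    """Check whether the body's first byte is the one the JsonParseException reported."""
    return bool(body) and body[0] == logged_first_byte


def explain(body: bytes) -> str:
    """Map the classification to the thing a defender should check next."""
    kind = classify_body(body)
    if kind == "smile":
        return "Smile-encoded user/role map received; the internal client is authorized"
    if kind == "access-denied":
        # A denial body means the coordinator authenticated the escalated internal client
        # (druid.escalator.internalClientPrincipal) but the authorizer named in
        # druid.escalator.authorizerName did not grant it access to the user/role map.
        return "coordinator denied the internal client; check its role mapping in the authorizer"
    if kind == "empty":
        return "empty body; check that the coordinator endpoint is reachable"
    return "unexpected body (first byte 0x%02x); inspect the raw response" % body[0]


if __name__ == "__main__":
    # Constructed sample: the denial text from the thread, whose first byte is 0x41 ('A').
    sample = b"Access-Check-Result: Allowed:false, Message:"
    print(classify_body(sample), first_byte_matches_log(sample, 0x41))
    print(explain(sample))
```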

Hi,

Not sure about the exact reason, but I feel this error is while authorizing the user in the internal communication.

Can you cross-check whether the druid.escalator properties are correct?

I have the escalator properties for Kerberos, and I followed the steps in the documentation.
Should this be defined for the basic authorizer instead?

Hi Paula,
Sorry for the delay in replying to this. Could you please send me the complete config? I will try to reproduce it in my setup.

Thanks

Tijo Thomas

Hi Paula,

Please also send the relevant part of the logs from the coordinator as well. You will see the failure reason from the coordinator also.

Thanks & Regards

Hi,
I don't have the logs anymore because I tore the cluster down and rebuilt it again. But the configuration was the same as the one I posted above.

But my tests with the Kerberos authenticator and basic authorizer were not successful. If you have any hints to give me regarding this, it would be very appreciated.

I cannot find any examples that reproduce this scenario.

Thanks

Paula