Kerberos in Druid

Hi All,

I am currently working on enabling Kerberos authentication for the single-node Druid (0.16.0 version).

Questions.

  1. Is my understanding correct that Kerberos does only authentication, and not authorization?

  2. If I need to use an authorizer to help with role-based access, should I be using an authorizer with type basic? Are there any other options?

  3. To use an authorizer of type basic, should I implement basic authentication too? Or can I create the authorization user the same as the Kerberos principal?

Thanks

Soumya

I’m also interested in the answers for these questions.
Paula

Hi Soumya,

In my opinion:

  1. Yes: Kerberos is only for authentication and not for authorization.

  2. Yes: You can use the “basic” authorizer. Another option could be writing your own custom auth extension and using that.
    https://druid.apache.org/docs/latest/development/modules.html

  3. No. If you are interested in Kerberos authentication, implementing the basic authentication is not required. The user name in the authorizer has to match the full principal string in your basic authorizer setup.

Thanks and Regards,

Vaibhav

Hi Vaibhav,
Thanks for your reply.

What do you mean by
“The user name in the authorizer has to match the full principal string in your basic authorizer setup.”

Is there a configuration to define the username? I didn’t find anything related to that.

My definitions are like this:

druid.auth.authenticatorChain=["KerberosAuthenticator"]

druid.auth.authenticator.KerberosAuthenticator.type=kerberos

druid.auth.authenticator.KerberosAuthenticator.serverPrincipal=HTTP/_HOST@REALM

druid.auth.authenticator.KerberosAuthenticator.serverKeytab=PATH_TO-KEYTAB

druid.auth.authenticator.KerberosAuthenticator.authorizerName=AllowAllAuthorizer

druid.auth.authorizers=["AllowAllAuthorizer"]

druid.auth.authorizer.AllowAllAuthorizer.type=allowAll

Is there any extra config that I should be considering?

Thanks

Paula

Hi Paula,

You are using the default authorizer “allowall” and it should work.

I was talking about the “basic” authorizer provided by the “druid-basic-security” extension.

Please refer to the links below for more information:
https://druid.apache.org/docs/latest/design/auth.html#authorizers
https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html#creating-an-authorizer

Thanks and Regards,

Vaibhav

Hi Vaibhav,
Thanks.

Once I enable the Kerberos authenticator with the default authorizer, the Druid Console shows a lot of 403 Unauthorized errors in the panels.

I tried to look into the logs and couldn’t find anything that would give me a hint of what was happening.

When opening the browser console I see the following error (which is also logged in the router logs):

Failed to load resource: the server responded with a status of 403 (org.apache.hadoop.security.authentication.util.SignerException: Invalid signed text:)

Do you have any idea what might be missing in the config?

The authentication with the principal works fine, the authorisation part is the one that is failing.

Best

Paula

It seems that your browser is not configured to perform Kerberos authentication. You can check the link below to verify and configure the browser:

http://woshub.com/enable-kerberos-authentication-in-browser/

Thanks and Regards,

Vaibhav

I’m using Safari. The documentation mentions that Safari doesn’t need any settings updated to work with a secured environment.
https://druid.apache.org/docs/latest/development/extensions-core/druid-kerberos.html

Accessing Coordinator or Overlord console from web browser

To access Coordinator/Overlord console from browser you will need to configure your browser for SPNego authentication as follows -

  1. Safari - No configurations required.

I will test in Chrome with the security settings and see how it goes.

Thanks

Paula