From e74bd89bab690dacf538c49cd8093e0e5075b3e5 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Thu, 20 Oct 2022 15:28:05 +0100 Subject: [PATCH 1/9] Update LDAP configuration docs --- .../extensions-core/druid-basic-security.md | 420 ++++++++++++++---- docs/operations/auth-ldap.md | 290 ++++++++---- docs/operations/security-overview.md | 75 +--- 3 files changed, 534 insertions(+), 251 deletions(-) diff --git a/docs/development/extensions-core/druid-basic-security.md b/docs/development/extensions-core/druid-basic-security.md index b6698b4f153d..565059cd2fe7 100644 --- a/docs/development/extensions-core/druid-basic-security.md +++ b/docs/development/extensions-core/druid-basic-security.md 
@@ -53,12 +53,29 @@ To set the value for the configuration properties, add them to the common runtim ### General properties -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.auth.basic.common.pollingPeriod`|Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.|60000|No| -|`druid.auth.basic.common.maxRandomDelay`|Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.|6000|No| -|`druid.auth.basic.common.maxSyncRetries`|Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.|10|No| -|`druid.auth.basic.common.cacheDirectory`|If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.|null|No| +**`druid.auth.basic.common.pollingPeriod`** + +Defines in milliseconds how often processes should poll the Coordinator for the current Druid metadata store authenticator/authorizer state.
+         **Required**: No
+         **Default**: 60000 + +**`druid.auth.basic.common.maxRandomDelay`** + +Defines in milliseconds the amount of random delay to add to the pollingPeriod, to spread polling requests across time.
+         **Required**: No
+         **Default**: 6000 + +**`druid.auth.basic.common.maxSyncRetries`** + +Determines how many times a service will retry if the authentication/authorization Druid metadata store state sync with the Coordinator fails.
+         **Required**: No
+         **Default**: 10 + +**`druid.auth.basic.common.cacheDirectory`** + +If defined, snapshots of the basic Authenticator and Authorizer Druid metadata store caches will be stored on disk in this directory. If this property is defined, when a service is starting, it will attempt to initialize its caches from these on-disk snapshots, if the service is unable to initialize its state by communicating with the Coordinator.
+         **Required**: No
+         **Default**: null ### Authenticator 
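Review bot: the `**Required**` / `**Default**` lines in this hunk, and in every property block the rest of the patch adds, will not render on their own lines. A non-blank line that directly follows a paragraph is a lazy continuation in Markdown and its leading spaces are stripped, so `Defines in milliseconds how often ... state. **Required**: No **Default**: 60000` comes out as one run-on paragraph. Either end each description with a blank line and make the two attributes a bullet list, or give each line the two trailing spaces that the `GET(...)` lines later in this patch rely on. Separately, the `cacheDirectory` description should say what these snapshots contain: they are a copy of the authenticator's user and credential state and the authorizer's role and permission state, so the directory needs the same filesystem restrictions as the metadata store itself; as written the text only says it is used to bootstrap when the Coordinator is unreachable.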
@@ -96,16 +113,55 @@ The remaining examples of authenticator configuration use either `MyBasicMetadat #### Properties for Druid metadata store user authentication -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`|Number of iterations to use for password hashing. 
See [Credential iterations and API performance](#credential-iterations-and-api-performance)|10000|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`|The type of credentials store (metadata) to validate requests credentials.|metadata|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No| -|`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`|Authorizer that requests should be directed to|N/A|Yes| + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword`** + +Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.
+         **Required**: No
+         **Default**: null + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword`** + +Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.
+         **Required**: No
+         **Default**: null + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.enableCacheNotifications`** + +If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.
+         **Required**: No
+         **Default**: True + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.cacheNotificationTimeout`** + +The timeout in milliseconds for the cache notifications.
+         **Required**: No
+         **Default**: 5000 + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations`** + +Number of iterations to use for password hashing. See [Credential iterations and API performance](#credential-iterations-and-api-performance)
+         **Required**: No
+         **Default**: 10000 + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type`** + +The type of credentials store (metadata) to validate requests credentials.
+         **Required**: No
+         **Default**: metadata + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure`** + +If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.
+         **Required**: No
+         **Default**: false + +**`druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName`** + +Authorizer that requests should be directed to.
+         **Required**: Yes
+         **Default**: N/A + ##### Credential iterations and API performance 
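Review bot: `enableCacheNotifications` in this hunk shows `**Default**: True` while the table being replaced, and the same property on `MyBasicLDAPAuthenticator` later in the patch, use `true`; pick `true` everywhere so readers copying values see one form. Two wording slips carried over from the table should be fixed while the text is being rewritten: `If true and the request credential doesn't exists` should read `doesn't exist`, and the `credentialIterations` description lost its closing period after the link. The `skipOnFailure` entry would also benefit from one sentence on what `false` does (the request is rejected instead of being handed to the next Authenticator), since that is the reason it is the default.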
@@ -121,25 +177,107 @@ If Druid uses the default credentials validator (i.e., `credentialsValidator.typ #### Properties for LDAP user authentication -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`|Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. If the default admin user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`|Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.|null|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`|Number of iterations to use for password hashing.|10000|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`|The type of credentials store (ldap) to validate requests credentials.|metadata|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`|URL of the LDAP server.|null|Yes| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`|LDAP bind user username.|null|Yes| 
-|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`|[Password Provider](../../operations/password-provider.md) LDAP bind user password.|null|Yes| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`|The point from where the LDAP server will search for users.|null|Yes| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`|The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))|null|Yes| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`|The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName. |null|Yes| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`|The duration in seconds for how long valid credentials are verifiable within the cache when not requested.|600|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`|The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.|3600|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`|The valid credentials cache size. The cache uses a LRU policy.|100|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`|If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.|false|No| -|`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`|Authorizer that requests should be directed to.|N/A|Yes| +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialAdminPassword`** + +Initial [Password Provider](../../operations/password-provider.md) for the automatically created default admin user. If no password is specified, the default admin user will not be created. 
If the default admin user already exists, setting this property will not affect its password.
+         **Required**: No
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.initialInternalClientPassword`** + +Initial [Password Provider](../../operations/password-provider.md) for the default internal system user, used for internal process communication. If no password is specified, the default internal system user will not be created. If the default internal system user already exists, setting this property will not affect its password.
+         **Required**: No
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.enableCacheNotifications`** + +If true, the Coordinator will notify Druid processes whenever a configuration change to this Authenticator occurs, allowing them to immediately update their state without waiting for polling.
+         **Required**: No
+         **Default**: true + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.cacheNotificationTimeout`** + +The timeout in milliseconds for the cache notifications.
+         **Required**: No
+         **Default**: 5000 + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialIterations`** + +Number of iterations to use for password hashing.
+         **Required**: No
+         **Default**: 10000 + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.type`** + +The type of credentials store (ldap) to validate requests credentials.
+         **Required**: No
+         **Default**: metadata + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.url`** + +URL of the LDAP server.
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindUser`** + +LDAP bind user username.
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.bindPassword`** + +[Password Provider](../../operations/password-provider.md) LDAP bind user password.
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.baseDn`** + +The point from where the LDAP server will search for users.
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userSearch`** + +The filter/expression to use for the search. For example, (&(sAMAccountName=%s)(objectClass=user))
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.userAttribute`** + +The attribute id identifying the attribute that will be returned as part of the search. For example, sAMAccountName.
+         **Required**: Yes
+         **Default**: null + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialVerifyDuration`** + +The duration in seconds for how long valid credentials are verifiable within the cache when not requested.
+         **Required**: No
+         **Default**: 600 + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialMaxDuration`** + +The max duration in seconds for valid credentials that can reside in cache regardless of how often they are requested.
+         **Required**: No
+         **Default**: 3600 + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.credentialsValidator.credentialCacheSize`** + +The valid credentials cache size. The cache uses a LRU policy.
+         **Required**: No
+         **Default**: 100 + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.skipOnFailure`** + +If true and the request credential doesn't exists or isn't fully configured in the credentials store, the request will proceed to next Authenticator in the chain.
+         **Required**: No
+         **Default**: false + +**`druid.auth.authenticator.MyBasicLDAPAuthenticator.authorizerName`** + +Authorizer that requests should be directed to.
+         **Required**: Yes
+         **Default**: N/A ### Escalator @@ -155,11 +293,24 @@ druid.escalator.authorizerName=MyBasicMetadataAuthorizer ``` #### Properties -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.escalator.internalClientUsername`|The escalator will use this username for requests made as the internal system user.|n/a|Yes| -|`druid.escalator.internalClientPassword`|The escalator will use this [Password Provider](../../operations/password-provider.md) for requests made as the internal system user.|n/a|Yes| -|`druid.escalator.authorizerName`|Authorizer that requests should be directed to.|n/a|Yes| + +**`druid.escalator.internalClientUsername`** + +The escalator will use this username for requests made as the internal system user.
+         **Required**: Yes
+         **Default**: N/A + +**`druid.escalator.internalClientPassword`** + +The escalator will use this [Password Provider](../../operations/password-provider.md) for requests made as the internal system user.
+         **Required**: Yes
+         **Default**: N/A + +**`druid.escalator.authorizerName`** + +Authorizer that requests should be directed to.
+         **Required**: Yes
+         **Default**: N/A ### Authorizer @@ -182,24 +333,131 @@ druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic The examples in the rest of this article use `MyBasicMetadataAuthorizer` or `MyBasicLDAPAuthorizer` as the authorizer name. #### Properties for Druid metadata store user authorization -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| -|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No| -|`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No| -|`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`|The type of role provider to authorize requests credentials.|metadata|No + +**`druid.auth.authorizer.MyBasicMetadataAuthorizer.enableCacheNotifications`** + +If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.
+         **Required**: No
+         **Default**: true + +**`druid.auth.authorizer.MyBasicMetadataAuthorizer.cacheNotificationTimeout`** + +The timeout in milliseconds for the cache notifications.
+         **Required**: No
+         **Default**: 5000 + +**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminUser`** + +The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.
+         **Required**: No
+         **Default**: admin + +**`druid.auth.authorizer.MyBasicMetadataAuthorizer.initialAdminRole`** + +The initial admin role to create if it doesn't already exists.
+         **Required**: No
+         **Default**: admin + +**`druid.auth.authorizer.MyBasicMetadataAuthorizer.roleProvider.type`** + +The type of role provider to authorize requests credentials.
+         **Required**: No
+         **Default**: metadata #### Properties for LDAP user authorization -|Property|Description|Default|required| -|--------|-----------|-------|--------| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`|If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.|true|No| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`|The timeout in milliseconds for the cache notifications.|5000|No| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`|The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.|admin|No| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`|The initial admin role to create if it doesn't already exists.|admin|No| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`|The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping|null|No| -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`|The type of role provider (ldap) to authorize requests credentials.|metadata|No -|`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`|Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.|null|No| + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.enableCacheNotifications`** + +If true, the Coordinator will notify Druid processes whenever a configuration change to this Authorizer occurs, allowing them to immediately update their state without waiting for polling.
+         **Required**: No
+         **Default**: true + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.cacheNotificationTimeout`** + +The timeout in milliseconds for the cache notifications.
+         **Required**: No
+         **Default**: 5000 + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminUser`** + +The initial admin user with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned.
+         **Required**: No
+         **Default**: admin + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminRole`** + +The initial admin role to create if it doesn't already exists.
+         **Required**: No
+         **Default**: admin + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.initialAdminGroupMapping`** + +The initial admin group mapping with role defined in initialAdminRole property if specified, otherwise the default admin role will be assigned. The name of this initial admin group mapping will be set to adminGroupMapping
+         **Required**: No
+         **Default**: null + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.type`** + +The type of role provider (ldap) to authorize requests credentials.
+         **Required**: No
+         **Default**: metadata + +**`druid.auth.authorizer.MyBasicLDAPAuthorizer.roleProvider.groupFilters`** + +Array of LDAP group filters used to filter out the allowed set of groups returned from LDAP search. Filters can be begin with *, or end with ,* to provide configurational flexibility to limit or filter allowed set of groups available to LDAP Authorizer.
+         **Required**: No
+         **Default**: null + +#### Properties for LDAPS + +Use the following properties to configure Druid authentication with LDAP over TLS (LDAPS). See [Configure LDAP authentication](../../operations/auth-ldap.md) for more information. + +**`druid.auth.basic.ssl.protocol`** + +SSL protocol to use. The TLS version is 1.2.
+         **Required**: Yes
+         **Default**: tls + +**`druid.auth.basic.ssl.trustStorePath`** + +Path to the trust store file.
+         **Required**: Yes
+         **Default**: N/A + +**`druid.auth.basic.ssl.trustStorePassword`** + +Password to access the trust store file.
+         **Required**: Yes
+         **Default**: N/A + +**`druid.auth.basic.ssl.trustStoreType`** + +Format of the trust store file. For Java the format is jks.
+         **Required**: No
+         **Default**: jks + +**`druid.auth.basic.ssl.trustStoreAlgorithm`** + +Algorithm used by the trust manager to validate certificate chains.
+         **Required**: No
+         **Default**: N/A + +**`druid.auth.basic.ssl.trustStorePasswordProvider`** + +[Password provider](./operations/password-provider.md) that enables access to the trust store.
+         **Required**: No
+         **Default**: N/A + +Example LDAPS configuration: + +```json +druid.auth.basic.ssl.protocol=tls +druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks +druid.auth.basic.ssl.trustStorePassword=xxxxx +druid.auth.basic.ssl.trustStoreType=jks +druid.auth.basic.ssl.trustStoreAlgorithm=PKIX +druid.auth.basic.ssl.trustStorePasswordProvider=myPasswordProvider +``` ## Usage @@ -213,19 +471,19 @@ Root path: `/druid-ext/basic-security/authentication` Each API endpoint includes {authenticatorName}, specifying which Authenticator instance is being configured. ##### User/Credential Management -`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)` +`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users)`
Return a list of all user names. -`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})` +`GET(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
Return the name and credentials information of the user with name {userName} -`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})` +`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
Create a new user with name {userName} -`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})` +`DELETE(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName})`
Delete the user with name {userName} -`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)` +`POST(/druid-ext/basic-security/authentication/db/{authenticatorName}/users/{userName}/credentials)`
Assign a password used for HTTP basic authentication for {userName} Content: JSON password request object @@ -238,20 +496,20 @@ Example request body: ``` ##### Cache Load Status -`GET(/druid-ext/basic-security/authentication/loadStatus)` +`GET(/druid-ext/basic-security/authentication/loadStatus)`
Return the current load status of the local caches of the authentication Druid metadata store. #### Authorization API -Root path: `/druid-ext/basic-security/authorization` +Root path: `/druid-ext/basic-security/authorization`
Each API endpoint includes {authorizerName}, specifying which Authorizer instance is being configured. ##### User Creation/Deletion -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users)`
Return a list of all user names. -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
Return the name and role information of the user with name {userName} Example output: @@ -338,20 +596,20 @@ The `resourceNamePattern` is a compiled version of the resource name regex. It i } ``` -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
Create a new user with name {userName} -`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})` +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName})`
Delete the user with name {userName} ##### Group mapping Creation/Deletion -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings)`
Return a list of all group mappings. -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
Return the group mapping and role information of the group mapping with name {groupMappingName} -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
Create a new group mapping with name {groupMappingName} Content: JSON group mapping object Example request body: @@ -366,14 +624,14 @@ Example request body: } ``` -`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})` +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName})`
Delete the group mapping with name {groupMappingName} #### Role Creation/Deletion -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles)`
Return a list of all role names. -`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})` +`GET(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
Return name and permissions for the role named {roleName}. Example output: @@ -427,30 +685,30 @@ Example output: ``` -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
Create a new role with name {roleName}. Content: username string -`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})` +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})`
Delete the role with name {roleName}. #### Role Assignment -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
Assign role {roleName} to user {userName}. -`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})` +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/users/{userName}/roles/{roleName})`
Unassign role {roleName} from user {userName} -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
Assign role {roleName} to group mapping {groupMappingName}. -`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})` +`DELETE(/druid-ext/basic-security/authorization/db/{authorizerName}/groupMappings/{groupMappingName}/roles/{roleName})`
Unassign role {roleName} from group mapping {groupMappingName} #### Permissions -`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)` +`POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName}/permissions)`
Set the permissions of {roleName}. This replaces the previous set of permissions on the role. Content: List of JSON Resource-Action objects, e.g.: @@ -479,5 +737,5 @@ The "name" field for resources in the permission definitions are regexes used to Please see [Defining permissions](../../operations/security-user-auth.md#defining-permissions) for more details. ##### Cache Load Status -`GET(/druid-ext/basic-security/authorization/loadStatus)` +`GET(/druid-ext/basic-security/authorization/loadStatus)`
Return the current load status of the local caches of the authorization Druid metadata store. diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index b9603a0c38fd..bb4ae15253eb 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md 
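Review bot: in the `@@ -121,25 +177,107 @@` hunk, `credentialsValidator.type` for `MyBasicLDAPAuthenticator` is listed as `**Required**: No` with `**Default**: metadata`, while the description says the type is `(ldap)`. With the default left in place the authenticator validates against the Druid metadata store and none of the LDAP properties below it take effect; either mark the property required for the LDAP case or state plainly that it must be set to `ldap` and that `metadata` is only the default of the underlying property. The credential cache properties also deserve a one-line caveat: per `credentialMaxDuration`, a password verified against LDAP stays valid in Druid for up to 3600 seconds, so disabling an account or changing its password in the directory is not enforced by Druid until the cache entry expires, and operators who need faster revocation should lower that value (and `credentialVerifyDuration`). Finally, `bindUser` / `bindPassword` should say that the bind account only needs read and search access under `baseDn` for the `userSearch` filter; nothing here steers readers away from using a privileged directory account.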
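Review bot: in the `@@ -155,11 +293,24 @@` hunk, `druid.escalator.internalClientUsername` and `internalClientPassword` should cross-reference `initialInternalClientPassword` on the authenticator: the escalator makes its requests as the internal system user that property creates, so the two passwords must agree, and the current text gives the reader no link between them. Minor: the defaults changed from `n/a` to `N/A`, which is fine, but the same casing should then be used in every block on the page.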
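Review bot: the new `Properties for LDAPS` block in the `@@ -182,24 +333,131 @@` hunk has several problems a reader will trip on. `druid.auth.basic.ssl.protocol` is marked `**Required**: Yes` yet carries `**Default**: tls`, and `SSL protocol to use. The TLS version is 1.2.` does not say whether `tls` is the only accepted value or whether 1.2 is a minimum; say which. The example sets both `druid.auth.basic.ssl.trustStorePassword=xxxxx` and `druid.auth.basic.ssl.trustStorePasswordProvider=myPasswordProvider`; if these are alternatives, the example should show one or the other and `trustStorePassword` should not be listed as required, because printing a literal password beside a password provider undercuts the reason the provider exists; if both are genuinely needed, the text should explain why. The link in `trustStorePasswordProvider` is `./operations/password-provider.md`, which does not resolve from `docs/development/extensions-core/`; every other link in this file uses `../../operations/password-provider.md`. The example fence is tagged `json` but the content is a properties file. Same gap as on the LDAP authenticator: `roleProvider.type` on `MyBasicLDAPAuthorizer` says `(ldap)` but shows `**Default**: metadata` and not required; state that it must be set to `ldap`. Typo in `groupFilters`: `Filters can be begin with`.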
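Review bot: the `@@ -213,19 +471,19 @@` hunk and the six API hunks after it fix the endpoint/description line breaks by appending two trailing spaces to each `` `GET(...)` `` and `` `POST(...)` `` line. That works, but trailing whitespace is invisible in review and is exactly what many editors strip on save; a blank line after each endpoint, or an explicit `<br>`, would be more robust. While these lines are being touched, the description `Create a new role with name {roleName}. Content: username string` under `` `POST(/druid-ext/basic-security/authorization/db/{authorizerName}/roles/{roleName})` `` cannot be right for a role-creation call and should be checked against the API.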
@@ -1,6 +1,7 @@ --- id: auth-ldap -title: "LDAP auth" +title: "Configure LDAP authentication" +sidebar_label: "LDAP auth" --- +You can use [Lightweight Directory Access Protocol (LDAP)](https://en.wikipedia.org/wiki/Lightweight_Directory_Access_Protocol) to secure access to Apache Druid. This topic describes how to set up Druid authentication and authorization with LDAP and LDAP over TLS (LDAPS). The examples on this page show the configuration for an Active Directory LDAP system. -This page describes how to set up Druid user authentication and authorization through LDAP. The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to roles and assign permissions to roles. +The first step is to enable LDAP authentication and authorization for Druid. You then map an LDAP group to Druid roles and assign permissions to those roles. After you've completed this configuration you can optionally choose to enable LDAPS to make LDAP traffic confidential and secure. -## Enable LDAP in Druid +## Prerequisites -Before starting, verify that the active directory is reachable from the Druid Master servers. Command line tools such as `ldapsearch` and `ldapwhoami`, which are included with OpenLDAP, are useful for this testing.  +Before you start to configure LDAP for Druid, test your LDAP connection and perform a sample search. -### Check the connection +### Check your LDAP connection -First test that the basic connection and user credential works. For example, given a user `uuser1@example.com`, try: +Verify that your LDAP connection is working by testing it with user credentials. For example, the following command tests the connection for the user `myuser@example.com`. Insert your LDAP server IP address and substitute `389` for the port number of your LDAP instance, if different. 
```bash -ldapwhoami -vv -H ldap://:389  -D"uuser1@example.com" -W +ldapwhoami -vv -H ldap://ip_address:389 -D "myuser@example.com" -W ``` -Enter the password associated with the user when prompted and verify that the command succeeded. If it didn't, try the following troubleshooting steps: +Enter the password for the user when prompted and verify that the command succeeded. If it failed, check the following: -* Verify that you've used the correct port for your LDAP instance. By default, the LDAP port is 389, but double-check with your LDAP admin if unable to connect. -* Check whether a network firewall is not preventing connections to the LDAP port. -* Check whether LDAP clients need to be specifically whitelisted at the LDAP server to be able to reach it. If so, add the Druid Coordinator server to the AD whitelist. +- Make sure you're using the correct port for your LDAP instance. +- Check whether a network firewall is preventing connections to the LDAP port. +- Review your LDAP implementation details to see whether you need to specifically whitelist LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the whitelist. +### Test your LDAP search -### Check the search criteria +Once your LDAP connection is working, search for a user. For example, the following command searches for the user myuser in an Active Directory system. The `sAMAccountName` attribute is specific to Active Directory and contains the authenticated user identity: -After verifying basic connectivity, check your search criteria. For example, the command for searching for user `uuser1@example.com ` is as follows: +```bash +ldapsearch -x -W -H ldap://ip_address:389 -D "cn=admin,dc=example,dc=com" -b "dc=example,dc=com" "(sAMAccountName=myuser)" + +``` + +The `memberOf` attribute in the results shows the groups the user belongs to. 
For example, the following response shows that the user is a member of the `group1` group: ```bash -ldapsearch -x -W -H ldap://  -D"uuser1@example.com" -b "dc=example,dc=com" "(sAMAccountName=uuser1)" +memberOf: cn=group1,ou=groups,dc=example,dc=com ``` -Note the `memberOf` attribute in the results; it shows the groups that the user belongs to. You will use this value to map the LDAP group to the Druid roles later. This attribute may be implemented differently on different types of LDAP servers. For instance, some LDAP servers may support recursive groupings, and some may not. Some LDAP server implementations may not have any object classes that contain this attribute altogether. If your LDAP server does not use the `memberOf` attribute, then Druid will not be able to determine a user's group membership using LDAP. The sAMAccountName attribute used in this example contains the authenticated user identity. This is an attribute of an object class specific to Microsoft Active Directory. The object classes and attribute used in your LDAP server may be different. +You use this information to map the LDAP group to Druid roles in a later step. + +> Druid uses the `memberOf` attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you [map LDAP groups to Druid roles](). -## Configure Druid user authentication with LDAP/Active Directory  +## Configure Druid for LDAP authentication -1. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. See [Security Overview](security-overview.md) for details. -2. As a best practice, create a user in LDAP to be used for internal communication with Druid. -3. 
In `common.runtime.properties`, update LDAP-related properties, as shown in the following listing:  - ``` - druid.auth.authenticatorChain=["ldap"] - druid.auth.authenticator.ldap.type=basic - druid.auth.authenticator.ldap.enableCacheNotifications=true - druid.auth.authenticator.ldap.credentialsValidator.type=ldap - druid.auth.authenticator.ldap.credentialsValidator.url=ldap://: - druid.auth.authenticator.ldap.credentialsValidator.bindUser= - druid.auth.authenticator.ldap.credentialsValidator.bindPassword= - druid.auth.authenticator.ldap.credentialsValidator.baseDn= - druid.auth.authenticator.ldap.credentialsValidator.userSearch= - druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName - druid.auth.authenticator.ldap.authorizerName=ldapauth - druid.escalator.type=basic - druid.escalator.internalClientUsername= - druid.escalator.internalClientPassword=Welcome123 - druid.escalator.authorizerName=ldapauth - druid.auth.authorizers=["ldapauth"] - druid.auth.authorizer.ldapauth.type=basic - druid.auth.authorizer.ldapauth.initialAdminUser=AD user who acts as the initial admin user, e.g.: internal@example.com> - druid.auth.authorizer.ldapauth.initialAdminRole=admin - druid.auth.authorizer.ldapauth.roleProvider.type=ldap +To configure Druid to use LDAP authentication, follow these steps. See [Configuration reference](../configuration/index.md) for the location of the configuration files. + +1. Create a user in your LDAP system that you'll use for internal communication with Druid. See [Security overview](./security-overview.md) for more information. +In the example below, the LDAP user is `internal@example.com`. + +2. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. + +3. In the `common.runtime.properties` file, add the following lines for LDAP properties and substitute the values for your own. 
See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication) for details about these properties. + ``` + druid.auth.authenticatorChain=["ldap"] + druid.auth.authenticator.ldap.type=basic + druid.auth.authenticator.ldap.enableCacheNotifications=true + druid.auth.authenticator.ldap.credentialsValidator.type=ldap + druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ip_address:port + druid.auth.authenticator.ldap.credentialsValidator.bindUser=administrator@example.com + druid.auth.authenticator.ldap.credentialsValidator.bindPassword=adminpassword + druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com + druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user)) + druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName + druid.auth.authenticator.ldap.authorizerName=ldapauth + druid.escalator.type=basic + druid.escalator.internalClientUsername=internal@example.com + druid.escalator.internalClientPassword=internaluserpassword + druid.escalator.authorizerName=ldapauth + druid.auth.authorizers=["ldapauth"] + druid.auth.authorizer.ldapauth.type=basic + druid.auth.authorizer.ldapauth.initialAdminUser=internal@example.com + druid.auth.authorizer.ldapauth.initialAdminRole=admin + druid.auth.authorizer.ldapauth.roleProvider.type=ldap + ``` + Note the following: - Notice that the LDAP user created in the previous step, `internal@example.com`, serves as the internal client user and the initial admin user. + - `bindUser`: A user for connecting to LDAP. + - `userSearch`: Your LDAP search syntax. + - `userAttribute`: The user search attribute. + - `internal@example.com` is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user. 
-## Use LDAP groups to assign roles + > In the above example, the [Druid escalator](../development/extensions-core/druid-basic-security.md#escalator) and LDAP initial admin user are set to the same user - internal@example.com. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function. -You can map LDAP groups to a role in Druid. Members in the group get access to the permissions of the corresponding role.  +4. Save your group mapping to a JSON file. An example file `groupmap.json` looks like this: + + ``` + { + "name": "group1map", + "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "roles": [ + "readRole" + ] + } + ``` + In the example, the LDAP group `group1` maps to Druid role `readRole` and the name of the mapping is `group1map`. +5. Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in `groupmap.json` for the LDAP group `group1`: + + ``` + curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map + ``` +6. Check that the group mapping was created successfully. The following example request lists all group mappings: + + ``` + curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings + ``` -### Step 1: Create a role +## Map LDAP groups to Druid roles -First create the role in Druid using the Druid REST API. +Once you've completed the initial setup and mapping, you can map more LDAP groups to Druid roles. Members of an LDAP group get access to the permissions of the corresponding Druid role. -Creating a role involves submitting a POST request to the Coordinator process.  
+### Step 1: Create a Druid role -The following REST APIs to create the role to read access for datasource, config, state. +To create a Druid role, you submit a POST request to the Coordinator process using the Druid REST API. -> As mentioned, the REST API calls need to address the Coordinator node. The examples used below use localhost as the Coordinator host and 8081 as the port. Adjust these settings according to your deployment. +The examples below use `localhost` as the Coordinator host and `8081` as the port. Amend these properties according to the details of your deployment. -Call the following API to create role `readRole` .  +Example request to create a role named `readRole`: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole ``` -Check that the role has been created successfully by entering the following: +Check that the role was created successfully. The following example request lists all roles: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X GET  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles ``` +### Step 2: Add permissions to the Druid role -### Step 2: Add permissions to a role  - -You can now add one or more permission to the role. The following example adds read-only access to a `wikipedia` data source.   +Once you have a Druid role you can add permissions to it. The following example adds read-only access to a `wikipedia` data source. 
Given the following JSON in a file named `perm.json`: ``` -[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" } -,{ "resource": { "name": ".*", "type": "STATE" }, "action": "READ" }, -{ "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"}] -``` - -The following command associates the permissions in the JSON file with the role - -``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d@perm.json  http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions +[ + { "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }, + { "resource": { "name": ".*", "type": "STATE" }, "action": "READ" }, + { "resource": {"name": ".*", "type": "CONFIG"}, "action": "READ"} +] ``` -Note that the STATE and CONFIG permissions in `perm.json` are needed to see the data source in the web console. If only querying permissions are needed, the READ action is sufficient: +The following request associates the permissions in the JSON file with the `readRole` role: ``` -[{ "resource": { "name": "wikipedia", "type": "DATASOURCE" }, "action": "READ" }] +curl -i -v -H "Content-Type: application/json" -u internal -X POST -d@perm.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole/permissions ``` -You can also provide the name in the form of regular expression. For example, to give access to all data sources starting with `wiki`, specify the name as  `{ "name": "wiki.*", .....`. +Druid users need the `STATE` and `CONFIG` permissions to view the data source in the Druid console. If you only want to assign querying permissions you can apply just the `READ` permission with the first line in the `perm.json` file. +You can also provide the data source name in the form of a regular expression. For example, to give access to all data sources starting with `wiki`, you would specify the data source name as `{ "name": "wiki.*" }` . 
-### Step 3: Create group Mapping  +### Step 3: Create the group mapping -The following shows an example of a group to role mapping. It assumes that a group named `group1` exists in the directory. Also assuming the following role mapping in a file named `groupmap.json`: +You can now map an LDAP group to the Druid role. The following example request creates a mapping with name `group1map`. It assumes that a group named `group1` exists in the directory. ``` { -    "name": "group1map", -    "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", -    "roles": [ -        "readRole" -    ] + "name": "group1map", + "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "roles": [ + "readRole" + ] } ``` -You can configure the mapping as follows: +The following example request configures the mapping—the role mapping is in the file `groupmap.json`. See [Configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) for the contents of an example file. ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map ``` -To check whether the group mapping was created successfully, run the following command: +To check whether the group mapping was created successfully, the following request lists all group mappings: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings ``` -To check the details of a specific group mapping, use the following: +The following example request returns the details of the 
`group1map` group: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map ``` -To add additional roles to the group mapping, use the following API: +The following example request adds the role `queryRole` to the `group1map` mapping: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/  +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/queryrole ``` -In the next two steps you will be creating a user, and assigning previously created roles to it. These steps are only needed in the following cases: - - - Your LDAP server does not support the `memberOf` attribute, or - - You want to configure a user with additional roles that are not mapped to the group(s) that the user is a member of - - If this is not the case for your scenario, you can skip these steps. +### Step 4: Add an LDAP user to Druid and assign a role -### Step 4. Create a user +You only need to complete this step if: +- Your LDAP server doesn't support the `memberOf` attribute, or +- You want to configure a user with additional Druid roles that are not mapped to the LDAP groups that the user belongs to. -Once LDAP is enabled, only user passwords are verified with LDAP. 
You add the LDAP user to Druid as follows:  +Example request to add the LDAP user `myuser` to Druid: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/  +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser ``` -### Step 5. Assign the role to the user - -The following command shows how to assign a role to a user: +Example request to assign the `myuser` user to the `queryRole` role: ``` -curl -i -v  -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users//roles/  +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/myuser/roles/queryRole ``` -For more information about security and the basic security extension, see [Security Overview](security-overview.md). +## Enable LDAP over TLS (LDAPS) + +Once you've configured LDAP authentication in Druid, you can optionally make LDAP traffic confidential and secure by using Transport Layer Security (TLS)—previously Secure Socket Layer(SSL)—technology. + +## Prerequisites + +Before you start to set up LDAPS in Druid: + +- You must [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication). +- You need a CA certificate for your LDAP server. +- You need a self-signed certificate, or an Active Directory(AD) certificate if you configured LDAP using AD. + +## Configure Druid for LDAPS + +Complete the following steps to set up LDAP for Druid. See [Configuration reference](../configuration/index.md) for the location of the configuration files. + +1. Import the CA certificate for your LDAP server into the location saved as your `druid.client.https.trustStorePath` in your `common.runtime.properties` file. 
+ + ``` + keytool -import -trustcacerts -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer + ``` + + Replace `path/to/cacerts` with the path to your trust store, `truststorepassword` with your trust store password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: + + ``` + keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer + ``` + +2. Import your self-signed certificate or Active Directory certificate: + + ``` + keytool -importcert -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer + ``` + + Replace `path/to/cacerts` with the path to your trust store, `truststorepassword` with your trust store password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: + + ``` + keytool -importcert -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer + ``` + +3. In your `common.runtime.properties` file, add the following lines to the LDAP configuration section, substituting your own trust store path and password: + + ``` + druid.auth.basic.ssl.trustStorePath=/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts + druid.auth.basic.ssl.protocol=TLS + druid.auth.basic.ssl.trustStorePassword=truststorepassword + ``` + +4. You can optionally configure additional LDAPS properties in the `common.runtime.properties` file. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for details about these properties. + +5. Restart Druid. 
+ + +## Troubleshooting tips + +The following are some ideas to help you troubleshoot issues with LDAP and LDAPS. + +### Check the coordinator logs + +If your LDAP connection isn't working, check the coordinator logs. See [Logging](./configuration/logging.md) for details. + +### Check the Druid escalator configuration + +If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](./configurations/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator. + +### Check your LDAP server response time + +If a user can log in to the Druid console but the landing page shows a 401 error, check your LDAP server response time. In a large organization with a high number of LDAP users, LDAP may be slow to respond, and this can result in a connection timeout. diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index 028cff04f55a..3fa80e24adc2 100644 --- a/docs/operations/security-overview.md +++ b/docs/operations/security-overview.md 
@@ -250,80 +250,7 @@ The following steps walk through a sample setup procedure: ## Configuring an LDAP authenticator -As an alternative to using the basic metadata authenticator, you can use LDAP to authenticate users. The following steps provide an overview of the setup procedure. For more information on these settings, see [Properties for LDAP user authentication](../development/extensions-core/druid-basic-security.md#properties-for-ldap-user-authentication). - -1. In `common.runtime.properties`, add LDAP to the authenticator chain in the order in which you want requests to be evaluated. For example: - ``` - # Druid basic security - druid.auth.authenticatorChain=["ldap", "MyBasicMetadataAuthenticator"] - ``` - -2. Configure LDAP settings in `common.runtime.properties` as appropriate for your LDAP scheme and system. For example: - ``` - druid.auth.authenticator.ldap.type=basic - druid.auth.authenticator.ldap.enableCacheNotifications=true - druid.auth.authenticator.ldap.credentialsValidator.type=ldap - druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ad_host:389 - druid.auth.authenticator.ldap.credentialsValidator.bindUser=ad_admin_user - druid.auth.authenticator.ldap.credentialsValidator.bindPassword=ad_admin_password - druid.auth.authenticator.ldap.credentialsValidator.baseDn=dc=example,dc=com - druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(sAMAccountName=%s)(objectClass=user)) - druid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName - druid.auth.authenticator.ldap.authorizerName=ldapauth - druid.escalator.type=basic - druid.escalator.internalClientUsername=ad_interal_user - druid.escalator.internalClientPassword=Welcome123 - druid.escalator.authorizerName=ldapauth - druid.auth.authorizers=["ldapauth"] - druid.auth.authorizer.ldapauth.type=basic - druid.auth.authorizer.ldapauth.initialAdminUser= - druid.auth.authorizer.ldapauth.initialAdminRole=admin - druid.auth.authorizer.ldapauth.roleProvider.type=ldap - 
``` - -3. Use the Druid API to create the group mapping and allocate initial roles. For example, using curl and given a group named `group1` in the directory, run: - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map - ``` - The `groupmap.json` file contents would be something like: - ``` - { - "name": "group1map", - "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", - "roles": [ - "readRole" - ] - } - ``` -4. Check if the group mapping is created successfully by executing the following API. This lists all group mappings. - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings - ``` - - Alternatively, to check the details of a specific group mapping, use the following API: - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map - ``` - -5. To add additional roles to the group mapping, use the following API: - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/ - ``` - -6. Add the LDAP user to Druid. To add a user, use the following authentication API: - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authentication/db/ldap/users/ - ``` - -7. Use the following command to assign the role to a user: - ``` - curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/users//roles/ - ``` - - - -Congratulations, you have configured permissions for user-assigned roles in Druid! 
- +As an alternative to using the basic metadata authenticator, you can use LDAP to authenticate users. See [Configure LDAP authentication](./auth-ldap.md) for information on configuring Druid for LDAP and LDAPS. ## Druid security trust model Within Druid's trust model there users can have different authorization levels: From 882e0b2ccc451b40dc56b59c0fa1ddcbc92cc558 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Wed, 2 Nov 2022 16:56:15 +0000 Subject: [PATCH 2/9] Updated after review --- .../extensions-core/druid-basic-security.md | 6 +- docs/operations/auth-ldap.md | 81 ++++++++++--------- 2 files changed, 46 insertions(+), 41 deletions(-) diff --git a/docs/development/extensions-core/druid-basic-security.md b/docs/development/extensions-core/druid-basic-security.md index 565059cd2fe7..4e042b4405f3 100644 --- a/docs/development/extensions-core/druid-basic-security.md +++ b/docs/development/extensions-core/druid-basic-security.md @@ -442,9 +442,9 @@ Algorithm used by the trust manager to validate certificate chains.
         **Required**: No
         **Default**: N/A -**`druid.auth.basic.ssl.trustStorePasswordProvider`** +**`druid.auth.basic.ssl.trustStorePassword`** -[Password provider](./operations/password-provider.md) that enables access to the trust store.
+Password details that enable access to the truststore.
         **Required**: No
         **Default**: N/A @@ -456,8 +456,8 @@ druid.auth.basic.ssl.trustStorePath=/usr/local/druid-path/certs/truststore.jks druid.auth.basic.ssl.trustStorePassword=xxxxx druid.auth.basic.ssl.trustStoreType=jks druid.auth.basic.ssl.trustStoreAlgorithm=PKIX -druid.auth.basic.ssl.trustStorePasswordProvider=myPasswordProvider ``` +You can configure `druid.auth.basic.ssl.trustStorePassword` to be a plain text password or you can set the password as an environment variable. See [Password providers](../../operations/password-provider.md) for more information. ## Usage diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index bb4ae15253eb..c4ca5c66cfc9 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md @@ -33,7 +33,9 @@ Before you start to configure LDAP for Druid, test your LDAP connection and perf ### Check your LDAP connection -Verify that your LDAP connection is working by testing it with user credentials. For example, the following command tests the connection for the user `myuser@example.com`. Insert your LDAP server IP address and substitute `389` for the port number of your LDAP instance, if different. +Verify that your LDAP connection is working by testing it with user credentials. Later in the process you [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) with this user as the `bindUser`. + +The following example command tests the connection for the user `myuser@example.com`. Insert your LDAP server IP address. Modify the port number of your LDAP instance if it listens on a port other than `389`. ```bash ldapwhoami -vv -H ldap://ip_address:389 -D "myuser@example.com" -W 
@@ -47,27 +49,27 @@ Enter the password for the user when prompted and verify that the command succee ### Test your LDAP search -Once your LDAP connection is working, search for a user. For example, the following command searches for the user myuser in an Active Directory system. The `sAMAccountName` attribute is specific to Active Directory and contains the authenticated user identity: +Once your LDAP connection is working, search for a user. For example, the following command searches for the user `myuser` in an Active Directory system. The `sAMAccountName` attribute is specific to Active Directory and contains the authenticated user identity: ```bash ldapsearch -x -W -H ldap://ip_address:389 -D "cn=admin,dc=example,dc=com" -b "dc=example,dc=com" "(sAMAccountName=myuser)" + ``` -The `memberOf` attribute in the results shows the groups the user belongs to. For example, the following response shows that the user is a member of the `group1` group: +The `memberOf` attribute in the results shows the groups the user belongs to. For example, the following response shows that the user is a member of the `mygroup` group: ```bash -memberOf: cn=group1,ou=groups,dc=example,dc=com +memberOf: cn=mygroup,ou=groups,dc=example,dc=com ``` You use this information to map the LDAP group to Druid roles in a later step. -> Druid uses the `memberOf` attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you [map LDAP groups to Druid roles](). +> Druid uses the `memberOf` attribute to determine a group's membership using LDAP. If your LDAP server implementation doesn't include this attribute, you must complete some additional steps when you [map LDAP groups to Druid roles](#map-ldap-groups-to-druid-roles). ## Configure Druid for LDAP authentication To configure Druid to use LDAP authentication, follow these steps. 
See [Configuration reference](../configuration/index.md) for the location of the configuration files. -1. Create a user in your LDAP system that you'll use for internal communication with Druid. See [Security overview](./security-overview.md) for more information. +1. Create a user in your LDAP system that you'll use both for internal communication with Druid and as the LDAP initial admin user. See [Security overview](./security-overview.md) for more information. In the example below, the LDAP user is `internal@example.com`. 2. Enable the `druid-basic-security` extension in the `common.runtime.properties` file. @@ -98,7 +100,7 @@ In the example below, the LDAP user is `internal@example.com`. ``` Note the following: - - `bindUser`: A user for connecting to LDAP. + - `bindUser`: A user for connecting to LDAP. This should be the same user you used to [test your LDAP search](#test-your-ldap-search). - `userSearch`: Your LDAP search syntax. - `userAttribute`: The user search attribute. - `internal@example.com` is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user. 
@@ -109,19 +111,19 @@ In the example below, the LDAP user is `internal@example.com`. ``` { - "name": "group1map", - "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "name": "mygroupmap", + "groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com", "roles": [ "readRole" ] } ``` - In the example, the LDAP group `group1` maps to Druid role `readRole` and the name of the mapping is `group1map`. + In the example, the LDAP group `mygroup` maps to Druid role `readRole` and the name of the mapping is `mygroupmap`. -5. Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in `groupmap.json` for the LDAP group `group1`: +5. Use the Druid API to create the group mapping and allocate initial roles according to your JSON file. The following example uses curl to create the mapping defined in `groupmap.json` for the LDAP group `mygroup`: ``` - curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map + curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap ``` 6. Check that the group mapping was created successfully. The following example request lists all group mappings: 
@@ -133,9 +135,9 @@ In the example below, the LDAP user is `internal@example.com`. Once you've completed the initial setup and mapping, you can map more LDAP groups to Druid roles. Members of an LDAP group get access to the permissions of the corresponding Druid role. -### Step 1: Create a Druid role +### Create a Druid role -To create a Druid role, you submit a POST request to the Coordinator process using the Druid REST API. +To create a Druid role, you can submit a POST request to the Coordinator process using the Druid REST API or you can use the Druid console. The examples below use `localhost` as the Coordinator host and `8081` as the port. Amend these properties according to the details of your deployment. @@ -145,13 +147,13 @@ Example request to create a role named `readRole`: curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles/readRole ``` -Check that the role was created successfully. The following example request lists all roles: +Check that Druid created the role successfully. The following example request lists all roles: ``` curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/roles ``` -### Step 2: Add permissions to the Druid role +### Add permissions to the Druid role Once you have a Druid role you can add permissions to it. The following example adds read-only access to a `wikipedia` data source. 
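Review bot: the new sentence in "Create a Druid role" says a role can also be created "using the Druid console", but the section only shows the REST request; either add the console path or link to where it is documented, otherwise the mention sends readers looking for steps that are not here. Dropping the "Step N:" prefixes from these headings changes their anchors, so any cross-references to the old heading anchors in other pages need a check; the "follow steps 4 and 5" wording in the setup section's `>` note refers to the numbered list there, not to these headings, so it still resolves.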
@@ -175,14 +177,14 @@ Druid users need the `STATE` and `CONFIG` permissions to view the data source in You can also provide the data source name in the form of a regular expression. For example, to give access to all data sources starting with `wiki`, you would specify the data source name as `{ "name": "wiki.*" }` . -### Step 3: Create the group mapping +### Create the group mapping -You can now map an LDAP group to the Druid role. The following example request creates a mapping with name `group1map`. It assumes that a group named `group1` exists in the directory. +You can now map an LDAP group to the Druid role. The following example request creates a mapping with name `mygroupmap`. It assumes that a group named `mygroup` exists in the directory. ``` { - "name": "group1map", - "groupPattern": "CN=group1,CN=Users,DC=example,DC=com", + "name": "mygroupmap", + "groupPattern": "CN=mygroup,CN=Users,DC=example,DC=com", "roles": [ "readRole" ] @@ -192,7 +194,7 @@ You can now map an LDAP group to the Druid role. The following example request c The following example request configures the mapping—the role mapping is in the file `groupmap.json`. See [Configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) for the contents of an example file. ``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X POST -d @groupmap.json http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap ``` To check whether the group mapping was created successfully, the following request lists all group mappings: 
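Review bot: the JSON under "Create the group mapping" repeats the same `groupmap.json` body that step 4 of the setup section shows, and the `group1` to `mygroup` rename had to be applied in both copies. Since the paragraph right below already links to the setup section for the file contents, show the JSON once and reference it, so the two copies cannot drift apart again.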
@@ -201,19 +203,19 @@ To check whether the group mapping was created successfully, the following reque curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings ``` -The following example request returns the details of the `group1map` group: +The following example request returns the details of the `mygroupmap` group: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1map +curl -i -v -H "Content-Type: application/json" -u internal -X GET http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroupmap ``` -The following example request adds the role `queryRole` to the `group1map` mapping: +The following example request adds the role `queryRole` to the `mygroupmap` mapping: ``` -curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/group1/roles/queryrole +curl -i -v -H "Content-Type: application/json" -u internal -X POST http://localhost:8081/druid-ext/basic-security/authorization/db/ldapauth/groupMappings/mygroup/roles/queryrole ``` -### Step 4: Add an LDAP user to Druid and assign a role +### Add an LDAP user to Druid and assign a role You only need to complete this step if: - Your LDAP server doesn't support the `memberOf` attribute, or 
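Review bot: the request that the text says "adds the role `queryRole` to the `mygroupmap` mapping" posts to `.../groupMappings/mygroup/roles/queryrole`, which names the LDAP group rather than the mapping and lowercases the role. The mapping created above is `mygroupmap` and the role is `queryRole`, so the path should read `.../groupMappings/mygroupmap/roles/queryRole`. The mismatch pre-dates the rename (`group1` versus `group1map` in the removed line), but the rename is the moment to fix it.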
@@ -235,51 +237,54 @@ curl -i -v -H "Content-Type: application/json" -u internal -X POST http://local Once you've configured LDAP authentication in Druid, you can optionally make LDAP traffic confidential and secure by using Transport Layer Security (TLS)—previously Secure Socket Layer(SSL)—technology. +Configuring LDAPS establishes trust between Druid and the LDAP server. + ## Prerequisites -Before you start to set up LDAPS in Druid: +Before you start to set up LDAPS in Druid, you must [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication). You also need: -- You must [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication). -- You need a CA certificate for your LDAP server. -- You need a self-signed certificate, or an Active Directory(AD) certificate if you configured LDAP using AD. +- A certificate issued by a public certificate authority (CA) or a self-signed certificate by an internal CA. +- The root certificate for the CA that signed the certificate for the LDAP server. If you're using a common public CA, the certificate may already be in the Java truststore. Otherwise you need to import the certificate for the CA. ## Configure Druid for LDAPS -Complete the following steps to set up LDAP for Druid. See [Configuration reference](../configuration/index.md) for the location of the configuration files. +Complete the following steps to set up LDAPS for Druid. See [Configuration reference](../configuration/index.md) for the location of the configuration files. -1. Import the CA certificate for your LDAP server into the location saved as your `druid.client.https.trustStorePath` in your `common.runtime.properties` file. +1. Import the CA certificate for your LDAP server or a self-signed certificate into the truststore location saved as `druid.client.https.trustStorePath` in your `common.runtime.properties` file. 
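Review bot: the rewritten prerequisites are contradictory: "a self-signed certificate by an internal CA" is not self-signed (a certificate signed by an internal CA is CA-issued), so the first bullet should read along the lines of "a certificate for the LDAP server issued by a public CA or an internal CA, or a self-signed certificate". Step 1 ("Import the CA certificate for your LDAP server or a self-signed certificate") and step 2 ("If the root certificate for the CA isn't already in the Java truststore, import it") then describe the same import twice; make step 1 the self-signed server certificate case and step 2 the CA root case, or merge them. The added sentence "Configuring LDAPS establishes trust between Druid and the LDAP server" is also imprecise: what the truststore gives Druid is the ability to verify the LDAP server's identity and to encrypt the bind, including the `bindUser` password, in transit, and that is what the sentence should say.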
``` keytool -import -trustcacerts -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer ``` - Replace `path/to/cacerts` with the path to your trust store, `truststorepassword` with your trust store password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: + Replace `path/to/cacerts` with the path to your truststore, `truststorepassword` with your truststore password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: ``` keytool -import -trustcacerts -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer ``` -2. Import your self-signed certificate or Active Directory certificate: +2. If the root certificate for the CA isn't already in the Java truststore, import it: ``` keytool -importcert -keystore path/to/cacerts -storepass truststorepassword -alias aliasName -file path/to/certificate.cer ``` - Replace `path/to/cacerts` with the path to your trust store, `truststorepassword` with your trust store password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: + Replace `path/to/cacerts` with the path to your truststore, `truststorepassword` with your truststore password, `aliasName` with an alias name for the keystore, and `path/to/certificate.cer` with the location and name of your certificate. For example: ``` keytool -importcert -keystore /Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts -storepass mypassword -alias myAlias -file /etc/ssl/certs/my-certificate.cer ``` -3. 
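Review bot: the keytool commands in steps 1 and 2 differ only in `-import` versus `-importcert` and the `-trustcacerts` flag, and both worked examples import the same file `/etc/ssl/certs/my-certificate.cer` into the same `cacerts` under the same alias `myAlias`; a reader following both literally imports one certificate twice, and keytool refuses the second import because the alias already exists. Give step 2 its own example file and alias for the CA root (for instance `my-ca-root.cer` and `myCaAlias`, placeholders to be chosen by the author) and one sentence on when each step applies.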
In your `common.runtime.properties` file, add the following lines to the LDAP configuration section, substituting your own trust store path and password: +3. In your `common.runtime.properties` file, add the following lines to the LDAP configuration section, substituting your own truststore path and password: ``` druid.auth.basic.ssl.trustStorePath=/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts druid.auth.basic.ssl.protocol=TLS - druid.auth.basic.ssl.trustStorePassword=truststorepassword + druid.auth.basic.ssl.trustStorePassword=xxxxxx ``` -4. You can optionally configure additional LDAPS properties in the `common.runtime.properties` file. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for details about these properties. + See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for details about these properties. + +4. You can optionally configure additional LDAPS properties in the `common.runtime.properties` file. See [Druid basic security](../development/extensions-core/druid-basic-security.md#properties-for-ldaps) for more information. 5. Restart Druid. From d4f0797cee70c1bbf9a7bdfd903cb6d9266abdb0 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Wed, 2 Nov 2022 16:57:59 +0000 Subject: [PATCH 3/9] Update auth-ldap.md Updated. --- docs/operations/auth-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index c4ca5c66cfc9..b4111e947d9b 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md 
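Review bot: step 1 tells readers to import into the truststore configured as `druid.client.https.trustStorePath`, but step 3 configures the LDAP client with `druid.auth.basic.ssl.trustStorePath`; these are different properties, and if they point at different files the certificate imported in step 1 lands in a truststore the LDAP client never reads. Make step 1 name `druid.auth.basic.ssl.trustStorePath`, or state explicitly that both must reference the same file. The sentence "See [Druid basic security](...#properties-for-ldaps) for details about these properties" now appears at the end of step 3 and again in step 4; keep one. Replacing the literal `truststorepassword` with `xxxxxx` is right for a value that is written verbatim into `common.runtime.properties`; the step could add that the password is stored in that file as shown, so the file's permissions matter.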
@@ -218,7 +218,7 @@ curl -i -v -H "Content-Type: application/json" -u internal -X POST http://local ### Add an LDAP user to Druid and assign a role You only need to complete this step if: -- Your LDAP server doesn't support the `memberOf` attribute, or +- Your LDAP user doesn't belong to any of your LDAP groups, or - You want to configure a user with additional Druid roles that are not mapped to the LDAP groups that the user belongs to. Example request to add the LDAP user `myuser` to Druid: From fbec7b29278630fe16ccb1105fce7ab3142b9d3c Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Thu, 10 Nov 2022 14:07:09 +0000 Subject: [PATCH 4/9] Update auth-ldap.md --- docs/operations/auth-ldap.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index b4111e947d9b..8f6b9a42e963 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md 
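Review bot: this hunk replaces the `memberOf` condition with "Your LDAP user doesn't belong to any of your LDAP groups", which is a different condition rather than a rewording: a user can be a member of groups on a server that does not expose `memberOf`, and group mapping then cannot resolve for that user. If the `memberOf` limitation no longer applies, the commit message (currently just "Updated.") should say why; otherwise keep both bullets.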
@@ -105,7 +105,7 @@ In the example below, the LDAP user is `internal@example.com`. - `userAttribute`: The user search attribute. - `internal@example.com` is the LDAP user you created in step 1. In the example it serves as both the internal client user and the initial admin user. - > In the above example, the [Druid escalator](../development/extensions-core/druid-basic-security.md#escalator) and LDAP initial admin user are set to the same user - internal@example.com. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function. + > In the above example, the [Druid escalator](../development/extensions-core/druid-basic-security.md#escalator) and LDAP initial admin user are set to the same user - `internal@example.com`. If the escalator is set to a different user, you must follow steps 4 and 5 to create the group mapping and allocate initial roles before the rest of the cluster can function. 4. Save your group mapping to a JSON file. An example file `groupmap.json` looks like this: 
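Review bot: the `>` note ends "set to the same user - `internal@example.com`"; a colon reads better than the spaced hyphen, and since the bullet immediately above already states that `internal@example.com` serves as both the internal client user and the initial admin, the note could be trimmed to the part that adds information: what to do when the escalator is a different user.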
@@ -295,11 +295,11 @@ The following are some ideas to help you troubleshoot issues with LDAP and LDAPS ### Check the coordinator logs -If your LDAP connection isn't working, check the coordinator logs. See [Logging](./configuration/logging.md) for details. +If your LDAP connection isn't working, check the coordinator logs. See [Logging](../configuration/logging.md) for details. ### Check the Druid escalator configuration -If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](./configurations/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator. +If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](../configurations/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator. ### Check your LDAP server response time From ef5316b2640875f461fcbe8de3ff219a57d3b8eb Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Thu, 10 Nov 2022 14:12:29 +0000 Subject: [PATCH 5/9] Updated spelling file --- website/.spelling | 3 +++ 1 file changed, 3 insertions(+) diff --git a/website/.spelling b/website/.spelling index afa6c881b2d6..a262719f6a33 100644 --- a/website/.spelling +++ b/website/.spelling @@ -124,6 +124,7 @@ JDK JDK7 JDK8 JKS +jks JMX JRE JS @@ -142,6 +143,7 @@ Kerberos KeyStores Kinesis Kubernetes +LDAPS LRU LZ4 LZO @@ -197,6 +199,7 @@ SYSTEM_TABLE TCP TGT TLS +tls TopN TopNs UI From 1a9b42af992fe6797e84573c65a8d3ade3155c82 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Mon, 21 Nov 2022 11:45:10 +0000 Subject: [PATCH 6/9] Update docs/operations/auth-ldap.md Co-authored-by: Charles Smith --- docs/operations/auth-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
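Review bot: the second link is still wrong after this change: `../configurations/index.md` should be `../configuration/index.md`, the path used for the same reference elsewhere in this file (the LDAPS steps use it). Patch 9/9 in this series fixes it; squash that into this commit so the series never carries the broken link.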
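Review bot: the `.spelling` additions whitelist lowercase `jks` and `tls` as words; if those forms only occur inside code or property values, the right fix is backticks around them in the prose rather than dictionary entries, otherwise a lowercase "tls" in running text will pass the checker unnoticed. `LDAPS` is a genuine new term and belongs in the list.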
diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index 8f6b9a42e963..21a798eb438e 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md @@ -33,7 +33,7 @@ Before you start to configure LDAP for Druid, test your LDAP connection and perf ### Check your LDAP connection -Verify that your LDAP connection is working by testing it with user credentials. Later in the process you [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) with this user as the `bindUser`. +Test your LDAP connection to verify it works with user credentials. Later in the process you [configure Druid for LDAP authentication](#configure-druid-for-ldap-authentication) with this user as the `bindUser`. The following example command tests the connection for the user `myuser@example.com`. Insert your LDAP server IP address. Modify the port number of your LDAP instance if it listens on a port other than `389`. From 1018d9a0f4d23d58acc7d4dcd4ba20d522a21791 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Mon, 21 Nov 2022 11:45:25 +0000 Subject: [PATCH 7/9] Update docs/operations/auth-ldap.md Co-authored-by: Charles Smith --- docs/operations/auth-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index 21a798eb438e..821ebc12c1ef 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md 
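Review bot: "Test your LDAP connection to verify it works with user credentials" is fine as a sentence, but the test command this section shows binds over `ldap://ip_address:389` with `-W`, a simple bind on the plaintext port, so the password of the user who later becomes the `bindUser` crosses the network unencrypted during this check. Add a sentence pointing at the LDAPS section for running the same check against `ldaps://` once the truststore is configured.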
@@ -45,7 +45,7 @@ Enter the password for the user when prompted and verify that the command succee - Make sure you're using the correct port for your LDAP instance. - Check whether a network firewall is preventing connections to the LDAP port. -- Review your LDAP implementation details to see whether you need to specifically whitelist LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the whitelist. +- Review your LDAP implementation details to see whether you need to specifically allow LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the allow list. ### Test your LDAP search From dd81b3f7dea7aaa27f78394e21d61710354e53d9 Mon Sep 17 00:00:00 2001 From: Jill Osborne Date: Mon, 21 Nov 2022 11:45:42 +0000 Subject: [PATCH 8/9] Update docs/operations/auth-ldap.md Co-authored-by: Charles Smith --- docs/operations/auth-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index 821ebc12c1ef..9bf50281c20e 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md @@ -44,7 +44,7 @@ ldapwhoami -vv -H ldap://ip_address:389 -D "myuser@example.com" -W Enter the password for the user when prompted and verify that the command succeeded. If it failed, check the following: - Make sure you're using the correct port for your LDAP instance. -- Check whether a network firewall is preventing connections to the LDAP port. +- Check if a network firewall is preventing connections to the LDAP port. - Review your LDAP implementation details to see whether you need to specifically allow LDAP clients at the LDAP server. If so, add the Druid Coordinator server to the allow list. ### Test your LDAP search From f0655cfb81c27999980563685d08e3ba5a599bb1 Mon Sep 17 00:00:00 2001 
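Review bot: "allow list" is the right replacement for "whitelist" in the third bullet; while touching the sentence, "specifically allow LDAP clients at the LDAP server" could be tightened to "restrict which clients may bind to the LDAP server", which names the server-side setting being described.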
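Review bot: the second bullet now says "Check if a network firewall is preventing" while the bullet below it still says "see whether"; pick one form for the list, and "whether" is the more precise of the two here.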
From: Jill Osborne Date: Mon, 21 Nov 2022 17:14:28 +0000 Subject: [PATCH 9/9] Update auth-ldap.md --- docs/operations/auth-ldap.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/auth-ldap.md b/docs/operations/auth-ldap.md index 9bf50281c20e..5a2d8b7e292f 100644 --- a/docs/operations/auth-ldap.md +++ b/docs/operations/auth-ldap.md @@ -299,7 +299,7 @@ If your LDAP connection isn't working, check the coordinator logs. See [Logging] ### Check the Druid escalator configuration -If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](../configurations/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator. +If the coordinator is working but the rest of the cluster isn't, check the escalator configuration. See the [Configuration reference](../configuration/index.md) for details. You can also check other service logs to see why the services are unable to fetch authorization details from the coordinator. ### Check your LDAP server response time
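Review bot: this one-line change corrects the `../configurations/index.md` path that patch 4/9 introduced; squashing it into that commit keeps the series free of an intermediate state with a broken link.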