Page MenuHomePhabricator

Add authentication and encryption to Druid Analytics clients
Open, MediumPublic

Description

The Druid Analytics cluster currently does not offer any form of authentication and encryption of data. Druid supports Kerberos and TLS plus Authorization rules, so we should be able to secure the cluster.

There are a lot of moving gears and things to keep into account:

  1. Druid would need to be upgraded to its latest version before starting anything, the project came out of the incubator and a lot of fixes/plugins for security have been added. This is currently being tracked in T244482
  2. Superset needs to be able to contact Druid via TLS/Kerberos before we enable it. Some followup with upstream is surely needed.
  3. Turnilo needs to be able to contact Druid via TLS/Kerberos before enabling it. Some followup with upstream is surely needed.
  4. All our scripts run via systemd timers (for example to drop old data) needs to work with Kerberos/TLS before we enable it.

Event Timeline

elukey triaged this task as Medium priority.Apr 17 2020, 1:14 PM
elukey created this task.
elukey set Final Story Points to 0.