This task should end up with druid datasources containing PII data requiring Kerberos authentication.
In this case, Druid will not act as Hadoop proxy (as we do for Presto/Hive/etc..) since the files on HDFS are druid segments owned by the druid user, so it seems not the same use case. There should be two things to consider:
- Add authentication via https://druid.apache.org/docs/latest/development/extensions-core/druid-kerberos.html
- Map kerberos users to authz rules in some way (like user X can view datasource Y but not Z). This seems to be possible using https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html, via roles etc.. but we'll have to do some tests before getting the right combination.
Note: 1) may be replaced by LDAP authn, if we feel that it can work anyway.