Page MenuHomePhabricator

Enforce authentication for Druid datasources
Open, Needs TriagePublic

Description

This task should end up with druid datasources containing PII data requiring Kerberos authentication.

In this case, Druid will not act as Hadoop proxy (as we do for Presto/Hive/etc..) since the files on HDFS are druid segments owned by the druid user, so it seems not the same use case. There should be two things to consider:

  1. Add authentication via https://druid.apache.org/docs/latest/development/extensions-core/druid-kerberos.html
  2. Map kerberos users to authz rules in some way (like user X can view datasource Y but not Z). This seems to be possible using https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html, via roles etc.. but we'll have to do some tests before getting the right combination.

Note: 1) may be replaced by LDAP authn, if we feel that it can work anyway.

Event Timeline

elukey created this task.Jun 16 2020, 9:23 AM
Aklapper removed a project: Analytics.Jul 4 2020, 7:59 AM