DRUID AUTH BASIC/KERBEROS
494 views
Skip to first unread message
sai chandra
Jan 5, 2018, 9:05:13 AM1/5/18
to Druid User
hi team,
im really new to druid by seeing druid docs im unable to setup druid basic auth/kerberos with tranquility
can you please tell me how to setup druid auth with kerberos/basic with END-TO-END step process we really need it.
i tried with basic auth but im unable to download druid-basic-security extenstion can you tell me where can i find this extension
i followed this link to setup basic auth
is there any proper setup process for druid kerberos like initally what to install how to use kerberos and setup with druid, reading those kerberos properties in druid's doc doesnt give enough knowledge to setup druid
any proper step process to setup druid auth
Jonathan Wei
Jan 5, 2018, 6:27:17 PM1/5/18
to druid...@googlegroups.com
Hi Sai,
The druid-basic-security extension is only in master currently, it's not part of 0.11.0. It will be included in the next release, 0.12.0.
For now the only included authentication implementations are the default "allow everything" and kerberos.
We don't have a general kerberos cluster setup guide, so you'll need to find that elsewhere online.
After your kerberos is set up, you would need to create two principals for the Druid cluster itself, one for the druid "internalClientPrincipal" and the other for the "serverPrincipal". The principal for "serverPrincipal" needs to have the format HTTP/<druid host>@<your kerberos realm> where <druid host> is the host of the druid machine.
We don't have a general kerberos cluster setup guide, so you'll need to find that elsewhere online.
After your kerberos is set up, you would need to create two principals for the Druid cluster itself, one for the druid "internalClientPrincipal" and the other for the "serverPrincipal". The principal for "serverPrincipal" needs to have the format HTTP/<druid host>@<your kerberos realm> where <druid host> is the host of the druid machine.
After that, you should be able to authenticate with your other user principals.
--
You received this message because you are subscribed to the Google Groups "Druid User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to druid-user+unsubscribe@googlegroups.com.
To post to this group, send email to druid...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/fc123a9f-408c-44f4-b6dc-ea82ef600eeb%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Message has been deleted
sai chandra
Jan 7, 2018, 2:31:45 AM1/7/18
to Druid User
hi Jonathan,
im able to setup kerberose with client and server, i would like to configure multiple CLIENTS with ONE DRUID SERVER using KERBEROS EXTENSION is there any way to do it?
Regards,
sai
sai chandra
Jan 7, 2018, 7:35:24 AM1/7/18
to Druid User
hi,
im able to setup kerberos and configure with druid 0.10.0 but still druid says unauthorized and giving 401 status
these are my druid properrties
common.properties
druid.hadoop.security.kerberos.principal = us...@ECN.COM
druid.hadoop.security.kerberos.keytab = /etc/krb5.keytab
druid.hadoop.security.spnego.principal = HTTP/_HO...@ECN.COM
druid.hadoop.security.spnego.keytab = /etc/krb5.keytab
using my kerberos client im able to get ticket to my client
by using command "kinit -k -t <path_to_keytab_file> us...@REALM.COM" it is successfuly login to kerberos/druid host
but when i used to send druid query from my client it say 401 unauthorised
by using command "curl --negotiate -u:anyUser -b ~/cookies.txt -c ~/cookies.txt -X POST -H'Content-Type: application/json' http://broker-host:port/druid/v2/?pretty -d @query.json"
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1"/>
<title>Error 401 </title>
</head>
<body>
<h2>HTTP ERROR: 401</h2>
<p>Problem accessing /druid/v2/. Reason:
<pre> </pre>
</p>
<hr />
<a href="http://eclipse.org/jetty">Powered by Jetty:// 9.3.16.v20170120</a>
<hr/>
</body>
</html>
what is this spnego principal is that kerberos host principal?
how do i create this spnego principal?
Jonathan Wei
Jan 9, 2018, 10:06:29 PM1/9/18
to druid...@googlegroups.com
The SPNEGO principal is the service principal name of the Druid service that clients connect to.
If I were trying to connect to a Druid broker at hostname "DRUID-BROKER.EXAMPLE.COM" under the "EXAMPLE.COM" kerberos realm, the SPNEGO principal would be HTTP/DRUID-BROKER...@EXAMPLE.COM
These links might be helpful:
--
You received this message because you are subscribed to the Google Groups "Druid User" group.
To unsubscribe from this group and stop receiving emails from it, send an email to druid-user+unsubscribe@googlegroups.com.
To post to this group, send email to druid...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/druid-user/72c38a07-3e6f-4ece-9249-ec5ef22978a7%40googlegroups.com.
Andriod Guru
May 25, 2019, 2:58:55 PM5/25/19
to Druid User
Hi Sai,
Can you let me know how did you setup basic authentication. I need to setup first basic then ldap setup on Druid server.
Thanks,
Ashish
Reply all
Reply to author
Forward
0 new messages