Adding Druid to a cluster
Also available as:
PDF

Enable Kerberos authentication in Druid

As Administrator, you can set up authentication of users who submit queries through Druid HTTP endpoints to the rest of the Hadoop cluster.

  • You have enabled SPENGO-based Kerberos security on the cluster using the Ambari Server and Services.
  • You have planned for temporary down-time that is associated with this task.

    The entire HDP cluster must shut down after you configure the Kerberos settings and initialize the Kerberos wizard.

To enable SPNEGO-based Kerberos authentication between the Druid HTTP endpoints and the rest of the Hadoop cluster, you run the Ambari Kerberos Wizard and manually connect to Druid HTTP endpoints in a command line. In this wizard, you configure the following Advanced Druid Indentity Properties.
Property Default Value Setting Description

druid.hadoop.security.spnego.excludedPaths

['status']

To set more than one path, enter values in the following format:['/status','/condition']

Specify here HTTP paths that do not need to be secured with authentication. A possible use case for providing paths here are to test scripts outside of a production environment.
druid.hadoop.security.spnego.keytab keytab_dir/spnego.service.keytab The SPNEGO service keytab that is used for authentication.
druid.hadoop.security.spnego. principal HTTP/_HOST@realm The SPNEGO service principal that is used for authentication.
druid.security.extensions.loadlist [druid-kerberos] Indicates the Druid security extension to load for Kerberos.

Initializing the Kerberos Wizard might require a significant amount of time to complete, depending on the cluster size. Refer to the GUI messaging on the screen for progress status.

  1. In Ambari, launch the Kerberos wizard automated setup.
  2. In Configure Identities, adjust advanced Druid configuration settings: Review the principal names, particularly the Ambari Principals on the General tab and either leave the default appended names or adjust them by removing the -cluster-name from the principal name string.
    If your cluster is named druid and your realm is EXAMPLE.COM, the Druid principal that is created is druid@EXAMPLE.COM
    These principal names, by default, append the name of the cluster to each of the Ambari principals.
  3. Select the Advanced tab > Druid drop-down menu.
  4. Determine for which Advanced Druid Identity properties, if any, you need to change the default settings.
    Generally, you do not need to change the default values.
  5. Confirm your configuration, and, ptionally, download a CSV file of the principals and keytabs that Ambari can automatically create.
  6. Click Next.
    Kerberos configuration settings are applied to various components, and keytabs and principals are generated. When the Kerberos process finishes, all Services are restarted and checked. After authenticating successfully to Druid, users can submit queries through the endpoints.