Enable Kerberos authentication in Druid
As Administrator, you can set up authentication of users who submit queries through Druid HTTP endpoints to the rest of the Hadoop cluster.
- You have enabled SPENGO-based Kerberos security on the cluster using the Ambari Server and Services.
- You have planned for temporary down-time that is associated with this task.
The entire HDP cluster must shut down after you configure the Kerberos settings and initialize the Kerberos wizard.
|Property||Default Value Setting||Description|
To set more than one path, enter values in the following format:['/status','/condition']
|Specify here HTTP paths that do not need to be secured with authentication. A possible use case for providing paths here are to test scripts outside of a production environment.|
|druid.hadoop.security.spnego.keytab||keytab_dir/spnego.service.keytab||The SPNEGO service keytab that is used for authentication.|
|druid.hadoop.security.spnego. principal||HTTP/_HOST@realm||The SPNEGO service principal that is used for authentication.|
|druid.security.extensions.loadlist||[druid-kerberos]||Indicates the Druid security extension to load for Kerberos.|
Initializing the Kerberos Wizard might require a significant amount of time to complete, depending on the cluster size. Refer to the GUI messaging on the screen for progress status.
- In Ambari, launch the Kerberos wizard automated setup.
In Configure Identities, adjust advanced Druid configuration settings: Review
the principal names, particularly the Ambari Principals on the General tab and
either leave the default appended names or adjust them by removing the
-cluster-namefrom the principal name string.If your cluster is named druid and your realm is EXAMPLE.COM, the Druid principal that is created is druid@EXAMPLE.COMThese principal names, by default, append the name of the cluster to each of the Ambari principals.
- Select the Advanced tab > Druid drop-down menu.
Determine for which Advanced Druid Identity properties, if any, you need to change the default settings.Generally, you do not need to change the default values.
- Confirm your configuration, and, ptionally, download a CSV file of the principals and keytabs that Ambari can automatically create.
- Click Next.Kerberos configuration settings are applied to various components, and keytabs and principals are generated. When the Kerberos process finishes, all Services are restarted and checked. After authenticating successfully to Druid, users can submit queries through the endpoints.