Could anyone guide me on enabling SSO in Druid?
Please share the steps if available.
We have Druid single node implementation in GKE, and had successfully tested LDAP and Kerberos(with local KDC) authentications.
But now we are looking for single sign on to Druid using existing active token(with PingFederate).
Could I get some guidance?
Thanks
Soumya
can you describe what you are hoping to achieve with SSO .. do you need this to ensure that only a limited set of people could use the router web console ?
I haven't used PingFederate but have done above for OpenID Connnect on Okta. From https://www.pingidentity.com/en/software/pingfederate.html it seems like they support OpenID Connect.
Hi Himanshu,
Thanks for your response. By SSO(single sign on), we are looking to authenticate users to Druid with the exiting active login to the system using their LDAP id. Druid console should not prompt for further login credentials and it should automatically allow the user to access Druid URIs with existing active session. This should also restrict access for unauthorized LDAP ids.
Thanks
Soumya
Thanks you
Hi Himanshu,
Plain LDAP auth demand user to enter ldap credentials whenever Druid endpoints are accessed. But the requirement is to authenticate user without entering credentials. For eg, if a user is already logged in to windows machine using LDAP, he should be able to access Druid endpoints with the current active session.
Hi All,
Soumya and Myself works in same team. Let me know if we have options for JWT with Druid?.
Thanks,
Ashish
sorry, I am a bit occupied this week, so couldn't reply.
if your auth provider supports OpenID Connect then you can potentially use the SSO introduced in https://github.com/apache/druid/pull/8992 that would release in 0.18.0 .
@himanshug also could you please elaborate on druid-operator how we can utilize it in K8.It say
druid-operator is a kubernetes operator for deploying Druid clusters. Does it help in cluster setup and authentication.
@averma111 if you use kubernetes then you can use druid-operator. That helps with cluster setup . druid authentication mechanism would be same whether you used druid-operator or not.
which authentication server do you have ... Okta, PingFederate ?
@himanshug we are using PingFederate.
@himanshug - we are deploying druid into GCP Kubernetes. Let me know how to use druid-operator along with OpenId protocal.
@averma111 how-to for druid鈥搊perator is at https://github.com/druid-io/druid-operator , though I haven't personally tried things out on GCP kubernetes but steps should be the same I guess. I would suggest trying those instructions and create issues in https://github.com/druid-io/druid-operator when you hit specific issues.
Plain LDAP auth demand user to enter ldap credentials whenever Druid endpoints are accessed. But the requirement is to authenticate user without entering credentials. For eg, if a user is already logged in to windows machine using LDAP, he should be able to access Druid endpoints with the current active session.
@jon-wei I think above is because druid-basic-security extension doesn't manage a session with browser via cookies , druid-pac4j does that. To enable LDAP SSO...
druid-basic-security , we could add cookie handling in there.druid-pac4j which would be easy as pac4j lib does support BASIC auth and LDAP . (see http://www.pac4j.org/docs/index.html )downside to doing (2) is that we will have ldap in two different extensions then and that might confuse users, so I would favor (1) as that would add SSO for other auth mechanisms present in druid-basic-security ext as well, what do you think ?
@himanshug , To take the latest commit I simply have to mvn clean install druid 0.18 right along with parameters?
@averma111 https://github.com/apache/druid/pull/9637 is not merged yet, so that commit needs to be "cherry picked" onto 0.18.0 branch before doing the build.
@himanshug I am new to mvn build what are the steps involved for cherry pick to get the above changes in the new build 0.18
@averma111 since https://github.com/apache/druid/pull/9675 is merged, you don't have to cherry pick anything.
just get latest code in 0.18.0 branch and build that, something like this should work..
git clone https://github.com/apache/druid.git
cd druid
git checkout origin/0.18.0
mvn clean install -DskipTests
cd distribution
mvn clean install -Pdist
# if all of above worked then
ls target/
# should show, apache-druid-0.18.0-SNAPSHOT-bin.tar.gz , that you can experiment with
@himanshug Thank you I am going to build tonight and test out OpenId settings.
@himanshug I had tired a new packages of Druid 0.18 version along with SSL provided.
I am able to hit Pingfederate URL but call back has some issue
HTTP ERROR 500
Problem accessing /druid-ext/druid-pac4j/callback. Reason:
Server Error
Caused by:
org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
Is this something to be fixed from Druid side or Pingfederate?
@himanshug its working , please merge with official 0.18 version. We are able to do handshake between Druid and Ping federate.
@himanshug I wanted to know if Druid supports both ldap and sso via pack4j extenstion together, because in my project all the reporting tools are connected via ldap and we want authentication with sso and ldap both.
Also could you please guide me if Druid can accept any jwt token for authentication?
@averma111 chaining ldap auth before pac4j should work fine ... something like...
druid.auth.authenticatorChain=["MyBasicLDAPAuthenticator", "pac4j"]
... further properties related to both of the above
Thank you @himanshug .
Also could you please let me know any way to send and recieve jwt token.
Thanks
Ashish
Also could you please let me know any way to send and recieve jwt token.
I couldn't understand what you need there :) , can you elaborate on what you are trying to achieve ?
Most helpful comment
Hi Himanshu,
Plain LDAP auth demand user to enter ldap credentials whenever Druid endpoints are accessed. But the requirement is to authenticate user without entering credentials. For eg, if a user is already logged in to windows machine using LDAP, he should be able to access Druid endpoints with the current active session.