You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/03/26 13:04:04 UTC
[GitHub] [druid] soumyajose0784 opened a new issue #9569: SSO support in
Druid
soumyajose0784 opened a new issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569
Could anyone guide me on enabling SSO in Druid?
Please share the steps if available.
We have Druid single node implementation in GKE, and had successfully tested LDAP and Kerberos(with local KDC) authentications.
But now we are looking for single sign on to Druid using existing active token(with PingFederate).
Could I get some guidance?
Thanks
Soumya
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-613018679
@himanshug I had tired a new packages of Druid 0.18 version along with SSL provided.
I am able to hit Pingfederate URL but call back has some issue
HTTP ERROR 500
Problem accessing /druid-ext/druid-pac4j/callback. Reason:
Server Error
Caused by:
org.pac4j.core.exception.TechnicalException: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed:
Is this something to be fixed from Druid side or Pingfederate?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-607488267
Hi All,
Soumya and Myself works in same team. Let me know if we have options for JWT with Druid?.
Thanks,
Ashish
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] soumyajose0784 commented on issue #9569: SSO support in
Druid
Posted by GitBox <gi...@apache.org>.
soumyajose0784 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-604878719
Hi Himanshu,
Plain LDAP auth demand user to enter ldap credentials whenever Druid endpoints are accessed. But the requirement is to authenticate user without entering credentials. For eg, if a user is already logged in to windows machine using LDAP, he should be able to access Druid endpoints with the current active session.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-612164439
@himanshug , To take the latest commit I simply have to mvn clean install druid 0.18 right along with parameters?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609895787
@himanshug we are using PingFederate.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-604835405
I think https://druid.apache.org/docs/latest/development/extensions-core/druid-basic-security.html supports LDAP
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] soumyajose0784 commented on issue #9569: SSO support in
Druid
Posted by GitBox <gi...@apache.org>.
soumyajose0784 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-604812330
Hi Himanshu,
Thanks for your response. By SSO(single sign on), we are looking to authenticate users to Druid with the exiting active login to the system using their LDAP id. Druid console should not prompt for further login credentials and it should automatically allow the user to access Druid URIs with existing active session. This should also restrict access for unauthorized LDAP ids.
Thanks
Soumya
Thanks you
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug edited a comment on issue #9569: SSO support in
Druid
Posted by GitBox <gi...@apache.org>.
himanshug edited a comment on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-608223555
sorry, I am a bit occupied this week, so couldn't reply.
if your auth provider supports OpenID Connect then you can potentially use the SSO introduced in https://github.com/apache/druid/pull/8992 that would release in 0.18.0 .
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-612283205
@himanshug I am new to mvn build what are the steps involved for cherry pick to get the above changes in the new build 0.18
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609900467
@himanshug - we are deploying druid into GCP Kubernetes. Let me know how to use druid-operator along with OpenId protocal.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-612328403
@averma111 since https://github.com/apache/druid/pull/9675 is merged, you don't have to cherry pick anything.
just get latest code in 0.18.0 branch and build that, something like this should work..
```
git clone https://github.com/apache/druid.git
cd druid
git checkout origin/0.18.0
mvn clean install -DskipTests
cd distribution
mvn clean install -Pdist
# if all of above worked then
ls target/
# should show, apache-druid-0.18.0-SNAPSHOT-bin.tar.gz , that you can experiment with
```
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609980322
> Plain LDAP auth demand user to enter ldap credentials whenever Druid endpoints are accessed. But the requirement is to authenticate user without entering credentials. For eg, if a user is already logged in to windows machine using LDAP, he should be able to access Druid endpoints with the current active session.
@jon-wei I think above is because `druid-basic-security` extension doesn't manage a session with browser via cookies , `druid-pac4j` does that. To enable LDAP SSO...
1. in `druid-basic-security` , we could add cookie handling in there.
2. or add ldap support in `druid-pac4j` which would be easy as pac4j lib does support BASIC auth and LDAP . (see http://www.pac4j.org/docs/index.html )
downside to doing (2) is that we will have ldap in two different extensions then and that might confuse users, so I would favor (1) as that would add SSO for other auth mechanisms present in `druid-basic-security` ext as well, what do you think ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-612658200
@himanshug Thank you I am going to build tonight and test out OpenId settings.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-614469757
@himanshug its working , please merge with official 0.18 version. We are able to do handshake between Druid and Ping federate.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609954095
@averma111 how-to for druid–operator is at https://github.com/druid-io/druid-operator , though I haven't personally tried things out on GCP kubernetes but steps should be the same I guess. I would suggest trying those instructions and create issues in https://github.com/druid-io/druid-operator when you hit specific issues.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-608223555
sorry, I am a bit occupied this week, so couldn't reply.
if your auth provider supports OpenID connect then you can potentially use the SSO introduced in https://github.com/apache/druid/pull/8992 that would release in 0.18.0 .
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609121443
@averma111 if you use kubernetes then you can use druid-operator. That helps with cluster setup . druid authentication mechanism would be same whether you used druid-operator or not.
which authentication server do you have ... Okta, PingFederate ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-604538816
can you describe what you are hoping to achieve with SSO .. do you need this to ensure that only a limited set of people could use the router web console ?
I haven't used `PingFederate` but have done above for OpenID Connnect on Okta. From https://www.pingidentity.com/en/software/pingfederate.html it seems like they support OpenID Connect.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] averma111 commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-609115117
@himanshug also could you please elaborate on druid-operator how we can utilize it in K8.It say
druid-operator is a kubernetes operator for deploying Druid clusters. Does it help in cluster setup and authentication.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org
[GitHub] [druid] himanshug commented on issue #9569: SSO support in Druid
Posted by GitBox <gi...@apache.org>.
himanshug commented on issue #9569: SSO support in Druid
URL: https://github.com/apache/druid/issues/9569#issuecomment-612193937
@averma111 https://github.com/apache/druid/pull/9637 is not merged yet, so that commit needs to be "cherry picked" onto 0.18.0 branch before doing the build.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
With regards,
Apache Git Services
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org