Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2019/02/21 21:57:43 UTC

[GitHub] mohammadjkhan opened a new pull request #6972: Support LDAP authentication/authorization

URL: https://github.com/apache/incubator-druid/pull/6972
 
 
   Proposal for LDAP authentication/authorization within Druid
   
   Issues/limitations with the existing Druid Basic Security extension:
   
   1. Inability to authenticate requests using basic authentication with LDAP as the credentials store. The Basic Security extension limits clients to using the internal database as the only credentials store option.
   2. The Basic Security extension does more than just provide the mechanism to transport/process credentials supplied in HTTP requests.
   3. Basic Security extension authorization limits clients to using the internal database as the only source to manage and look up user roles. Inability to retrieve user role information from an external source like LDAP. Inability to map user groups, retrieved from LDAP for example, to roles.
   
   Goals:
   
   1. Expose the ability to authenticate HTTP requests with basic authentication using LDAP as the credentials store to validate against.
   2. Refactor the existing basic security extension authentication and authorization implementation to be a bit more pluggable (database vs. LDAP or something else, with database being the default).
   3. Expose an LDAP role-based authorizer that allows Druid users to be authorized by enumerating the user's group(s) fetched from LDAP, and group-to-role mappings configured in the internal database.
   
   Proposal:
   
   1. Refactor the existing basic security extension authenticator to make it a bit more pluggable/configurable as to how to validate requests with basic authentication credentials. Abstract out a CredentialsValidator interface for use by BasicHTTPAuthenticator that will be used to select and configure the credential store(s) to use (database, LDAP, etc.).
   2. The CredentialsValidator interface will expose a validate method that takes a username and password and gives you back whether a user is valid (returns an AuthenticationResult).
   3. Support multiple credential validators. Authenticate a local user against the internal database and an LDAP user at the same time; it's common to have a local user in the database that's used as the system user within the cluster, and an LDAP user for external access.
   4. Refactor the basic security extension authorizer (BasicRoleBasedAuthorizer) and make it configurable for multiple sources of truth for assigning roles to users/groups.
   5. Provide the ability to assign and look up roles for groups instead of just users in the database. Check the local database first for user permissions. If not found, then check LDAP, enumerate all groups, and then follow the set of rules dynamically configured in the database for how to map that set of groups onto a set of roles.
   6. Group-to-role mappings in the database will be stored similarly to the current structure of how user-to-role mappings are stored.
   
   https://github.com/apache/incubator-druid/issues/6416
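Added illustration of the chained-validator and group-to-role lookup described in the proposal; this is not Druid's code and the function and store names are assumptions. The database and LDAP stores are constructed in-memory stand-ins (a real LDAP validator would bind to the directory rather than compare a stored secret).

```python
# Added example of the proposal's pluggable authentication/authorization
# flow. Not Druid code; the stores below are constructed in-memory stand-ins
# for the metadata database and an LDAP directory, and names are assumptions.
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class AuthenticationResult:
    identity: str
    source: str  # which validator accepted the credentials ("db" or "ldap")

# Constructed sample stores (not real credentials).
DB_USERS = {"druid_system": "internal-system-secret"}   # local cluster user
DB_USER_ROLES = {"druid_system": {"admin"}}
LDAP_USERS = {"alice": "alice-directory-pw"}            # external user
LDAP_GROUPS = {"alice": {"cn=analysts,ou=groups,dc=example,dc=org"}}
DB_GROUP_ROLES = {"cn=analysts,ou=groups,dc=example,dc=org": {"reader"}}

# One CredentialsValidator per store: (username, password) -> result or None.
def db_validator(username: str, password: str) -> Optional[AuthenticationResult]:
    stored = DB_USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, password):
        return AuthenticationResult(username, "db")
    return None

def ldap_validator(username: str, password: str) -> Optional[AuthenticationResult]:
    # Stand-in for an LDAP simple bind as the user; success means valid.
    stored = LDAP_USERS.get(username)
    if stored is not None and hmac.compare_digest(stored, password):
        return AuthenticationResult(username, "ldap")
    return None

VALIDATORS = [db_validator, ldap_validator]  # database first, then LDAP

def authenticate(username: str, password: str) -> Optional[AuthenticationResult]:
    """Try each configured validator in order; the first success wins."""
    for validator in VALIDATORS:
        result = validator(username, password)
        if result is not None:
            return result
    return None

def roles_for(username: str) -> set:
    """Local user-to-role mapping first; otherwise LDAP groups mapped to roles."""
    if username in DB_USER_ROLES:
        return set(DB_USER_ROLES[username])
    roles = set()
    for group in LDAP_GROUPS.get(username, ()):
        roles |= DB_GROUP_ROLES.get(group, set())
    return roles
```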
