Posted to commits@druid.apache.org by GitBox <gi...@apache.org> on 2020/02/03 12:01:39 UTC

[GitHub] [druid] soumyajose0784 opened a new issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

soumyajose0784 opened a new issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304
 
 
   ### Affected Version
   
   Affected version is 0.17.0
   
   ### Description
   
   After enabling LDAP authentication with an SSL-enabled LDAP URL (ldaps://<hostname>:636), the coordinator fails with the following error:
   
   2020-02-03T11:59:34,295 ERROR [qtp744507749-175] org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator - Exception during user lookup
   javax.naming.CommunicationException: <hostname>:636
           at com.sun.jndi.ldap.Connection.<init>(Connection.java:228) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1609) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83) ~[?:1.8.0_232]
           at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684) ~[?:1.8.0_232]
           at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313) ~[?:1.8.0_232]
           at javax.naming.InitialContext.init(InitialContext.java:244) ~[?:1.8.0_232]
           at javax.naming.InitialContext.<init>(InitialContext.java:216) ~[?:1.8.0_232]
           at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101) ~[?:1.8.0_232]
           at org.apache.druid.security.basic.authentication.validator.LDAPCredentialsValidator.validateCredentials(LDAPCredentialsValidator.java:143) [druid-basic-security-0.17.0.jar:0.17.0]
           at org.apache.druid.security.basic.authentication.BasicHTTPAuthenticator$BasicHTTPAuthenticationFilter.doFilter(BasicHTTPAuthenticator.java:201) [druid-basic-security-0.17.0.jar:0.17.0]
           at org.apache.druid.server.security.AuthenticationWrappingFilter.doFilter(AuthenticationWrappingFilter.java:59) [druid-server-0.17.0.jar:0.17.0]
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.apache.druid.server.security.SecuritySanityCheckFilter.doFilter(SecuritySanityCheckFilter.java:86) [druid-server-0.17.0.jar:0.17.0]
           at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1642) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:533) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:1595) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ScopedHandler.nextHandle(ScopedHandler.java:255) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1340) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:203) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:473) [jetty-servlet-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:1564) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ScopedHandler.nextScope(ScopedHandler.java:201) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1242) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:144) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.gzip.GzipHandler.handle(GzipHandler.java:740) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.HandlerList.handle(HandlerList.java:61) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:132) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.Server.handle(Server.java:503) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:364) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:260) [jetty-server-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:305) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.onFillable(SslConnection.java:411) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.ssl.SslConnection.onFillable(SslConnection.java:305) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.ssl.SslConnection$2.succeeded(SslConnection.java:159) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:103) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.io.ChannelEndPoint$2.run(ChannelEndPoint.java:118) [jetty-io-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.runTask(EatWhatYouKill.java:333) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.doProduce(EatWhatYouKill.java:310) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.tryProduce(EatWhatYouKill.java:168) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.strategy.EatWhatYouKill.run(EatWhatYouKill.java:126) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.ReservedThreadExecutor$ReservedThread.run(ReservedThreadExecutor.java:366) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:765) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:683) [jetty-util-9.4.12.v20180830.jar:9.4.12.v20180830]
           at java.lang.Thread.run(Thread.java:748) [?:1.8.0_232]
   Caused by: java.lang.NullPointerException: must specify a trustStorePath
           at com.google.common.base.Preconditions.checkNotNull(Preconditions.java:229) ~[guava-16.0.1.jar:?]
           at org.apache.druid.server.security.TLSUtils$ClientSSLContextBuilder.build(TLSUtils.java:146) ~[druid-server-0.17.0.jar:0.17.0]
           at org.apache.druid.security.basic.BasicSecuritySSLSocketFactory.<init>(BasicSecuritySSLSocketFactory.java:60) ~[druid-basic-security-0.17.0.jar:0.17.0]
           at org.apache.druid.security.basic.BasicSecuritySSLSocketFactory.getDefault(BasicSecuritySSLSocketFactory.java:67) ~[druid-basic-security-0.17.0.jar:0.17.0]
           at sun.reflect.GeneratedMethodAccessor20.invoke(Unknown Source) ~[?:?]
           at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:1.8.0_232]
           at java.lang.reflect.Method.invoke(Method.java:498) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.Connection.createSocket(Connection.java:296) ~[?:1.8.0_232]
           at com.sun.jndi.ldap.Connection.<init>(Connection.java:215) ~[?:1.8.0_232]
           ... 51 more
   
   
   
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@druid.apache.org
For additional commands, e-mail: commits-help@druid.apache.org


[GitHub] [druid] soumyajose0784 removed a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
soumyajose0784 removed a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582915571
 
 
   Thank you @mohammadjkhan. We could get ldap working with the given configurations.



[GitHub] [druid] averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582570871
 
 
   Thank you @mohammadjkhan for replying. Soumya and I work together, and we are trying LDAP on an on-premise machine for the first time.
   
   We have been struggling for the past week; if you can send all the settings used for https along with ldap, it will be really helpful for us.
   
   Also, under which section do we need to add the following? "For connecting to secure ldap, tls settings need to be provided under the following config
   druid.auth.basic.ssl"
   
   Thanks,
   Ashish



[GitHub] [druid] mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582625018
 
 
   No, that's a good question. You don't need to create both db and ldap settings. You can just have ldap, and as long as you have configured the escalator with a valid ldap userId/password and you have also configured the authorizer properties to set initialAdminUser with the escalator user AND/OR initialAdminGroupMapping with escalator user's ldap group mappings, then your cluster should start up fine.



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582567857
 
 
   druid.client.https config properties are for turning on TLS for internal druid client related network traffic and u
   For connecting to secure ldap, tls settings need to be provided under the following config
   druid.auth.basic.ssl



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582596278
 
 
   @averma111 we also probably don't need to create 2 issues as it may be related to the same configuration related issue



[GitHub] [druid] averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582612807
 
 
   @mohammadjkhan - Sure, going forward we will create one ticket. I am just asking a dumb question: do I need to create both db and ldap settings, or will only ldap work? Just want to be specific.
   
   Thanks,
   Ashish



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-583042865
 
 
   👍 Nice!



[GitHub] [druid] averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
averma111 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582655349
 
 
   @mohammadjkhan Thank you for the information. If it is okay, can you join my WebEx, or can I call you? It will be a great help.



[GitHub] [druid] soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-581382813
 
 
   We have already added druid.client.https.trustStorePath, as TLS was already enabled and working fine for Druid. So for LDAP we have added the root and intermediate certificates for the LDAP server to the existing truststore, as mentioned in druid.client.https.trustStorePath.
   But the coordinator fails with the error mentioned above once LDAP is enabled.



[GitHub] [druid] soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582914797
 
 
   @mohammadjkhan, thank you for the inputs. We could get ldap working now.



[GitHub] [druid] mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582567857
 
 
   druid.client.https config properties are for turning on TLS for internal druid client related network traffic.
   
   For connecting to secure ldap, tls settings need to be provided under the following config
   druid.auth.basic.ssl



[GitHub] [druid] soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
soumyajose0784 commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582915571
 
 
   Thank you @mohammadjkhan. We could get ldap working with the given configurations.



[GitHub] [druid] mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582596278
 
 
   @averma111 we also probably don't need to create 3 issues as it may be related to the same configuration related issue



[GitHub] [druid] mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan edited a comment on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582627474
 
 
   But if your ldap server is unreliable, in that case I'd recommend adding db settings and just have your escalator configured with the druid_system user. That way if your ldap server is having any issues, your escalator will continue to be able to get authenticated/authorized and all internal communication within your druid cluster will continue to function properly so your druid cluster is still up and functioning. Only external users accessing the druid cluster might get affected. Also, if your escalator account in ldap gets locked or something, then that too will negatively impact your cluster as all druid internal communications/interactions will be affected.
   



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582627474
 
 
   But if your ldap server is unreliable, in that case I'd recommend adding db settings and just have your escalator configured with the druid_system user. That way if your ldap server is having any issues, your escalator will continue to be able to get authenticated/authorized and all internal communication within your druid cluster will continue to function properly so your druid cluster is still up and functioning. Only external users accessing the druid cluster might get affected. Also, if your escalator account in ldap gets locked or something, then that too will negatively impact your cluster as all druid internal communications/interactions will be affected.
   



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582595230
 
 
   Here's an example that worked for us. 
   
   trustStorePath will be different based on your env, and if your trust store is password protected then you can specify the
   trust store password in trustStorePassword property
   
   -Ddruid.auth.authenticatorChain=[\"db\",\"ldap\"]
   
   -Ddruid.auth.basic.ssl.trustStorePath=/Library/Java/JavaVirtualMachines/adoptopenjdk-8.jdk/Contents/Home/jre/lib/security/cacerts
   -Ddruid.auth.basic.ssl.protocol=TLS
   
   -Ddruid.auth.authenticator.db.type=basic
   -Ddruid.auth.authenticator.db.skipOnFailure=true
   -Ddruid.auth.authenticator.db.initialAdminPassword=password1
   -Ddruid.auth.authenticator.db.initialInternalClientPassword=password2
   -Ddruid.auth.authenticator.db.credentialsValidator.type=metadata
   -Ddruid.auth.authenticator.db.authorizerName=db
   
   -Ddruid.auth.authenticator.ldap.type=basic
   -Ddruid.auth.authenticator.ldap.skipOnFailure=false
   -Ddruid.auth.authenticator.ldap.credentialsValidator.type=ldap
   -Ddruid.auth.authenticator.ldap.credentialsValidator.url="ldaps://host:port"
   -Ddruid.auth.authenticator.ldap.credentialsValidator.bindUser=DHC\userId
   -Ddruid.auth.authenticator.ldap.credentialsValidator.bindPassword=
   -Ddruid.auth.authenticator.ldap.credentialsValidator.baseDn="DC=corp,DC=company,DC=com"
   -Ddruid.auth.authenticator.ldap.credentialsValidator.userSearch="(&(sAMAccountName=%s)(objectClass=user))"
   -Ddruid.auth.authenticator.ldap.credentialsValidator.userAttribute=sAMAccountName
   -Ddruid.auth.authenticator.ldap.authorizerName=ldap
   
   -Ddruid.auth.authorizers=[\"db\",\"ldap\"]
   
   -Ddruid.auth.authorizer.db.type=basic
   -Ddruid.auth.authorizer.db.roleProvider.type=metadata
   
   -Ddruid.auth.authorizer.ldap.type=basic
   -Ddruid.auth.authorizer.ldap.roleProvider.type=ldap
   -Ddruid.auth.authorizer.ldap.roleProvider.groupFilters=[\"*,OU=SUB-Groupings,OU=Groupings,DC=corp,DC=company,DC=com\"]
   -Ddruid.auth.authorizer.ldap.initialAdminGroupMapping="CN=adm,*"
   OR... you can skip setting groupFilters and just set initialAdminGroupMapping like this instead. These options/combination give
   administrators some flexibility
   -Ddruid.auth.authorizer.ldap.initialAdminGroupMapping="CN=adm,OU=SUB-Groupings,OU=Groupings,DC=corp,DC=company,DC=com"
   
   -Ddruid.escalator.type=basic
   -Ddruid.escalator.internalClientUsername=druid_system
   -Ddruid.escalator.internalClientPassword=password2
   -Ddruid.escalator.authorizerName=db
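
The misconfiguration diagnosed in this thread, turned into a pre-start check over a set of JVM flags. This is an added example, not part of any post above and not Druid's own code; it uses only property names that appear in the thread, while the function names, finding codes and the two sample flag sets are constructed for illustration.

```python
import re

# Constructed sample 1: the reporter's situation. The trust store is set only
# under druid.client.https while the LDAP validator points at an ldaps:// URL.
BROKEN = r'''
-Ddruid.client.https.trustStorePath=/opt/druid/conf/truststore.jks
-Ddruid.auth.authenticatorChain=[\"ldap\"]
-Ddruid.auth.authenticator.ldap.type=basic
-Ddruid.auth.authenticator.ldap.credentialsValidator.type=ldap
-Ddruid.auth.authenticator.ldap.credentialsValidator.url="ldaps://ldap.example.test:636"
'''

# Constructed sample 2: a subset of the working layout posted in the thread.
WORKING = r'''
-Ddruid.auth.authenticatorChain=[\"db\",\"ldap\"]
-Ddruid.auth.basic.ssl.trustStorePath=/path/to/cacerts
-Ddruid.auth.basic.ssl.protocol=TLS
-Ddruid.auth.authenticator.db.type=basic
-Ddruid.auth.authenticator.db.credentialsValidator.type=metadata
-Ddruid.auth.authenticator.ldap.type=basic
-Ddruid.auth.authenticator.ldap.credentialsValidator.type=ldap
-Ddruid.auth.authenticator.ldap.credentialsValidator.url="ldaps://host:port"
'''

LDAP_TLS_KEY = "druid.auth.basic.ssl.trustStorePath"
CLIENT_TLS_KEY = "druid.client.https.trustStorePath"


def parse_flags(text):
    """Parse '-Dkey=value' JVM flags (or bare 'key=value' lines) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("-D"):
            line = line[2:]
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip().strip('"')
    return props


def list_names(value):
    """Extract names from a list value such as [\\"db\\",\\"ldap\\"]."""
    return re.findall(r"[A-Za-z0-9_.-]+", value or "")


def audit(props):
    """Return (severity, code, message) findings for the LDAP authenticators."""
    findings = []
    has_metadata = False
    has_ldap = False
    for name in list_names(props.get("druid.auth.authenticatorChain")):
        base = f"druid.auth.authenticator.{name}.credentialsValidator."
        vtype = props.get(base + "type")
        if vtype == "metadata":
            has_metadata = True
        if vtype != "ldap":
            continue
        has_ldap = True
        url = props.get(base + "url", "").lower()
        if url.startswith("ldaps://") and not props.get(LDAP_TLS_KEY):
            msg = f"authenticator '{name}' uses ldaps:// but {LDAP_TLS_KEY} is not set"
            if props.get(CLIENT_TLS_KEY):
                msg += ("; druid.client.https.trustStorePath is set, but per the "
                        "thread LDAPS settings belong under druid.auth.basic.ssl")
            findings.append(("ERROR", "MISSING_LDAP_TRUSTSTORE", msg))
        elif url.startswith("ldap://"):
            findings.append(("WARN", "PLAINTEXT_LDAP",
                             f"authenticator '{name}' uses ldap://, which is not "
                             "TLS-protected"))
    if has_ldap and not has_metadata:
        # Thread advice: with LDAP as the only credential store, an LDAP outage
        # or a locked escalator account also breaks internal cluster traffic.
        findings.append(("INFO", "ESCALATOR_DEPENDS_ON_LDAP",
                         "no metadata (db) authenticator in the chain; escalator "
                         "authentication depends on LDAP availability"))
    return findings


if __name__ == "__main__":
    for label, text in (("BROKEN", BROKEN), ("WORKING", WORKING)):
        print(label)
        for severity, code, message in audit(parse_flags(text)) or [("OK", "-", "no findings")]:
            print(f"  [{severity}] {code}: {message}")
```
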



[GitHub] [druid] soumyajose0784 closed issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
soumyajose0784 closed issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304
 
 
   



[GitHub] [druid] mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath

Posted by GitBox <gi...@apache.org>.
mohammadjkhan commented on issue #9304: Coordinator fails in LDAPCredentialsValidator :must specify a trustStorePath
URL: https://github.com/apache/druid/issues/9304#issuecomment-582625018
 
 
   No, that's a good question. You don't need to create both db and ldap settings. You can just have ldap, and as long as you have configured the escalator with a valid ldap userId/password and you have also configured the authorizer properties to set initialAdminUser with the escalator user AND/OR initialAdminUser with escalator user's ldap group mappings, then your cluster should start up fine.
