End-to-end Security in Druid

Dec 18, 2017
Jon Wei

Since the start of the Druid project, one of the most frequent questions we get asked is: “How do we secure our Druid cluster?”.While we previously recommended deploying Druid entirely behind a secure firewall, we’ve greatly expanded our security capabilities in our latest release (Imply 2.4.0 and Druid 0.11).This post will detail the different security features that are now available.

Security in Druid 0.11

First, end-to-end encryption of all traffic is now possible in Druid.You simply need to provide each node with a private key and a certificate and all internode communications will be over TLS.Druid will also open secure ports that will only accept TLS connections for outside traffic.The performance impact of the additional TLS handshake is negligible so whether you are running in a shared data center or looking protect sensitive data, you can rest assured that your data is secure with the same experience for your users.

Next, a framework for user authentication and role based authorization has been added.This framework provides Druid with a concept of users and permissions, and when this feature is enabled, every request must come from a user, and that user will only be allowed to do what their permissions permit.

Building on the user authentication framework, a Kerberos authentication module is now bundled as part of Druid 0.11.There are a number of additional authentication modules included in the Imply release.

Security in Imply 2.4

Imply 2.4 is based on Druid 0.11 and additionally adds a module to authenticate users with HTTP BasicAuth.This enables a ‘traditional’ user management system where the database maintains the username, passwords, and roles it needs for every operation.For more information, see the docs for the BasicAuth extension.

To interface with a secure database securely, you will also need secure tools and accordingly, Imply has gone through a security overhaul.
Imply is now capable of connecting to a secure Druid cluster, and to pass through authentication information for the BasicAuth extension (link to docs).Furthermore, Imply also includes customizable rolles to allow you to select the level of access for every user.

Finally, the Imply UI can now serve secure connections and communicate to the metadata database with TLS.

Security in Imply Cloud

Imply’s beta cloud offering also bundles all of these security features.
While spinning up secure clusters requires a little bit more work (you have to generate keys, distribute certificates, and setup roles), we will help with all of that.In fact, starting with version 2.4, it will be impossible to have an unsecured cluster in Imply Cloud.

A perk of having a secure cluster with authentication is Druid’s new ability to attach the user of each request to metrics it emits.As a result, you can use Clarity to examine which users are issuing the heaviest queries.

We hope you make use of these new features to keep your data safe from prying eyes.

Other blogs you might find interesting

No records found...
Jul 03, 2024

Using Upserts in Imply Polaris

Transform your data management with upserts in Imply Polaris! Ensure data consistency and supercharge efficiency by seamlessly combining insert and update operations into one powerful action. Discover how Polaris’s...

Learn More
Jul 01, 2024

Make Imply Polaris the New Home for your Rockset Data

Rockset is deprecating its services—so where should you go? Try Imply Polaris, the database built for speed, scale, and streaming data.

Learn More
Jun 26, 2024

Announcing Imply Polaris on Microsoft Azure: Elevating Real-Time Analytics for Developers

We are excited to announce that Imply Polaris, our Database-as-a-Service (DBaaS) solution built from Apache Druid, is now available on Microsoft Azure. Azure customers worldwide can now take advantage of a...

Learn More

Let us help with your analytics apps

Request a Demo