Background

According to Druid’s best practices for basic security, credentialIterations determines the number of iterations used to hash a password. A higher number increases security, but costs more in terms of CPU utilization.

This cost affects API performance, including query times. The default setting of 10000 is intentionally high to prevent attackers from using brute force to guess passwords.

You can decrease the number of iterations to speed up API response times, but it may expose your system to dictionary attacks. Therefore, only reduce the number of iterations if your environment fits one of the following conditions:

• All passwords are long and random which make them as safe as a randomly-generated token.
• You have secured network access to Druid, so that no attacker can execute a dictionary attack against it.

Procedure

To reduce the number of iterations in use in our system which meets the conditions listed above:

1. Set druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations to something low (like 100) in _common/common.runtime.properties

e.g.,

druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialIterations=100

Optional: restart the cluster for this setting to take effect for all new users and password changes

2. (Re)Set the password for the desired API user. This can be set to the existing password so other applications etc. are not affected by the change

In this example we are using an authenticator called basic and a user admin

curl -ik -H 'Content-Type: application/json' -u admin:<secretPassword> -X POST -d '{"password": "<secretPassword", "iterations":100}' https://localhost:9088/proxy/coordinator/druid-ext/basic-security/authentication/db/basic/users/admin/credentials

This step will set the credential iterations to the desired low level for this specific user. Repeat step 2 for any additional API users where reduced credential iterations are desired.

3. Verify the iterations have changed:

curl -ik -u admin:<secretPassword> https://localhost:9088/proxy/coordinator/druid-ext/basic-security/authentication/db/basic/users/admin

{
 "name": "admin",
 "credentials": {
   "salt": "Q2ZB9cRxHioHsX5mga4En5sA20m5jUHn18PMubC42Zc=",
   "hash": "Ziw/9hh1gxFcbIvY5kgCs5cm0PTwT2jmNJXpT96VlKec5Qb+O7LpimzFyXdFPlgOF0jaeyGSPLZkY5NP7xpAnw==",
   "iterations": 100
 }
}

Reducing credential iterations is not a one-size-fits-all solution. For environments that do not fulfil the two key conditions—long, random passwords and secured network access—this operation can actually be detrimental, leaving your system open to dictionary attacks. However, if your environment does meet those two requirements, you can reduce credentials to improve API response times, enabling better performance and ultimately, an improved user experience.