End-to-end Security in Druid

by Jon Wei · December 18, 2017

End-to-end Security in Druid

Since the start of the Druid project, one of the most frequent questions we get asked is: “How do we secure our Druid cluster?”. While we previously recommended deploying Druid entirely behind a secure firewall, we’ve greatly expanded our security capabilities in our latest release (Imply 2.4.0 and Druid 0.11). This post will detail the different security features that are now available.

Security in Druid 0.11

First, end-to-end encryption of all traffic is now possible in Druid. You simply need to provide each node with a private key and a certificate and all internode communications will be over TLS. Druid will also open secure ports that will only accept TLS connections for outside traffic. The performance impact of the additional TLS handshake is negligible so whether you are running in a shared data center or looking protect sensitive data, you can rest assured that your data is secure with the same experience for your users.

Next, a framework for user authentication and role based authorization has been added. This framework provides Druid with a concept of users and permissions, and when this feature is enabled, every request must come from a user, and that user will only be allowed to do what their permissions permit.

Building on the user authentication framework, a Kerberos authentication module is now bundled as part of Druid 0.11. There are a number of additional authentication modules included in the Imply release.

Security in Imply 2.4

Imply 2.4 is based on Druid 0.11 and additionally adds a module to authenticate users with HTTP BasicAuth. This enables a ‘traditional’ user management system where the database maintains the username, passwords, and roles it needs for every operation. For more information, see the docs for the BasicAuth extension.

To interface with a secure database securely, you will also need secure tools and accordingly, Imply has gone through a security overhaul. Imply is now capable of connecting to a secure Druid cluster, and to pass through authentication information for the BasicAuth extension (link to docs). Furthermore, Imply also includes customizable rolles to allow you to select the level of access for every user.

Finally, the Imply UI can now serve secure connections and communicate to the metadata database with TLS.

Security in Imply Cloud

Imply’s beta cloud offering also bundles all of these security features. While spinning up secure clusters requires a little bit more work (you have to generate keys, distribute certificates, and setup roles), we will help with all of that. In fact, starting with version 2.4, it will be impossible to have an unsecured cluster in Imply Cloud.

A perk of having a secure cluster with authentication is Druid’s new ability to attach the user of each request to metrics it emits. As a result, you can use Clarity to examine which users are issuing the heaviest queries.

clarity

We hope you make use of these new features to keep your data safe from prying eyes.

Back to blog

How can we help?