From e6d7f685fa868e3e28e70b133f771e508a9930b4 Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Wed, 6 Oct 2021 09:53:33 -0700 Subject: [PATCH 1/7] security recommendation --- docs/operations/security-overview.md | 3 ++- docs/operations/security-user-auth.md | 24 ++++++++++++++---------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index e1a1dd7ff83b..f528198cc856 100644 --- a/docs/operations/security-overview.md +++ b/docs/operations/security-overview.md @@ -39,6 +39,7 @@ The following recommendations apply to the Druid cluster setup: * Enable authentication to the Druid cluster for production environments and other environments that can be accessed by untrusted networks. * Enable authorization and do not expose the Druid Console without authorization enabled. If authorization is not enabled, any user that has access to the web console has the same privileges as the operating system user that runs the Druid Console process. * Grant users the minimum permissions necessary to perform their functions. For instance, do not allow users who only need to query data to write to data sources or view state. +* Do not provide plain-text passwords for production systems in configuration specs. For example, sensitive properties in the consumerProperties of `KafkaSupervisorIngestionSpec`. * Disable JavaScript, as noted in the [Security section](https://druid.apache.org/docs/latest/development/javascript.html#security) of the JavaScript guide. The following recommendations apply to the network where Druid runs: 
@@ -50,7 +51,7 @@ The following recommendations apply to the network where Druid runs: * When possible, use firewall and other network layer filtering to only expose Druid services and ports specifically required for your use case. For example, only expose Broker ports to downstream applications that execute queries. You can limit access to a specific IP address or IP range to further tighten and enhance security. The following recommendation applies to Druids authorization and authentication model: -* Only grant `WRITE` permissions to any `DATASOURCE` to trusted users. Druid's trust model assumes those users have the same privileges as the operating system user that runs the Druid Console process. +* Only grant `WRITE` permissions to any `DATASOURCE` to trusted users. Druid's trust model assumes those users have the same privileges as the operating system user that runs the Druid Console process. Additionally, users with `WRITE` permissions can make changes to datasources and they have access to both task and supervisor APIs which may return sensitive information. * Only grant `STATE READ`, `STATE WRITE`, `CONFIG WRITE`, and `DATASOURCE WRITE` permissions to highly-trusted users. These permissions allow users to access resources on behalf of the Druid server process regardless of the datasource. * If your Druid client application allows less-trusted users to control the input source or firehose of an ingestion task, validate the URLs from the users. It is possible to point unchecked URLs to other locations and resources within your network or local file system. diff --git a/docs/operations/security-user-auth.md b/docs/operations/security-user-auth.md index 54f4317a708c..8dc63ebc83d6 100644 --- a/docs/operations/security-user-auth.md +++ b/docs/operations/security-user-auth.md 
@@ -34,7 +34,7 @@ Druid uses the following resource types: * DATASOURCE – Each Druid table (i.e., `tables` in the `druid` schema in SQL) is a resource. * CONFIG – Configuration resources exposed by the cluster components. * STATE – Cluster-wide state resources. -* SYSTEM_TABLE – if `druid.sql.planner.authorizeSystemTablesDirectly` is enabled, then Druid authorizes system tables, the `sys` schema in SQL, using this resource type. +* SYSTEM_TABLE – when the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true, then Druid uses this resource type to authorize the system tables in the `sys` schema in SQL. For specific resources associated with the types, see the endpoint list below and corresponding descriptions in [API Reference](./api-reference.md). @@ -69,10 +69,10 @@ There are two action types in Druid: READ and WRITE There are three resource types in Druid: DATASOURCE, CONFIG, and STATE. -### DATASOURCE +### `DATASOURCE` Resource names for this type are datasource names. Specifying a datasource permission allows the administrator to grant users access to specific datasources. -### CONFIG +### `CONFIG` There are two possible resource names for the "CONFIG" resource type, "CONFIG" and "security". Granting a user access to CONFIG resources allows them to access the following endpoints. "CONFIG" resource name covers the following endpoints: @@ -92,7 +92,7 @@ There are two possible resource names for the "CONFIG" resource type, "CONFIG" a |`/druid-ext/basic-security/authentication`|coordinator| |`/druid-ext/basic-security/authorization`|coordinator| -### STATE +### `STATE` There is only one possible resource name for the "STATE" config resource type, "STATE". Granting a user access to STATE resources allows them to access the following endpoints. "STATE" resource name covers the following endpoints: 
@@ -121,6 +121,9 @@ There is only one possible resource name for the "STATE" config resource type, " |`/druid-internal/v1/segments/`|realtime| |`/status`|all process types| +### `SYSTEM_TABLES` +Resource names for this type are system schema table names in the `sys` schema in SQL. For example `sys.segments` and `sys.server_segments`. Druid only enforces authorization for `SYSTEM_TABLES` resources when the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true. + ### HTTP methods For information on what HTTP methods are supported on a particular request endpoint, please refer to the [API documentation](./api-reference.md). 
@@ -131,15 +134,16 @@ GET requires READ permission, while POST and DELETE require WRITE permission. Queries on Druid datasources require DATASOURCE READ permissions for the specified datasource. -Queries on the [INFORMATION_SCHEMA tables](../querying/sql.md#information-schema) will -return information about datasources that the caller has DATASOURCE READ access to. Other -datasources will be omitted. +Queries on [INFORMATION_SCHEMA tables](../querying/sql.md#information-schema) return information about datasources that the caller has DATASOURCE READ access to. Other +datasources are omitted. Queries on the [system schema tables](../querying/sql.md#system-schema) require the following permissions: -- `segments`: Segments will be filtered based on DATASOURCE READ permissions. +- `segments`: Druid filters segments according to DATASOURCE READ permissions. - `servers`: The user requires STATE READ permissions. -- `server_segments`: The user requires STATE READ permissions and segments will be filtered based on DATASOURCE READ permissions. -- `tasks`: Tasks will be filtered based on DATASOURCE READ permissions. +- `server_segments`: The user requires STATE READ permissions. Druid filters segments according to DATASOURCE READ permissions. +- `tasks`: Druid filters tasks according to DATASOURCE WRITE permissions. +- `supervisors`: Druid filters supervisors according to DATASOURCE WRITE permissions. +When the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true, users also require `SYSTEM_TABLE` authorization on a system schema table to query it. ## Configuration Propagation From 83a11bf34dd97743bf121efa9dd338733efca828 Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Thu, 7 Oct 2021 11:29:03 -0700 Subject: [PATCH 2/7] Update docs/operations/security-overview.md Co-authored-by: Victoria Lim --- docs/operations/security-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index f528198cc856..627698f03666 100644 --- a/docs/operations/security-overview.md +++ b/docs/operations/security-overview.md @@ -50,7 +50,7 @@ The following recommendations apply to the network where Druid runs: - Implement account lockout and throttling features. * When possible, use firewall and other network layer filtering to only expose Druid services and ports specifically required for your use case. For example, only expose Broker ports to downstream applications that execute queries. You can limit access to a specific IP address or IP range to further tighten and enhance security. -The following recommendation applies to Druids authorization and authentication model: +The following recommendation applies to Druid's authorization and authentication model: * Only grant `WRITE` permissions to any `DATASOURCE` to trusted users. Druid's trust model assumes those users have the same privileges as the operating system user that runs the Druid Console process. Additionally, users with `WRITE` permissions can make changes to datasources and they have access to both task and supervisor APIs which may return sensitive information. * Only grant `STATE READ`, `STATE WRITE`, `CONFIG WRITE`, and `DATASOURCE WRITE` permissions to highly-trusted users. These permissions allow users to access resources on behalf of the Druid server process regardless of the datasource. * If your Druid client application allows less-trusted users to control the input source or firehose of an ingestion task, validate the URLs from the users. It is possible to point unchecked URLs to other locations and resources within your network or local file system. From 80d438e082ac71f625f33003b39552c490c6bf13 Mon Sep 17 00:00:00 2001 
From: Charles Smith Date: Thu, 7 Oct 2021 11:29:55 -0700 Subject: [PATCH 3/7] Update docs/operations/security-user-auth.md Co-authored-by: Victoria Lim --- docs/operations/security-user-auth.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/docs/operations/security-user-auth.md b/docs/operations/security-user-auth.md index 8dc63ebc83d6..9d3ea94df6a9 100644 --- a/docs/operations/security-user-auth.md +++ b/docs/operations/security-user-auth.md @@ -121,9 +121,8 @@ There is only one possible resource name for the "STATE" config resource type, " |`/druid-internal/v1/segments/`|realtime| |`/status`|all process types| -### `SYSTEM_TABLES` -Resource names for this type are system schema table names in the `sys` schema in SQL. For example `sys.segments` and `sys.server_segments`. Druid only enforces authorization for `SYSTEM_TABLES` resources when the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true. - +### `SYSTEM_TABLE` +Resource names for this type are system schema table names in the `sys` schema in SQL, for example `sys.segments` and `sys.server_segments`. Druid only enforces authorization for `SYSTEM_TABLE` resources when the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true. ### HTTP methods For information on what HTTP methods are supported on a particular request endpoint, please refer to the [API documentation](./api-reference.md). From c08676c846ccfc1c0d6e25bbadb6cf5e4b083577 Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Thu, 7 Oct 2021 11:32:07 -0700 Subject: [PATCH 4/7] Update docs/operations/security-user-auth.md Co-authored-by: Victoria Lim --- docs/operations/security-user-auth.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/security-user-auth.md b/docs/operations/security-user-auth.md index 9d3ea94df6a9..8f093a3d30f5 100644 --- a/docs/operations/security-user-auth.md +++ b/docs/operations/security-user-auth.md 
@@ -67,7 +67,7 @@ Each Authorizer will always have a default "admin" and "druid_system" user with There are two action types in Druid: READ and WRITE -There are three resource types in Druid: DATASOURCE, CONFIG, and STATE. +Druid uses the following resource types: `DATASOURCE`, `CONFIG`, `STATE`, and `SYSTEM_TABLE`. ### `DATASOURCE` Resource names for this type are datasource names. Specifying a datasource permission allows the administrator to grant users access to specific datasources. From 48dadf067221325f75d8e381b2a90ccda17b72b2 Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Thu, 7 Oct 2021 13:10:34 -0700 Subject: [PATCH 5/7] Update security-user-auth.md add newline --- docs/operations/security-user-auth.md | 1 + 1 file changed, 1 insertion(+) diff --git a/docs/operations/security-user-auth.md b/docs/operations/security-user-auth.md index 8f093a3d30f5..31815995d3ca 100644 --- a/docs/operations/security-user-auth.md +++ b/docs/operations/security-user-auth.md @@ -142,6 +142,7 @@ Queries on the [system schema tables](../querying/sql.md#system-schema) require - `server_segments`: The user requires STATE READ permissions. Druid filters segments according to DATASOURCE READ permissions. - `tasks`: Druid filters tasks according to DATASOURCE WRITE permissions. - `supervisors`: Druid filters supervisors according to DATASOURCE WRITE permissions. + When the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true, users also require `SYSTEM_TABLE` authorization on a system schema table to query it. ## Configuration Propagation From 2f4b24e5dc1934685d82568f3331c4ec343b5e20 Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Thu, 7 Oct 2021 13:11:25 -0700 Subject: [PATCH 6/7] Update docs/operations/security-overview.md Co-authored-by: Victoria Lim --- docs/operations/security-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index 627698f03666..e18da22b990e 100644 --- a/docs/operations/security-overview.md +++ b/docs/operations/security-overview.md @@ -39,7 +39,7 @@ The following recommendations apply to the Druid cluster setup: * Enable authentication to the Druid cluster for production environments and other environments that can be accessed by untrusted networks. * Enable authorization and do not expose the Druid Console without authorization enabled. If authorization is not enabled, any user that has access to the web console has the same privileges as the operating system user that runs the Druid Console process. * Grant users the minimum permissions necessary to perform their functions. For instance, do not allow users who only need to query data to write to data sources or view state. -* Do not provide plain-text passwords for production systems in configuration specs. For example, sensitive properties in the consumerProperties of `KafkaSupervisorIngestionSpec`. +* Do not provide plain-text passwords for production systems in configuration specs. For example, sensitive properties should not be in the `consumerProperties` field of `KafkaSupervisorIngestionSpec`. * Disable JavaScript, as noted in the [Security section](https://druid.apache.org/docs/latest/development/javascript.html#security) of the JavaScript guide. The following recommendations apply to the network where Druid runs: From 2baea2bfdd3ff055ef3049ee31ac31605277b7ff Mon Sep 17 00:00:00 2001 From: Charles Smith Date: Fri, 8 Oct 2021 13:35:00 -0700 Subject: [PATCH 7/7] Update security-overview.md add suggestion for environment variable dynamic config provider --- docs/operations/security-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/security-overview.md b/docs/operations/security-overview.md index e18da22b990e..236b942a7dcc 100644 --- a/docs/operations/security-overview.md 
+++ b/docs/operations/security-overview.md @@ -39,7 +39,7 @@ The following recommendations apply to the Druid cluster setup: * Enable authentication to the Druid cluster for production environments and other environments that can be accessed by untrusted networks. * Enable authorization and do not expose the Druid Console without authorization enabled. If authorization is not enabled, any user that has access to the web console has the same privileges as the operating system user that runs the Druid Console process. * Grant users the minimum permissions necessary to perform their functions. For instance, do not allow users who only need to query data to write to data sources or view state. -* Do not provide plain-text passwords for production systems in configuration specs. For example, sensitive properties should not be in the `consumerProperties` field of `KafkaSupervisorIngestionSpec`. +* Do not provide plain-text passwords for production systems in configuration specs. For example, sensitive properties should not be in the `consumerProperties` field of `KafkaSupervisorIngestionSpec`. See [Environment variable dynamic config provider](./dynamic-config-provider.md#environment-variable-dynamic-config-provider) for more information. * Disable JavaScript, as noted in the [Security section](https://druid.apache.org/docs/latest/development/javascript.html#security) of the JavaScript guide. The following recommendations apply to the network where Druid runs:
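Review bot: In PATCH 1/7, hunk @@ -39,6 +39,7 @@ of docs/operations/security-overview.md, the added bullet's second sentence is a fragment ("For example, sensitive properties in the consumerProperties of `KafkaSupervisorIngestionSpec`."), `consumerProperties` is not in code formatting while the spec name is, and the bullet tells the reader what not to do without naming the supported alternative. Suggest a complete sentence such as "For example, do not put plain-text credentials in the `consumerProperties` of a `KafkaSupervisorIngestionSpec`; supply them through a dynamic config provider instead." PATCH 6/7 and PATCH 7/7 later in this series rework this bullet along exactly those lines, so squashing them into this commit would avoid an intermediate revision with the broken sentence.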
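Review bot: In PATCH 1/7, hunk @@ -50,7 +51,7 @@ of docs/operations/security-overview.md, "which may return sensitive information" is too vague for an operator to act on. Say what that information is: given the bullet this same patch adds about sensitive properties in the `consumerProperties` of `KafkaSupervisorIngestionSpec`, the concrete case is credentials embedded in a task or supervisor spec that those APIs hand back to anyone with `DATASOURCE WRITE`. Stating that here also gives the plain-text-password bullet its justification, so the two bullets should reference each other. The unchanged context line still reads "Druids authorization" (missing apostrophe); PATCH 2/7 corrects it and could be folded in here.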
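Review bot: In PATCH 1/7, hunk @@ -34,7 +34,7 @@ of docs/operations/security-user-auth.md, "when the Broker property ... is true, then Druid uses" should drop "then" ("When the Broker property `druid.sql.planner.authorizeSystemTablesDirectly` is true, Druid uses this resource type to authorize ..."). It would also help to state what happens when the property is false, since the @@ -131 hunk in this same patch says `SYSTEM_TABLE` authorization is required "also", on top of the per-table DATASOURCE/STATE filtering; without that, a reader cannot tell whether a default configuration enforces `SYSTEM_TABLE` at all.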
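Review bot: In PATCH 1/7, hunk @@ -69,10 +69,10 @@ of docs/operations/security-user-auth.md, the unchanged context line "There are three resource types in Druid: DATASOURCE, CONFIG, and STATE." is now wrong, because this same patch adds `SYSTEM_TABLE` as a fourth type in the @@ -34 hunk and as its own section in the @@ -121 hunk. PATCH 4/7 fixes the sentence; it belongs in this commit so the file does not contradict itself at an intermediate revision. Backticking the headings is fine, but the CONFIG section body still uses quoted "CONFIG" and "security" for resource names; pick one convention for the whole file.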
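Review bot: In PATCH 1/7, hunk @@ -121,6 +121,9 @@ of docs/operations/security-user-auth.md, the new section is headed `SYSTEM_TABLES` while the resource type is spelled `SYSTEM_TABLE` in the @@ -34 and @@ -131 hunks of the same patch, so a reader searching for the type name will miss this section. PATCH 3/7 renames it; squash that in. Within the section, "For example `sys.segments` and `sys.server_segments`." is a fragment (join it to the previous sentence with a comma), and the extra trailing blank line leaves a double blank before "### HTTP methods".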
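Review bot: In PATCH 1/7, hunk @@ -131,15 +134,16 @@ of docs/operations/security-user-auth.md, the `tasks` entry changes the documented filter from DATASOURCE READ to DATASOURCE WRITE and the new `supervisors` entry also uses WRITE. That is a statement about enforced behaviour, not a wording change, and neither the commit message ("security recommendation") nor the hunk says which code or release it was checked against; please confirm it and cite the source, because an operator grants roles based on this list. Separately, the added line "When the Broker property ... is true, users also require `SYSTEM_TABLE` authorization ..." follows the last list item with no blank line, so Markdown renders it as a lazy continuation of the `supervisors` bullet (PATCH 5/7 adds the blank line; squash). The rewrap also leaves "Other" at the end of one line and "datasources are omitted." on the next; join them.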
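Review bot: In PATCH 3/7, hunk @@ -121,9 +121,8 @@ of docs/operations/security-user-auth.md, the rename to `SYSTEM_TABLE` is correct, but the hunk also drops the blank line between the section paragraph and "### HTTP methods" (the diffstat shows 3 deletions against 2 insertions, and the context line "### HTTP methods" now directly follows the paragraph). Every other section in this file is separated from the next heading by a blank line; keep one here.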
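Review bot: In PATCH 4/7, hunk @@ -67,7 +67,7 @@ of docs/operations/security-user-auth.md, the reworded line now duplicates the list under "Druid uses the following resource types:" at line 34 of the same file. Two copies of the same four names will drift again, as they did in PATCH 1/7; keep the list in one place and make this line a short reference to it. The unchanged context line "There are two action types in Druid: READ and WRITE" is still missing its terminal period.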
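Review bot: In PATCH 6/7, hunk @@ -39,7 +39,7 @@ of docs/operations/security-overview.md, "sensitive properties should not be in the `consumerProperties` field" reads as if those properties must be omitted from the spec altogether, whereas the bullet's first sentence, and the original wording in PATCH 1/7, is about their values not being plain text. Suggest "sensitive properties such as passwords in the `consumerProperties` field of `KafkaSupervisorIngestionSpec` should not be given as plain-text values", which also fits the dynamic config provider link that PATCH 7/7 appends.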
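Review bot: In PATCH 7/7, hunk @@ -39,7 +39,7 @@ of docs/operations/security-overview.md, "See ... for more information" gives no hint what the reader will find; say what the provider is for, e.g. "to supply such values from environment variables instead of embedding them in the spec", which is what the commit subject itself describes. Please also confirm that `dynamic-config-provider.md` exists under docs/operations/ with the anchor `environment-variable-dynamic-config-provider`; the target is not part of this diff, and a relative link to a page landing in another PR breaks the docs build if the merge order differs.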