This guide covers security features in Apache Druid, including TLS encryption, authentication, authorization, and security best practices for production deployments.
By default, security features in Druid are disabled. You must configure security features for production deployments.
Security Overview
Druid security encompasses three main areas:
TLS Encryption: Encrypt traffic between clients and services
Authentication: Verify user and service identities
Authorization: Control access to resources and operations
Best Practices
Cluster Setup
Never run Druid as root. Druid administrators have the same OS permissions as the Unix user running Druid.
If Druid runs as root, administrators can read/write sensitive files like /etc/passwd. Always use a dedicated, unprivileged user:
# Create druid user
sudo useradd -r -s /bin/false druid
# Set ownership
sudo chown -R druid:druid /opt/druid
Enable authentication for any environment accessible by untrusted networks, especially production.
# common.runtime.properties
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
Never expose the web console without authorization enabled. Without authorization, any user has the same privileges as the OS user running Druid.
druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
Principle of Least Privilege
Grant users only the minimum permissions necessary:
Read-only users: Only DATASOURCE READ permissions
Data engineers: DATASOURCE WRITE for specific datasources only
Administrators: Full access, granted only to highly-trusted users
Protect Sensitive Credentials
Never use plain-text passwords in configuration files. Use environment variables or secret management:
# Use environment variable provider
druid.metadata.storage.connector.password=${METADATA_STORE_PASSWORD}
See Environment Variable Dynamic Config Provider for more information.
JavaScript functions pose security risks. Disable them unless absolutely required:
druid.javascript.enabled=false
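An added example, not part of the Druid documentation or code base: a small Python check that reads a common.runtime.properties file and reports the settings this section warns about. The sample file and the finding names are constructed, only the ${VAR} reference form shown on this page is accepted for passwords, and the defaults used for unset keys are assumptions marked in the code.

```python
import re

# Constructed sample of a common.runtime.properties file with several weak settings.
SAMPLE = """\
# constructed example values
druid.enablePlaintextPort=true
druid.javascript.enabled=true
druid.metadata.storage.connector.password=hunter2
druid.server.https.keyStorePassword=${KEYSTORE_PASSWORD}
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=change_me_admin
"""

def parse_properties(text):
    """Parse key=value lines, skipping blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return a sorted list of findings for the settings this guide warns about."""
    findings = []
    # Assumed default when the key is unset: JavaScript disabled.
    if props.get("druid.javascript.enabled", "false").lower() == "true":
        findings.append("javascript-enabled")
    if not props.get("druid.auth.authenticatorChain"):
        findings.append("no-authenticator")
    if not props.get("druid.auth.authorizers"):
        findings.append("no-authorizer")
    # Assumed default when the key is unset: plaintext port still enabled.
    if props.get("druid.enablePlaintextPort", "true").lower() != "false":
        findings.append("plaintext-port")
    for key, value in props.items():
        # Any *password key holding something other than a ${VAR} reference.
        if key.lower().endswith("password") and not re.fullmatch(r"\$\{\w+\}", value):
            findings.append("literal-password:" + key)
    return sorted(findings)

if __name__ == "__main__":
    print("\n".join(audit(parse_properties(SAMPLE))))
```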
Network Security
Enable TLS
Encrypt all communication within the cluster and with external clients
Use API Gateway
Implement an API gateway to:
Restrict access from untrusted networks
Create allow lists for specific APIs
Implement account lockout and throttling
Firewall Configuration
Expose only required ports:
Broker ports to query clients
Router/Web console to authenticated users
Block all other ports from public networks
IP Restrictions
Limit access to specific IP addresses or ranges when possible
Permission Guidelines
Critical Permissions - Only grant to highly-trusted users:
DATASOURCE WRITE: Users can execute arbitrary code with Druid process privileges
STATE READ/WRITE: Access to cluster-wide state and resources
CONFIG WRITE: Modify cluster configuration
EXTERNAL READ: Access to external files and network resources
If less-trusted users control ingestion task input sources, validate all URLs to prevent SSRF attacks against internal resources.
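One way to apply that validation before a task is submitted, as an added example rather than Druid's own code. It is narrowed to the http input source and assumes the spec layout spec.ioConfig.inputSource with a uris list; the host names, addresses and resolver table are constructed so the check runs offline.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}

# Constructed sample: a task spec with an http input source (layout assumed, see lead-in).
SAMPLE_SPEC = {"type": "index_parallel", "spec": {"ioConfig": {"inputSource": {
    "type": "http",
    "uris": ["https://data.example.com/events.json",
             "https://169.254.169.254/latest/meta-data/",
             "https://files.example.com/export.json",
             "http://data.example.com/events.json"]}}}}
# Constructed resolver table standing in for DNS.
FAKE_DNS = {"data.example.com": {"93.184.216.34"}, "files.example.com": {"10.0.0.5"}}

def resolve(host):
    """Default resolver: every address the host name currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def check_uri(uri, allowed_hosts, resolver=resolve):
    """Return None when the URI is acceptable, otherwise the reason for rejecting it."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        return "scheme"
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        return "host-not-allowed"
    # An allow-listed name can still point inward; reject any non-public address.
    if any(not ipaddress.ip_address(a).is_global for a in resolver(host)):
        return "internal-address"
    return None

def check_spec(spec, allowed_hosts, resolver=resolve):
    """Map each rejected URI of an http input source to its rejection reason."""
    source = spec["spec"]["ioConfig"]["inputSource"]
    if source.get("type") != "http":
        return {}
    checked = {u: check_uri(u, allowed_hosts, resolver) for u in source.get("uris", [])}
    return {u: why for u, why in checked.items() if why}

if __name__ == "__main__":
    print(check_spec(SAMPLE_SPEC, set(FAKE_DNS), FAKE_DNS.__getitem__))
```

A name that resolves to a public address at submission time can resolve differently when the task runs, so the same check belongs at connection time as well, or the fetch should be routed through an egress proxy that enforces it.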
TLS Configuration
Generate Certificates
Generate KeyStore
keytool -keystore keystore.jks -alias druid -genkey -keyalg RSA
Export Public Certificate
keytool -export -alias druid -keystore keystore.jks -rfc -file public.cert
Create TrustStore
keytool -import -file public.cert -alias druid -keystore truststore.jks
Never use self-signed certificates in production. Use certificates from your organization’s PKI or a trusted CA.
Enable TLS
Configure TLS in common.runtime.properties for all Druid services:
# Enable TLS globally
druid.enableTlsPort=true
druid.enablePlaintextPort=false
# Load TLS extension
druid.extensions.loadList=["simple-client-sslcontext", ...]
# Client-side TLS (for inter-service communication)
druid.client.https.protocol=TLSv1.2
druid.client.https.trustStoreType=jks
druid.client.https.trustStorePath=/etc/druid/truststore.jks
druid.client.https.trustStorePassword=${TRUSTSTORE_PASSWORD}
# Server-side TLS
druid.server.https.keyStoreType=jks
druid.server.https.keyStorePath=/etc/druid/keystore.jks
druid.server.https.keyStorePassword=${KEYSTORE_PASSWORD}
druid.server.https.certAlias=druid
After enabling TLS, all service URLs change from http:// to https:// and ports change from 80xx to 82xx (e.g., Broker: 8082 → 8282).
Authentication
Enable Basic Authentication
Load Extension
Add druid-basic-security to the extension load list:
druid.extensions.loadList=["druid-basic-security", ...]
Configure Authenticator
druid.auth.authenticatorChain=["MyBasicMetadataAuthenticator"]
druid.auth.authenticator.MyBasicMetadataAuthenticator.type=basic
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialAdminPassword=change_me_admin
druid.auth.authenticator.MyBasicMetadataAuthenticator.initialInternalClientPassword=change_me_internal
druid.auth.authenticator.MyBasicMetadataAuthenticator.credentialsValidator.type=metadata
druid.auth.authenticator.MyBasicMetadataAuthenticator.skipOnFailure=false
druid.auth.authenticator.MyBasicMetadataAuthenticator.authorizerName=MyBasicMetadataAuthorizer
Configure Escalator
druid.escalator.type=basic
druid.escalator.internalClientUsername=druid_system
druid.escalator.internalClientPassword=change_me_internal
druid.escalator.authorizerName=MyBasicMetadataAuthorizer
Restart Cluster
Restart all Druid services to apply authentication configuration
Change default passwords immediately after first startup. The default admin and druid_system users are created with the passwords specified in configuration.
Alternative Authentication Methods
Configure LDAP authentication for integration with existing directory services:
druid.auth.authenticatorChain=["ldap"]
druid.auth.authenticator.ldap.type=basic
druid.auth.authenticator.ldap.credentialsValidator.type=ldap
druid.auth.authenticator.ldap.credentialsValidator.url=ldap://ldap.example.com:389
druid.auth.authenticator.ldap.credentialsValidator.bindUser=cn=admin,dc=example,dc=com
druid.auth.authenticator.ldap.credentialsValidator.bindPassword=${LDAP_BIND_PASSWORD}
druid.auth.authenticator.ldap.credentialsValidator.baseDn=ou=users,dc=example,dc=com
druid.auth.authenticator.ldap.credentialsValidator.userSearch=(&(uid=%s)(objectClass=inetOrgPerson))
See Configure LDAP Authentication for details.
Configure Kerberos for enterprise environments:
druid.auth.authenticatorChain=["kerberos"]
druid.auth.authenticator.kerberos.type=kerberos
druid.auth.authenticator.kerberos.serverPrincipal=HTTP/[email protected]
druid.auth.authenticator.kerberos.serverKeytab=/etc/security/keytabs/druid.keytab
druid.auth.authenticator.kerberos.authToLocal=DEFAULT
Authorization
Resource Types
Individual datasources (tables). Resource names are datasource names or regex patterns.
Configuration endpoints. Resource names: CONFIG or security.
Cluster-wide state and status. Resource name: STATE.
External data access via EXTERN function. Resource name: EXTERNAL.
System schema tables in SQL. Resource names are table names like sys.segments.
Actions
READ: Read-only operations, queries, and status checks
WRITE: Modify operations, ingestion, and configuration changes
WRITE permission does not include READ. Grant both explicitly if both are needed.
Enable Authorizer
druid.auth.authorizers=["MyBasicMetadataAuthorizer"]
druid.auth.authorizer.MyBasicMetadataAuthorizer.type=basic
Create Users
curl -u admin:password -XPOST \
https://coordinator:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/alice
Set User Password
curl -u admin:password -H 'Content-Type: application/json' -XPOST \
https://coordinator:8281/druid-ext/basic-security/authentication/db/MyBasicMetadataAuthenticator/users/alice/credentials \
--data '{"password": "alice_password"}'
Create Authorizer User
curl -u admin:password -XPOST \
https://coordinator:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/alice
Create Roles
curl -u admin:password -XPOST \
https://coordinator:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/data-reader
Assign Role to User
curl -u admin:password -XPOST \
https://coordinator:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/users/alice/roles/data-reader
Grant Permissions to Role
curl -u admin:password -H 'Content-Type: application/json' -XPOST \
https://coordinator:8281/druid-ext/basic-security/authorization/db/MyBasicMetadataAuthorizer/roles/data-reader/permissions \
--data @permissions.json
permissions.json:
[
  {
    "resource": { "type": "DATASOURCE", "name": "wikipedia" },
    "action": "READ"
  },
  {
    "resource": { "type": "STATE", "name": "STATE" },
    "action": "READ"
  }
]
Permission Examples
[
  {
    "resource": { "type": "DATASOURCE", "name": ".*" },
    "action": "READ"
  },
  {
    "resource": { "type": "STATE", "name": "STATE" },
    "action": "READ"
  }
]
[
  {
    "resource": { "type": "DATASOURCE", "name": "analytics_.*" },
    "action": "READ"
  },
  {
    "resource": { "type": "DATASOURCE", "name": "analytics_.*" },
    "action": "WRITE"
  },
  {
    "resource": { "type": "STATE", "name": "STATE" },
    "action": "READ"
  }
]
[
  {
    "resource": { "type": "DATASOURCE", "name": ".*" },
    "action": "READ"
  },
  {
    "resource": { "type": "DATASOURCE", "name": ".*" },
    "action": "WRITE"
  },
  {
    "resource": { "type": "CONFIG", "name": ".*" },
    "action": "READ"
  },
  {
    "resource": { "type": "CONFIG", "name": ".*" },
    "action": "WRITE"
  },
  {
    "resource": { "type": "STATE", "name": "STATE" },
    "action": "READ"
  },
  {
    "resource": { "type": "STATE", "name": "STATE" },
    "action": "WRITE"
  }
]
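A review aid for permission sets in the format above, added here as an example and not taken from Druid: it flags the grants this page calls critical, bare .* resource names, and WRITE grants with no matching READ, then expands DATASOURCE patterns against a list of datasource names. The finding labels, the WRITE_ONLY role and the KNOWN names are constructed, and full-string regex matching is an assumption.

```python
import re

# (resource type, action) pairs this page lists as critical permissions.
CRITICAL = {("DATASOURCE", "WRITE"), ("STATE", "READ"), ("STATE", "WRITE"),
            ("CONFIG", "WRITE"), ("EXTERNAL", "READ")}

# The second permission set shown above (analytics_.* read/write plus STATE READ).
ENGINEER = [
    {"resource": {"type": "DATASOURCE", "name": "analytics_.*"}, "action": "READ"},
    {"resource": {"type": "DATASOURCE", "name": "analytics_.*"}, "action": "WRITE"},
    {"resource": {"type": "STATE", "name": "STATE"}, "action": "READ"},
]
# Constructed inputs: a write-only wildcard role and a list of datasource names.
WRITE_ONLY = [{"resource": {"type": "DATASOURCE", "name": ".*"}, "action": "WRITE"}]
KNOWN = ["analytics_clicks", "analytics_users", "billing", "wikipedia"]

def audit_role(permissions):
    """Return sorted findings for one role's permission list (permissions.json format)."""
    grants = {(p["resource"]["type"], p["resource"]["name"], p["action"])
              for p in permissions}
    findings = set()
    for rtype, name, action in grants:
        if (rtype, action) in CRITICAL:
            findings.add(f"critical:{rtype}:{action}:{name}")
        if name == ".*":
            findings.add(f"wildcard:{rtype}:{action}")
        # WRITE does not include READ, so flag WRITE grants with no matching READ.
        if action == "WRITE" and (rtype, name, "READ") not in grants:
            findings.add(f"write-without-read:{rtype}:{name}")
    return sorted(findings)

def effective_datasources(permissions, known):
    """Expand DATASOURCE regex grants against known names (full match is assumed)."""
    reach = {"READ": set(), "WRITE": set()}
    for p in permissions:
        res = p["resource"]
        if res["type"] == "DATASOURCE":
            reach[p["action"]].update(d for d in known if re.fullmatch(res["name"], d))
    return {action: sorted(names) for action, names in reach.items()}

if __name__ == "__main__":
    print(audit_role(ENGINEER), effective_datasources(ENGINEER, KNOWN))
```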
Security Trust Model
Druid operates on the following security assumptions:
Druid processes have the same file access as the Unix user running the process
Ingestion tasks can create processes that inherit parent process permissions
Users with DATASOURCE WRITE can access any files/resources the Druid process can access
Druid assumes it operates on an isolated, protected network
Network traffic within the cluster is encrypted (via TLS)
Auxiliary services (metadata store, ZooKeeper) are not under adversary control
Implement firewalls and network security to isolate the cluster
Deep storage security follows the storage system’s native policies
Druid relies on storage system encryption capabilities
Configure appropriate IAM roles/credentials for cloud storage
Clients are authenticated based on configured authenticator
Actions are authorized based on configured authorizer
Default configuration is allowAll (no restrictions)
Reporting Security Issues
If you discover a security vulnerability in Druid, do not create a public GitHub issue.
Report security issues privately to: [email protected]
Vulnerability Handling Process
Reporter sends vulnerability details to [email protected]
Druid security team acknowledges receipt
Team works privately with reporter to resolve the issue
Team creates a patch and releases a new version
Team publicly announces the vulnerability and fix