OpenID Connect support #473

Closed
Tracked by #431 ...
fhennig opened this issue Sep 20, 2023 · 1 comment · Fixed by #573
Comments

@fhennig
Contributor

fhennig commented Sep 20, 2023

As a user of the SDP I want to connect Druid to my existing OpenID IDP, i.e. Keycloak.

Working example

A working example can be found in the integration tests in https://github.com/stackabletech/druid-operator/tree/main/tests/templates/kuttl/oidc

OPA integration

For OPA, we want Druid to use the Keycloak username when requesting policy decisions. By default, the sub from the token is used, which is the user ID from Keycloak. Supposedly the setting druid.auth.pac4j.oidc.oidcClaim should be used to configure a claim that is extracted from the token and used as the user identification, but that doesn't seem to work.

This is the code showing that the UID is extracted to create the AuthenticationResult: https://github.com/apache/druid/blob/fa61e654e47ca80271798c497eda2f3018e9c636/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/Pac4jFilter.java#L116

Here we can see that the oidcClaim is used in the JWTFilter: https://github.com/apache/druid/blob/fa61e654e47ca80271798c497eda2f3018e9c636/extensions-core/druid-pac4j/src/main/java/org/apache/druid/security/pac4j/JwtAuthFilter.java#L81. The pac4j authorizer should probably do something similar.

This is the pac4j function that is called from the authorizer: https://github.com/pac4j/pac4j/blob/e2b26ee231d38eab4a4f61a736d4614f272f593a/pac4j-core/src/main/java/org/pac4j/core/engine/DefaultSecurityLogic.java#L75

Alternatively, Keycloak can be configured to write the username into the sub field for the Druid client. That seems to be a bit hacky though. Here's the SO question explaining how to do it: https://stackoverflow.com/questions/56666054/keycloak-mapping-username-on-subject-claim

In Trino, there's a setting called http-server.authentication.oauth2.principal-field which does something similar and it works well.

It might be that the oidcClaim setting is actually not working and this might be a bug in Druid.
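To make the identity mismatch described in this issue concrete, here is an added illustration (not Druid, pac4j or operator code) of how the principal that reaches a policy engine changes depending on whether a configured claim or the raw `sub` is used. The fallback-to-`sub` behaviour, the Keycloak claim values and the shape of the OPA input document are assumptions for the example.

```python
import base64
import json
from typing import Optional

# Constructed sample: claims of a Keycloak-issued ID token for the Druid client.
# Signature verification is assumed to have already happened upstream (as pac4j does).
SAMPLE_CLAIMS = {
    "iss": "https://keycloak.example.invalid/realms/demo",  # placeholder issuer
    "sub": "7c2b8f1e-0a4d-4e6f-9b3a-1f2d3c4e5a6b",           # Keycloak user UUID
    "preferred_username": "alice",                           # human-readable username
    "aud": "druid",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def build_unsigned_jwt(claims: dict) -> str:
    # header.payload.<empty signature>; only the payload matters for this illustration
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def decode_claims(token: str) -> dict:
    # Re-add base64url padding and parse the payload segment
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def resolve_principal(claims: dict, oidc_claim: Optional[str]) -> str:
    """Pick the identity a policy engine will see.

    Assumed behaviour: use the configured claim when it is present, otherwise
    fall back to 'sub'. The pac4j path described in the issue behaves as if
    oidc_claim were None, so OPA sees the Keycloak UUID instead of the username.
    """
    if oidc_claim and oidc_claim in claims:
        return claims[oidc_claim]
    return claims["sub"]


def opa_input(claims: dict, oidc_claim: Optional[str], action: str, resource: str) -> dict:
    # Illustrative OPA input document; not Druid's exact schema
    return {"user": resolve_principal(claims, oidc_claim), "action": action, "resource": resource}
```

A Rego rule written against `input.user == "alice"` silently never matches when the UUID is passed instead, which is why the authorizer and the OPA policies must agree on which claim is the principal.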

@sbernauer
Member

Updated the feature tracker ✔️
Also released the 24.07 release in the feature tracker and added this feature to the Roadmap
