apache / druid

Apache Druid: a high performance real-time analytics database.
https://druid.apache.org/
Apache License 2.0

pac4j oidc limit valid domains for authentication #12890

Closed FarhadF closed 1 month ago

FarhadF commented 2 years ago

I have set up pac4j OIDC authentication with Google as the provider. I am wondering how I can limit the users authenticating to a certain email domain.

Other software does it like the following, allowing you to whitelist the email domains that you want to allow to authenticate (Grafana example):

[...]
      allowed_domains: domain1.com domain2.com sub.domain1.com
[...]

Current behavior: anyone can authenticate with a Google account:

    # Druid basic security
    druid.auth.authenticatorChain=["BasicMetadataAuthenticator", "pac4j"]
    druid.auth.authenticator.BasicMetadataAuthenticator.type=basic

    # Default password for 'admin' user
    druid.auth.authenticator.BasicMetadataAuthenticator.initialAdminPassword=xxx

    # Default password for internal 'druid_system' user
    druid.auth.authenticator.BasicMetadataAuthenticator.initialInternalClientPassword=xxx

    # Uses the metadata store for storing users, you can use authentication API to create new users and grant permissions
    druid.auth.authenticator.BasicMetadataAuthenticator.credentialsValidator.type=metadata

    # If true and the request credential doesn't exist in this credentials store, the request will proceed to the next Authenticator in the chain.
    druid.auth.authenticator.BasicMetadataAuthenticator.skipOnFailure=true
    druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=BasicMetadataAuthorizer

    # Escalator
    druid.escalator.type=basic
    druid.escalator.internalClientUsername=druid_system
    druid.escalator.internalClientPassword=xxx
    druid.escalator.authorizerName=BasicMetadataAuthorizer

    # pac4j
    druid.auth.authenticator.pac4j.type=pac4j
    druid.auth.pac4j.oidc.clientID=xxx
    druid.auth.pac4j.oidc.clientSecret=xxx
    druid.auth.pac4j.oidc.discoveryURI=xxx
    druid.auth.pac4j.cookiePassphrase=xxx

Expected behavior: set up example.com in the settings so only users with an example.com domain can authenticate.
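The check the request above asks for, written out as an added example that is not part of this issue, of Druid's pac4j extension, or of pac4j itself. It assumes the extension has already validated the ID token and exposes its standard `email` and `email_verified` claims; the class name `EmailDomainAllowlist` and the space-separated configuration format (mirroring the Grafana setting quoted above) are assumptions for illustration. The point it demonstrates is that the allowlist must be an exact, normalised match on the part after the last `@`, gated on the provider having verified the address, rather than a substring or suffix comparison.

```java
import java.util.HashSet;
import java.util.Locale;
import java.util.Set;

/**
 * Added example (hypothetical; not Druid or pac4j code): an allowlist check on
 * the e-mail domain carried in an OIDC profile.
 * Assumed input: the "email" and "email_verified" claims of an ID token that
 * has already passed signature, issuer, audience and expiry validation.
 */
public final class EmailDomainAllowlist {
    private final Set<String> allowedDomains = new HashSet<>();

    /** Domains are matched exactly after normalisation: "sub.example.com" must be listed on its own. */
    public EmailDomainAllowlist(String spaceSeparatedDomains) {
        for (String d : spaceSeparatedDomains.trim().split("\\s+")) {
            String n = normalizeDomain(d);
            if (!n.isEmpty()) {
                allowedDomains.add(n);
            }
        }
    }

    private static String normalizeDomain(String domain) {
        String d = domain.trim().toLowerCase(Locale.ROOT);
        // A trailing dot names the same zone ("example.com." == "example.com").
        if (d.endsWith(".")) {
            d = d.substring(0, d.length() - 1);
        }
        return d;
    }

    /**
     * Returns true only when the provider vouched for the address and its
     * domain is exactly one of the configured domains.
     */
    public boolean isAllowed(String email, Boolean emailVerified) {
        // An unverified address is user-chosen input at the provider; it must not
        // drive an authorisation decision. A missing claim counts as unverified.
        if (email == null || !Boolean.TRUE.equals(emailVerified)) {
            return false;
        }
        // The domain is whatever follows the LAST '@'; reject an empty local or domain part.
        int at = email.lastIndexOf('@');
        if (at <= 0 || at == email.length() - 1) {
            return false;
        }
        String domain = normalizeDomain(email.substring(at + 1));
        // Exact set membership. No endsWith()/contains(): a domain that merely
        // contains the allowed name as a substring or suffix is not the same domain.
        return allowedDomains.contains(domain);
    }

    public static void main(String[] args) {
        EmailDomainAllowlist allow = new EmailDomainAllowlist("example.com sub.example.com");
        String[] emails = {
            "alice@example.com",                // listed domain
            "Bob@EXAMPLE.COM.",                 // case and trailing-dot normalisation
            "carol@sub.example.com",            // subdomain that is listed explicitly
            "dave@other.example.com",           // subdomain that is not listed
            "eve@evil-example.com",             // allowed name appears only as a suffix
            "mallory@example.com@attacker.net"  // two '@': the domain follows the last one
        };
        for (String e : emails) {
            System.out.println(e + " verified -> " + allow.isAllowed(e, true));
        }
        // Same address, but the provider did not verify it.
        System.out.println("frank@example.com unverified -> " + allow.isAllowed("frank@example.com", false));
    }
}
```

For a Google Workspace deployment the ID token additionally carries the `hd` (hosted domain) claim, which identifies the account's organisation directly and can be compared with the same exact-match rule; the `email` claim check above is the provider-neutral form of the same control. Whichever claim is used, the decision belongs after token validation and should be logged on rejection so that sign-in attempts from outside the allowed domains are visible to the operator.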

a2l007 commented 2 years ago

@FarhadF We currently do not have domain based filtering support in the pac4j druid extension. Would you be interested in contributing this feature?

itsautfullday commented 11 months ago

Hi is there any workaround that has been used currently to enable domain based authorization?

github-actions[bot] commented 2 months ago

This issue has been marked as stale due to 280 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.

github-actions[bot] commented 1 month ago

This issue has been closed due to lack of activity. If you think that is incorrect, or the issue requires additional review, you can revive the issue at any time.