apache / druid

Apache Druid: a high performance real-time analytics database.
https://druid.apache.org/
Apache License 2.0

Additional username/password login required even after SSO login using pac4j #15436

Open Subhashini2610 opened 10 months ago

Subhashini2610 commented 10 months ago

Description

I am trying to install Druid on a K8s cluster using a Helm chart. I need to add SSO (OpenID Connect) on the router. For this, I am using pac4j. However, even after the SSO, I am prompted with a username/password dialog box, as can be seen in the screenshot. I do not want to have two login sessions. The SSO login must be the one which identifies the user and assigns the necessary roles. Please help here!!!

Screenshot 2023-11-27 at 7 34 37 PM

Below are the configurations on the router:

2023-11-27T13:56:25+0000 startup service router
Setting druid.host=10.4.0.28 in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.skipOnFailure=false in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.indexer.logs.type=file in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.enableCacheNotifications=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.pac4j.type=pac4j in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticatorChain=["pac4j"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.initialAdminPassword=xxxxxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.initialAdminRole=admin in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.internalClientUsername=druid_system in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.extensions.loadList=["druid-basic-security", "druid-pac4j", "druid-multi-stage-query", "druid-stats", "druid-datasketches", "druid-kafka-indexing-service", "druid-protobuf-extensions", "druid-parquet-extensions", "druid-orc-extensions", "druid-azure-extensions", "druid-histogram", "druid-datasketches", "druid-lookups-cached-global", "postgresql-metadata-storage", "statsd-emitter"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.key=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.enablePlaintextPort=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.clientID=xxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.authorizerName=BasicMetadataAuthorizer in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.cookiePassphrase=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.oidcClaim=sub in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.clientSecret=xxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.type=postgresql in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter.http.recipientBaseUrl=http://druid_exporter_url/:druid_exporter_port/druid in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.initialInternalClientPassword=xxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.container=deepstorage in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.connectURI=jdbc:postgresql://dipeopensource.postgres.database.azure.com:5432/druid in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.credentialsValidator.type=metadata in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.allowAll.type=allowAll in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.storage.type=azure in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.pac4j.oidc.discoveryURI=https://xxxxxxxx.net/v1/.well-known/openid-configuration in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.roleProvider.type=context in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.user=druid_user in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.internalClientPassword=xxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.pac4j.authorizerName=BasicMetadataAuthorizer in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.router.managementProxy.enabled=true in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.indexer.logs.directory=/opt/data/indexing-logs in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.zk.service.host=druid-zookeeper-headless:2181 in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizer.BasicMetadataAuthorizer.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.escalator.type=basic in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter=noop in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=allowAll in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.storage.connector.password=xxxxxxxxx in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.emitter.logging.logLevel=debug in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.metadata.postgres.ssl.sslMode=require in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.auth.authorizers=["BasicMetadataAuthorizer", "allowAll"] in /tmp/conf/druid/cluster/query/router/runtime.properties
Setting druid.azure.account=dipedevdsstorage in /tmp/conf/druid/cluster/query/router/runtime.properties

itsautfullday commented 10 months ago

Hi, can you please show your Druid router properties? It could be likely that your basicAuthenticator is added before the pac4j authenticator in druid.auth.authenticatorChain. This would cause the pac4j auth to happen before the basic authenticator flow.

Subhashini2610 commented 10 months ago

@itsautfullday Druid router properties are already attached in the question :). The authenticator chain has only pac4j in it.

itsautfullday commented 10 months ago

I was able to reproduce this issue when my BasicMetaDataAuth exists in config.properties. To prevent double login I had to add druid.auth.authenticatorChain=["pac4j","MyBasicMetadataAuthenticator"]. This causes router status to return 403 the entire time. I haven't been able to move beyond that. If you find any workaround to using basic auth and pac4j auth, kindly update here, as even I am looking for the same.
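
An added example, not part of the thread or of Druid's own code: a small Python audit that rebuilds the auth properties from the `Setting k=v in <file>` lines of the router log posted above and lists where the authenticator chain, the authorizers and the escalator do not line up. The finding names are invented for this sketch; it reports configuration inconsistencies only and does not diagnose the double login.

```python
import json
import re

PATH = "/tmp/conf/druid/cluster/query/router/runtime.properties"
# Auth-related settings copied from the router log in the issue (no secrets).
SAMPLE_LOG = "\n".join(f"Setting {kv} in {PATH}" for kv in [
    'druid.auth.authenticatorChain=["pac4j"]',
    "druid.auth.authenticator.pac4j.type=pac4j",
    "druid.auth.authenticator.pac4j.authorizerName=BasicMetadataAuthorizer",
    "druid.auth.authenticator.BasicMetadataAuthenticator.type=basic",
    "druid.auth.authenticator.BasicMetadataAuthenticator.authorizerName=allowAll",
    'druid.auth.authorizers=["BasicMetadataAuthorizer", "allowAll"]',
    "druid.auth.authorizer.BasicMetadataAuthorizer.type=basic",
    "druid.auth.authorizer.allowAll.type=allowAll",
    "druid.escalator.type=basic",
])
SETTING = re.compile(r"^Setting ([^=\s]+)=(.*) in \S+$")
AUTHN_TYPE = re.compile(r"^druid\.auth\.authenticator\.([^.]+)\.type$")

def parse_settings(log):
    """Rebuild effective properties from 'Setting k=v in <file>' lines."""
    matches = (SETTING.match(line.strip()) for line in log.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def audit_auth(props):
    """Return (finding, subject) pairs for inconsistencies in the auth wiring."""
    chain = json.loads(props.get("druid.auth.authenticatorChain", "[]"))
    authorizers = json.loads(props.get("druid.auth.authorizers", "[]"))
    defined = {m.group(1): v for k, v in props.items()
               if (m := AUTHN_TYPE.match(k))}
    findings = []
    for name in sorted(defined):
        if name not in chain:  # configured, but never consulted by the chain
            findings.append(("not_in_chain", name))
        authz = props.get(f"druid.auth.authenticator.{name}.authorizerName")
        if authz not in authorizers:
            findings.append(("unknown_authorizer", name))
        elif props.get(f"druid.auth.authorizer.{authz}.type") == "allowAll":
            findings.append(("allow_all_authorizer", name))
    findings += [("undefined_in_chain", n) for n in chain if n not in defined]
    escalator = props.get("druid.escalator.type")
    if escalator and escalator not in {defined.get(n) for n in chain}:
        findings.append(("escalator_type_not_in_chain", escalator))
    return findings

if __name__ == "__main__":
    for finding in audit_auth(parse_settings(SAMPLE_LOG)):
        print(finding)
```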

Subhashini2610 commented 9 months ago

@itsautfullday I am still facing this issue and we have learnt to live with dual login now!

github-actions[bot] commented 16 hours ago

This issue has been marked as stale due to 280 days of inactivity. It will be closed in 4 weeks if no further activity occurs. If this issue is still relevant, please simply write any comment. Even if closed, you can still revive the issue at any time or discuss it on the dev@druid.apache.org list. Thank you for your contributions.