Basic Security extension support
plywood-druid-requester has support for basic-auth.
https://github.com/implydata/plywood-druid-requester/blob/v2.6.2/src/druidRequester.ts#L102-L108
@mkuthan could you chime in?
@l2dy - what kind of authentication scenario would be expected:
- Authentication between Turnilo server and Druid broker only. Access to Turnilo for end-users stays unauthenticated as is now. For this scenario all end-user requests will be impersonated using credentials defined in the Turnilo configuration file.
- Fully authenticated access to Turnilo. Turnilo will present the basic auth browser dialog and forward the credentials provided by the end-user to the Druid broker.
I would prefer option 1) as a starting point:
- should be easy to implement
- the browser dialog for basic auth is far from usable and, what is worse, the user is not able to change credentials easily
1) works for me. I could add an authenticating HTTP proxy in front of Turnilo, which is more flexible than putting credentials in the configuration file.
More specifically, (1) + data-cube level access, which is already implemented in aa1947d6c4c16b355e7362ff5867538c0d6af637.
If we place an authentication proxy in front of Turnilo to auth end-users, is there a means to configure Turnilo to only accept requests from the proxy? We have some end-users who have book-marked the URL to the physical Turnilo server, which bypasses auth. Thanks for the help.
@jmbowles You could use the system firewall, or the recently implemented plugin system in Turnilo (see #666).
Yeah, right now you have two entry points for your code in Turnilo.
You can define a plugin which has access to the underlying express application. We are using it internally: we catch all requests and check for an auth token; if it is not present, we redirect the user to the authorisation page. This is still an experimental feature; we will release documentation and a final version soon. If you want to try it with us, start a thread on Slack.
You can also define a request decorator for all Druid queries. The decorator can add any header and, by extension, an Authorization header with basic HTTP credentials. One issue is that you can't pass any dynamic context to the decorator function, only a static object defined in the config.
Thanks for the follow-up. The plugin sounds useful. I'll take a look at the documentation when it's released. Keep up the great work.
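The request gate described in the plugin comment above, combined with the "only accept requests from the proxy" question, as an added example that is not Turnilo's or the commenters' code. It assumes the plugin can register an Express-style `(req, res, next)` handler; the header names `x-proxy-secret` and `x-auth-token`, the secret value and the `/login` URL are all hypothetical.

```javascript
// Added example, not Turnilo code. Header names, the secret and the login
// URL are assumptions; the handler uses the Express (req, res, next) shape.

// Compare two strings without stopping at the first differing character.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function requireProxyAuth({ proxySecret, loginUrl }) {
  // An empty secret would match a request that sends no header at all.
  if (!proxySecret) throw new Error("proxySecret must be configured");
  return function gate(req, res, next) {
    const presented = String(req.headers["x-proxy-secret"] || "");
    // Direct hits on the Turnilo host (an old bookmark) lack the secret.
    if (!safeEqual(presented, proxySecret)) {
      res.statusCode = 403;
      return res.end("Forbidden");
    }
    // Came through the proxy but without an auth token: go to login.
    const token = req.headers["x-auth-token"];
    if (typeof token !== "string" || token.length === 0) {
      res.statusCode = 302;
      res.setHeader("Location", loginUrl);
      return res.end();
    }
    delete req.headers["x-proxy-secret"]; // keep the secret out of later handlers
    return next();
  };
}

// Constructed requests run through the gate with a minimal stand-in for res.
function simulate(headers) {
  const gate = requireProxyAuth({ proxySecret: "constructed-secret", loginUrl: "/login" });
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let passed = false;
  gate({ headers: { ...headers } }, res, () => { passed = true; });
  return { passed, status: res.statusCode, location: res.headers.Location || null };
}

console.log(simulate({}));
console.log(simulate({ "x-proxy-secret": "constructed-secret" }));
console.log(simulate({ "x-proxy-secret": "constructed-secret", "x-auth-token": "t" }));
```

A header check like this complements, rather than replaces, the firewall rule suggested above that limits the Turnilo port to the proxy's address.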