
Kerberised Druid issue #130

Open
manigarg31 opened this issue Feb 6, 2024 · 0 comments

I am running MM-less, Kerberized Druid on Kubernetes. When a Kafka ingestion task runs, the peons use their IP address when authenticating against Kerberos. Can someone help me with that?

Configuration:

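# NOTE(review): the pasted copy had lost its indentation; the nesting below is
# reconstructed from the usual druid-operator CR layout. Confirm it against
# the manifest that is actually deployed.
apiVersion: "druid.apache.org/v1alpha1"
kind: "Druid"
metadata:
  name: druid
  namespace: druid
spec:
  image: apache-druid:28.0.1
  startScript: /druid.sh
  podLabels:
    app.kubernetes.io/instance: druid
    app.kubernetes.io/managed-by: druid-operator
    app.kubernetes.io/name: druid
  serviceAccount: druid
  readinessProbe:
    httpGet:
      path: /status/health
      port: 8088
  # NOTE(review): every Druid pod runs as UID/GID 0. Together with the
  # hostPath volume declared in this manifest, a compromised Druid process
  # holds root on a node-backed path. Prefer a non-root UID/GID unless the
  # image genuinely requires root.
  securityContext:
    fsGroup: 0
    runAsUser: 0
    runAsGroup: 0
  services:
    - spec:
        type: ClusterIP
        clusterIP: None
  commonConfigMountPath: "/opt/druid/conf/druid/cluster/_common"
  # NOTE(review): the krb5 / jgss / spnego debug switches (and -Dlog4j.debug)
  # write Kerberos negotiation detail to stdout, i.e. into the pod logs.
  # Keep them only while troubleshooting and restrict who can read those
  # logs in the meantime.
  jvm.options: |-
    -server
    -XX:MaxDirectMemorySize=10240g
    -Duser.timezone=UTC
    -Dfile.encoding=UTF-8
    -Dlog4j.debug
    -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager
    -Djava.io.tmpdir=/druid/data
    -Dsun.security.krb5.debug=true
    -Dsun.security.jgss.debug=true
    -Dsun.security.spnego.debug=true
    -Djava.security.auth.login.config=/opt/druid/conf/druid/kafka_jaas.conf

  # NOTE(review): the body of log4j.config is empty in the pasted copy
  # (presumably the XML was stripped by the page renderer).
  log4j.config: |-

  # NOTE(review): in the properties below the metadata password is resolved
  # from an environment variable, but cookieSignatureSecret is written
  # inline and therefore lands in the rendered common config; source it from
  # a Kubernetes Secret as well. Java properties do not strip quotes, so the
  # surrounding double quotes become part of the secret value.
  # The metadata store is accessed as the MySQL "root" user; a dedicated
  # account limited to the druid schema would reduce the blast radius of a
  # leaked password.
  common.runtime.properties: |

    # K8S Service discovery
    druid.zk.service.enabled=false
    druid.serverview.type=http
    druid.coordinator.loadqueuepeon.type=http
    druid.indexer.runner.type=k8s
    druid.discovery.type=k8s
    druid.discovery.k8s.clusterIdentifier=druid
    druid.indexer.task.encapsulatedTask=true
    druid.indexer.runner.namespace=druid
    druid.indexer.runner.capacity=10

    # Metadata Store
    druid.metadata.storage.type=mysql
    druid.metadata.storage.connector.connectURI=jdbc:mysql://xxxx:3306/druid
    druid.metadata.storage.connector.user=root
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxxx"
    druid.metadata.storage.connector.password={ "type": "environment", "variable": "METADATA_STORAGE_PASSWORD" }

    # Deep Storage
    druid.storage.type=google
    druid.google.bucket=druid
    druid.google.prefix=druid/segments
    # druid.storage.storageDirectory=/druid/deepstorage
    #
    # Extensions
    #
    druid.extensions.loadList=["druid-kafka-indexing-service", "druid-kubernetes-extensions","druid-google-extensions","druid-kubernetes-overlord-extensions","mysql-metadata-storage","prometheus-emitter","druid-protobuf-extensions", "druid-avro-extensions", "druid-parquet-extensions", "druid-orc-extensions", "druid-datasketches","druid-kerberos","druid-basic-security"]

    #
    # Service discovery
    #
    druid.selectors.indexing.serviceName=druid/overlord
    druid.selectors.coordinator.serviceName=druid/coordinator

    # druid.indexer.logs.type=file
    # druid.indexer.logs.directory=/druid/data/indexing-logs
    # druid.lookup.enableLookupSyncOnStartup=false
    druid.indexer.logs.type=google
    druid.indexer.logs.bucket=druid
    druid.indexer.logs.prefix=druid/indexing-logs
    # druid.emitter = prometheus
    druid.emitter=composing
    druid.emitter.composing.emitters=["prometheus", "logging"]

    druid.emitter.prometheus.port=9090
    druid.emitter.prometheus.addServiceAsLabel=true
    druid.monitoring.monitors=["org.apache.druid.client.cache.CacheMonitor","org.apache.druid.java.util.metrics.JvmMonitor","org.apache.druid.java.util.metrics.JvmCpuMonitor","org.apache.druid.java.util.metrics.JvmThreadsMonitor","org.apache.druid.server.metrics.EventReceiverFirehoseMonitor"]
    druid.processing.intermediaryData.storage.type=deepstore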

metricDimensions.json: |-
{
"query/time" : { "dimensions" : ["dataSource", "type"], "type" : "timer"},
"query/bytes" : { "dimensions" : ["dataSource", "type"], "type" : "count"},
"query/node/time" : { "dimensions" : ["server"], "type" : "timer"},
"query/node/ttfb" : { "dimensions" : ["server"], "type" : "timer"},
"query/node/bytes" : { "dimensions" : ["server"], "type" : "count"},
"query/node/backpressure": { "dimensions" : ["server"], "type" : "timer"},
"query/intervalChunk/time" : { "dimensions" : [], "type" : "timer"},

  "query/segment/time" : { "dimensions" : [], "type" : "timer"},
  "query/wait/time" : { "dimensions" : [], "type" : "timer"},
  "segment/scan/pending" : { "dimensions" : [], "type" : "gauge"},
  "query/segmentAndCache/time" : { "dimensions" : [], "type" : "timer" },
  "query/cpu/time" : { "dimensions" : ["dataSource", "type"], "type" : "timer" },

  "query/count" : { "dimensions" : [], "type" : "count" },
  "query/success/count" : { "dimensions" : [], "type" : "count" },
  "query/failed/count" : { "dimensions" : [], "type" : "count" },
  "query/interrupted/count" : { "dimensions" : [], "type" : "count" },
  "query/timeout/count" : { "dimensions" : [], "type" : "count" },

  "query/cache/delta/numEntries" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/sizeBytes" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/hits" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/misses" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/evictions" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/hitRate" : { "dimensions" : [], "type" : "count", "convertRange" : true },
  "query/cache/delta/averageBytes" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/timeouts" : { "dimensions" : [], "type" : "count" },
  "query/cache/delta/errors" : { "dimensions" : [], "type" : "count" },

  "query/cache/total/numEntries" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/sizeBytes" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/hits" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/misses" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/evictions" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/hitRate" : { "dimensions" : [], "type" : "gauge", "convertRange" : true },
  "query/cache/total/averageBytes" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/timeouts" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/total/errors" : { "dimensions" : [], "type" : "gauge" },

  "ingest/events/thrownAway" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/events/unparseable" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/events/duplicate" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/events/processed" : { "dimensions" : ["dataSource", "taskType", "taskId"], "type" : "count" },
  "ingest/events/messageGap" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "ingest/rows/output" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/persists/count" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/persists/time" : { "dimensions" : ["dataSource"], "type" : "timer" },
  "ingest/persists/cpu" : { "dimensions" : ["dataSource"], "type" : "timer" },
  "ingest/persists/backPressure" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "ingest/persists/failed" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/handoff/failed" : { "dimensions" : ["dataSource"], "type" : "count" },
  "ingest/merge/time" : { "dimensions" : ["dataSource"], "type" : "timer" },
  "ingest/merge/cpu" : { "dimensions" : ["dataSource"], "type" : "timer" },

  "ingest/kafka/lag" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "ingest/kafka/maxLag" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "ingest/kafka/avgLag" : { "dimensions" : ["dataSource"], "type" : "gauge" },

  "task/success/count" : { "dimensions" : ["dataSource"], "type" : "count" },
  "task/failed/count" : { "dimensions" : ["dataSource"], "type" : "count" },
  "task/running/count" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "task/pending/count" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "task/waiting/count" : { "dimensions" : ["dataSource"], "type" : "gauge" },

  "taskSlot/total/count" : { "dimensions" : [], "type" : "gauge" },
  "taskSlot/idle/count" : { "dimensions" : [], "type" : "gauge" },
  "taskSlot/busy/count" : { "dimensions" : [], "type" : "gauge" },
  "taskSlot/lazy/count" : { "dimensions" : [], "type" : "gauge" },
  "taskSlot/blacklisted/count" : { "dimensions" : [], "type" : "gauge" },

  "task/run/time" : { "dimensions" : ["dataSource", "taskType"], "type" : "timer" },
  "segment/added/bytes" : { "dimensions" : ["dataSource", "taskType"], "type" : "count" },
  "segment/moved/bytes" : { "dimensions" : ["dataSource", "taskType"], "type" : "count" },
  "segment/nuked/bytes" : { "dimensions" : ["dataSource", "taskType"], "type" : "count" },

  "segment/assigned/count" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/moved/count" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/dropped/count" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/deleted/count" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/unneeded/count" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/unavailable/count" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "segment/underReplicated/count" : { "dimensions" : ["dataSource", "tier"], "type" : "gauge" },
  "segment/cost/raw" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/cost/normalization" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/cost/normalized" : { "dimensions" : ["tier"], "type" : "count" },
  "segment/loadQueue/size" : { "dimensions" : ["server"], "type" : "gauge" },
  "segment/loadQueue/failed" : { "dimensions" : ["server"], "type" : "gauge" },
  "segment/loadQueue/count" : { "dimensions" : ["server"], "type" : "gauge" },
  "segment/dropQueue/count" : { "dimensions" : ["server"], "type" : "gauge" },
  "segment/size" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "segment/overShadowed/count" : { "dimensions" : [], "type" : "gauge" },

  "segment/max" : { "dimensions" : [], "type" : "gauge"},
  "segment/used" : { "dimensions" : ["dataSource", "tier", "priority"], "type" : "gauge" },
  "segment/usedPercent" : { "dimensions" : ["dataSource", "tier", "priority"], "type" : "gauge", "convertRange" : true },
  "segment/pendingDelete" : { "dimensions" : [], "type" : "gauge"},

  "jvm/pool/committed" : { "dimensions" : ["poolKind", "poolName"], "type" : "gauge" },
  "jvm/pool/init" : { "dimensions" : ["poolKind", "poolName"], "type" : "gauge" },
  "jvm/pool/max" : { "dimensions" : ["poolKind", "poolName"], "type" : "gauge" },
  "jvm/pool/used" : { "dimensions" : ["poolKind", "poolName"], "type" : "gauge" },
  "jvm/bufferpool/count" : { "dimensions" : ["bufferpoolName"], "type" : "gauge" },
  "jvm/bufferpool/used" : { "dimensions" : ["bufferpoolName"], "type" : "gauge" },
  "jvm/bufferpool/capacity" : { "dimensions" : ["bufferpoolName"], "type" : "gauge" },
  "jvm/mem/init" : { "dimensions" : ["memKind"], "type" : "gauge" },
  "jvm/mem/max" : { "dimensions" : ["memKind"], "type" : "gauge" },
  "jvm/mem/used" : { "dimensions" : ["memKind"], "type" : "gauge" },
  "jvm/mem/committed" : { "dimensions" : ["memKind"], "type" : "gauge" },
  "jvm/gc/count" : { "dimensions" : ["gcName", "gcGen"], "type" : "count" },
  "jvm/gc/cpu" : { "dimensions" : ["gcName", "gcGen"], "type" : "count" },

  "ingest/events/buffered" : { "dimensions" : ["serviceName", "bufferCapacity"], "type" : "gauge"},

  "sys/swap/free" : { "dimensions" : [], "type" : "gauge"},
  "sys/swap/max" : { "dimensions" : [], "type" : "gauge"},
  "sys/swap/pageIn" : { "dimensions" : [], "type" : "gauge"},
  "sys/swap/pageOut" : { "dimensions" : [], "type" : "gauge"},
  "sys/disk/write/count" : { "dimensions" : ["fsDevName"], "type" : "count"},
  "sys/disk/read/count" : { "dimensions" : ["fsDevName"], "type" : "count"},
  "sys/disk/write/size" : { "dimensions" : ["fsDevName"], "type" : "count"},
  "sys/disk/read/size" : { "dimensions" : ["fsDevName"], "type" : "count"},
  "sys/net/write/size" : { "dimensions" : [], "type" : "count"},
  "sys/net/read/size" : { "dimensions" : [], "type" : "count"},
  "sys/fs/used" : { "dimensions" : ["fsDevName", "fsDirName", "fsTypeName", "fsSysTypeName", "fsOptions"], "type" : "gauge"},
  "sys/fs/max" : { "dimensions" : ["fsDevName", "fsDirName", "fsTypeName", "fsSysTypeName", "fsOptions"], "type" : "gauge"},
  "sys/mem/used" : { "dimensions" : [], "type" : "gauge"},
  "sys/mem/max" : { "dimensions" : [], "type" : "gauge"},
  "sys/storage/used" : { "dimensions" : ["fsDirName"], "type" : "gauge"},
  "sys/cpu" : { "dimensions" : ["cpuName", "cpuTime"], "type" : "gauge"},

  "coordinator-segment/count" : { "dimensions" : ["dataSource"], "type" : "gauge" },
  "historical-segment/count" : { "dimensions" : ["dataSource", "tier", "priority"], "type" : "gauge" },

  "jetty/numOpenConnections" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/caffeine/total/requests" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/caffeine/total/loadTime" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/caffeine/total/evictionBytes" : { "dimensions" : [], "type" : "gauge" },
  "query/cache/memcached/total" : { "dimensions" : ["[MEM] Reconnecting Nodes (ReconnectQueue)",
    "[MEM] Request Rate: All",
    "[MEM] Average Bytes written to OS per write",
    "[MEM] Average Bytes read from OS per read",
    "[MEM] Response Rate: All (Failure + Success + Retry)",
    "[MEM] Response Rate: Retry",
    "[MEM] Response Rate: Failure",
    "[MEM] Response Rate: Success"],
    "type" : "gauge" },
  "query/cache/caffeine/delta/requests" : { "dimensions" : [], "type" : "count" },
  "query/cache/caffeine/delta/loadTime" : { "dimensions" : [], "type" : "count" },
  "query/cache/caffeine/delta/evictionBytes" : { "dimensions" : [], "type" : "count" },
  "query/cache/memcached/delta" : { "dimensions" : ["[MEM] Reconnecting Nodes (ReconnectQueue)",
    "[MEM] Request Rate: All",
    "[MEM] Average Bytes written to OS per write",
    "[MEM] Average Bytes read from OS per read",
    "[MEM] Response Rate: All (Failure + Success + Retry)",
    "[MEM] Response Rate: Retry",
    "[MEM] Response Rate: Failure",
    "[MEM] Response Rate: Success"],
    "type" : "count" }
}

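# NOTE(review): spec-level keys of the Druid CR; the nesting is reconstructed
# from a paste that had lost its indentation. Confirm against the deployed
# manifest.
# No volume here supplies /druid/keytabs, the directory the serverKeytab and
# internalClientKeytab properties in this manifest point at. If the keytabs
# are baked into the image, anyone who can pull the image holds the service
# keys; mounting them from a Secret with a restrictive mode is the safer
# delivery. TODO confirm how the keytabs reach the pods.
volumeMounts:
  - mountPath: /druid/data
    name: data-volume
  - mountPath: /druid/deepstorage
    name: deepstorage-volume
  - mountPath: /etc/krb5.conf
    name: krbfile-volume
    subPath: krb5.conf
  - mountPath: /opt/druid/conf/druid/kafka_jaas.conf
    name: kafka-jaas-volume
    subPath: kafka_jaas.conf

volumes:
  - name: data-volume
    emptyDir: {}
  # NOTE(review): a hostPath under /tmp is shared with every other workload
  # and user on the node. This manifest sets druid.storage.type=google, so
  # the mount looks unused; dropping it removes the node-filesystem exposure.
  - name: deepstorage-volume
    hostPath:
      path: /tmp/druid/deepstorage
      type: DirectoryOrCreate
  - name: krbfile-volume
    configMap:
      name: krb-file
  - name: kafka-jaas-volume
    configMap:
      name: kafka-jaas

env:
  - name: POD_NAME
    valueFrom:
      fieldRef:
        fieldPath: metadata.name
  - name: POD_NAMESPACE
    valueFrom:
      fieldRef:
        fieldPath: metadata.namespace
  - name: METADATA_STORAGE_PASSWORD
    valueFrom:
      secretKeyRef:
        name: druid-mysql-password
        key: password
  # NOTE(review): presumably this stops /druid.sh from deriving druid.host on
  # its own, leaving the per-node druid.host values in force - confirm.
  # SPNEGO service principals are name-based (HTTP/<host>), so every process
  # needs a principal and keytab entry for exactly the name it advertises.
  - name: DRUID_SET_HOST
    value: "0"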

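# NOTE(review): nesting reconstructed from a paste that had lost its
# indentation; confirm against the deployed manifest.
nodes:
  brokers:
    # Optionally specify for running broker as Deployment
    kind: Deployment
    nodeType: "broker"
    # Optionally specify for broker nodes
    # imagePullSecrets:
    # - name: tutu
    podLabels:
      app.kubernetes.io/component: broker
    podAnnotations:
      druid.k8s.enablePatching: "true"
      prometheus.io/scrape: 'true'
      prometheus.io/port: '9090'
    druid.port: 8088
    nodeConfigMountPath: "/opt/druid/conf/druid/cluster/query/broker"
    replicas: 1
    # NOTE(review): Kerberos only authenticates here. The authorizer type is
    # allowAll, so every principal that can obtain a service ticket for this
    # node is authorized for every action and datasource. druid-basic-security
    # is already in the extension loadList; a role-based authorizer would
    # allow least-privilege access.
    # Paths listed in druid.auth.unsecuredPaths skip authentication entirely;
    # keep that list to what unauthenticated probes really need.
    # cookieSignatureSecret is written inline; source it from a Secret.
    runtime.properties: |
      druid.host=xxxx-brokers.service.xxx
      druid.service=druid/broker
      # HTTP server threads
      druid.broker.http.numConnections=5
      druid.server.http.numThreads=10
      # Processing threads and buffers
      druid.processing.buffer.sizeBytes=1
      druid.processing.numMergeBuffers=1
      druid.processing.numThreads=1
      druid.sql.enable=true
      druid.auth.authenticatorChain=["xxx-authenticator"]
      druid.auth.authenticator.xxx-authenticator.type=kerberos
      # druid.auth.authenticator.xxx-authenticator-internal.type=basic
      druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/xxxx
      druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/xx.keytab
      druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxxx"
      druid.auth.authorizers=["xxx-authorizer"]
      druid.auth.authorizer.xxx-authorizer.type=allowAll
      druid.auth.authenticator.xxx-authenticator.authorizerName=xxx-authorizer
      druid.escalator.type=kerberos
      druid.escalator.authorizerName=xxx-authorizer
      druid.escalator.internalClientKeytab=/druid/keytabs/internal.keytab
      druid.escalator.internalClientPrincipal=druid-internal@xxxx
      druid.auth.unsecuredPaths=["/metrics","/druid/historical/v1/loadstatus"]
    extra.jvm.options: |-
      -Xmx512M
      -Xms512M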

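coordinators:
  # Optionally specify for running coordinator as Deployment
  kind: Deployment
  nodeType: "coordinator"
  podLabels:
    app.kubernetes.io/component: coordinator
  podAnnotations:
    druid.k8s.enablePatching: "true"
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9090'

  druid.port: 8088
  nodeConfigMountPath: "/opt/druid/conf/druid/cluster/master/coordinator-overlord"
  replicas: 1
  # NOTE(review): the authorizer type is allowAll, so any principal that
  # passes Kerberos authentication is authorized for every coordinator API.
  # Paths in druid.auth.unsecuredPaths bypass authentication altogether.
  # authorizerName must name an entry of druid.auth.authorizers; the redacted
  # placeholders differ here (xxx- vs xxxx-authorizer) - confirm the real
  # values agree.
  # cookieSignatureSecret is written inline; source it from a Secret.
  runtime.properties: |
    druid.host=xxx-coordinators.service.xxxx
    druid.service=druid/coordinator

    # HTTP server threads
    druid.coordinator.startDelay=PT30S
    druid.coordinator.period=PT30S

    # Configure this coordinator to also run as Overlord
    druid.coordinator.asOverlord.enabled=false

    druid.auth.authenticatorChain=["xxx-authenticator"]
    druid.auth.authenticator.xxx-authenticator.type=kerberos
    druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/xxxx-coordinators.service.xxx
    druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/xxx.keytab
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxxx"
    druid.auth.authorizers=["xxx-authorizer"]
    druid.auth.authorizer.xxx-authorizer.type=allowAll
    druid.auth.authenticator.xxx-authenticator.authorizerName=xxxx-authorizer
    druid.escalator.type=kerberos
    druid.escalator.authorizerName=xxx-authorizer
    druid.escalator.internalClientKeytab=/druid/keytabs/druid-internal.keytab
    druid.escalator.internalClientPrincipal=druid-internal@xxx
    druid.auth.unsecuredPaths=["/metrics","/druid/historical/v1/loadstatus"]

  extra.jvm.options: |-
    -Xmx512M
    -Xms512M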

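overlords:
  kind: Deployment
  nodeType: "overlord"
  readinessProbe:
    httpGet:
      path: /status/health
      port: 8100
  podLabels:
    app.kubernetes.io/component: overlord
  # NOTE(review): "key" and "value" are written as two separate list items;
  # if one environment variable (druid_host) is intended they belong in a
  # single item. Confirm the schema of this field.
  extraEnv:
    - key: druid_host
    - value: "xxx-overlords.xxx"
  podAnnotations:
    druid.k8s.enablePatching: "true"
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9090'
  druid.port: 8100
  nodeConfigMountPath: "/opt/druid/conf/druid/cluster/master/coordinator-overlord"
  replicas: 1
  # NOTE(review): the authorizer type is allowAll, so any authenticated
  # principal may submit, inspect and kill tasks. On the overlord that means
  # control over the task pods the k8s runner launches under this service
  # account.
  # The authorizer names are redacted inconsistently (xxx- vs xxxx-authorizer
  # across authorizers, authorizer.<name>.type and authorizerName); confirm
  # the real values all refer to the same authorizer.
  # druid.indexer.runner.javaOptsArray passes only the JAAS login config to
  # task JVMs. cookieSignatureSecret is written inline; source it from a
  # Secret.
  runtime.properties: |
    druid.host=xxxx-overlords.service.xxx
    druid.service=druid/overlord
    # druid.extensions.loadList=["druid-kafka-indexing-service", "druid-kubernetes-extensions","druid-google-extensions","druid-kubernetes-overlord-extensions","mysql-metadata-storage","prometheus-emitter","druid-kubernetes-overlord-extensions","druid-protobuf-extensions", "druid-avro-extensions", "druid-parquet-extensions", "druid-orc-extensions", "druid-kinesis-indexing-service", "druid-datasketches","druid-kerberos","druid-basic-security"]
    # HTTP server threads
    druid.coordinator.startDelay=PT30S
    druid.coordinator.period=PT30S

    # Configure this coordinator to also run as Overlord
    # druid.coordinator.asOverlord.enabled=true
    # druid.coordinator.asOverlord.overlordService=druid/overlord
    druid.indexer.task.encapsulatedTask=true
    druid.peon.mode=remote
    druid.indexer.queue.startDelay=PT30S
    druid.indexer.runner.type=k8s
    druid.indexer.storage.type=metadata
    druid.auth.authenticatorChain=["xxx-authenticator"]
    druid.auth.authenticator.xxx-authenticator.type=kerberos
    druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/xxx-overlords.xxx
    druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/xxx.keytab
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxxx"
    druid.auth.authorizers=["xxxx-authorizer"]
    druid.auth.authorizer.xxx-authorizer.type=allowAll
    druid.auth.authenticator.xxx-authenticator.authorizerName=xxxx-authorizer
    druid.escalator.type=kerberos
    druid.escalator.authorizerName=xxx-authorizer
    druid.escalator.internalClientKeytab=/druid/keytabs/druid-internal.keytab
    druid.escalator.internalClientPrincipal=druid-internal@xxxx
    druid.auth.unsecuredPaths=["/metrics"]
    druid.indexer.runner.javaOptsArray=["-Djava.security.auth.login.config=/opt/druid/conf/druid/kafka_jaas.conf"]


  extra.jvm.options: |-
    -Xmx512M
    -Xms512M
  log4j.config: |-
    <?xml version="1.0" encoding="UTF-8" ?>
    <Configuration status="WARN">
        <Appenders>
            <Console name="Console" target="SYSTEM_OUT">
                <PatternLayout pattern="%d{ISO8601} %p [%t] %c - %m%n"/>
            </Console>
        </Appenders>
        <Loggers>
            <Root level="info">
                <AppenderRef ref="Console"/>
            </Root>
        </Loggers>
    </Configuration>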

# NOTE(review): orphaned value. It reads like a druid.monitoring.monitors list
# whose key (and enclosing node section) was lost in the paste; confirm where
# it belongs before reusing this manifest.
["org.apache.druid.client.cache.CacheMonitor","org.apache.druid.java.util.metrics.JvmMonitor","org.apache.druid.java.util.metrics.JvmCpuMonitor","org.apache.druid.java.util.metrics.CpuAcctDeltaMonitor","org.apache.druid.java.util.metrics.JvmThreadsMonitor","org.apache.druid.java.util.metrics.CgroupCpuMonitor","org.apache.druid.java.util.metrics.CgroupMemoryMonitor","org.apache.druid.server.metrics.EventReceiverFirehoseMonitor","org.apache.druid.server.metrics.HistoricalMetricsMonitor","org.apache.druid.server.metrics.SegmentStatsMonitor","org.apache.druid.server.metrics.ServiceStatusMonitor","org.apache.druid.server.metrics.EventReceiverFirehoseMonitor"]

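hot:
  kind: StatefulSet
  druid.port: 8088
  nodeConfigMountPath: /opt/druid/conf/druid/cluster/data/historical
  nodeType: historical
  podLabels:
    app.kubernetes.io/component: historical
  podAnnotations:
    druid.k8s.enablePatching: "true"
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9090'

  readinessProbe:
    failureThreshold: 18
    httpGet:
      path: /druid/historical/v1/readiness
      port: 8088
    periodSeconds: 10
  replicas: 1
  volumeClaimTemplates:
  - metadata:
      name: data-volume
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
      storageClassName: standard
  # NOTE(review): the authorizer type is allowAll, so any principal that
  # passes Kerberos authentication may query or manage every segment on this
  # tier. Paths in druid.auth.unsecuredPaths bypass authentication.
  # authenticatorChain must name the authenticator configured below; the
  # redacted placeholders differ (xxxx- vs xxx-authenticator) - confirm the
  # real values agree.
  # cookieSignatureSecret is written inline; source it from a Secret.
  runtime.properties: |
    druid.host=xxx-hot.service.xxx
    druid.service=druid/historical/hot
    druid.server.tier=hot
    druid.server.priority=1
    druid.monitoring.monitors=["org.apache.druid.client.cache.CacheMonitor","org.apache.druid.java.util.metrics.JvmMonitor","org.apache.druid.java.util.metrics.JvmCpuMonitor","org.apache.druid.java.util.metrics.JvmThreadsMonitor","org.apache.druid.server.metrics.EventReceiverFirehoseMonitor","org.apache.druid.server.metrics.HistoricalMetricsMonitor","org.apache.druid.server.metrics.SegmentStatsMonitor"]
    druid.segmentCache.locations=[{\"path\":\"/druid/data/segments\",\"maxSize\":10737418240}]
    druid.server.maxSize=10737418240
    druid.auth.authenticatorChain=["xxxx-authenticator"]
    druid.auth.authenticator.xxx-authenticator.type=kerberos
    druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/xxx-hot.xxxx
    druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/hot.keytab
    druid.auth.authorizers=["xxx-authorizer"]
    druid.auth.authorizer.xxx-authorizer.type=allowAll
    druid.auth.authenticator.xxx-authenticator.authorizerName=xxx-authorizer
    druid.escalator.type=kerberos
    druid.escalator.authorizerName=xxx-authorizer
    druid.escalator.internalClientKeytab=/druid/keytabs/druid-internal.keytab
    druid.escalator.internalClientPrincipal=druid-internal@xxxx
    druid.auth.unsecuredPaths=["/metrics","/druid/historical/v1/loadstatus"]
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxx"
  extra.jvm.options: |-
    -Xmx512M
    -Xms512M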

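cold:
  kind: StatefulSet
  druid.port: 8088
  nodeConfigMountPath: /opt/druid/conf/druid/cluster/data/historical
  nodeType: historical
  podLabels:
    app.kubernetes.io/component: historical
  podAnnotations:
    druid.k8s.enablePatching: "true"
    prometheus.io/scrape: 'true'
    prometheus.io/port: '9090'
  readinessProbe:
    failureThreshold: 18
    httpGet:
      path: /druid/historical/v1/readiness
      port: 8088
    periodSeconds: 10
  replicas: 1
  volumeClaimTemplates:
  - metadata:
      name: data-volume
    spec:
      accessModes:
      - ReadWriteOnce
      resources:
        requests:
          storage: 10Gi
      storageClassName: standard
  # NOTE(review): the authenticator type is spelled "kerberos" here to match
  # every other node section; the pasted copy read "kerbero" - confirm the
  # deployed value.
  # The authorizer type is allowAll, so any principal that passes Kerberos
  # authentication may query or manage every segment on this tier. Paths in
  # druid.auth.unsecuredPaths bypass authentication.
  # authenticatorChain must name the authenticator configured below; the
  # redacted placeholders differ (xxxx- vs xxx-authenticator) - confirm the
  # real values agree.
  # cookieSignatureSecret is written inline; source it from a Secret.
  runtime.properties: |
    druid.host=xxx-cold.service.xxx
    druid.service=druid/historical/cold
    druid.server.priority=0
    # druid.tier=cold
    druid.monitoring.monitors=["org.apache.druid.client.cache.CacheMonitor","org.apache.druid.java.util.metrics.JvmMonitor","org.apache.druid.java.util.metrics.JvmCpuMonitor","org.apache.druid.java.util.metrics.CpuAcctDeltaMonitor","org.apache.druid.java.util.metrics.JvmThreadsMonitor","org.apache.druid.server.metrics.EventReceiverFirehoseMonitor","org.apache.druid.server.metrics.HistoricalMetricsMonitor","org.apache.druid.server.metrics.SegmentStatsMonitor"]
    druid.segmentCache.locations=[{\"path\":\"/druid/data/segments\",\"maxSize\":10737418240}]
    druid.server.maxSize=10737418240
    druid.auth.authenticatorChain=["xxxx-authenticator"]
    druid.auth.authenticator.xxx-authenticator.type=kerberos
    druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/xxxx-cold.service.gxxxx
    druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/cold.keytab
    druid.auth.authorizers=["xxx-authorizer"]
    druid.auth.authorizer.xxx-authorizer.type=allowAll
    druid.auth.authenticator.xxx-authenticator.authorizerName=xxx-authorizer
    druid.escalator.type=kerberos
    druid.escalator.authorizerName=xxx-authorizer
    druid.escalator.internalClientKeytab=/druid/keytabs/druid-internal.keytab
    druid.escalator.internalClientPrincipal=druid-internal@xxxx
    druid.auth.unsecuredPaths=["/metrics","/druid/historical/v1/loadstatus"]
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxxx"
  extra.jvm.options: |-
    -Xmx512M
    -Xms512M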
      
routers:
  nodeType: router
  kind: Deployment
  replicas: 1
  druid.port: 8088
  nodeConfigMountPath: /opt/druid/conf/druid/cluster/query/router
  podLabels:
    app.kubernetes.io/component: router
  podAnnotations:
    druid.k8s.enablePatching: "true"
    prometheus.io/scrape: "true"
    prometheus.io/port: "9090"
  # The router fronts the web console and, with managementProxy enabled,
  # forwards management calls to the coordinator and overlord.
  # NOTE(review): the authorizer type is allowAll, so any principal that
  # passes Kerberos authentication gets that management access as well.
  # Paths in druid.auth.unsecuredPaths bypass authentication.
  # cookieSignatureSecret is written inline; source it from a Secret.
  runtime.properties: |
    druid.host=xxx-routers.service.xxx
    druid.service=druid/router

    # HTTP proxy
    druid.router.http.numConnections=10
    druid.router.http.readTimeout=PT5M
    druid.router.http.numMaxThreads=10
    druid.server.http.numThreads=10

    # Service discovery
    druid.router.defaultBrokerServiceName=druid/broker
    druid.router.coordinatorServiceName=druid/coordinator

    # Management proxy to coordinator / overlord: required for unified web console.
    druid.router.managementProxy.enabled=true
    druid.auth.authenticatorChain=["xxx-authenticator"]
    druid.auth.authenticator.xxx-authenticator.type=kerberos
    druid.auth.authenticator.xxx-authenticator.serverPrincipal=HTTP/sxxx-routers.service.xxx
    druid.auth.authenticator.xxx-authenticator.serverKeytab=/druid/keytabs/routers.keytab
    druid.auth.authenticator.xxx-authenticator.cookieSignatureSecret="xxx"
    druid.auth.authorizers=["xxx-authorizer"]
    druid.auth.authorizer.xxx-authorizer.type=allowAll
    druid.auth.authenticator.xxx-authenticator.authorizerName=xxx-authorizer
    druid.escalator.type=kerberos
    druid.escalator.authorizerName=xxx-authorizer
    druid.escalator.internalClientKeytab=/druid/keytabs/druid-internal.keytab
    druid.escalator.internalClientPrincipal=druid-internal@xxxx
    druid.auth.unsecuredPaths=["/metrics","/druid/historical/v1/loadstatus"]

  extra.jvm.options: |-
    -Xmx512M
    -Xms512M

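---
# Role bound to the "druid" service account that the Druid pods run as.
# NOTE(review): the list structure is reconstructed from a paste in which the
# sequence dashes had been rendered as bullets; confirm against the deployed
# object.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: druid
rules:
  # NOTE(review): wildcard verbs on pods and configmaps let any process
  # running under this service account create, modify or delete every pod
  # and ConfigMap in the namespace, including the ConfigMaps that carry
  # krb5.conf and the JAAS config. This rule also makes the narrower pods
  # rule further down redundant. Narrow the verbs to what service discovery
  # and the task runner actually use - TODO confirm against the extension
  # documentation.
  - apiGroups:
      - ""
    resources:
      - pods
      - configmaps
    verbs:
      - '*'
  - apiGroups: ["batch"]
    resources: ["jobs"]
    verbs: ["get", "watch", "list", "delete", "create"]
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "watch", "list", "delete", "create"]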

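---
# Grants the "druid" Role to the "druid" ServiceAccount.
# NOTE(review): the structure is reconstructed from a paste in which the
# sequence dash had been rendered as a bullet and roleRef had been pulled
# into the subject entry; roleRef is a top-level field of a RoleBinding.
# The subject carries no namespace, as in the pasted copy - confirm the
# binding resolves to the service account in the druid namespace.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: druid
subjects:
  - kind: ServiceAccount
    name: druid
roleRef:
  kind: Role
  name: druid
  apiGroup: rbac.authorization.k8s.io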

Can someone please help me with this
