Password providers

Passwords help secure Apache Druid systems such as the metadata store and the keystore that contains server certificates.

Each of these passwords has a corresponding runtime property. For example, druid.metadata.storage.connector.password corresponds to the metadata store password.

By default, users can set passwords directly in plaintext in runtime properties. For example, druid.metadata.storage.connector.password=pwd sets the password that Druid uses to connect to the metadata store to pwd. Alternatively, users can set passwords as environment variables.

Environment variable passwords allow users to avoid exposing passwords in the runtime.properties file.

You can set an environment variable password as in the following example:

  druid.metadata.storage.connector.password={ "type": "environment", "variable": "METADATA_STORAGE_PASSWORD" }

The values are described below.

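| Field    | Type   | Description                                | Required         |
|----------|--------|--------------------------------------------|------------------|
| type     | String | password provider type                     | Yes: environment |
| variable | String | environment variable to read password from | Yes              |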

Another option that provides even greater control is to securely fetch passwords at runtime using a custom extension of the PasswordProvider interface that is registered at Druid process startup.

For more information, see Adding a new Password Provider implementation.

To use this implementation, set the relevant password runtime property in the same way as shown for the environment variable password:

  druid.metadata.storage.connector.password={ "type": "<registered_password_provider_name>", "<jackson_property>": "<value>", ... }
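
A configuration check for the three property forms described above, as an added example that is not part of the Druid documentation or code base: it reads runtime.properties text and reports, for each password property, whether the value is a plaintext literal, an environment provider (and whether its variable is set), or a custom provider. The sample file contents, the provider name example-vault, and the rule that a key whose last segment contains "password" is a password property are assumptions made for this example.

```python
import json

# Constructed sample runtime.properties content (not from a real deployment).
# "example-vault" is a hypothetical custom provider name.
SAMPLE = """\
# metadata store
druid.metadata.storage.connector.user=druid
druid.metadata.storage.connector.password=pwd
druid.server.https.keyStorePassword={ "type": "environment", "variable": "KEYSTORE_PASSWORD" }
druid.client.https.trustStorePassword={ "type": "environment", "variable": "TRUSTSTORE_PASSWORD" }
druid.server.https.keyManagerPassword={ "type": "example-vault", "path": "druid/tls" }
"""

def classify(value, env):
    """Return (status, detail) for one password property value.
    The password itself is never included in the result."""
    try:
        spec = json.loads(value)
    except ValueError:
        spec = None
    # Anything that is not a JSON object with a "type" is a literal password.
    if not isinstance(spec, dict) or "type" not in spec:
        return ("plaintext", "literal password stored in the file")
    if spec["type"] != "environment":
        return ("custom", "provider type %r must be registered at startup" % spec["type"])
    var = spec.get("variable")
    if not var:
        return ("invalid", "environment provider without required 'variable'")
    if not env.get(var):
        return ("unset", "environment variable %s is not set" % var)
    return ("ok", "read from environment variable %s" % var)

def audit(text, env):
    """Classify every password property in runtime.properties text.
    Assumes one key=value pair per line, without line continuations."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        # Heuristic (assumption): last key segment contains "password".
        if "password" in key.rsplit(".", 1)[-1].lower():
            findings[key] = classify(value, env)
    return findings

if __name__ == "__main__":
    import os
    for key, (status, detail) in audit(SAMPLE, os.environ).items():
        print("%-10s %s: %s" % (status, key, detail))
```

Run it with the same environment the Druid process starts in, so that an "unset" result reflects what Druid itself would see.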