Support LDAP authentication

[lfrancke]

As a user I'd like to use my existing LDAP/AD credentials to log into Druid. This was already done in e.g. NiFi or Trino. This can be especially helpful for writing tests.

The LDAP support should be integrated in the structure from PR #6 which must be finished first.

apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: druid
spec:
  version: 24.0.0-stackable0.1.0
  clusterConfig:
    tls:
      serverSecretClass: String # defaults to "tls"
      internalSecretClass: String # defaults to "tls"
    authentication: 
      - authenticationClass: druid-tls-authentication-class # String
      - authenticationClass: druid-ldap-authentication-class # String

This is done when

• LDAP is configurable in the CRD using the LDAP structs from operator-rs
• A user/admin can configure Druid to use a LDAP server for authentication (while still offering existing authentication methods)
• There is documentation on how to configure Druid with LDAP using the Custom Resource
• Optional: There is an example demonstrating Druid with LDAP (docs, or example folder)
• There are tests which include:
  • OpenLDAP is installed and accessible via Druid
  • LDAP authenticated access to Druid works
• It is added to the feature tracker (ask Lars for help)

This depends on the reference architecture developed in stackabletech/issues#170

[fhennig]

Druid already supports LDAP authentication https://druid.apache.org/docs/latest/operations/auth-ldap.html

Edit: I meant by this that at least we don't have to write an extension for it - we just need to configure it properly

[lfrancke]

Blocked by #6

[sbernauer]

Blocked by #365

[vsupalov]

The first PR #374 is in review now. To close this ticket, we'll need to add ldaps:// in a later PR. They are separated for the sake of reviewer convenience, as the second part will require refactoring TLS-related code as well.

[vsupalov]

Follow-up tickets from the initial LDAP feature implementation PR, to be prioritized:

• Implement authentication with LDAP secured via TLS #382
• Support LDAP authentication without bind credentials #383
• Interconnection LDAP auth with an OPA authorization #384

[lfrancke]

I briefly talked to Vladislav today and he said that we might want to do more work here before we finish this ticket.
Can someone give an update on this issue?

[vsupalov]

My current understanding: there is the intention to add ldaps support to this ticket before closing it. The consensus was, that it probably would not be a lot of effort and supporting ldaps is something people expect.

The previous PR was very long-running and already quite big, which is why I opted to close it instead of cramming #382 into it as well. Adding ldaps could turn out to be a relatively simple PR, but from what I could tell a lot of existing TLS functionality would need to be adjusted as well (creating and handling a common trust store mostly), making it seem larger than it is.