Posted to issues@drill.apache.org by "ASF GitHub Bot (Jira)" <ji...@apache.org> on 2020/02/11 06:10:00 UTC

[jira] [Commented] (DRILL-7573) Support text file for user authentication instead of using PAM

    [ https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034153#comment-17034153 ] 

ASF GitHub Bot commented on DRILL-7573:
---------------------------------------

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based authentication
URL: https://github.com/apache/drill/pull/1977
 
 
   # [DRILL-7573](https://issues.apache.org/jira/browse/DRILL-7573): Support htpasswd based authentication
   
   ## Description
   
   This allows you to specify `htpasswd` as your authentication implementation.  In this case, users will be authenticated using usernames and passwords taken from a text file in `htpasswd` format.
   
   This gives some more flexibility compared to the PAM authenticator.  For example, in docker / kubernetes you can mount a folder with an htpasswd file and update that file when you want to add/remove users, without any concern about interfering with the contents of /etc/passwd and /etc/shadow.
   
   ## Documentation
   
   # Using a password file for authentication
   
   Apache Drill allows you to store valid usernames and passwords in a text file in the popular "htpasswd" format.
   
   This can be more convenient than using PAM in containerized environments, because you do not have to modify any system files like `passwd`, `shadow`, or files in `pam.d`.  Instead you can mount a volume with the `htpasswd` file in it and tell Drill to use that file for authentication.
   
   To configure this feature:
   
   1. Create an htpasswd file and copy/mount it to/on the drillbit machines/containers:
   
           $ htpasswd -c /path/to/htpasswd $USER
   
   2. Add the following configuration to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file:  
     
                 drill.exec: {
                   security.auth.mechanisms : ["PLAIN"],
                   security.user.auth: {
                     enabled: true,
                     packages += "org.apache.drill.exec.rpc.user.security",
                     impl: "htpasswd",
                     htpasswd: { file: "/path/to/htpasswd" }
                   }
                 }
   
   3. Restart the drillbit(s)
   4. Now you must use a username/password from the `htpasswd` file when logging into Drill
   
   Note: Currently the `crypt` and `bcrypt` algorithms are not supported; you should probably use the MD5 hashing algorithm used by default by the `htpasswd` command.
   
   ## Testing
   
   I created an `htpasswd` file using `htpasswd`, configured the auth mechanism as shown above, and tested logging in with both valid and invalid passwords with MD5, SHA-1, and plaintext password hashes in the `htpasswd` files.
   
   No automated tests so far, but I'm open to advice on how/where to add them.  Still very new to the code base.
   
   
 


> Support text file for user authentication instead of using PAM
> --------------------------------------------------------------
>
>                 Key: DRILL-7573
>                 URL: https://issues.apache.org/jira/browse/DRILL-7573
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components:  Server, Web Server
>    Affects Versions: 1.17.0
>            Reporter: Dobes Vandermeer
>            Priority: Major
>
> Currently plain login uses PAM as its user database.  However, in a containerized or server environment the passwd file is generally kept static, so some other mechanism for managing users is preferred.  Also, pam does not by default come with an easy way to check passwords other than via the passwd/shadow files.
>  It would be great if there was another authentication method included in drill that was easier to use in a containerized environment.
> Reading the usernames and passwords from a specific file would probably be the simplest mechanism.
>  
>  
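
The pull request's note and testing section name the hash formats involved: MD5, SHA-1 and plaintext were tested, while `crypt` and `bcrypt` are unsupported. The Python script below is an added example, not part of the pull request or of Drill's code; it classifies each entry of an htpasswd file by scheme so that unsupported or weak entries can be found before the file is mounted. The sample file contents, the hash values other than the `{SHA}` one, and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, string
from collections import defaultdict

CRYPT_CHARS = set(string.ascii_letters + string.digits + "./")
# scheme -> (usable per the PR's note and manual testing, reviewer's remark)
SCHEMES = {
    "apr1-md5": (True, "salted MD5, the htpasswd default"),
    "sha1": (True, "unsalted SHA-1: equal passwords give equal hashes"),
    "plaintext": (True, "password stored in the clear"),
    "bcrypt": (False, "not supported according to the PR note"),
    "crypt": (False, "not supported according to the PR note"),
}

def classify(h):
    """Guess the htpasswd scheme from the stored value's prefix and shape."""
    if h.startswith("$apr1$"):
        return "apr1-md5"
    if h.startswith("{SHA}"):
        return "sha1"
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"
    if len(h) == 13 and set(h) <= CRYPT_CHARS:
        return "crypt"  # heuristic: a 13-character plaintext looks the same
    return "plaintext"

def verify_sha1(password, h):
    """Check a password against a {SHA} entry: base64(SHA-1(password)), no salt."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
    return hmac.compare_digest(b"{SHA}" + digest, h.encode())

def audit(text):
    """Return (rows, shared): one row per user, plus {SHA} hashes used by several users."""
    rows, by_hash = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, h = line.split(":", 1)
        scheme = classify(h)
        rows.append((user, scheme) + SCHEMES[scheme])
        if scheme == "sha1":
            by_hash[h].append(user)
    return rows, {h: u for h, u in by_hash.items() if len(u) > 1}

# Constructed sample; only the {SHA} value is a real digest (of "password").
SAMPLE = """alice:$apr1$constrct$AAAAAAAAAAAAAAAAAAAAAA
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:$2y$05$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
erin:hunter2"""
```

`audit(SAMPLE)` returns one row per user and a mapping of `{SHA}` values shared by several accounts; here `bob` and `carol` share one, which reveals that they use the same password.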


