Posted to commits@drill.apache.org by br...@apache.org on 2017/05/17 01:13:12 UTC

drill git commit: Edits to user authentication docs - config for user impersonation also

Repository: drill
Updated Branches:
  refs/heads/gh-pages 8a246b085 -> 208485234


Edits to user authentication docs - config for user impersonation also


Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/20848523
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/20848523
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/20848523

Branch: refs/heads/gh-pages
Commit: 2084852348e1cd91196ae488d81f6298b4024871
Parents: 8a246b0
Author: Bridget Bevens <bb...@maprtech.com>
Authored: Tue May 16 18:11:21 2017 -0700
Committer: Bridget Bevens <bb...@maprtech.com>
Committed: Tue May 16 18:11:21 2017 -0700

----------------------------------------------------------------------
 .../070-configuring-user-authentication.md      | 11 ++-
 .../080-configuring-plain-authentication.md     | 27 ++++---
 ...090-configuring-kerberos-auththentication.md | 74 ++++++++++++--------
 3 files changed, 65 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
index 8848534..daa0016 100644
--- a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
+++ b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring User Authentication"
-date: 2017-03-16 01:48:00 UTC
+date: 2017-05-17 01:11:27 UTC
 parent: "Securing Drill"
 ---
 Authentication is the process of establishing confidence of authenticity. A Drill client user is authenticated when a drillbit process running in a Drill cluster confirms the identity it is presented with.  Drill 1.10 supports several authentication mechanisms through which users can prove their identity before accessing cluster data: 
@@ -9,14 +9,11 @@ Authentication is the process of establishing confidence of authenticity. A Dril
 * **Plain** [also known as basic authentication (auth), which is username and password-based authentication, through the Linux Pluggable Authentication Module (PAM)] - See [Configuring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/).
 * **Custom authenticators** - See [Creating Custom Authenticators]({{site.baseurl}}/docs/creating-custom-authenticators).
 
-These authentication options are available through JDBC and ODBC interfaces.
+These authentication options are available through JDBC and ODBC interfaces.  
 
----
-**Note**
-
-If user impersonation is enabled, Drill executes the client requests as the authenticated user. Otherwise, Drill executes client requests as the user that started the drillbit process. You can enable both authentication and impersonation to improve Drill security. See [Configuring User Impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/) for more information.
 
----
+{% include startnote.html %}Enabling both [user impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/) and authentication is recommended to restrict access to data and improve security. When user impersonation is enabled, Drill executes the client requests as 
+the authenticated user. Otherwise, Drill executes client requests as the user that started the drillbit process.{% include endnote.html %}
 
 
 
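Review bot: The replacement note is split mid-sentence across two added lines ("Drill executes the client requests as" / "the authenticated user"), and the "These authentication options are available through JDBC and ODBC interfaces." line is changed only by appending two trailing spaces. Put the note on a single line, as the Kerberos page's note in this commit does, and drop the whitespace-only change so the diff carries only the content edit.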

http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
index 4669237..174f3e4 100644
--- a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
+++ b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring Plain Authentication"
-date: 2017-03-16 23:46:05 UTC
+date: 2017-05-17 01:11:30 UTC
 parent: "Securing Drill"
 ---
 Linux PAM provides a Plain (or username and password) authentication module that interface with any installed PAM authentication entity, such as the local operating system password file (`/etc/passwd`) or LDAP. 
@@ -90,14 +90,23 @@ Complete the following steps to install and configure PAM for Drill:
 
 1. Add the following configuration to the drill.exec block in `<DRILL_HOME>/conf/drill-override.conf`: 
 		
-		  drill.exec {
-		   security.user.auth {
-		         enabled: true,
-		         packages += "org.apache.drill.exec.rpc.user.security",
-		         impl: "pam",
-		         pam_profiles: [ "sudo", "login" ]
-		   } 
-		  }
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {          
+                        auth.mechanisms : ["PLAIN"],
+                         },
+                security.user.auth: {
+                        enabled: true,
+                        packages += "org.apache.drill.exec.rpc.user.security",
+                        impl: "pam",
+                        pam_profiles: [ "sudo", "login" ]
+                 }
+               }
 
 1. (Optional) To add or remove different PAM profiles, add or delete the profile names in the “pam_profiles” array shown above. 
 
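Review bot: The added example is now a complete `drill.exec` block that hard-codes `cluster-id: "drillbits1"` and a `zk.connect` list of `qa.lab` hosts on port 5181, while the step above it still says to add the configuration "to the drill.exec block". A reader who pastes it as written replaces their own cluster id and ZooKeeper quorum with these lab values; use clearly marked placeholders for both, or limit the snippet to the `impersonation`, `security` and `security.user.auth` entries the step is about. The port also differs from the 2181 used in the Kerberos examples in this same commit, and `max_chained_user_hops: 3` appears without explanation or a link to the impersonation page.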

http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
index 7bd4e26..bff66d2 100644
--- a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
+++ b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
@@ -1,18 +1,14 @@
 ---
 title: "Configuring Kerberos Authentication"
-date: 2017-03-17 22:31:37 UTC
+date: 2017-05-17 01:11:31 UTC
 parent: "Securing Drill"
 ---
 In release 1.10 Drill supports Kerberos v5 network security authentication.  To use Kerberos with Drill and establish connectivity, use the JDBC driver packaged with Drill 1.10.
 
-Kerberos allows trusted hosts to prove their identity over a network to an information system.  A Kerberos *realm* is unique authentication domain. A centralized *key distribution center (KDC)* coordinates authentication between a clients and servers. Clients and servers obtain and use tickets from the KDC using a special *keytab* file to communicate with the KDC and prove their identity to gain access to a drillbit.  Administrators must create *principal* (user or server) identities and passwords to ensure the secure exchange of mutual authentication information passed to and from the drillbit. 
+Kerberos allows trusted hosts to prove their identity over a network to an information system.  A Kerberos *realm* is unique authentication domain. A centralized *key distribution center (KDC)* coordinates authentication between a clients and servers. Clients and servers obtain and use tickets from the KDC using a special *keytab* file to communicate with the KDC and prove their identity to gain access to a drillbit.  Administrators must create *principal* (user or server) identities and passwords to ensure the secure exchange of mutual authentication information passed to and from the drillbit.   
 
----
-**NOTE**
-
-Proper setup, configuration, administration, and usage of a Kerberos environment is beyond the scope of this documentation.  See the [MIT Kerberos](http://web.mit.edu/kerberos/ "MIT Kerberos") documentation for information about Kerberos.
+{% include startnote.html %}Proper setup, configuration, administration, and usage of a Kerberos environment is beyond the scope of this documentation.  See the [MIT Kerberos](http://web.mit.edu/kerberos/ "MIT Kerberos") documentation for information about Kerberos.{% include endnote.html %}  
 
----
 
 ## Prerequisites
 
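Review bot: The Kerberos overview paragraph is changed only by appending trailing spaces, so the errors in it survive the edit: "is unique authentication domain" and "between a clients and servers". Since the line is being rewritten anyway, correct these to "is a unique authentication domain" and "between clients and servers", and drop the trailing whitespace here and after `{% include endnote.html %}`.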
@@ -66,30 +62,46 @@ During startup, a drillbit service must authenticate. At runtime, Drill uses the
 &nbsp;
 2.  Add the Kerberos principal identity and keytab file to the `drill-override.conf` file.  
 
- * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the principal, it is replaced with the fully qualified domain name of that host for the instance name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@<EXAMPLE>.COM` as the principal, the canonicalized principal is `drill/host01.aws.lab@<EXAMPLE>.COM`. 
-
-             drill.exec {  
-   			    security: {  
- 			      user.auth.enabled:true,  
- 			      auth.mechanisms:[“KERBEROS”],  
- 			      auth.principal:“drill/<clustername>@<REALM>.COM”,  
- 			      auth.keytab:“/etc/drill/conf/drill.keytab”  
-				}  
-			}  
-
- * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration parameters. For example, the following configuration enables Kerberos and Plain (username and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication) for Plain PAM configuration instructions. 
-   
-             drill.exec: {  
-              	security: {  
-              	   user.auth.enabled:true,  
-              	   user.auth.impl:"pam",  
-              	   user.auth.pam_profile:["sudo", "login"],  
-              	   auth.mechanisms:["KERBEROS","PLAIN"],  
-              	   auth.principal:"drill/<clustername>@<REALM>.COM",  
-              	   auth.keytab:"/etc/drill/conf/drill.keytab"  
-              		}  
-              	}  
-
+ * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the principal, it is replaced with the fully qualified domain name of that host for the instance name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@<EXAMPLE>.COM` as the principal, the canonicalized principal is `drill/host01.aws.lab@<EXAMPLE>.COM`.  
+
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {  
+                        user.auth.enabled:true,  
+                        auth.mechanisms:[“KERBEROS”],  
+                        auth.principal:“drill/<clustername>@<REALM>.COM”,  
+                        auth.keytab:“/etc/drill/conf/drill.keytab”  
+                }
+                
+              }
+
+ * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration parameters. For example, the following configuration enables Kerberos and Plain (username and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication) for Plain PAM configuration instructions.  
+
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {  
+                        user.auth.enabled:true,  
+                        auth.mechanisms:["KERBEROS","PLAIN"],  
+                        auth.principal:“drill/<clustername>@<REALM>.COM”,  
+                        auth.keytab:“/etc/drill/conf/drill.keytab”  
+                      }  
+                security.user.auth: {
+                        enabled: true,
+                        packages += "org.apache.drill.exec.rpc.user.security",
+                        impl: "pam",
+                        pam_profiles: ["sudo", "login"]
+                       }   
+                }
 
 
 &nbsp;
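Review bot: Both added examples use typographic quotes in `auth.principal:“drill/<clustername>@<REALM>.COM”` and `auth.keytab:“/etc/drill/conf/drill.keytab”` (the first also in `auth.mechanisms:[“KERBEROS”]`), and the second example regresses, since its removed version had straight quotes on those two lines. Those characters do not delimit strings in `drill-override.conf`, so a copied block will not configure the principal and keytab as shown; replace them with `"` throughout. The `zk.connect` value again names `qa.lab` hosts, here on port 2181 against 5181 on the Plain authentication page, and the link text "Installing and Connfiguring Plain Authentication" is still misspelled on a line this hunk rewrites.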