Posted to commits@drill.apache.org by dz...@apache.org on 2021/12/10 11:00:44 UTC

[drill-site] branch master updated: Document htpasswd and Vault authentication.

This is an automated email from the ASF dual-hosted git repository.

dzamo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/drill-site.git


The following commit(s) were added to refs/heads/master by this push:
     new 25b3376  Document htpasswd and Vault authentication.
25b3376 is described below

commit 25b337608771d7721b3ad5d3b1d4c2d6bb6345a4
Author: James Turton <ja...@somecomputer.xyz>
AuthorDate: Fri Dec 10 12:59:46 2021 +0200

    Document htpasswd and Vault authentication.
---
 .gitignore                                         |  1 +
 .../080-configuring-plain-security.md              | 20 ++++----
 .../082-using-libpam4j-as-the-pam-authenticator.md | 53 +++++++++++-----------
 .../084-configuring-htpasswd-authentication.md     | 30 ++++++++++++
 .../085-configuring-vault-authentication.md        | 40 ++++++++++++++++
 _plugins/create_data_docs.rb                       |  2 +-
 6 files changed, 108 insertions(+), 38 deletions(-)

diff --git a/.gitignore b/.gitignore
index 077a2b7..f871c2a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,6 +3,7 @@ vendor
 .jekyll-cache
 .jekyll-metadata
 _site/*
+_data/docs*.json
 .sass-cache/*
 .project
 .buildpath
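Review bot: the `_data/docs*.json` ignore entry has nothing to do with the commit subject (documenting htpasswd and Vault authentication) and would be easier to track in its own commit, together with the `_plugins/create_data_docs.rb` change. Please also confirm the glob matches what the plugin writes: the comment in `create_data_docs.rb` refers to the generated files as `data_*.json`, which this pattern would not cover.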
diff --git a/_docs/en/configure-drill/securing-drill/080-configuring-plain-security.md b/_docs/en/configure-drill/securing-drill/080-configuring-plain-security.md
index 3a92156..8c45f66 100644
--- a/_docs/en/configure-drill/securing-drill/080-configuring-plain-security.md
+++ b/_docs/en/configure-drill/securing-drill/080-configuring-plain-security.md
@@ -3,9 +3,9 @@ title: "Configuring Plain Security"
 slug: "Configuring Plain Security"
 parent: "Securing Drill"
 ---
-Linux PAM provides a Plain (username and password) authentication module that interfaces with any installed PAM authentication entity, such as the local operating system password file (`/etc/passwd`) or LDAP. 
- 
-When using PAM for authentication, each user that has permission to run Drill queries must exist in the list of users that resides on each Drill node in the cluster. The username (including the `uid`) and password for each user must be identical across all Drill nodes. 
+Linux PAM provides a Plain (username and password) authentication module that interfaces with any installed PAM authentication entity, such as the local operating system password file (`/etc/passwd`) or LDAP.
+
+When using PAM for authentication, each user that has permission to run Drill queries must exist in the list of users that resides on each Drill node in the cluster. The username (including the `uid`) and password for each user must be identical across all Drill nodes.
 
 If you use PAM with `/etc/passwd` for authentication, verify that users with permission to start the Drill process belong to the shadow user group on all nodes in the cluster. This enables Drill to read the `/etc/shadow` file for authentication.
 
@@ -18,7 +18,7 @@ This section includes the following topics:
 
 ## Authentication Process
 
-The following image illustrates the PAM user authentication process in Drill.  The client passes a username and password to the Drillbit as part of the connection request, which then passes the credentials to PAM.  If PAM authenticates the user, the connection request passes the authentication phase and the connection is established. The user will be authorized to access Drill and issue queries against the file system or other storage plugins, such as Hive or HBase.  
+The following image illustrates the PAM user authentication process in Drill.  The client passes a username and password to the Drillbit as part of the connection request, which then passes the credentials to PAM.  If PAM authenticates the user, the connection request passes the authentication phase and the connection is established. The user will be authorized to access Drill and issue queries against the file system or other storage plugins, such as Hive or HBase.
 
 ![plain auth process]({{ site.baseurl }}/images/docs/plain-auth-process.png)
 
@@ -28,7 +28,7 @@ For more PAM information (including a *JPAM User Guide*), see [JPAM](http://jpam
 
 ## Connecting with SQLLine
 
-When Plain user authentication is enabled with PAM, each user that accesses the Drillbit process through a client, such as SQLLine, must provide username and password credentials for access. Users can include the `–n` and `–p` parameters with their username and password when launching SQLLine. 
+When Plain user authentication is enabled with PAM, each user that accesses the Drillbit process through a client, such as SQLLine, must provide username and password credentials for access. Users can include the `–n` and `–p` parameters with their username and password when launching SQLLine.
 
 **Example**
 
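Review bot: on the rewritten SQLLine sentence the flags are typed with en dashes (`–n`, `–p`) rather than ASCII hyphens, so a reader who copies them will not get valid options; since the line is being touched anyway, change them to `-n` and `-p`. It would also help to say here that a password passed with `-p` sits on the command line, which is the reason the `!connect` flow described next exists.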
@@ -36,7 +36,7 @@ When Plain user authentication is enabled with PAM, each user that accesses the
 
 Alternatively, a user can launch SQLLine and then issue the !connect command to hide the password.
 
-1. Start SQLLine on Linux by running the sqlline script. 
+1. Start SQLLine on Linux by running the sqlline script.
 
 	    bridgetsmachine:~$ /etc/drill/bin/sqlline
       	apache drill 1.10.0
@@ -50,9 +50,9 @@ Alternatively, a user can launch SQLLine and then issue the !connect command to
         `sqlline> !connect jdbc:drill:zk=localhost:2181 scan complete in 1385m`s
 
 1. When prompted, enter a username and password. The password is hidden as it is typed.
-    
+
        	Enter username for jdbc:drill:zk=localhost:2181: bridget
-      	Enter password for jdbc:drill:zk=localhost:2181: ************* 
+      	Enter password for jdbc:drill:zk=localhost:2181: *************
 
 ## Connecting with BI Tools
 
@@ -62,12 +62,12 @@ When you connect to Drill from a BI tool, such as Tableau, the ODBC driver promp
 
 ## Configuring Plain Security
 
-As of Drill 1.12, the libpam4j module is packaged with Drill. There is no download or external dependency required to use libpam4j. You can either use jpam or libpam4j as the PAM authenticator with Drill. Optionally, you can build and implement a custom authenticator.  
+As of Drill 1.12, the libpam4j module is packaged with Drill. There is no download or external dependency required to use libpam4j. You can either use jpam or libpam4j as the PAM authenticator with Drill. Optionally, you can build and implement a custom authenticator.
 
 
 
 - To configure Drill to use libpam4j as the PAM authenticator, see [Using libpam4j as the PAM Authenticator]({{site.baseurl}}/docs/using-libpam4j-as-the-pam-authenticator/).
-- To configure Drill to use jpam as the PAM authenticator, see [Using jpam as the PAM Authenticator]({{site.baseurl}}/docs/using-jpam-as-the-pam-authenticator/).  
+- To configure Drill to use jpam as the PAM authenticator, see [Using jpam as the PAM Authenticator]({{site.baseurl}}/docs/using-jpam-as-the-pam-authenticator/).
 
 
 
diff --git a/_docs/en/configure-drill/securing-drill/082-using-libpam4j-as-the-pam-authenticator.md b/_docs/en/configure-drill/securing-drill/082-using-libpam4j-as-the-pam-authenticator.md
index bd5473b..1a4eff0 100644
--- a/_docs/en/configure-drill/securing-drill/082-using-libpam4j-as-the-pam-authenticator.md
+++ b/_docs/en/configure-drill/securing-drill/082-using-libpam4j-as-the-pam-authenticator.md
@@ -4,34 +4,33 @@ slug: "Using libpam4j as the PAM Authenticator"
 parent: "Securing Drill"
 ---
 
-
-The libpam4j module is packaged with Drill. The libpam4j module does not have any external dependencies.  
+The libpam4j module is packaged with Drill. The libpam4j module does not have any external dependencies.
 
 To use libpam4j as the PAM authenticator with Drill, complete the following steps:
 
-1. Add the following configuration to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file:  
-  
-              drill.exec: {
-               cluster-id: "drillbits1",
-               zk.connect: "<zk-node-hostname>:2181,<zk-node-hostname>:2181,<zk-node-hostname>:2181",
-               impersonation: {
-                 enabled: true,
-                 max_chained_user_hops: 3
-               },
-               security: {          
-                       auth.mechanisms : ["PLAIN"],
-                        },
-               security.user.auth: {
-                       enabled: true,
-                       packages += "org.apache.drill.exec.rpc.user.security",
-                       impl: "pam4j",
-                       pam_profiles: [ "sudo", "login" ]
-                }
-              }
-
-2. (Optional) To add or remove different PAM profiles, add or delete the profile names in the `pam_profiles` array in the configuration.
-3. Restart the Drillbit process on each Drill node, as shown:  
-
-              <DRILLINSTALL_HOME>/bin/drillbit.sh restart
-
+1. Add the following configuration to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file:
+
+              drill.exec: {
+               cluster-id: "drillbits1",
+               zk.connect: "<zk-node-hostname>:2181,<zk-node-hostname>:2181,<zk-node-hostname>:2181",
+               impersonation: {
+                 enabled: true,
+                 max_chained_user_hops: 3
+               },
+               security: {
+                       auth.mechanisms : ["PLAIN"],
+                        },
+               security.user.auth: {
+                       enabled: true,
+                       packages += "org.apache.drill.exec.rpc.user.security",
+                       impl: "pam4j",
+                       pam_profiles: [ "sudo", "login" ]
+                }
+              }
+
+2. (Optional) To add or remove different PAM profiles, add or delete the profile names in the `pam_profiles` array in the configuration.
+3. Restart the Drillbit process on each Drill node, as shown:
+
+              <DRILLINSTALL_HOME>/bin/drillbit.sh restart
+
 
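Review bot: the re-added `drill.exec` example keeps the deep indented code block with uneven nesting (the `security` block closes on a differently indented `},` and `auth.mechanisms : ["PLAIN"],` keeps a trailing comma), while the two pages added in this commit use a fenced `hocon` block. As every line of the example is already rewritten here, convert it to the same fenced form and normalise the indentation so the three pages read alike. Step 1 refers to `<DRILL_HOME>` and step 3 to `<DRILLINSTALL_HOME>`; pick one placeholder.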
diff --git a/_docs/en/configure-drill/securing-drill/084-configuring-htpasswd-authentication.md b/_docs/en/configure-drill/securing-drill/084-configuring-htpasswd-authentication.md
new file mode 100644
index 0000000..a8250b3
--- /dev/null
+++ b/_docs/en/configure-drill/securing-drill/084-configuring-htpasswd-authentication.md
@@ -0,0 +1,30 @@
+---
+title: "Configuring htpasswd file authentication"
+slug: "Configuring htpasswd file authentication"
+parent: "Securing Drill"
+---
+
+An authenticator based on an htpasswd file is bundled with Drill and is aimed at situations where the list of users is relatively static and PAM is not convenient, e.g. because Drill is running in a container.  The authenticator supports MD5, SHA-1 and plaintext passwords.  You can create and modify htpasswd files using the htpasswd CLI program from the Apache HTTP Server project.  Note that the htpasswd file must be visible in the filesystem of every Drillbit.
+
+To enable it, add the following configuration to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file and restart every Drillbit.  The path to the htpasswd file defaults to the value in the HOCON fragment below if it is not specified.
+
+```hocon
+drill.exec: {
+ cluster-id: "drillbits1",
+ zk.connect: "<zk-node-hostname>:2181,<zk-node-hostname>:2181,<zk-node-hostname>:2181",
+ impersonation: {
+   enabled: true,
+   max_chained_user_hops: 3
+ },
+ security: {
+         auth.mechanisms : ["PLAIN"],
+          },
+ security.user.auth: {
+         enabled: true,
+         packages += "org.apache.drill.exec.rpc.user.security",
+         impl: "htpasswd",
+         htpasswd.path: "/opt/drill/conf/htpasswd"
+  }
+}
+```
+
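Review bot: the sentence "The authenticator supports MD5, SHA-1 and plaintext passwords" lists the formats without telling an operator which to choose; add a recommendation and state that plaintext entries, and the unsalted SHA-1 entries htpasswd produces, give little protection once the file is read. Because the file "must be visible in the filesystem of every Drillbit", the page should also say which account needs read access to `/opt/drill/conf/htpasswd` and that it should not be world-readable. Naming the matching `htpasswd` options (`-m`, `-s`, `-p`) would save readers a lookup.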
diff --git a/_docs/en/configure-drill/securing-drill/085-configuring-vault-authentication.md b/_docs/en/configure-drill/securing-drill/085-configuring-vault-authentication.md
new file mode 100644
index 0000000..3f568a1
--- /dev/null
+++ b/_docs/en/configure-drill/securing-drill/085-configuring-vault-authentication.md
@@ -0,0 +1,40 @@
+---
+title: "Configuring HashiCorp Vault authentication"
+slug: "Configuring HashiCorp Vault authentication"
+parent: "Securing Drill"
+---
+
+**Introduced in release:** 1.20
+
+[Vault](https://www.vaultproject.io/) is a popular credentials store and authentication provider which can be used by Drill for both purposes. Drill's Vault authenticator supports the following [Vault authentication methods](https://www.vaultproject.io/docs/auth).
+
+| Method              | Description                                                                                                                                                                                                                                                                                         |
+| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AppRole             | Built-in Vault method intended to authenticate apps or machines. Drill will use the provided username for the role id and the provided password for secret id.                                                                                                                                      |
+| LDAP                | Vault hands off authentication to an LDAP server.                                                                                                                                                                                                                                                   |
+| Username & Password | Built-in Vault method intended to authenticate users.                                                                                                                                                                                                                                               |
+| Token               | Built-in Vault method to validate a token created by an earlier Vault authentication. Drill user the provided password as the Vault token. This is the only method for which Drill does not require its own Vault token to carry out authentication (see the security.user.auth.vault.token option) |
+
+To enable Drill's Vault authneticator, add the following configuration based on the example below to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file and restart every Drillbit.
+
+```hocon
+drill.exec: {
+ cluster-id: "drillbits1",
+ zk.connect: "<zk-node-hostname>:2181,<zk-node-hostname>:2181,<zk-node-hostname>:2181",
+ impersonation: {
+   enabled: true,
+   max_chained_user_hops: 3
+ },
+ security: {
+         auth.mechanisms : ["PLAIN"],
+          },
+ security.user.auth: {
+         enabled: true,
+         packages += "org.apache.drill.exec.rpc.user.security",
+         impl: "vault",
+         vault.address: "http://localhost:8200",
+         vault.token: "drill_vault_token_123",
+         vault.method: "USER_PASS" # supported values: APP_ROLE, LDAP, USER_PASS, VAULT_TOKEN
+  }
+}
+```
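Review bot: the example sets `vault.address: "http://localhost:8200"`, so anyone copying it sends the user's password and the Drillbit's own `vault.token` to Vault over plain HTTP; use an `https://` address in the example or add a sentence that HTTP is for local testing only. The literal `vault.token: "drill_vault_token_123"` also calls for a note on restricting access to `drill-override.conf`, or, if Drill's HOCON loader resolves them, an environment substitution in place of the literal. The table refers to the option as `security.user.auth.vault.token` while the fragment writes `vault.token` inside `security.user.auth`; a short remark that these are the same key would avoid confusion. Typos in the same hunk: "authneticator", and "Drill user the provided password" should read "Drill uses".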
diff --git a/_plugins/create_data_docs.rb b/_plugins/create_data_docs.rb
index 141e77e..912aafd 100644
--- a/_plugins/create_data_docs.rb
+++ b/_plugins/create_data_docs.rb
@@ -77,6 +77,6 @@ Jekyll::Hooks.register :site, :pre_render do |site|
 
 	# Nasty hack: ask Jekyll to read all of the data files for the site again
 	# so that it will incorporate the new data_*.json files we generated here.
-	puts 'INFO: asking Jekyll to reload site data files'
+	puts 'INFO: data_docs plugin asks Jekyll to reload site data files'
 	site.data = Jekyll::DataReader.new(site).read(site.config["data_dir"])
 end
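Review bot: the reworded message still hand-writes an `INFO:` prefix and goes through `puts`, so it is printed regardless of Jekyll's log level; prefer `Jekyll.logger.info` with the plugin name as the topic. This change is also unrelated to the commit subject and would sit better in a separate commit with the `.gitignore` entry.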