Securing Drill

An administrator can install Drill with the default security configuration or manually configure custom security for Drill.

Drill supports several security features that secure the communication paths between Drill clients (such as ODBC/JDBC) and Drillbits and also between Drillbits. The following sections briefly describe the security configuration options for Drill and provide links to additional information and instructions.

Default Security Configuration

Starting in Core 6.0 and Drill 1.11 (EEP 4.0), Drill is automatically secured when you install Drill on a cluster that was installed with the default security configuration. The default security configuration provides authentication, authorization, and encryption through the data-fabric-SASL mechanism, except for HTTPS, which uses SSL/TLS with form-based authentication. See Drill Default Security and SSL/TLS for Encryption for more information. You may also want to reference the following topics:
  • Installing Drill, which describes some Drill installation security scenarios.
  • Data Fabric Drill Drivers, where you can access the JDBC and ODBC driver information and downloads required to connect to Drill when using the default security configuration.
NOTE
The default security configuration does not include Kerberos or Plain authentication; however, you can manually configure these security mechanisms in addition to the default security configuration.

Security Features Supported in a Custom Configuration

Drill supports several security features that an administrator can manually configure to secure the communication paths between the Drill client and Drillbit and also between Drillbits.

The following table lists the security features and mechanisms supported by Drill, as well as the communication paths secured by each mechanism:
NOTE
In the following table, Drill client refers to the Drill ODBC and JDBC clients. See Drill Drivers for ODBC and JDBC driver information.

| Security Features | Supported Mechanisms | Communication Paths Secured |
|---|---|---|
| Authentication | MapR Security (data-fabric-SASL/Tickets) | Drill client to Drillbit; Drillbit to Drillbit; Drillbit to ZooKeeper. NOTE: The Drillbit creates znodes, for which ZooKeeper ACLs provide security. See Security Between ZooKeeper and Drillbits for more information. |
| Authentication | Kerberos | Drill client to Drillbit; Drillbit to Drillbit |
| Authentication | Plain (username and password) | Drill client to Drillbit |
| Authentication | Form-based | Web client/REST API to Drillbit. NOTE: You can configure SSL/TLS for encryption. |
| Authentication | SPNEGO for HTTP | Web client/REST API to Drillbit. NOTE: You can configure SSL/TLS for encryption. |
| Encryption | MapR Security (data-fabric/Tickets) | Drill client to Drillbit; Drillbit to Drillbit |
| Encryption | Kerberos | Drill client to Drillbit; Drillbit to Drillbit |
| Encryption | SSL/TLS | Drill client to Drillbit; Web client/REST API to Drillbit |
| Authorization | Based on filesystem permissions | Drill client to Drillbit |
| Impersonation | User impersonation | Drill client to Drillbit. NOTE: Drill supports user impersonation, inbound impersonation, and user impersonation with Hive authorization. |
| Impersonation | Inbound impersonation | Drill client to Drillbit. NOTE: Supports setting inbound impersonation policies, which are used to verify whether the user (set as the DelegationUID parameter passed in the client connection URL) can be impersonated by the connection user or not. |
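
The inbound impersonation check described in the note above can be modeled in a few lines. This is an added example, not code from the Drill documentation or project: the policy shape (proxy_principals and target_principals, each with users and groups) follows Drill's exec.impersonation.inbound_policies option, which this page does not show, and the strict-JSON form, the function names, and all user and group names are assumptions made for illustration.

```python
import json

WILDCARD = "*"

# Constructed sample policies (strict JSON; all user and group names are made up).
SAMPLE_POLICIES = json.loads("""
[
  {"proxy_principals":  {"users": ["svc_bi"]},
   "target_principals": {"users": ["alice", "bob"], "groups": ["analysts"]}},
  {"proxy_principals":  {"groups": ["etl_admins"]},
   "target_principals": {"users": ["*"]}}
]
""")

def _listed(principals, user, groups):
    """True if the user, or one of the user's groups, is named explicitly."""
    return (user in principals.get("users", [])
            or bool(set(groups) & set(principals.get("groups", []))))

def _has_wildcard(principals):
    return (WILDCARD in principals.get("users", [])
            or WILDCARD in principals.get("groups", []))

def can_impersonate(policies, proxy_user, proxy_groups, target_user, target_groups):
    """Default deny: allow only if some policy names the connection (proxy) user
    and covers the requested target (the DelegationUID value).
    In this simplified model a wildcard is honored on the target side only."""
    for policy in policies:
        proxy = policy.get("proxy_principals", {})
        target = policy.get("target_principals", {})
        if _listed(proxy, proxy_user, proxy_groups) and (
                _listed(target, target_user, target_groups) or _has_wildcard(target)):
            return True
    return False

def broad_policies(policies):
    """Indexes of policies that let their proxies impersonate any user."""
    return [i for i, p in enumerate(policies)
            if _has_wildcard(p.get("target_principals", {}))]

if __name__ == "__main__":
    print(can_impersonate(SAMPLE_POLICIES, "svc_bi", [], "alice", []))
    print(can_impersonate(SAMPLE_POLICIES, "svc_bi", [], "root", []))
    print("wildcard targets in policies:", broad_policies(SAMPLE_POLICIES))
```

Policies reported by broad_policies are the ones to review first, because any connection user matching their proxy side can act as every other user.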

Views and File ACEs

In addition to the listed security features, you can create views on data to limit access to the data. You can also create file ACEs on the view definition files to protect the views.