Configuring SSO with OpenID (Drill)

Describes the procedure to configure SSO with OpenID in Drill.

SSO with OpenID Configuration in Drill

Starting from EEP 9.4.0, Drill supports a new Web-UI authentication method – OpenID.

OpenID Options

The following options are used to configure OpenID authentication:
  • drill.exec.http.auth.oidc.provider.endpoint
    Possible values: Any string
    Description: The URL of the OpenID provider, for example: https://node1.cluster.com:6443
  • drill.exec.http.auth.oidc.client.id
    Possible values: Any string
    Description: OAuth 2.0 Client Identifier valid at the Authorization Server
  • drill.exec.http.auth.oidc.client.secret
    Possible values: Any string
    Description: The client secret known only by the Client and the Authorization Server
  • drill.exec.http.auth.oidc.claim.identifying.user
    Possible values: Any string
    Description: Claim that identifies the authenticated user. Default value: sub
  • drill.exec.http.auth.oidc.useMapRConfig
    Possible values: boolean
    Description: Use the cluster-level SSO parameters. If set to true, none of the above options is required; Drill configures OpenID authentication automatically. Default value: false

Enable OpenID Authentication

OpenID authentication is enabled by setting the drill.exec.http.auth.mechanisms option to ["OPENID"] as follows:
IMPORTANT: The value is case-sensitive.
  • Set the value to ["OPENID"], for example:
    drill.exec.http.auth.mechanisms: ["OPENID"]
    Or
  • You can set multiple authentication methods, for example:
    drill.exec.http.auth.mechanisms: ["OPENID", "FORM"]

Automatic configuration of SSO with OpenID

  • If you have set or reset any cluster-level SSO parameters, run configure.sh -R.

    The configure.sh script verifies whether the cluster SSO is set or reset, and configures Drill Web-UI security accordingly in drill-distrib.conf by setting the drill.exec.http.auth.mechanisms and drill.exec.http.auth.oidc.useMapRConfig options. See Drill Properties for details on drill-distrib.conf options.

  • If you have only changed the cluster-level SSO parameters, restart Drill. This is sufficient to apply the new values.

Manually Enable the SSO with OpenID

To manually configure SSO with OpenID in Drill, set drill.exec.http.auth.oidc.useMapRConfig to false in drill-override.conf. This makes Drill use the following boot options instead of the cluster-level SSO parameters:
  • drill.exec.http.auth.oidc.provider.endpoint
  • drill.exec.http.auth.oidc.client.id
  • drill.exec.http.auth.oidc.client.secret
  • drill.exec.http.auth.oidc.claim.identifying.user
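
A check to run before restarting Drill, covering the manual options above and the case-sensitive mechanism value. This is an added example, not part of the original documentation or of Drill itself. It assumes the options are written as flat dotted key: value lines as shown on this page (it is not a full HOCON parser); parse_flat_conf, check_openid and the sample values are hypothetical.

```python
import json
import re

MECH = "drill.exec.http.auth.mechanisms"
OIDC = "drill.exec.http.auth.oidc."
MANUAL_REQUIRED = ("provider.endpoint", "client.id", "client.secret")

def parse_flat_conf(text):
    """Parse flat 'dotted.key: value' or 'dotted.key = value' lines (not full HOCON)."""
    conf = {}
    for raw in text.splitlines():
        m = re.match(r'^\s*([\w.]+)\s*[:=]\s*(.+?)\s*,?\s*$', raw)
        if not m:
            continue  # blank lines, comments and nested blocks are skipped
        try:
            conf[m.group(1)] = json.loads(m.group(2))  # lists, quoted strings, booleans
        except json.JSONDecodeError:
            conf[m.group(1)] = m.group(2)              # unquoted string
    return conf

def check_openid(conf):
    """Return findings for the OpenID settings; an empty list means nothing to fix."""
    findings = []
    mechanisms = conf.get(MECH, [])
    if not isinstance(mechanisms, list):
        mechanisms = [mechanisms]
    for mech in mechanisms:
        if mech != "OPENID" and str(mech).upper() == "OPENID":
            findings.append(f'{MECH}: "{mech}" must be written "OPENID" (case-sensitive)')
    if "OPENID" not in mechanisms:
        return findings                      # OpenID is not enabled
    if str(conf.get(OIDC + "useMapRConfig", False)).lower() == "true":
        return findings                      # cluster-level SSO parameters are used
    for opt in MANUAL_REQUIRED:
        if not conf.get(OIDC + opt):
            findings.append(f"{OIDC}{opt} is required when useMapRConfig is false")
    return findings

# Constructed sample, not a real cluster's configuration.
SAMPLE = """
drill.exec.http.auth.mechanisms: ["OpenID", "FORM"]
drill.exec.http.auth.oidc.useMapRConfig: false
drill.exec.http.auth.oidc.provider.endpoint: "https://node1.cluster.com:6443"
drill.exec.http.auth.oidc.client.id: "drill-web"
"""

if __name__ == "__main__":
    for finding in check_openid(parse_flat_conf(SAMPLE)):
        print("FINDING:", finding)
```

The sample first fails on the mechanism's case; once that is corrected, the same file is reported for the missing client secret.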

Manually Disable SSO with OpenID

To disable SSO with OpenID in Drill, set the drill.exec.http.auth.mechanisms option in drill-override.conf to a value that does not include OPENID. For example, to enable only form-based authentication, use:
drill.exec.http.auth.mechanisms: ["FORM"]

Authorization

The authorization process remains the same as for other authentication methods. For details, see Setting up Web UI Administrators and Administrator-User Groups.

Troubleshooting

Issue: SSO button is inactive with auto-configuration

Ensure the cluster-level SSO parameters are set and can be retrieved with the maprcli cluster getssoconf command.