Configuring Drill-on-Yarn on a Secure Cluster

Describes how to enable SASL for Drill and SQLLine to run Drill-on-YARN in a secure cluster.

About this task

Update the drill_home/conf/distrib-env.sh file with the required options. If you use --site, then use your site directory.

The following options are requried for Drill and SQLLine to work with SASL security:

-Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory 
-Dzookeeper.sasl.client=true 
-Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf
-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider
-Dhadoop.login=hybrid_keytab
The following sections describe how to update the drill_home/conf/distrib-env.sh file with the options to ensure that Drill and SQLLine work with SASL for security.
Drill
To make Drill work with SASL, set DRILL_JAVA_OPTS as shown:
export DRILL_JAVA_OPTS="${DRILL_JAVA_OPTS} -Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dhadoop.login=hybrid_keytab"

SQLLine
To make SQLLine work with SASL, set SQLLINE_JAVA_OPTS as shown:
export SQLLINE_JAVA_OPTS="${SQLLINE_JAVA_OPTS} -Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider"

TIP
The following table describes each of the options:
Option Description
drill.customAuthFactories Required to make Drill and SQLLine work with SASL. It points to the authentication factories used for authentication. Provides a full classpath to the SASL implementation.
zookeeper.sasl.client Required to make Drill and SQLLine work with Zookeeper in a SASL-enabled environment and ZooKeeper client authentication. It enables or disables SASL authentication in Drill and SQLLine for ZooKeeper connections.
zookeeper.saslprovider Required to make Drill and SQLLine work with ZooKeeper in a SASL-enabled environement and ZooKeeper client authentication. It points to the authentication factories used for authentication in Drill and SQLLine for ZooKeeper connections. Provides a full classpath to the SASL implementation.
java.security.auth.login.config Required to make Drill and SQLLine work with security. It points to a file with JAAS configurations. In the HPE environment it is /opt/mapr/conf/mapr.login.conf.
hadoop.login=hybrid_keytab Required to make Drill work with SASL security. It points to the required JAAS configuration name.