Configuring Authentication and Encryption

To enable authentication and encryption, you must create a Kerberos principal identity and a keytab file. You add the principal and keytab file to <DRILLINSTALL_HOME>/conf/drill-override.conf with the specified configuration parameters. In addition, you can configure a mapping from a Kerberos principal to a Drill user account. This mapping is used by a Drillbit to convert an authenticated client principal to a corresponding Kerberos short name, which is used to determine administrator privileges for the client principal. After you complete the configuration steps, restart the Drillbit.

To enable authentication and encyption using the Kerberos mechanism, configure the following Kerberos-specific parameters in drill-override.conf:

NOTE

Only Drill 1.11 and later supports encryption.

NOTE

For client-side configuration, see Drill Drivers.

Parameters	Communication Path	Description	Default
drill.exec.security.auth.principal	Drill client (ODBC/JDBC) to Drillbit	String representation of the Kerberos principal used by the Drillbit service.	N/A
drill.exec.security.auth.keytab	Drill client (ODBC/JDBC) to Drillbit	Location of the keytab file for the configured Drillbit service principal. NOTE The Kerberos keytab file that contains the encrypted key for the Drillbit service principal. The file should be readable by the Drillbit process user.	N/A
drill.exec.security.auth.auth_to_local	Drill client (ODBC/JDBC) to Drillbit	Custom rules to convert the Kerberos principal to the Kerberos short name. NOTE Drill uses a Hadoop Kerberos name and rules to transform the Kerberos principal provided by client to the one it will use internally as the client’s identity. This client identity is used to determine administrator privileges. See Mapping from Kerberos Principal to OS user account in the Hadoop in Secure Mode documentation for details about how the rule works.	The primary name of the Kerberos principal. By default, this mapping rule extracts the first part from the provided principal. For example, if the principal format is `<Name1>/<Name2>@realm`, the default rule extracts only `Name1` from the principal and `Name1` as the client’s identity on server side.
drill.exec.security.user.encryption.sasl.enabled	Drill client (ODBC/JDBC) to Drillbit	Enables/disables encryption for the communication path between the Drill client and Drillbit.	false
drill.exec.security.bit.auth.use_login_principal	Drilbit to Drillbit	When set to true, the Drillbit uses the same logged in service principal configured with drill.exec.security.auth.principal for the Drillbit to Drillbit communication paths. When this parameter is set to false, a principal is constructed using the hostname from ZooKeeper for the remote Drillbit and keeping the primary and realm information the same as the logged in principal set by drill.exec.security.auth.principal .	false
drill.exec.security.bit.encryption.sasl.enabled	Drillbit to Drillbit	Enables/disables encryption for the communication path between the Drillbits.	false

Steps to Enable Kerberos Authentication and Encryption

Complete the following steps to enable Drill to use Kerberos for authentication and encryption:

Create a Kerberos principal identity and a keytab file. You can create one principal for each Drill node or one principal for all Drillb nodes in a cluster.
For one principal per Drill node in the cluster:
```
    # kadmin  
    : addprinc -randkey <username>/<FQDN>@<REALM>.COM  
    : ktadd -k /opt/mapr/conf/drill.keytab <username>/<FQDN>@<REALM>.COM  
```
For one principal for all Drill nodes in the cluster:
Use <clustername> instead of <FQDN>:
```
    # kadmin  
    : addprinc -randkey <username>/<clustername>@<REALM>.COM  
    : ktadd -k /opt/mapr/conf/drill.keytab <username>/<clustername>@<REALM>.COM
```
IMPORTANT
When creating the Kerberos principal identity and keytab file, note the following requirements:
- The administrator must own the drill.keytab file and have the ability to read the file.
- The instance name must be lowercase. If _HOST is set as the instance name in the principal, it is replaced with the fully qualified domain name of that host for the instance name. For example, if Drill running on host01.aws.labuses drill/_HOST@<EXAMPLE>.COM as the principal, the canonicalized principal is drill/host01.aws.lab@<EXAMPLE>.COM.
- When Drill runs on a secure cluster (maprsasl enabled), the username in the Drill service principal must correspond with the user running the Drill process. By default, the user is mapr:
```
mapr/_HOST@<EXAMPLE>.COM
```

Add the Kerberos principal identity, keytab file, and parameters specific to Kerberos to the drill-override.conf file. You can use the following configuration examples for enabling authentication, encryption, or both between the Drill client and Drillbit and between Drillbits.

Example 1: Enabling Kerberos Authentication Between the Drill Client and Drillbit

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {  
                user.auth.enabled:true,  
                auth.mechanisms:["KERBEROS"],  
                auth.principal:"drill/<clustername>@<REALM>.COM",  
                auth.keytab:"/etc/drill/conf/drill.keytab"  
              }   
        }

Example 2: Enabling Kerberos Authentication and Encryption Between the Drill Client and Drillbit

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {  
                user.auth.enabled:true,  
                auth.mechanisms:["KERBEROS"],  
                auth.principal:"drill/<clustername>@<REALM>.COM",  
                auth.keytab:"/etc/drill/conf/drill.keytab",
             user.encryption.sasl.enabled: true
              }
            }   
        }

Example 3: Enabling Kerberos Authentication Between Drill Client and Drillbits and Between Drillbits

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {  
                user.auth.enabled:true,  
                auth.mechanisms:["KERBEROS"],  
                auth.principal:"drill/<clustername>@<REALM>.COM",  
                auth.keytab:"/etc/drill/conf/drill.keytab"  
              }  
        security.bit: {
                auth.enabled: true,
                auth.mechanism: "Kerberos",
                auth.use_login_principal: true      
               }   
        }

Example 4: Enabling Kerberos Authentication and Encryption Between Drill Client and Drillbits and Between Drillbits

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {  
                user.auth.enabled:true,  
                auth.mechanisms:["KERBEROS"],  
                auth.principal:"drill/<clustername>@<REALM>.COM",  
                auth.keytab:"/etc/drill/conf/drill.keytab", 
                user.encryption.sasl.enabled: true 
              }  
        security.bit: {
                auth.enabled: true,
                auth.mechanism: "Kerberos",
                auth.use_login_principal: true,
                encryption.sasl.enabled: true    
               }   
        }

NOTE

In examples 3 and 4 above, the Drillbit will use the same logged in service principal as configured in drill.exec.security.auth.principal.

Example 5: Enabling Kerberos Authentication and Encryption Between Drill Client and Drillbits and Between Drillbits. For Drillbit to Drillbit authentication, where the service principal is created using the hostname from ZooKeeper for a remote Drillbit as an instance name. The primary and the realm component of the service principal is used from the drill.exec.security.auth.principal parameter.

      drill.exec: {
        cluster-id: "drillbits1",
        zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
        impersonation: {
          enabled: true,
          max_chained_user_hops: 3
        },
        security: {  
                user.auth.enabled:true,  
                auth.mechanisms:["KERBEROS"],  
                auth.principal:"drill/<clustername>@<REALM>.COM",  
                auth.keytab:"/etc/drill/conf/drill.keytab", 
                user.encryption.sasl.enabled: true 
              }  
        security.bit: {
                auth.enabled: true,
                auth.mechanism: "Kerberos",
                encryption.sasl.enabled: true    
               }   
        }

NOTE

For the configuration in example 5, if the hostname of the remote Drillbit known to ZooKeeper is host01.aws.lab, then the service principal used by a Drillbit to authenticate with the remote Drillbit will be drill/host01.aws.lab@<REALM>.COM.

Restart the Drillbit process on each Drill node.

$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0