Configuring Authentication

An administrator can enable Default Security as the only authentication mechanism, or in addition to other mechanisms, such as Kerberos and Plain authentication, in drill-override.conf.

NOTE: When Drill is installed on the HPE Ezmeral Data Fabric, Drill distribution defaults are stored in the drill-distrib.conf file. To override the defaults, you must explicitly disable them in the drill-override.conf file.

NOTE: For client-side configuration, see Drill Drivers.

Example 1: Drill Client to Drillbit Authentication using Default Security Only

    drill.exec:{
      security: {
        user.auth.enabled: true,
        auth.mechanisms : ["MAPRSASL"]
      }
    }

NOTE: Drill executes all queries as a service or process user when impersonation is disabled.

Example 2: Drill Client to Drillbit Authentication with User Impersonation using Default

    drill.exec:{
      security: {
        user.auth.enabled: true,
        auth.mechanisms : ["MAPRSASL"]
      },
      impersonation: {
        enabled: true,
        max_chained_user_hops: 3
      }
    }

NOTE: Drill executes all queries as the authenticated (ticket) user when impersonation is enabled. The client to Drillbit communication path will not be encrypted.

Example 3: Drill Client to Drillbit using Multiple Authentication Mechanisms

    drill.exec:{
      security: {
        user.auth.enabled: true,
        user.auth.impl: "pam4j",
        security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
        user.auth.pam_profiles: ["sudo", "login", "mapr-admin"],
        auth.mechanisms : ["MAPRSASL", "KERBEROS", "PLAIN"],
        auth.principal : "mapr/_host@REALM.COM",
        auth.keytab : "/opt/mapr/conf/mapr.keytab"
      },
      impersonation: {
        enabled: true,
        max_chained_user_hops: 3
      }
    }

Example 4: Drillbit to Drillbit Authentication using Default Security

    drill.exec:{
      security: {
        auth.mechanisms : ["MAPRSASL"],
        bit.auth.enabled : true
        bit.auth.mechanism : "MAPRSASL"
      }
    }

Example 5: Drill Client to Drillbit and Drillbit to Drillbit Authentication using Default Security

    drill.exec {
      security: {
        user.auth.enabled: true,
        auth.mechanisms : ["MAPRSASL"],
        bit.auth.enabled : true,
        bit.auth.mechanism : "MAPRSASL"
      },
      impersonation: {
        enabled: true,
        max_chained_user_hops: 3
      }
    }
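
A reviewer can check a drill-override.conf against the settings shown in Examples 1 to 5 with a short script; the following is an added example, not part of the original page or of Drill itself. It assumes keys are spelled as in the examples, scans with regular expressions rather than a full HOCON parser, does not merge drill-distrib.conf defaults (an absent key is reported as not enabled), and takes the "bit.auth.mechanism should appear in auth.mechanisms" check from the pattern in Examples 4 and 5; the function names and finding codes are hypothetical.

```python
import re

# Constructed sample (not from the page): client auth is on, PLAIN is offered,
# and neither Drillbit-to-Drillbit auth nor impersonation is configured.
SAMPLE = """
drill.exec: {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL", "PLAIN"]
  }
}
"""

# A value is a [...] list, a quoted string, or a bare token such as true/3.
VALUE = r'\s*[:=]\s*(\[[^\]]*\]|"[^"]*"|[^,\s}]+)'

def setting(conf, key):
    """Raw value text of a key as spelled in the examples, or None if absent."""
    m = re.search(r'(?<!\w)' + re.escape(key) + VALUE, conf)
    return m.group(1).strip('"') if m else None

def audit(conf):
    """Return (code, message) findings for the text of a drill-override.conf."""
    conf = re.sub(r'(?m)^\s*(#|//).*$', '', conf)  # drop whole-line comments
    mechs = re.findall(r'"([^"]+)"', setting(conf, 'auth.mechanisms') or '')
    imp = re.search(
        r'impersonation\s*[:=]?\s*\{[^}]*?(?<![\w.])enabled\s*[:=]\s*(\w+)', conf)
    findings = []
    if setting(conf, 'user.auth.enabled') != 'true':
        findings.append(('USER_AUTH_OFF', 'client-to-Drillbit authentication is not enabled'))
    if setting(conf, 'bit.auth.enabled') != 'true':
        findings.append(('BIT_AUTH_OFF', 'Drillbit-to-Drillbit authentication is not enabled'))
    elif setting(conf, 'bit.auth.mechanism') not in mechs:
        findings.append(('BIT_MECH_UNLISTED', 'bit.auth.mechanism is not in auth.mechanisms'))
    if 'PLAIN' in mechs:
        findings.append(('PLAIN_OFFERED', 'PLAIN sends the password itself; needs an encrypted path'))
    if not imp or imp.group(1) != 'true':
        findings.append(('NO_IMPERSONATION', 'queries run as the Drillbit service user'))
    return findings

if __name__ == '__main__':
    for code, msg in audit(SAMPLE):
        print(f'{code}: {msg}')
```
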