Configuring Encryption
An administrator can enable encryption with Default Security (tickets).
NOTE
When the sasl_encrypt (for JDBC) or EnforceSaslEncrypt (for ODBC) connection parameter is set to "true" or 1, the Drill client only accepts encrypted connections. If the client tries connecting to a Drillbit with encryption disabled, the connection fails.
NOTE
For client-side configuration, see Drill Drivers.
Set the encryption options to "true" in /opt/mapr/drill/drill-<version>/conf/drill-override.conf.
The following table lists the encryption configuration options with their descriptions and default values:
NOTE
If you installed Drill on a cluster that was installed with the default security configuration, the following options are set to "true" by default.
Option | Description | Default |
drill.exec.security.user.encryption.sasl.enabled | Determines if encryption on the server is enabled for negotiating privacy with the Drill client. | false |
drill.exec.security.bit.encryption.sasl.enabled | Determines if the server is enabled for negotiating privacy with another Drillbit. | false |
The following sections provide configuration examples for Drill client to Drillbit encryption and Drillbit to Drillbit encryption.
Example 1: Drill Client to Drillbit Connection with Default Security Authentication and Encryption
In the following server configuration, the Drill client connection to the Drillbit is encrypted using the Default Security mechanism when the client is running with encryption support.
NOTE
Drill clients running Drill 1.10 and earlier cannot connect to the Drillbit through Default Security with encryption enabled.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL"]
    user.encryption.sasl.enabled : true
  }
}
NOTE
Drill executes all queries as a service or process user when impersonation is disabled.
Example 2: Drillbit to Drillbit Connection with Default Security Authentication and Encryption
The following configuration authenticates and encrypts the path between Drillbits using the Default Security mechanism.
drill.exec {
  security: {
    auth.mechanisms : ["MAPRSASL"],
    bit.auth.enabled : true
    bit.auth.mechanism : "MAPRSASL"
    bit.encryption.sasl.enabled : true
  }
}
Example 3: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption
The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL"],
    user.encryption.sasl.enabled : true
    bit.auth.enabled : true
    bit.auth.mechanism : "MAPRSASL"
    bit.encryption.sasl.enabled : true
  }
}
NOTE
Drill executes all queries as a service or process user when impersonation is disabled.
Example 4: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption and Impersonation Enabled
The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL"],
    user.encryption.sasl.enabled : true
    bit.auth.enabled : true
    bit.auth.mechanism : "MAPRSASL"
    bit.encryption.sasl.enabled : true
  },
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  }
}
NOTE
Drill executes all queries as the authenticated (ticket) user when impersonation is enabled.
Example 5: Drill Client to Drillbit Authentication and Encryption Enabled using Multiple Mechanisms and Drillbit to Drillbit Authentication using Default Security
The following configuration authenticates and encrypts the connection between the Drill client and Drillbit using multiple authentication mechanisms, and also authenticates and encrypts the connection between Drillbits using the Default Security mechanism.
NOTE
Plain authentication is not supported in this configuration.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL", "KERBEROS"],
    auth.principal : "mapr/_host@REALM.COM",
    auth.keytab : "/opt/mapr/conf/mapr.keytab",
    user.encryption.sasl.enabled : true,
    bit.auth.enabled : true,
    bit.auth.mechanism : "MAPRSASL",
    bit.encryption.sasl.enabled : true
  }
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  }
}
NOTE
Drill executes all queries as a service or process user when impersonation is disabled.
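The following Python check is an added example, not part of the original documentation or of Drill: it flattens a drill-override.conf written in the style of the examples above and reports which of the two encryption options from the table is not set to "true". The function names, the sample text and the check that the matching auth.enabled option accompanies each encryption option (as it does in every example on this page) are assumptions made for illustration.

```python
import re

# The two options from the table above; each is false unless set.
ENCRYPTION_OPTIONS = {
    "drill.exec.security.user.encryption.sasl.enabled": "client-to-Drillbit",
    "drill.exec.security.bit.encryption.sasl.enabled": "Drillbit-to-Drillbit",
}

def flatten(text):
    """Flatten the HOCON subset used in the examples into dotted keys."""
    path, flat = [], {}
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        if not line or line.startswith(("#", "//")):
            continue
        if line.startswith("}"):
            del path[-1:]  # leave the current block
            continue
        m = re.match(r'"?([\w.]+)"?\s*[:=]?\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == "{":
            path.append(key)  # entering a nested block
        else:
            flat[".".join(path + [key])] = value.strip('"')
    return flat

def audit(text):
    """List channels left unencrypted, or encrypted without matching auth."""
    flat, findings = flatten(text), []
    on = lambda k: flat.get(k, "false").lower() == "true"
    for option, channel in ENCRYPTION_OPTIONS.items():
        auth = option.replace("encryption.sasl.enabled", "auth.enabled")
        if not on(option):
            findings.append(f"{channel}: {option} is not true")
        elif not on(auth):  # assumption: the page's examples always pair these
            findings.append(f"{channel}: {auth} is not true")
    return findings

SAMPLE = """drill.exec {
  security: {
    user.auth.enabled: true,
    user.encryption.sasl.enabled : true
  }
}"""  # constructed sample mirroring Example 1 (client channel only)

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Run against the sample, it reports only the Drillbit-to-Drillbit channel, which Example 1 leaves at its default.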