Configuring Encryption

An administrator can enable encryption with Default Security (tickets).

NOTE
When the sasl_encrypt (for JDBC) or EnforceSaslEncrypt (for ODBC) connection parameter is set to "true" or 1, the Drill client only accepts encrypted connections. If the client tries connecting to a Drillbit with encryption disabled, the connection fails.
NOTE
For client-side configuration, see Drill Drivers.

Set the encryption options to "true" in /opt/mapr/drill/drill-<version>/conf/drill-override.conf.

The following table lists the encryption configuration options with their descriptions and default values:
NOTE
If you installed Drill on a cluster that was installed with the default security configuration, the following options are set to "true" by default.
| Option | Description | Default |
| --- | --- | --- |
| drill.exec.security.user.encryption.sasl.enabled | Determines if encryption on the server is enabled for negotiating privacy with the Drill client. | false |
| drill.exec.security.bit.encryption.sasl.enabled | Determines if the server is enabled for negotiating privacy with another Drillbit. | false |

The following sections provide configuration examples for Drill client to Drillbit encryption and Drillbit to Drillbit encryption.

Example 1: Drill Client to Drillbit Connection with Default Security Authentication and Encryption

In the following server configuration, the Drill client connection to the Drillbit is encrypted using the Default Security mechanism when the client is running with encryption support.
NOTE
Drill clients running Drill 1.10 and earlier cannot connect to the Drillbit through Default Security with encryption enabled.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["MAPRSASL"],
    user.encryption.sasl.enabled: true
  }
}
NOTE
Drill executes all queries as a service or process user when impersonation is disabled.

Example 2: Drillbit to Drillbit Connection with Default Security Authentication and Encryption

The following configuration authenticates and encrypts the path between Drillbits using the Default Security mechanism.
drill.exec {
  security: {
    auth.mechanisms: ["MAPRSASL"],
    bit.auth.enabled: true,
    bit.auth.mechanism: "MAPRSASL",
    bit.encryption.sasl.enabled: true
  }
}

Example 3: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption

The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["MAPRSASL"],
    user.encryption.sasl.enabled: true,

    bit.auth.enabled: true,
    bit.auth.mechanism: "MAPRSASL",
    bit.encryption.sasl.enabled: true
  }
}
NOTE
Drill executes all queries as a service or process user when impersonation is disabled.

Example 4: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption and Impersonation Enabled

The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism, with impersonation enabled.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["MAPRSASL"],
    user.encryption.sasl.enabled: true,

    bit.auth.enabled: true,
    bit.auth.mechanism: "MAPRSASL",
    bit.encryption.sasl.enabled: true
  },
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  }
}
NOTE
Drill executes all queries as the authenticated (ticket) user when impersonation is enabled.

Example 5: Drill Client to Drillbit Authentication and Encryption Enabled using Multiple Mechanisms and Drillbit to Drillbit Authentication using Default Security

The following configuration authenticates and encrypts the connection between the Drill client and Drillbit using multiple authentication mechanisms, and also authenticates and encrypts the connection between Drillbits using the Default Security mechanism.
NOTE
Plain authentication is not supported in this configuration.
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["MAPRSASL", "KERBEROS"],
    auth.principal: "mapr/_host@REALM.COM",
    auth.keytab: "/opt/mapr/conf/mapr.keytab",
    user.encryption.sasl.enabled: true,
    bit.auth.enabled: true,
    bit.auth.mechanism: "MAPRSASL",
    bit.encryption.sasl.enabled: true
  },
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  }
}

NOTE
Drill executes all queries as a service or process user when impersonation is disabled.
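
To check that a deployed drill-override.conf enables authentication and encryption on both paths covered by the examples above, the following added example (not part of the original page or of Drill itself) flattens the file and reports what is missing. The function names are hypothetical, the parser handles only the HOCON subset shown on this page, and the sample input is constructed from Example 1.

```python
import re

# Constructed sample: the client-only setup from Example 1 (no Drillbit-to-Drillbit keys).
SAMPLE = """
drill.exec {
  security: {
    user.auth.enabled: true,
    auth.mechanisms : ["MAPRSASL"]
    user.encryption.sasl.enabled : true
  }
}
"""

def parse_value(raw):
    if raw.startswith("["):
        return re.findall(r'"([^"]*)"', raw)   # array of quoted strings
    if raw in ("true", "false"):
        return raw == "true"
    return raw.strip('"')

def flatten(text):
    """Flatten the HOCON subset used on this page into {dotted.key: value}."""
    stack, flat = [], {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(",").strip()
        if line == "}":
            stack.pop()
        elif m := re.fullmatch(r"([\w.]+)\s*[:=]?\s*\{", line):
            stack.append(m.group(1))
        elif m := re.fullmatch(r"([\w.]+)\s*[:=]\s*(.+)", line):
            flat[".".join(stack + [m.group(1)])] = parse_value(m.group(2))
    return flat

def audit(text):
    """Return findings for paths that are not both authenticated and encrypted."""
    cfg, sec, findings = flatten(text), "drill.exec.security.", []
    for key, label in (("user", "client-to-Drillbit"), ("bit", "Drillbit-to-Drillbit")):
        # Assumption: an unset key counts as false (the table's default for encryption).
        if cfg.get(f"{sec}{key}.encryption.sasl.enabled") is not True:
            findings.append(f"{label}: encryption not enabled")
        elif cfg.get(f"{sec}{key}.auth.enabled") is not True:
            findings.append(f"{label}: encryption set but {key}.auth.enabled is not true")
    mechs = [m.upper() for m in cfg.get(sec + "auth.mechanisms", [])]
    if "PLAIN" in mechs and cfg.get(sec + "user.encryption.sasl.enabled") is True:
        findings.append("client-to-Drillbit: PLAIN listed alongside encryption")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE) or "both paths authenticated and encrypted")
```

On a cluster installed with the default security configuration the file may omit these keys while they are still set to "true", so treat a finding on such a cluster as a prompt to confirm the effective value.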