Configuring Encryption

An administrator can enable encryption with Default Security (tickets).

NOTE

When the sasl_encrypt (for JDBC) or EnforceSaslEncrypt (for ODBC) connection parameter is set to "true" or 1, the Drill client only accepts encrypted connections. If the client tries connecting to a Drillbit with encryption disabled, the connection fails.

NOTE

For client-side configuration, see Drill Drivers.

Set the encryption options to "true" in /opt/mapr/drill/drill-<version>/conf/drill-override.conf.

The following table lists the encryption configuration options with their descriptions and default values:

NOTE

If you installed Drill on a cluster that was installed with the default security configuration, the following options are set to "true" by default.

Option	Description	Default
drill.exec.security.user.encryption.sasl.enabled	Determines if encryption on the server is enabled for negotiating privacy with the Drill client.	false
drill.exec.security.bit.encryption.sasl.enabled	Determines if the server is enabled for negotiating privacy with another Drillbit.	false

The following sections provide configuration examples for Drill client to Drillbit encryption and Drillbit to Drillbit encryption.

Example 1: Drill Client to Drillbit Connection with Default Security Authentication and Encryption

In the following server configuration, the Drill client connection to the Drillbit is encrypted using the Default Security mechanism when the client is running with encryption support.

NOTE

Drill clients running Drill 1.10 and earlier cannot connect to the Drillbit through Default Security with encryption enabled.

drill.exec {
            security: {
                user.auth.enabled: true,
                auth.mechanisms : ["MAPRSASL"]  
                user.encryption.sasl.enabled : true
                    }
                }

NOTE

Drill executes all queries as a service or process user when impersonation is disabled.

Example 2: Drillbit to Drillbit Connection with Default Security Authentication and Encryption

The following configuration authenticates and encrypts the path between Drillbits using the Default Security mechanism.

drill.exec {
              security: {
                  auth.mechanisms : ["MAPRSASL"],
                  bit.auth.enabled : true
                  bit.auth.mechanisms : "MAPRSASL"		
                  bit.encryption.sasl.enabled : true
        }    
}

Example 3: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption

The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism.

drill.exec {
              security: {
                 user.auth.enabled: true,
                 auth.mechanisms : ["MAPRSASL"],
                 user.encryption.sasl.enabled : true

                 bit.auth.enabled : true
                 bit.auth.mechanism : "MAPRSASL"		
                 bit.encryption.sasl.enabled : true
                    }
                }

NOTE

Drill executes all queries as a service or process user when impersonation is disabled.

Example 4: Drill Client to Drillbit and Drillbit to Drillbit Connection with Default Security Authentication and Encryption and Impersonation Enabled

The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the Default Security mechanism.

drill.exec {
              security: {
                 user.auth.enabled: true,
                 auth.mechanisms : ["MAPRSASL"],
                 user.encryption.sasl.enabled : true

                 bit.auth.enabled : true
                 bit.auth.mechanism : "MAPRSASL"		
                 bit.encryption.sasl.enabled : true
                    },
            impersonation: {
                   enabled: true,
                   max_chained_user_hops: 3
              }  
          }

NOTE

Drill executes all queries as the authenticated (ticket) user when impersonation is enabled.

Example 5: Drill Client to Drillbit Authentication and Encryption Enabled using Multiple Mechanisms and Drillbit to Drillbit Authentication using Default Security

The following configuration authenticates and encrypts the connection between the Drill client and Drillbit using multiple authentication mechanisms, and also authenticates and encrypts the connection between Drillbits using the Default security mechanism.

NOTE

Plain authentication not supported in this configuration.

drill.exec {
              security: {
                  user.auth.enabled: true,
                  auth.mechanisms : ["MAPRSASL", "KERBEROS"],
                  auth.principal : "mapr/_host@REALM.COM",
                  auth.keytab : "/opt/mapr/conf/mapr.keytab",
                  user.encryption.sasl.enabled : true,
                  bit.auth.enabled : true,
                  bit.auth.mechanism : "MAPRSASL",	
                  bit.encryption.sasl.enabled : true
                      }     
              impersonation: {
                  enabled: true,
                  max_chained_user_hops: 3
              }   
           }

NOTE

Drill executes all queries as a service or process user when impersonation is disabled.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0