Drill Default Security
The default security configuration uses MapR-SASL (tickets) for authentication, authorization, and encryption to automatically secure the cluster and ecosystem components when you install them manually or using the Installer.
The default security configuration automatically secures all Drill communication paths with the following exceptions:
- The path between the web client and web server (W) uses SSL/TLS with form-based authentication.
- The path between the ODBC/JDBC client and ZooKeeper (Zn, Zo) is not secured.
The following diagram shows the secured communication paths:
The following table describes the security support for each communication path in the diagram, along with the components involved in the communication:
| Type of Security Supported | Communication Path | Component Communication |
| --- | --- | --- |
| Authentication and encryption using MapR-SASL (tickets) | C | ODBC client/C++ API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | J | JDBC client/Java API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | D1, D2, Dn | Drillbit to Drillbit |
| Authentication and encryption using MapR-SASL (tickets) | M | Drillbit to HPE Ezmeral Data Fabric Database/file system |
| Authentication and encryption using MapR-SASL (tickets) | H | Drillbit to Hive. NOTE: The Hive storage plugin is not secured by default and requires that you manually modify the configuration to enable security. See Configuring the Hive Storage Plugin. |
| Plain authentication with SSL encryption (HTTPS enabled) | W | Web client/Web API to Web server. NOTE: The HTTPS channel (Web client) uses Plain authentication to authenticate a Web client with SSL/TLS for encryption. This is configured by default in a secure 6.x cluster with Drill 1.11 or later installed. Plain authentication does not support encryption. You must enable SSL to encrypt the communication channels when using Plain authentication. See Configuring Drill Web UI and Web API Security. |
| Authentication with security (no encryption) | Zj | Drillbit to ZooKeeper. NOTE: The Drillbit creates znodes, for which ZooKeeper Access Control Lists (ACLs) provide security. See Security Between ZooKeeper and Drillbits for more information. |
| No security support | Zo, Zn | ODBC/JDBC client to ZooKeeper. NOTE: Only znodes created for Drillbit endpoints in ZooKeeper are readable by the client. All other znodes (not required by the client) are secured using ZooKeeper ACLs, and are only readable by Drillbits. |
Note the following information:
- Kerberos and Plain authentication are not enabled or configured as part of the default security configuration. However, you can manually configure these security mechanisms in addition to the defaults. If you enable Plain authentication, you must use SSL/TLS for encryption.
- Drill clients running Drill 1.10 and earlier do not support encryption and cannot connect to Drillbits installed with the default security configuration.
Connecting Drill
Additional Notes
- Performance
  The default security configuration enables encryption for all network channels, which can affect Drill performance. If performance is your highest priority, install the data-fabric and Drill without security enabled and have your security expert manually configure cluster security. Alternatively, you can install the data-fabric and Drill with security enabled, and then disable individual Drill security settings. For example, you can edit the drill-override.conf file and disable encryption, leaving authentication enabled.
  NOTE: Manually configuring security settings when default security is enabled is not recommended.
- Drill Configuration Files
  The default security configuration introduces new Drill configuration files. In addition to drill-override.conf, distrib-env.sh, and drill-env.sh, Drill includes a drill-distrib.conf file. See Drill Configuration Files for more information. Note that modifying drill distribution-specific files is highly discouraged. To customize any Drill configuration, use drill-override.conf and drill-env.sh.
- HBase
  As of Core 6.0 and Drill 1.11, HBase is no longer supported; therefore, the communication path between Drill and HBase is also not supported.
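The following is an added example, not part of the original documentation: a Python check for the two conditions described above, namely that Plain authentication requires SSL/TLS and that disabling encryption in drill-override.conf leaves a channel authenticated but unencrypted. The option names are Apache Drill configuration keys that do not appear on this page, and the sample settings are constructed and assumed to be the merged, effective configuration written as dotted keys.

```python
import re

# Constructed sample: effective Drill settings as dotted keys (assumption).
SAMPLE_CONF = """
drill.exec.security.auth.mechanisms: ["MAPRSASL", "PLAIN"]
drill.exec.security.user.auth.enabled: true
drill.exec.security.user.encryption.sasl.enabled: false
drill.exec.security.user.encryption.ssl.enabled: false
drill.exec.security.bit.auth.enabled: true
drill.exec.security.bit.encryption.sasl.enabled: true
drill.exec.http.ssl_enabled: true
"""

def parse_flat(text):
    """Parse 'a.b.c: value' / 'a.b.c = value' lines; nested HOCON blocks are not handled."""
    conf = {}
    for line in text.splitlines():
        m = re.match(r"^([\w.]+)\s*[:=]\s*(.+?),?$", line.strip())
        if not m:
            continue  # blank line, comment, or unsupported syntax
        key, raw = m.groups()
        if raw.startswith("["):
            conf[key] = [v.upper() for v in re.findall(r"[\w-]+", raw)]
        else:
            conf[key] = raw.strip('"').lower()
    return conf

def on(conf, key):
    return conf.get(key) == "true"  # a missing key counts as disabled

def audit(conf):
    """Return findings for channels that authenticate without encrypting."""
    sec, findings = "drill.exec.security.", []
    user_tls = on(conf, sec + "user.encryption.ssl.enabled")
    user_enc = user_tls or on(conf, sec + "user.encryption.sasl.enabled")
    if on(conf, sec + "user.auth.enabled") and not user_enc:
        findings.append("client-to-Drillbit: authentication on, encryption off")
    if on(conf, sec + "bit.auth.enabled") and not on(conf, sec + "bit.encryption.sasl.enabled"):
        findings.append("Drillbit-to-Drillbit: authentication on, encryption off")
    if "PLAIN" in conf.get(sec + "auth.mechanisms", []) and not user_tls:
        findings.append("PLAIN enabled without SSL/TLS on the client channel")
    if not on(conf, "drill.exec.http.ssl_enabled"):
        findings.append("Web UI/API: HTTPS disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_flat(SAMPLE_CONF)):
        print("FINDING:", finding)
```

Because defaults live in drill-distrib.conf, run a check like this against the merged settings rather than drill-override.conf alone; otherwise an option you never overrode is reported as disabled.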