Drill Default Security

The default security configuration uses MapR-SASL (tickets) for authentication, authorization, and encryption to automatically secure the cluster and ecosystem components when you install them manually or using the Installer.

The default security configuration automatically secures all Drill communication paths with the following exceptions:
  • The path between the web client and web server (W) uses SSL/TLS with form-based authentication.
  • The path between the ODBC/JDBC client and ZooKeeper (Zn, Zo) is not secured.

The following diagram shows the secured communication paths:



The following table describes the security support for each communication path in the diagram, along with the components involved in the communication:

| Type of Security Supported | Communication Path | Component Communication |
|---|---|---|
| Authentication and encryption using MapR-SASL (tickets) | C | ODBC client/C++ API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | J | JDBC client/Java API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | D1, D2, Dn | Drillbit to Drillbit |
| Authentication and encryption using MapR-SASL (tickets) | M | Drillbit to HPE Ezmeral Data Fabric Database/file system |
| Authentication and encryption using MapR-SASL (tickets) | H | Drillbit to Hive. NOTE: The Hive storage plugin is not secured by default and requires that you manually modify the configuration to enable security. See Configuring the Hive Storage Plugin. |
| Plain authentication with SSL encryption (HTTPS enabled) | W | Web client/Web API to Web server. NOTE: The HTTPS channel (Web client) uses Plain authentication to authenticate a Web client with SSL/TLS for encryption. This is configured by default in a secure 6.x cluster with Drill 1.11 or later installed. Plain authentication does not support encryption. You must enable SSL to encrypt the communication channels when using Plain authentication. See Configuring Drill Web UI and Web API Security. |
| Authentication with security (no encryption) | Zj | Drillbit to ZooKeeper. NOTE: The Drillbit creates znodes, for which ZooKeeper Access Control Lists (ACLs) provide security. See Security Between ZooKeeper and Drillbits for more information. |
| No security support | Zo, Zn | ODBC/JDBC client to ZooKeeper. NOTE: Only znodes created for Drillbit endpoints in ZooKeeper are readable by the client. All other znodes (not required by the client) are secured using ZooKeeper ACLs, and are only readable by Drillbits. |

Note the following information:
  • Kerberos and Plain authentication are not enabled or configured as part of the default security configuration. However, you can manually configure these security mechanisms in addition to the defaults. If you enable Plain authentication, you must use SSL/TLS for encryption.
  • Drill clients running Drill 1.10 and earlier do not support encryption and cannot connect to Drillbits installed with the default security configuration.

Connecting Drill

See Data Fabric Drill Drivers. Alternatively, you can use SQLLine, the Drill shell, as shown:

Additional Notes

Performance
The default security configuration enables encryption for all network channels, which can affect Drill performance. If performance is your highest priority, install the data-fabric and Drill without security enabled and have your security expert manually configure cluster security. Alternatively, you can install the data-fabric and Drill with security enabled, and then disable individual Drill security settings. For example, you can edit the drill-override.conf file and disable encryption, leaving authentication enabled.
NOTE
Manually configuring security settings when default security is enabled is not recommended.
Drill Configuration Files
The default security configuration introduces new Drill configuration files. In addition to drill-override.conf, distrib-env.sh, and drill-env.sh, Drill includes a drill-distrib.conf file. See Drill Configuration Files for more information. Note that modifying Drill distribution-specific files is highly discouraged. To customize any Drill configuration, use drill-override.conf and drill-env.sh.
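
An added example (not HPE or Drill project code): a small audit of the effective settings from drill-distrib.conf plus drill-override.conf. It flags a channel that keeps authentication but drops encryption, as in the Performance note above, and Plain authentication without SSL/TLS. The option names, the MAPRSASL mechanism string, and both file contents are assumptions made for this example.

```python
import re

# Constructed samples, not from a real cluster. OVERRIDE turns SASL encryption off and adds PLAIN.
# Option names are Apache Drill's as assumed for this example; check your version.
DISTRIB = '''
drill.exec: {
  security: {
    user.auth.enabled: true,
    user.encryption.sasl.enabled: true,
    bit.auth.enabled: true,
    bit.encryption.sasl.enabled: true,
    auth.mechanisms: ["MAPRSASL"]
  },
  http.ssl_enabled: true
}
'''
OVERRIDE = '''
drill.exec: {
  security.user.encryption.sasl.enabled: false,
  security.auth.mechanisms: ["MAPRSASL", "PLAIN"]
}
'''

def flatten(text):
    # One-setting-per-line HOCON -> {dotted.key: value}; comments match no pattern.
    out, path = {}, []
    for raw in text.splitlines():
        line = raw.strip().rstrip(',')
        if line == '}':
            path.pop()
        elif m := re.match(r'([\w.-]+)\s*[:=]?\s*\{$', line):
            path.append(m.group(1))
        elif m := re.match(r'([\w.-]+)\s*[:=]\s*(.+)$', line):
            out['.'.join(path + [m.group(1)])] = m.group(2).strip('"')
    return out

def audit(distrib, override):
    conf = {**flatten(distrib), **flatten(override)}  # override wins
    on = lambda k: conf.get('drill.exec.' + k, 'false').lower() == 'true'
    findings = []
    for chan in ('user', 'bit'):
        enc = f'security.{chan}.encryption.sasl.enabled'
        if on(f'security.{chan}.auth.enabled') and not on(enc):
            findings.append(f'{chan}: authenticated but SASL encryption off')
    mechs = conf.get('drill.exec.security.auth.mechanisms', '').upper()
    if 'PLAIN' in mechs and not on('security.user.encryption.ssl.enabled'):
        findings.append('user: PLAIN enabled without SSL/TLS')
    if not on('http.ssl_enabled'):
        findings.append('web: HTTPS disabled')
    return findings
```

Calling `audit(DISTRIB, OVERRIDE)` returns one finding per deviation, and an empty list means the override leaves the defaults intact.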
HBase
As of Core 6.0 and Drill 1.11, HBase is no longer supported; therefore, the communication path between Drill and HBase is also not supported.