SPNEGO for HTTP Authentication

Drill 1.13 and later supports the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) to extend the Kerberos-based single sign-on authentication mechanism to HTTP. An administrator configures the web server (Drillbit) to use SPNEGO for authentication. Depending on the system, either the administrator or the user configures the client (web browser or web client tool) to use SPNEGO for authentication.

An administrator can configure both FORM (username and password) and SPNEGO authentication together, which lets clients with different security preferences connect to the same Drill cluster. When a client (a web browser or a web client tool, such as curl) requests access to a secured page from the web server (Drillbit), the SPNEGO mechanism uses tokens to perform a handshake that authenticates the client browser and the web server.
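The token handshake described above follows the HTTP Negotiate scheme (RFC 4559): the server answers 401 with a WWW-Authenticate: Negotiate header, and the client retries with Authorization: Negotiate followed by a base64 GSS-API token. The following is an added example, not code from Drill or its documentation; it classifies that token so someone reviewing captured headers can tell a Kerberos-backed SPNEGO token from an NTLM fallback. The function names and sample headers are constructed for illustration.

```python
import base64

# DER-encoded OIDs (tag 0x06, length, value) found in GSS-API tokens.
SPNEGO_OID = bytes.fromhex("06062b0601050502")        # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2
NTLMSSP_MAGIC = b"NTLMSSP\x00"

def is_negotiate_challenge(status, headers):
    """True if the response is a 401 that offers the Negotiate scheme."""
    values = [v for k, v in headers.items() if k.lower() == "www-authenticate"]
    return status == 401 and any(
        v.strip().lower().startswith("negotiate") for v in values)

def classify_negotiate(authorization_value):
    """Classify the token in an 'Authorization: Negotiate <base64>' value."""
    scheme, _, b64 = authorization_value.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64.strip():
        return "not-negotiate"
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "malformed"
    if token.startswith(NTLMSSP_MAGIC):
        return "ntlm"  # raw NTLM sent under Negotiate: no Kerberos ticket involved
    if token[:1] == b"\x60":  # GSS-API InitialContextToken, [APPLICATION 0]
        head = token[:64]
        if SPNEGO_OID in head:
            # Kerberos V5 is among the mechanisms the client offers.
            return "spnego-kerberos" if KRB5_OID in token else "spnego-other"
        if KRB5_OID in head:
            return "raw-kerberos"
    return "unknown"

# Constructed sample: a minimal SPNEGO NegTokenInit whose mechTypes list holds
# only the Kerberos V5 OID (no mechToken, so it carries no real ticket).
_SPNEGO_BYTES = bytes.fromhex(
    "601b" "06062b0601050502" "a011300fa00d300b" "06092a864886f712010202")
SAMPLE_SPNEGO = "Negotiate " + base64.b64encode(_SPNEGO_BYTES).decode()

# Constructed sample: the first bytes of an NTLMSSP type 1 message.
SAMPLE_NTLM = "Negotiate " + base64.b64encode(
    NTLMSSP_MAGIC + b"\x01\x00\x00\x00\x07\x82\x08\xa2").decode()

if __name__ == "__main__":
    print(is_negotiate_challenge(401, {"WWW-Authenticate": "Negotiate"}))
    for sample in (SAMPLE_SPNEGO, SAMPLE_NTLM, "Basic dXNlcjpwdw=="):
        print(classify_negotiate(sample))
```

An "ntlm" result means the client had no usable Kerberos ticket for the server's principal, which usually points at a missing Ticket Granting Ticket or a host name the browser does not trust for Negotiate.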

The Drill Web UI provides two possible login options for a user, depending on the configuration. If a user selects FORM, they must enter their username and password to access restricted pages in the Drill Web UI. The user is authenticated through PAM. If the user selects SPNEGO, the user is automatically logged in if they are an authenticated Kerberos user. If a user accesses a protected page directly, they are redirected to the authentication login page. If the client fails to authenticate using SPNEGO, an error page displays with an option to use FORM authentication, assuming FORM authentication is configured on the server side.

Browser Support

The following browsers were tested with Drill configured to use SPNEGO authentication:

  • Firefox
  • Chrome
  • Safari
  • Internet Explorer
  • Web client tool, such as curl

Prerequisites

SPNEGO authentication for Drill requires the following:

  • Drill 1.13 or later installed on each node.
  • A working Kerberos infrastructure, which Drill does not provide.
  • A Linux-based or Windows Active Directory (AD) Kerberos environment with secure clusters and a Drill server configured for Kerberos.
  • Kerberos principal and keytab on each web server (Drillbit) that will use SPNEGO for authentication.
  • Kerberos Ticket Granting Ticket on the client machine for the user accessing the Drillbit (web server).
  • Drill web server configured for SPNEGO.

Configuring SPNEGO on the Web Server and Web Client

The following sections provide the steps that an administrator can follow to configure SPNEGO on the web server (Drillbit). An administrator or a user can follow the steps for configuring the web browser or client tool.