You enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf.
You can use several configuration options to customize SSL/TLS.
You must restart the Drillbit process on each node after you modify the configuration options, as shown:
$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>
The following sections describe how to enable and configure SSL:
Enabling SSL
If SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers using SSL. You enable SSL in the Drill startup configuration file, drill-override.conf, located in /opt/mapr/drill/drill-<version>/conf.
To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabled option in drill-override.conf to "true."
Configuring SSL
You can customize SSL on a Drillbit through the SSL configuration options. You can set the options from the command line (as Java system properties), in the drill-override.conf file, or in the property file to which the Hadoop parameter hadoop.ssl.server.conf points (recommended).
NOTE
Specifying values (in particular the keystore and truststore passwords) in drill-override.conf can expose the security parameters to end users, because that file is readable by anyone who can run Drill. Administrators should set these values in the Hadoop security file and restrict permissions on that file.
If a parameter is specified in multiple places, the value in the Hadoop configuration takes precedence over the Drill configuration, which takes precedence over the system property.
The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist in the Drill classpath. The Drill SSL configuration picks up the Hadoop SSL configuration.
NOTE
Since the Drillbit implementation is based on JSSE, several standard parameters that apply to JSSE also apply to the Drillbit. However, you typically do not need to configure JSSE parameters.
Following are the SSL configuration options with their descriptions and default values.
- drill.exec.security.user.encryption.ssl.enabled
- Hadoop Property Name: N/A
- System Property Name: N/A
- Description: Enable or disable TLS for Drill client - Drill Server communication. You must set this option in drill-override.conf.
- Allowed Values: true or false
- Drill Default: false
- drill.exec.ssl.protocol
- Hadoop Property Name: N/A
- System Property Name: N/A
- Description: The version of the TLS protocol to use. The value TLS leaves the version choice to the JSSE provider; pin TLSv1.2 or TLSv1.3 so that older versions are never offered.
- Allowed Values: TLS, TLSv1, TLSv1.1, TLSv1.2, TLSv1.3
- Drill Default: TLSv1.3 (recommended)
- drill.exec.ssl.keyStoreType
- Hadoop Property Name: ssl.server.keystore.type
- System Property Name: javax.net.ssl.keyStoreType
- Description: Format of the keystore file
- Allowed Values: jks, jceks, pkcs12
- Drill Default: jks
- drill.exec.ssl.keyStorePath
- Hadoop Property Name: ssl.server.keystore.location
- System Property Name: javax.net.ssl.keyStore
- Description: Location of the Java keystore file containing the Drillbit’s own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.keyStorePassword
- Hadoop Property Name: ssl.server.keystore.password
- System Property Name: javax.net.ssl.keyStorePassword
- Description: Password to access the private key from the keystore file. This password is used twice: to unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password) unless a key password is specified separately.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.keyPassword
- Hadoop Property Name: ssl.server.keystore.keypassword
- System Property Name: Not Applicable
- Description: Password to access the private key from the keystore file. May be
different from the keystore password.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.trustStoreType
- Hadoop Property Name: ssl.server.truststore.type
- System Property Name: javax.net.ssl.trustStoreType
- Description: Format of the truststore file
- Allowed Values: jks, jceks, pkcs12
- Drill Default: jks
- drill.exec.ssl.trustStorePath
- Hadoop Property Name: ssl.server.truststore.location
- System Property Name: javax.net.ssl.trustStore
- Description: Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
NOTE
If the trustStorePath is not provided, Drill ignores the trustStorePassword parameter and loads the default Java truststore instead. This causes problems if the Java truststore has a non-default password, because the Java APIs used to load the default truststore assume the default password. The only way to use the default truststore with a non-default password is to specify both its path and its password. To work around this issue, pass the path of the default Java truststore in the trustStorePath parameter (and its password in trustStorePassword).
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.trustStorePassword
- Hadoop Property Name: ssl.server.truststore.password
- System Property Name: javax.net.ssl.trustStorePassword
- Description: Password used to open the keystore file specified as the truststore. A truststore holds only trusted certificates, not private keys, so this password protects the integrity of the file rather than a key.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.provider
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Selects the TLS implementation the Drillbit uses: the JDK's built-in JSSE provider or the native OpenSSL library.
- Allowed Values: OpenSSL or JDK
- Drill Default: JDK
- drill.exec.ssl.useHadoopConfig
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Use the settings in the Hadoop configuration file. The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure TLS.
- Allowed Values: true or false
- Drill Default: true
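The option table above maps each Drill key to its Hadoop property and Java system property, and the precedence rule (Hadoop file, then drill-override.conf, then system property, then the Drill default) decides which value wins. The following script, added here as an example and not code from Drill or HPE, resolves the effective settings from constructed samples of ssl-server.xml, a flat drill-override.conf fragment and a set of -D properties, then flags the pitfalls this page describes: a missing keyPassword, a trustStorePassword without a trustStorePath, a protocol that does not pin TLS 1.2 or later, and passwords placed in drill-override.conf. It also includes the permission check the NOTE under "Configuring SSL" asks for on the Hadoop security file. The paths, passwords and the toy HOCON reader are assumptions for illustration only.

```python
"""Added example (not Drill or HPE code): resolve effective Drillbit TLS settings
using the page's precedence rule and flag the pitfalls the page warns about.
The sample files and system properties below are constructed placeholders."""
import re
import stat
import xml.etree.ElementTree as ET

# From the page's option table: Drill key -> (Hadoop property, Java system property, Drill default)
SSL_OPTIONS = {
    "drill.exec.security.user.encryption.ssl.enabled": (None, None, "false"),
    "drill.exec.ssl.useHadoopConfig": (None, None, "true"),
    "drill.exec.ssl.protocol": (None, None, "TLSv1.3"),
    "drill.exec.ssl.keyStoreType": ("ssl.server.keystore.type", "javax.net.ssl.keyStoreType", "jks"),
    "drill.exec.ssl.keyStorePath": ("ssl.server.keystore.location", "javax.net.ssl.keyStore", None),
    "drill.exec.ssl.keyStorePassword": ("ssl.server.keystore.password", "javax.net.ssl.keyStorePassword", None),
    "drill.exec.ssl.keyPassword": ("ssl.server.keystore.keypassword", None, None),
    "drill.exec.ssl.trustStoreType": ("ssl.server.truststore.type", "javax.net.ssl.trustStoreType", "jks"),
    "drill.exec.ssl.trustStorePath": ("ssl.server.truststore.location", "javax.net.ssl.trustStore", None),
    "drill.exec.ssl.trustStorePassword": ("ssl.server.truststore.password", "javax.net.ssl.trustStorePassword", None),
}

# Constructed $HADOOP_CONF/ssl-server.xml; the truststore location is deliberately left out.
SSL_SERVER_XML = """<configuration>
  <property><name>ssl.server.keystore.location</name><value>/opt/mapr/conf/ssl_keystore.p12</value></property>
  <property><name>ssl.server.keystore.type</name><value>pkcs12</value></property>
  <property><name>ssl.server.keystore.password</name><value>storepass-placeholder</value></property>
  <property><name>ssl.server.truststore.password</name><value>trustpass-placeholder</value></property>
</configuration>"""

DRILL_OVERRIDE_CONF = """
# Constructed drill-override.conf fragment (flat key = value lines only).
drill.exec.security.user.encryption.ssl.enabled = true
drill.exec.ssl.useHadoopConfig = true
drill.exec.ssl.protocol = "TLSv1.2"
drill.exec.ssl.keyStoreType = "jks"   # loses to the value in ssl-server.xml
"""

SYSTEM_PROPERTIES = {"javax.net.ssl.keyStoreType": "jks"}  # constructed -D properties (lowest precedence)


def parse_ssl_server_xml(text):
    """Return {name: value} for every <property> of a Hadoop-style XML config."""
    root = ET.fromstring(text)
    return {p.findtext("name").strip(): p.findtext("value").strip() for p in root.iter("property")}


def parse_drill_override(text):
    """Toy reader for flat HOCON 'key = value' lines; nested blocks are out of scope."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        m = re.match(r"^([\w.\-]+)\s*[=:]\s*(.+?)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out


def resolve(hadoop, drill, sysprops):
    """Precedence from the page: Hadoop file > drill-override.conf > system property > default.
    The Hadoop file is consulted only while drill.exec.ssl.useHadoopConfig is true."""
    use_hadoop = drill.get("drill.exec.ssl.useHadoopConfig", "true").lower() == "true"
    effective = {}
    for key, (hkey, sprop, default) in SSL_OPTIONS.items():
        if use_hadoop and hkey and hkey in hadoop:
            effective[key] = (hadoop[hkey], "ssl-server.xml")
        elif key in drill:
            effective[key] = (drill[key], "drill-override.conf")
        elif sprop and sprop in sysprops:
            effective[key] = (sysprops[sprop], "system property")
        elif default is not None:
            effective[key] = (default, "default")
    return effective


def audit(effective):
    """Findings for the pitfalls the page describes, as human-readable strings."""
    val = lambda k: effective.get(k, (None, None))[0]
    findings = []
    if val("drill.exec.ssl.keyStorePath") is None:
        findings.append("no keyStorePath: the Drillbit has no certificate to present")
    if val("drill.exec.ssl.keyPassword") is None:
        findings.append("keyPassword unset: keyStorePassword also unlocks the private key")
    if val("drill.exec.ssl.trustStorePath") is None and val("drill.exec.ssl.trustStorePassword"):
        findings.append("trustStorePassword ignored: no trustStorePath, so the default Java truststore is used")
    if val("drill.exec.ssl.protocol") in ("TLS", "TLSv1", "TLSv1.1"):
        findings.append("protocol %s does not pin TLS 1.2+" % val("drill.exec.ssl.protocol"))
    for key, (_, source) in effective.items():
        if key.endswith("Password") and source == "drill-override.conf":
            findings.append("%s is in drill-override.conf, readable by Drill users" % key)
    return findings


def mode_is_private(mode):
    """True when a file mode (os.stat(path).st_mode) grants no access to 'others', as the NOTE requires."""
    return (mode & stat.S_IRWXO) == 0


def resolve_sample():
    eff = resolve(parse_ssl_server_xml(SSL_SERVER_XML), parse_drill_override(DRILL_OVERRIDE_CONF), SYSTEM_PROPERTIES)
    return eff, audit(eff)


if __name__ == "__main__":
    eff, findings = resolve_sample()
    for key, (value, source) in eff.items():
        print("%-50s = %-36s [%s]" % (key, "********" if key.endswith("Password") else value, source))
    print("\n".join("WARNING: " + f for f in findings))
```

Running it prints each effective value with the file it came from, so an administrator can see that the keystore type from ssl-server.xml overrides both the drill-override.conf entry and the -D property, and that the truststore password in the sample is silently ignored because no truststore path was given.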
Configuring SSL on Drill on Yarn (DOY)
Starting with EEP 8.1.0, you can enable SSL on Drill on Yarn through SSL configuration options. In the drill-on-yarn.conf file, add the drill.yarn.http.ssl-enabled parameter. See Drill-on-YARN Limitations for additional information on related limitations.
- drill.yarn.http.ssl-enabled
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Enables SSL for Drill on YARN. The SSL settings are read from the Hadoop configuration file, so the drill.yarn.ssl.useHadoopConfig parameter is also required.
- Allowed Values: true or false
- Drill Default: false
- drill.yarn.ssl.useHadoopConfig
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Use the SSL settings in the Hadoop configuration file. The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names for configuring TLS.
- Allowed Values: true or false
- Drill Default: false