Configuring SSL/TLS

You enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf. You can use several configuration options to customize SSL/TLS.

You must restart the Drillbit process on each node after you modify the configuration options, as shown:
$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>

The following sections describe how to enable and configure SSL:

Enabling SSL

If SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers using SSL. You enable SSL in the Drill startup configuration file, drill-override.conf, located in /opt/mapr/drill/drill-<version>/conf.

To enable SSL for Drill, set the drill.exec.security.user.encryption.ssl.enabled option in drill-override.conf to "true".

Configuring SSL

You can customize SSL on a Drillbit through the SSL configuration options. You can set the options from the command line (using Java system properties), in the drill-override.conf file, or in the property file to which the Hadoop parameter hadoop.ssl.server.conf points (recommended).
NOTE
Specifying values in drill-override.conf can expose the security parameters to end users. Administrators should set these values in the Hadoop security file and restrict permissions on that file.

If a parameter is specified in multiple places, the value in the Hadoop configuration takes precedence over the Drill configuration, which takes precedence over the system property.

The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the Hadoop core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml, which contains the property names to configure SSL. Both the core-site.xml file and the ssl-server.xml file must exist in the Drill classpath. The Drill SSL configuration picks up the Hadoop SSL configuration.
NOTE
Since the Drillbit implementation is based on JSSE, several standard parameters that apply to JSSE also apply to the Drillbit. However, you typically do not need to configure JSSE parameters.

Following are the SSL configuration options with their descriptions and default values.

drill.exec.security.user.encryption.ssl.enabled
Hadoop Property Name: N/A
System Property Name: N/A
Description: Enable or disable TLS for Drill client to Drill server communication. You must set this option in drill-override.conf.
Allowed Values: true or false
Drill Default: false
drill.exec.ssl.protocol
Hadoop Property Name: N/A
System Property Name: N/A
Description: The version of the TLS protocol to use.
Allowed Values: TLS, TLSV1, TLSv1.1, TLSv1.2, TLSv1.3
Drill Default: TLSv1.3 (recommended)
drill.exec.ssl.keyStoreType
Hadoop Property Name: ssl.server.keystore.type
System Property Name: javax.net.ssl.keyStoreType
Description: Format of the keystore file
Allowed Values: jks, jceks, pkcs12
Drill Default: jks
drill.exec.ssl.keyStorePath
Hadoop Property Name: ssl.server.keystore.location
System Property Name: javax.net.ssl.keyStore
Description: Location of the Java keystore file containing the Drillbit's own certificate and private key. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
Allowed Values: Not Applicable
Drill Default: Not Applicable
drill.exec.ssl.keyStorePassword
Hadoop Property Name: ssl.server.keystore.password
System Property Name: javax.net.ssl.keyStorePassword
Description: Password to access the private key from the keystore file. This password is used twice: to unlock the keystore file (store password), and to decrypt the private key stored in the keystore (key password) unless a key password is specified separately.
Allowed Values: Not Applicable
Drill Default: Not Applicable
drill.exec.ssl.keyPassword
Hadoop Property Name: ssl.server.keystore.keypassword
System Property Name: Not Applicable
Description: Password to access the private key from the keystore file. May be different from the keystore password.
Allowed Values: Not Applicable
Drill Default: Not Applicable
drill.exec.ssl.trustStoreType
Hadoop Property Name: ssl.server.truststore.type
System Property Name: javax.net.ssl.trustStoreType
Description: Format of the truststore file
Allowed Values: jks, jceks, pkcs12
Drill Default: jks
drill.exec.ssl.trustStorePath
Hadoop Property Name: ssl.server.truststore.location
System Property Name: javax.net.ssl.trustStore
Description: Location of the Java keystore file containing the collection of CA certificates trusted by the Drill client. On Windows, the specified pathname must use forward slashes, /, in place of backslashes.
NOTE
If the trustStorePath is not provided, Drill ignores the trustStorePassword parameter and gets the default Java truststore instead. This operation causes issues if the Java truststore has a non-default password. The Java APIs used to load the default keystore assume the default password. The only way to use the default keystore with a non-default password is to specify both the path and the password to the keystore. To work around this issue, pass the default Java truststore to the trustStorePath parameter.
Allowed Values: Not Applicable
Drill Default: Not Applicable
drill.exec.ssl.trustStorePassword
Hadoop Property Name: ssl.server.truststore.password
System Property Name: javax.net.ssl.trustStorePassword
Description: Password to access the private key from the keystore file specified as the truststore.
Allowed Values: Not Applicable
Drill Default: Not Applicable
drill.exec.ssl.provider
Hadoop Property Name: Not Applicable
System Property Name: Not Applicable
Description: Selects the underlying TLS implementation.
Allowed Values: OpenSSL or JDK
Drill Default: JDK
drill.exec.ssl.useHadoopConfig
Hadoop Property Name: Not Applicable
System Property Name: Not Applicable
Description: Whether to use the settings in the Hadoop SSL configuration file.

The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml which contains the property names to configure TLS.

Allowed Values: true or false
Drill Default: true
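The precedence rule above (a Hadoop value wins over the Drill configuration, which wins over a system property) and the note that secrets placed in drill-override.conf are exposed to end users are easy to get wrong when a setting appears in more than one place. The following script is an added example, not Drill's own code: it reads a constructed ssl-server.xml and a constructed drill-override.conf (a small HOCON subset, not a full HOCON parser), applies the page's precedence using the property-name mapping from the table above, and reports where each effective value came from, flagging passwords left in drill-override.conf, a protocol older than the recommended TLSv1.3, and a trustStorePassword that Drill would ignore because no trustStorePath is set. It assumes that drill.exec.ssl.useHadoopConfig=false simply skips the Hadoop file; the sample paths and passwords are placeholders.

```python
"""Resolve effective Drill SSL settings from Hadoop ssl-server.xml, drill-override.conf
and Java system properties (precedence Hadoop > Drill > system property > Drill default),
then audit the result. Added example; sample configs below are constructed."""
import re
import xml.etree.ElementTree as ET

# Drill key -> (Hadoop ssl-server.xml property, Java system property), as listed on the page.
# None means the page lists no counterpart in that source.
PROPERTY_MAP = {
    "drill.exec.ssl.protocol":           (None, None),
    "drill.exec.ssl.keyStoreType":       ("ssl.server.keystore.type", "javax.net.ssl.keyStoreType"),
    "drill.exec.ssl.keyStorePath":       ("ssl.server.keystore.location", "javax.net.ssl.keyStore"),
    "drill.exec.ssl.keyStorePassword":   ("ssl.server.keystore.password", "javax.net.ssl.keyStorePassword"),
    "drill.exec.ssl.keyPassword":        ("ssl.server.keystore.keypassword", None),
    "drill.exec.ssl.trustStoreType":     ("ssl.server.truststore.type", "javax.net.ssl.trustStoreType"),
    "drill.exec.ssl.trustStorePath":     ("ssl.server.truststore.location", "javax.net.ssl.trustStore"),
    "drill.exec.ssl.trustStorePassword": ("ssl.server.truststore.password", "javax.net.ssl.trustStorePassword"),
}
DRILL_DEFAULTS = {"drill.exec.ssl.protocol": "TLSv1.3", "drill.exec.ssl.keyStoreType": "jks",
                  "drill.exec.ssl.trustStoreType": "jks"}
SECRET_KEYS = ("drill.exec.ssl.keyStorePassword", "drill.exec.ssl.keyPassword",
               "drill.exec.ssl.trustStorePassword")

# Constructed sample inputs (placeholder paths and passwords, not real credentials).
SAMPLE_DRILL_OVERRIDE = """
drill.exec: {
  security.user.encryption.ssl.enabled: true,
  ssl: {
    protocol: "TLSv1.1",                   # no Hadoop/system counterpart, so this value sticks
    keyStorePath: "/opt/mapr/conf/ssl_keystore",
    keyStorePassword: "drill-side-secret"  # readable by anyone who can read drill-override.conf
  }
}
"""
SAMPLE_SSL_SERVER_XML = """<configuration>
  <property><name>ssl.server.keystore.location</name><value>/opt/mapr/conf/ssl_keystore</value></property>
  <property><name>ssl.server.keystore.password</name><value>hadoop-side-secret</value></property>
  <property><name>ssl.server.truststore.password</name><value>trust-secret</value></property>
</configuration>"""
SAMPLE_SYSTEM_PROPS = {"javax.net.ssl.trustStore": "/usr/lib/jvm/jre/lib/security/cacerts"}


def parse_hocon_subset(text):
    """Flatten nested `key { ... }` / `key: { ... }` blocks and `key: value` leaves into
    dotted keys. Handles quotes, trailing commas and # or // comments; values containing
    '#' or '//' are not supported by this subset."""
    flat, stack = {}, []
    for raw in text.splitlines():
        line = re.sub(r"\s*(#|//).*$", "", raw).strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        block = re.match(r'^"?([\w.\-]+)"?\s*[:=]?\s*\{$', line)
        if block:
            stack.append(block.group(1))
            continue
        leaf = re.match(r'^"?([\w.\-]+)"?\s*[:=]\s*(.+?)\s*,?$', line)
        if leaf:
            flat[".".join(stack + [leaf.group(1)])] = leaf.group(2).strip('"')
    return flat


def parse_hadoop_xml(text):
    """Read Hadoop's <configuration><property><name/><value/></property> format."""
    props = {}
    for prop in ET.fromstring(text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def resolve_ssl_settings(drill_conf, hadoop_props, system_props):
    """Return {drill_key: (value, source)} using the page's precedence. The Hadoop file is
    consulted only while drill.exec.ssl.useHadoopConfig is true (the Drill default)."""
    use_hadoop = drill_conf.get("drill.exec.ssl.useHadoopConfig", "true").lower() == "true"
    effective = {}
    for key, (hadoop_name, sys_name) in PROPERTY_MAP.items():
        if use_hadoop and hadoop_name in hadoop_props:
            effective[key] = (hadoop_props[hadoop_name], "hadoop")
        elif key in drill_conf:
            effective[key] = (drill_conf[key], "drill")
        elif sys_name in system_props:
            effective[key] = (system_props[sys_name], "system")
        elif key in DRILL_DEFAULTS:
            effective[key] = (DRILL_DEFAULTS[key], "default")
    return effective


def audit(drill_conf, effective):
    """Findings a Drill administrator would want to act on, based on the page's notes."""
    findings = []
    for key in SECRET_KEYS:
        if key in drill_conf:
            findings.append(f"{key} is set in drill-override.conf; move it to the Hadoop SSL file")
    if drill_conf.get("drill.exec.security.user.encryption.ssl.enabled", "false").lower() != "true":
        findings.append("drill.exec.security.user.encryption.ssl.enabled is not true; TLS is off")
    proto = effective.get("drill.exec.ssl.protocol", ("", ""))[0]
    if proto not in ("TLSv1.2", "TLSv1.3"):
        findings.append(f"protocol {proto!r} is older than the recommended TLSv1.3")
    if "drill.exec.ssl.trustStorePassword" in effective and "drill.exec.ssl.trustStorePath" not in effective:
        findings.append("trustStorePassword is ignored without trustStorePath (default Java truststore used)")
    return findings


if __name__ == "__main__":
    drill = parse_hocon_subset(SAMPLE_DRILL_OVERRIDE)
    eff = resolve_ssl_settings(drill, parse_hadoop_xml(SAMPLE_SSL_SERVER_XML), SAMPLE_SYSTEM_PROPS)
    for key, (value, source) in eff.items():
        shown = "********" if key in SECRET_KEYS else value
        print(f"{key:40} = {shown:45} [{source}]")
    for finding in audit(drill, eff):
        print("WARNING:", finding)
```

Run against real files by replacing the three sample inputs with the contents of drill-override.conf, the file named by hadoop.ssl.server.conf, and the -D properties from the Drillbit's command line; the report masks secret values so it can be shared without leaking them.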

Configuring SSL on Drill on Yarn (DOY)

Starting with EEP 8.1.0, you can enable SSL on Drill on Yarn through SSL configuration options. In the drill-on-yarn.conf file, add the drill.yarn.http.ssl-enabled parameter. See Drill-on-YARN Limitations for additional information on related limitations.

drill.yarn.http.ssl-enabled
Hadoop Property Name: Not Applicable
System Property Name: Not Applicable
Description: Use the setting in the Hadoop configuration file with the required drill.yarn.ssl.useHadoopConfig parameter.
Allowed Values: true or false
Drill Default: false
drill.yarn.ssl.useHadoopConfig
Hadoop Property Name: Not Applicable
System Property Name: Not Applicable
Description: Whether to use the settings in the Hadoop SSL configuration file.

The Hadoop configuration is specified in the file pointed to by the hadoop.ssl.server.conf parameter in the core-site.xml file. Typically, this parameter points to $HADOOP_CONF/ssl-server.xml which contains the property names for configuring the TLS.

Allowed Values: true or false
Drill Default: false