Securing Drill

An administrator can install Drill with the default security configuration or manually configure custom security for Drill.

Drill supports several security features that secure the communication paths between Drill clients (such as ODBC/JDBC) and Drillbits and also between Drillbits. The following sections briefly describe the security configuration options for Drill and provide links to additional information and instructions.

Default Security Configuration

Starting in Core 6.0 and Drill 1.11 (EEP 4.0), Drill is automatically secured when you install Drill on a cluster that was installed with the default security configuration. The default security configuration provides authentication, authorization, and encryption through the data-fabric-SASL mechanism, except for HTTPS, which uses SSL/TLS with form-based authentication. See Drill Default Security and SSL/TLS for Encryption for more information. You may also want to reference the following topics:

Installing Drill, which describes some Drill installation security scenarios.
Data Fabric Drill Drivers, where you can access the JDBC and ODBC driver information and downloads required to connect to Drill when using the default security configuration.

NOTE

The default security configuration does not include Kerberos or Plain authentication; however, you can manually configure these security mechanisms in addition to the default security configuration.

Security Features Supported in a Custom Configuration

Drill supports several security features that an administrator can manually configure to secure the communication paths between the Drill client and Drillbit and also between Drillbits.

The following table lists the security features and mechanisms supported by Drill, as well as the communication paths secured by each mechanism:

NOTE

In the following table, Drill client refers to the Drill ODBC and JDBC clients. See Drill Drivers for ODBC and JDBC driver information.

Security Features	Supported Mechanisms	Communication Paths Secured
Authentication	MapR Security (data-fabric-SASL/Tickets)	Drill client to Drillbit Drillbit to Drillbit Drillbit to ZooKeeper NOTE The Drillbit creates znodes, for which ZooKeeper ACLs provide security. See Security Between ZooKeeper and Drillbits for more information.
	Kerberos	Drill client to Drillbit Drillbit to Drillbit
	Plain (username and password)	Drill client to Drillbit
	Form-based	Web client/REST API to Drillbit NOTE You can configure SSL/TLS for encryption.
	SPNEGO for HTTP	Web client/REST API to Drillbit NOTE You can configure SSL/TLS for encryption.
Encryption	MapR Security (data-fabric/Tickets)	Drill client to Drillbit Drillbit to Drillbit
	Kerberos	Drill client to Drillbit Drillbit to Drillbit
	SSL/TLS	Drill client to Drillbit Web client/REST API to Drillbit
Authorization	Based on filesystem permissions.	Drill client to Drillbit
Impersonation	User Impersonation	Drill client to Drillbit NOTE Drill supports user impersonation, inbound impersonation, and user impersonation with Hive authorization.
	Inbound impersonation	Drill client to Drillbit NOTE Supports setting inbound impersonation policies, which are used to verify whether the user (set as the DelegationUID parameter passed in the client connection URL) can be impersonated by the connection user or not.

Views and File ACEs

In addition to the listed security features, you can create views on data to limit access to the data. You can also create file ACEs on the view definition files to protect the views.

HPE Ezmeral Data Fabric – Customer-Managed 7.9.0 Documentation
Abstract	This site contains documentation for the customer-managed platform of the HPE Ezmeral Data Fabric version 7.9.0 including installation, configuration, administration, and reference content, as well as content for the associated bundled ecosystem components and drivers.
Published	November 2024
Edition	7.9.0