Security Between ZooKeeper and Drillbits
When Drill is installed on clusters with the default security enabled, authentication is enabled between the Drillbits and ZooKeeper. The ZooKeeper znode information is secured automatically through authentication and znode ACLs. Communication between the Drillbits and ZooKeeper is not encrypted.
Drill uses ZooKeeper to store certain cluster-level configuration and query profile information in znodes. A znode is an internal data tree in ZooKeeper that stores coordination and execution related information. If information in the znodes is not properly secured, cluster privacy and/or security is compromised.
ZooKeeper uses ACLs (Access Control Lists) to control access to znodes and secure the information they store. Starting in Drill 1.15, you can create a custom ACL on the znodes to secure data. An ACL specifies a set of ids and the permissions associated with each id.
By default, the ACL set on Drill znodes is [authid: all], which provides full access only to the authenticated user that created the znode. Discovery znodes (znodes with the list of Drillbits) have an additional ACL set to [world:read], making the list of Drillbits readable by any user.
Securing znodes
Complete the following steps to create a custom ACL and secure znodes:
- Write a class that implements the ZKACLProvider interface. This class contains the ACLs that need to be set on the znodes. You can use the ZKSecureACLProvider class as a sample reference.
- Add the following dependency to the pom file of the project module you created:
  <groupId>org.apache.drill.exec</groupId>
  <artifactId>drill-java-exec</artifactId>
- Refer to the steps listed at https://drill.apache.org/docs/manually-adding-custom-functions-to-drill/ to create a JAR, and then add the JAR to Drill's classpath.
- In /opt/mapr/drill/drill-<version>/conf/drill-override.conf, set zk.acl_provider to the ZKACLProviderTemplate type.
- Restart Drill. When Drill restarts, the ACL defined in your custom class is applied to the znodes created when Drill starts.
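As an added example (not code from this page or from the Drill project), the following is a custom provider for the first step above: it keeps creator-only access on all znodes, leaves the Drillbit discovery znodes world-readable, and additionally grants read-only access to one SASL-authenticated operator identity. The interface methods getDrillDefaultAcl() and getDrillAclForPath(String), the ZKACLContextProvider constructor argument with its getClusterPath(), and the type attribute of the ZKACLProviderTemplate annotation are recalled from Drill 1.15 source rather than taken from this page, so verify them against your Drill version; the package, class name and operator principal are placeholders.

```java
package com.example.drill.zk;  // hypothetical package for the custom module

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

import org.apache.drill.exec.coord.zk.ZKACLContextProvider;
import org.apache.drill.exec.coord.zk.ZKACLProvider;
import org.apache.drill.exec.coord.zk.ZKACLProviderTemplate;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

// The "type" value here is what zk.acl_provider in drill-override.conf must be set to.
@ZKACLProviderTemplate(type = "creator-all-operator-read")
public class OperatorReadACLProvider implements ZKACLProvider {
  // Placeholder SASL principal for a read-only operator; replace with a real identity.
  private static final String OPERATOR_ID = "drill-operator@EXAMPLE.COM";
  private final String drillClusterPath;   // root of the Drillbit discovery znodes
  private final List<ACL> defaultAcl;
  private final List<ACL> discoveryAcl;

  // Assumption: Drill constructs the provider with a context exposing the cluster path.
  public OperatorReadACLProvider(ZKACLContextProvider context) {
    this.drillClusterPath = context.getClusterPath();

    // creator:all plus sasl:<operator>:read; no anonymous access, so profiles and
    // configuration stay restricted to authenticated identities.
    List<ACL> base = new ArrayList<>(Ids.CREATOR_ALL_ACL);
    base.add(new ACL(Perms.READ, new Id("sasl", OPERATOR_ID)));
    this.defaultAcl = Collections.unmodifiableList(base);

    // Discovery znodes additionally get world:read so clients can list the Drillbits.
    List<ACL> discovery = new ArrayList<>(base);
    discovery.addAll(Ids.READ_ACL_UNSAFE);
    this.discoveryAcl = Collections.unmodifiableList(discovery);
  }

  @Override
  public List<ACL> getDrillDefaultAcl() {
    return defaultAcl;
  }

  @Override
  public List<ACL> getDrillAclForPath(String path) {
    // Only znodes under the cluster (discovery) path are world-readable.
    return path.startsWith(drillClusterPath) ? discoveryAcl : defaultAcl;
  }
}
```

After restarting Drill, confirm the result with getAcl in the zkCli on a newly created znode rather than trusting the configuration alone.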
To apply new ACL settings to znodes that already exist, do one of the following:
- a) Shut down the Drillbits, delete the persistent znodes, change the ACL settings, and restart the Drillbits.
- b) Manually change the ACLs on the existing znodes to reflect the new ACL settings, using the setAcl command in the zkCli.
For either option to work, an authenticated connection between the zkCli and the ZooKeeper server must be established.
For additional information, refer to: