Configuring Server Authentication

Authentication is the process of establishing confidence that a presented identity is authentic. Drill 1.10 supports several authentication mechanisms through which identities can be proven before accessing secure cluster data. This section describes how to configure the drillbit nodes in your secure cluster to use these authentication mechanisms.

Note: A Drill client user is authenticated when a drillbit process running in a secure Drill cluster confirms the identity it is presented with. Drill client authentication is available through JDBC and ODBC interfaces, which are described in the Drill Drivers section.

To configure server authentication, ensure that your MapR cluster is secure. To configure secure clusters with MapR security, see Enable Wire-Level Security.

Note: Enabling user impersonation with authorization is recommended to restrict access to data. See Configuring User Impersonation.

Note: If you created a custom mapr-admin PAM profile, see Creating a Custom PAM Profile to verify that the mapr-admin settings are correct.

To enable:

  • MapR-SASL authentication for a drillbit, set the authentication system options for MapR-SASL in the drill-override.conf file, located in $DRILL_HOME/conf. See Example 1.

Example 1: MapR-SASL

For configuration options, see Drill JDBC Driver Configuration Options.

drill.exec: {
  cluster-id: "drill_secure_com-drillbits",
  zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  },
  security: {
    user.auth.enabled: true,
    auth.mechanisms: ["MAPRSASL"]
  }
}

  • Multiple types of authentication, set the authentication system options for the group of mechanisms in the drill-override.conf file, located in $DRILL_HOME/conf. See Example 2.

Example 2: Multiple Authentication Types

For configuration options, see Drill JDBC Driver Configuration Options.

drill.exec: {
  cluster-id: "drill_secure_com-drillbits",
  zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
  impersonation: {
    enabled: true,
    max_chained_user_hops: 3
  },
  security: {
    auth.mechanisms: ["MAPRSASL", "KERBEROS", "PLAIN"],
    auth.principal: "mapr/_host@REALM.COM",
    auth.keytab: "/opt/mapr/conf/mapr.keytab"
  },
  security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam",
    pam_profiles: ["sudo", "login", "mapr-admin"]
  }
}
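
The following check is an added example, not part of the MapR documentation: a heuristic Python review of drill-override.conf text that flags a mechanism listed in auth.mechanisms without the settings Examples 1 and 2 pair it with (auth.principal and auth.keytab for KERBEROS, a user.auth impl for PLAIN, user authentication enabled in every case). The audit function, its regex matching (it is not a full HOCON parser) and the finding messages are assumptions of this example; the sample is Example 2 with auth.keytab deliberately left out.

```python
import re

# Constructed sample: Example 2's security settings with auth.keytab removed.
SAMPLE = '''
drill.exec: {
  impersonation: { enabled: true, max_chained_user_hops: 3 },
  security: {
    auth.mechanisms: ["MAPRSASL", "KERBEROS", "PLAIN"],
    auth.principal: "mapr/_host@REALM.COM"
  },
  security.user.auth: {
    enabled: true,
    impl: "pam",
    pam_profiles: ["sudo", "login", "mapr-admin"]
  }
}
'''

def _value(text, key):
    """Return the quoted string assigned to key, or None if the key is absent."""
    m = re.search(re.escape(key) + r'\s*[:=]\s*"([^"]*)"', text)
    return m.group(1) if m else None

def audit(conf_text):
    """Return a list of findings for drill-override.conf text (regex heuristic)."""
    findings = []
    # Ignore whole-line comments so commented-out settings do not count as set.
    text = re.sub(r'(?m)^\s*(#|//).*$', '', conf_text)
    m = re.search(r'auth\.mechanisms\s*[:=]\s*\[([^\]]*)\]', text)
    mechs = [s.upper() for s in re.findall(r'"([^"]+)"', m.group(1))] if m else []
    # enabled appears as a dotted key (Example 1) or inside a user.auth block (Example 2).
    enabled = re.search(
        r'user\.auth(\.|\s*[:=]?\s*\{[^}]*?)enabled\s*[:=]\s*true', text)
    if not enabled:
        findings.append("user.auth.enabled is not true")
    if not mechs:
        findings.append("auth.mechanisms is not set")
    if "KERBEROS" in mechs:
        for key in ("auth.principal", "auth.keytab"):
            if not _value(text, key):
                findings.append(f"KERBEROS listed but {key} is not set")
    if "PLAIN" in mechs and not _value(text, "impl"):
        findings.append("PLAIN listed but no user.auth impl (e.g. pam) is set")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```

An empty list means none of these checks fired; it does not prove the drillbit will start or that the keytab file and PAM profiles exist on the node.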