Securing Drill

An administrator can install Drill with the default security configuration provided by MapR or manually configure custom security for Drill.

Drill supports several security features that secure the communication paths between Drill clients (such as ODBC/JDBC) and Drillbits and also between Drillbits. The following sections briefly describe the security configuration options for Drill and provide links to additional information and instructions.

MapR Default Security Configuration

Starting in MapR 6.0 and Drill 1.11 (MEP 4.0), Drill is automatically secured when you install Drill on a MapR cluster that was installed with the default MapR security configuration. The default MapR security configuration provides authentication, authorization, and encryption through the MapR-SASL mechanism, except for HTTPS, which uses SSL/TLS with form-based authentication.
Note: The default MapR security configuration does not include Kerberos or Plain authentication, however you can manually configure these security mechanisms in addition to the default MapR security configuration.

See Drill Default Security and SSL/TLS for Encryption for more information. You may also want to reference Installing Drill, which describes some Drill installation security scenarios.

Security Features Supported in a Custom Configuration

Drill supports several security features that an administrator can manually configure to secure the communication paths between the Drill client, such as ODBC and JDBC, and Drillbit and also between Drillbits. See Drill Drivers for ODBC and JDBC driver information.

The following table lists the security features and mechanisms supported by Drill, as well as the communication paths secured by each mechanism:
Note: In the following table, Drill client refers to the Drill ODBC and JDBC clients.
Security Features Supported Mechanisms Communication Paths Secured
Authentication MapR Security (MapR-SASL/Tickets)
  • Drill client to Drillbit
  • Drillbit to Drillbit
  • Drillbit to ZooKeeper
    Note: The Drillbit creates znodes, for which ZooKeeper ACLs provide security. See Security Between ZooKeeper and Drillbits for more information.
  Kerberos
  • Drill client to Drillbit
  • Drillbit to Drillbit
  Plain (username and password)
  • Drill client to Drillbit
  Form-based
  • Web client/REST API to Drillbit
Note: You can configure SSL/TLS for encryption.
  SPNEGO for HTTP
  • Web client/REST API to Drillbit
Note: You can configure SSL/TLS for encryption.
Ecryption MapR Security (MapR-SASL/Tickets)
  • Drill client to Drillbit
  • Drillbit to Drillbit
  Kerberos
  • Drill client to Drillbit
  • Drillbit to Drillbit
  SSL/TLS
  • Drill client to Drillbit
  • Web client/REST API to Drillbit
Authorization Based on file system permissions.
  • Drill client to Drillbit
Impersonation User Impersonation
  • Drill client to Drillbit
Note: Drill supports user impersonation, inbound impersonation, and user impersonation with Hive authorization.

Views and File ACEs

In additiona to the listed security features, you can create views on data to limit access to data. You can also create file ACEs on the view definition files to protect the views.