drill-commits mailing list archives

From bridg...@apache.org
Subject drill git commit: Bridget user auth change, Venki review DRILL-3725/3622
Date Thu, 17 Sep 2015 21:26:15 GMT
Repository: drill
Updated Branches:
  refs/heads/gh-pages 6efb0ab65 -> 14e28f74c


Bridget user auth change, Venki review DRILL-3725/3622


Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/14e28f74
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/14e28f74
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/14e28f74

Branch: refs/heads/gh-pages
Commit: 14e28f74cafe3006b921ae5fe63b6e3d4527436d
Parents: 6efb0ab
Author: Kristine Hahn <khahn@maprtech.com>
Authored: Thu Sep 17 14:22:01 2015 -0700
Committer: Kristine Hahn <khahn@maprtech.com>
Committed: Thu Sep 17 14:22:01 2015 -0700

----------------------------------------------------------------------
 .../075-configuring-user-authentication.md      |  13 ++++++++--
 ...-configuring-web-ui-and-rest-api-security.md |  26 ++++---------------
 _docs/img/query-flow-client.png                 | Bin 11366 -> 13094 bytes
 _docs/img/web-ui-admin-view.png                 | Bin 45701 -> 45382 bytes
 _docs/img/web-ui-user-view.png                  | Bin 47799 -> 47457 bytes
 _docs/img/web-ui.png                            | Bin 43194 -> 42637 bytes
 _docs/install/060-starting-the-web-ui.md        |   6 ++---
 7 files changed, 19 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/configure-drill/075-configuring-user-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/075-configuring-user-authentication.md b/_docs/configure-drill/075-configuring-user-authentication.md
old mode 100644
new mode 100755
index c00763d..8013800
--- a/_docs/configure-drill/075-configuring-user-authentication.md
+++ b/_docs/configure-drill/075-configuring-user-authentication.md
@@ -8,11 +8,20 @@ If user impersonation is enabled, Drill executes the client requests as
the auth
 
 When using PAM for authentication, each user that has permission to run Drill queries must
exist in the list of users that resides on each Drill node in the cluster. The username (including
uid) and password for each user must be identical across all of the Drill nodes. 
 
-If you use PAM with /etc/passwd for authentication, verify that the users with permission
to start the Drill process are part of the shadow user group on all nodes in the cluster.
This enables Drill to read the /etc/shadow file for authentication. 
+If you use PAM with /etc/passwd for authentication, verify that the users with permission
to start the Drill process are part of the shadow user group on all nodes in the cluster.
This enables Drill to read the /etc/shadow file for authentication.  
+
+## Administrator Privileges
+
+When authentication is enabled, only Drill users who are assigned Drill cluster administrator
privileges can perform the following tasks:
+
+* Change a system-level option by issuing an ALTER SYSTEM command
+* Update a storage plugin configuration through the REST API or Web Console
+* View profiles of all queries that all users have run or are currently running in a cluster
+* Cancel running queries that were launched by any user in the cluster
 
 ## User Authentication Process
 
-When user authentication is configured, each user that accesses the Drillbit process through
a client, such as SQLLine, must provide their username and password for access. 
+When user authentication is enabled, each user that accesses the Drillbit process through
a client, such as SQLLine, must provide their username and password for access. 
 
 When launching SQLLine, a user must include the `–n` and `–p` parameters with their username
and password in the SQLLine argument:  
        `sqlline –u jdbc:drill:zk=10.10.11.112:5181 –n bob –p bobdrill`
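Review bot: The new "Administrator Privileges" section lists what a cluster administrator can do but never says how a user becomes one. Add a sentence pointing to the `security.admin.users` and `security.admin.user_groups` options documented in 078-configuring-web-ui-and-rest-api-security.md, so that the anchor linked from the Web Console page leads somewhere actionable. Two smaller points: the file mode changes from 100644 to 100755, which looks unintended for a Markdown page, and the rewritten PAM paragraph differs from the removed one only in trailing whitespace, so it could be dropped from the patch.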

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/configure-drill/078-configuring-web-ui-and-rest-api-security.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/078-configuring-web-ui-and-rest-api-security.md b/_docs/configure-drill/078-configuring-web-ui-and-rest-api-security.md
index 48b4707..9068090 100644
--- a/_docs/configure-drill/078-configuring-web-ui-and-rest-api-security.md
+++ b/_docs/configure-drill/078-configuring-web-ui-and-rest-api-security.md
@@ -10,11 +10,11 @@ With Web Console security in place, users who do not have administrator
privileg
 ## HTTPS Support
 Drill 1.2 uses the Linux Pluggable Authentication Module (PAM) and code-level support for
transport layer security (TLS) to secure the Web Console and REST API. By default, the Web
Console and REST API now support the HTTPS protocol.
 
-By default, Drill generates a self-signed certificate that works with SSL for HTTPS access
to the Web Console; however, as administrator, you can set up SSL to specify the keystore
or truststore, or both, for your organization, as described in the next section.
+By default, Drill generates a self-signed certificate that works with SSL for HTTPS access
to the Web Console. Because Drill uses a self-signed certificate, you see a warning in the
browser when you go to `https://<node IP address>:8047`. The Chrome browser, for example,
requires you to click `Advanced`, and then `Proceed to <address> (unsafe)`.  If you
have a signed certificate by an authority, you can set up a custom SSL to avoid this warning.
You can set up SSL to specify the keystore or truststore, or both, for your organization,
as described in the next section.
 
 ## Setting Up a Custom SSL Configuration
 
-As cluster administrator, you can set the following SSL configuration parameters at the JVM
level through system properties, as described in the [Java product documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization):
+As cluster administrator, you can set the following SSL configuration parameters at in the
`conf/drill-override.conf` file, as described in the [Java product documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html#Customization):
 
 * javax.net.ssl.keyStore  
   Path to the application's certificate and private key in the Java keystore file.  
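Review bot: In the reworded sentence under "Setting Up a Custom SSL Configuration", the parameters are now said to be set in `conf/drill-override.conf`, but the sentence still ends with "as described in the Java product documentation" and the list that follows keeps the JVM system property name `javax.net.ssl.keyStore`. Show how such a property is written in `drill-override.conf`, or keep the system-property wording, so that readers are not left guessing which mechanism applies. The same line has the typo "at in the". In the HTTPS paragraph, telling readers to click `Advanced` and `Proceed to <address> (unsafe)` teaches them to click through certificate warnings; consider recommending that they install a CA-signed certificate, and reword "a signed certificate by an authority" as "a certificate signed by a certificate authority".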
@@ -40,9 +40,9 @@ Configure the following system options using the [ALTER SYSTEM]({{site.baseurl}}
 * security.admin.users  
   Set the value of this option to a comma-separated list of user names who you want to give
administrator privileges, such as changing system options.  
 * security.admin.user_groups  
-  Set the value of this option to a comma-separated list of administrators.
+  Set the value of this option to a comma-separated list of administrator groups.
 
-Any user for whom you have configured Drill user authentication, but not set up as a Web
Console administrator, has only user privileges to access the Web Console and REST API client
applications.
+Any user who is a member of any group listed in security.admin.user.groups is a Drill cluster
administrator. Any user for whom you have configured Drill user authentication, but not set
up as a Drill cluster administrator, has only user privileges to access the Web Console and
REST API client applications.
 
 ## Web Console and REST API Privileges
 
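Review bot: The added paragraph names the option `security.admin.user.groups`, while the bullet directly above it spells it `security.admin.user_groups`. Only one of these can be the real option name, and a reader who copies the wrong one into ALTER SYSTEM will not grant admin rights as intended. Make the paragraph match the bullet and put the name in backticks. It would also help to say how the group list interacts with `security.admin.users`, that is, whether membership in either one is enough.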
@@ -102,20 +102,4 @@ The following table and subsections describe the privilege levels for
accessing
 ### GET /profiles/cancel/{queryid}
 
 * ADMIN - can cancel the query.  
-* USER - cancel the query only if the query is launched by the user requesting the cancellation.
-
-## Starting the Web Console Using Authentication
-
-The following example shows the sequence of steps you typically perform to access the Web
Console when authentication is enabled on a Drill cluster.
-
-1. Set the JVM library path to the location of the PAM `.so` file.  
-   `export DRILLBIT_JAVA_OPTS=" -Djava.library.path=/root/ "`  
-2. Restart the Drillbit.  
-   `[root@centos64-30143 apache-drill-1.2.0-SNAPSHOT]# ./bin/drillbit.sh restart`  
-3. Start the Drill Shell, using  a user name and password.  
-   `bin/sqlline -u "jdbc:drill:zk=10.10.30.146:5181" -n joeadmin -p mypwd`  
-4. Open a browser, and go to `https://<IP address>:8047`, where IP address is the host
name or IP address of one of the installed Drillbits in a distributed system.  
-   The login screen appears:  
-
-   ![Web Console Login]({{ site.baseurl }}/docs/img/web-ui-login.png)
-5. [Start the Web Console]({{ site.baseurl }}/docs/starting-the-web-console/).
\ No newline at end of file
+* USER - cancel the query only if the query is launched by the user requesting the cancellation.
\ No newline at end of file
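Review bot: The removed "Starting the Web Console Using Authentication" steps include setting `-Djava.library.path` to the location of the PAM `.so` file and restarting the Drillbit, and nothing in the replacement text points readers to where that prerequisite is now documented. Confirm it is covered in the user authentication page, or leave a one-line link here. The USER bullet is removed and re-added unchanged and the file still ends without a newline; adding the trailing newline would stop this line from reappearing in future diffs.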

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/img/query-flow-client.png
----------------------------------------------------------------------
diff --git a/_docs/img/query-flow-client.png b/_docs/img/query-flow-client.png
index 0ae87fc..2aad204 100755
Binary files a/_docs/img/query-flow-client.png and b/_docs/img/query-flow-client.png differ

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/img/web-ui-admin-view.png
----------------------------------------------------------------------
diff --git a/_docs/img/web-ui-admin-view.png b/_docs/img/web-ui-admin-view.png
index fbdb709..b7d8657 100644
Binary files a/_docs/img/web-ui-admin-view.png and b/_docs/img/web-ui-admin-view.png differ

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/img/web-ui-user-view.png
----------------------------------------------------------------------
diff --git a/_docs/img/web-ui-user-view.png b/_docs/img/web-ui-user-view.png
index 0d75600..1f0dd10 100644
Binary files a/_docs/img/web-ui-user-view.png and b/_docs/img/web-ui-user-view.png differ

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/img/web-ui.png
----------------------------------------------------------------------
diff --git a/_docs/img/web-ui.png b/_docs/img/web-ui.png
index f68a135..2e14e1c 100644
Binary files a/_docs/img/web-ui.png and b/_docs/img/web-ui.png differ

http://git-wip-us.apache.org/repos/asf/drill/blob/14e28f74/_docs/install/060-starting-the-web-ui.md
----------------------------------------------------------------------
diff --git a/_docs/install/060-starting-the-web-ui.md b/_docs/install/060-starting-the-web-ui.md
index 3720bb1..d37985f 100644
--- a/_docs/install/060-starting-the-web-ui.md
+++ b/_docs/install/060-starting-the-web-ui.md
@@ -9,15 +9,15 @@ If [user authentication]({{site.baseurl}}/docs/configuring-user-authentication/)
 
 ![Web Console]({{ site.baseurl }}/docs/img/web-ui.png)
 
-If user authentication is enabled, Drill 1.2 and later prompts you for a user name and password:
+If [user authentication]({{site.baseurl}}/docs/configuring-user-authentication/) is enabled,
Drill 1.2 and later prompts you for a user name and password:
 
 ![Web Console Login]({{ site.baseurl }}/docs/img/web-ui-login.png)
 
-If an administrator logs in, all the Web Console controls appear: Query, Profiles, Storage,
Metrics, Threads, and Options.
+If an [administrator]({{ site.baseurl }}/docs/configuring-user-authentication/#administrator-privileges)
logs in, all the Web Console controls appear: Query, Profiles, Storage, Metrics, Threads,
and Options.
 
 ![Web Console Admin View]({{ site.baseurl }}/docs/img/web-ui-admin-view.png)
 
-If a user, who is not an administrator, logs in, the Web Console controls are limited to
Query, Metrics, Threads controls, and possibly, Profiles. An administrator can give users
permission to access the Profiles control. Only administrators can see and use the Storage
control for managing storage plugin configurations.
+If a user, who is not an administrator, logs in, the Web Console controls are limited to
Query, Metrics, and Profiles. The Profiles page for a non-administrator user contains the
profiles of all queries the user issued either through ODBC, JDBC, or the Web Console. The
Profiles pages for administrators contains the profiles of all queries executed on a cluster.
Only administrators can see and use the Storage control for managing storage plugin configurations.
 
 ![Web Console User View]({{ site.baseurl }}/docs/img/web-ui-user-view.png)
 
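Review bot: The non-administrator paragraph drops Threads from the list of controls ("Query, Metrics, and Profiles"), while the administrator paragraph above still lists Threads. Confirm that Threads is really hidden from non-administrators, since this page will be read as the statement of what an unprivileged login can reach. Wording in the same paragraph: "The Profiles pages for administrators contains" should be "The Profiles page for administrators contains", and "either through ODBC, JDBC, or the Web Console" should lose "either" because three items follow.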

