drill-commits mailing list archives

From bridg...@apache.org
Subject drill git commit: updates to security docs
Date Thu, 16 Mar 2017 03:30:06 GMT
Repository: drill
Updated Branches:
  refs/heads/gh-pages b01577710 -> 04a17a2db

updates to security docs

Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/04a17a2d
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/04a17a2d
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/04a17a2d

Branch: refs/heads/gh-pages
Commit: 04a17a2db537a90344b0f612140b73ce6d194eb8
Parents: b015777
Author: Bridget Bevens <bbevens@maprtech.com>
Authored: Wed Mar 15 20:28:08 2017 -0700
Committer: Bridget Bevens <bbevens@maprtech.com>
Committed: Wed Mar 15 20:28:08 2017 -0700

 .../020-secure-communication-paths.md           |   4 ++--
 .../080-configuring-plain-authentication.md     |   4 ++--
 ...090-configuring-kerberos-auththentication.md |  11 +++++------
 _docs/img/kerberclientserver.png                | Bin 66070 -> 64107 bytes
 4 files changed, 9 insertions(+), 10 deletions(-)

diff --git a/_docs/configure-drill/securing-drill/020-secure-communication-paths.md b/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
index 37e09e9..9bdc1ee 100644
--- a/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
+++ b/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
@@ -1,6 +1,6 @@
 title: "Secure Communication Paths"
-date: 2017-03-16 03:01:53 UTC
+date: 2017-03-16 03:28:10 UTC
 parent: "Securing Drill"
 As illustrated in the following figure, Drill 1.10 features five secure communication paths.
Security features for each communication path are described their respective  sections.
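
Review bot: The context sentence below the front matter reads "described their respective  sections"; it is missing "in" and has a doubled space. Since this commit touches the file, change it to "are described in their respective sections".
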
@@ -12,7 +12,7 @@ As illustrated in the following figure, Drill 1.10 features five secure
 1. Java client and drillbit to ZooKeeper
 1. Drillbit to storage plugin
-![]({{ site.baseurl }}/docs/img/securecommunicationpaths.png)
 ## Web Client to Drillbit
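
Review bot: The securecommunicationpaths.png image line is removed here with no replacement line visible, yet the hunk header (-12,7 +12,7) says the line count is unchanged and the page text still says "As illustrated in the following figure". Confirm the figure reference survives in the committed file, and say in the commit message what changed on that line.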

diff --git a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
index 3c23e3e..4e29260 100644
--- a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
+++ b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
@@ -1,6 +1,6 @@
 title: "Configuring Plain Authentication"
-date: 2017-03-16 03:01:55 UTC
+date: 2017-03-16 03:28:11 UTC
 parent: "Securing Drill"
 Linux PAM provides a Plain (or username and password) authentication module that interface
with any installed PAM authentication entity, such as the local operating system password
file (`/etc/passwd`) or LDAP. 
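
Review bot: The context paragraph names `/etc/passwd` as the local operating system password file, but on current Linux systems the password hashes are kept in /etc/shadow and /etc/passwd holds only the account entries. Suggest "the local operating system password database" or naming both files, and fix "module that interface with" to "interfaces with" while the file is open.
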
@@ -19,7 +19,7 @@ This section includes the following topics:
 The following image illustrates the PAM user authentication process in Drill.  The client
passes a username and password to the drillbit as part of the connection request, which then
passes the credentials to PAM.  If PAM authenticates the user, the connection request passes
the authentication phase and the connection is established. The user will be authorized to
access Drill and issue queries against the file system or other storage plugins, such as Hive
or HBase.  
-![]({{ site.baseurl }}/docs/img/plainauthprocess.png)
 If PAM cannot authenticate the user, the connection request will not pass the authentication
phase, and the user will not be authorized to access Drill. The connection is terminated as
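
Review bot: The paragraph above the removed plainauthprocess.png line says the client passes a username and password to the drillbit, but does not say how that path is protected in transit; add a pointer to the Secure Communication Paths page at this point. The same paragraph says an authenticated user "will be authorized to access Drill", which blurs authentication and authorization, so keep the two terms distinct. Also confirm the image reference is still present, since the text says "The following image illustrates".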

diff --git a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
index c756d8c..ac6f76d 100644
--- a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
+++ b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
@@ -1,6 +1,6 @@
 title: "Configuring Kerberos Authentication"
-date: 2017-03-16 03:01:56 UTC
+date: 2017-03-16 03:28:12 UTC
 parent: "Securing Drill"
 As of version 1.10, Drill supports Kerberos v5 network security authentication.  Kerberos
allows trusted hosts to prove their identity over a network to an information system.  A Kerberos
realm is unique authentication domain. A centralized key distribution center (KDC) coordinates
authentication between a clients and servers. Clients and servers obtain and use tickets from
the KDC using a special keytab file to communicate with the KDC and prove their identity to
gain access to a drillbit.  Administrators must create principal (user or server) identities
and passwords to ensure the secure exchange of mutual authentication information passed to
and from the drillbit. 
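
Review bot: The overview paragraph has grammar slips in the context lines: "A Kerberos realm is unique authentication domain" needs "a", and "between a clients and servers" should be "between clients and servers". The sentence saying clients and servers use "a special keytab file" would also be clearer if it said which parties need a keytab. Separately, the file name in the diff header is spelled "auththentication"; worth correcting if a rename will not break existing links.
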
@@ -32,10 +32,10 @@ This section shows a high-level overview of the client authentication
process in
 1. The client uses the service ticket to request access to the drillbit.
-1. The drillbit service has access to the keytab, a file that contains a list of keys for
principals.  The key allows the service to decrypt the client’s ticket granting service
ticket, identify the principal, and grant access.
+1. The drillbit service has access to the keytab, a file that contains a list of keys for
principals.  The key allows the service to decrypt the client’s ticket granting service
ticket, identify the principal, and grant access.  
-![]({{ site.baseurl }}/docs/img/kerberosauthprocess.png)  
 ## Server Authentication Process
 For Kerberos server authentication information, see the [MIT Kerberos](http://web.mit.edu/kerberos/
"MIT Kerberos") administration documentation. 
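
Review bot: In the re-added step, "decrypt the client's ticket granting service ticket" reads as if the drillbit decrypts the ticket-granting ticket. The key in the service's keytab decrypts the service ticket that the previous step says the client presents, so suggest "decrypt the client's service ticket". The only visible difference between the removed and added lines is trailing whitespace, which makes this a good moment to fix the wording. The kerberosauthprocess.png line is also removed without a visible replacement; confirm the figure is still referenced.
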
@@ -49,10 +49,9 @@ During startup, a drillbit service must authenticate. At runtime, Drill
uses the
 Drill must  run as a user capable of impersonation. The Kerberos provider in the SASL framework
maps from the Kerberos identity to an OS user name. Drill impersonates the OS username when
running queries. 
-![]({{ site.baseurl }}/docs/img/kerberclientserver.png)  
 1. Create a Kerberos principal identity and a keytab file.  You can create one principal
for each drillbit or one principal for all drillbits in a cluster. The drill.keytab file must
be owned by and readable by the administrator user.  
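
Review bot: In step 1, "must be owned by and readable by the administrator user" does not say that no other account should be able to read drill.keytab, and does not tie the owner to the account the drillbit runs as, which the paragraph above describes as "a user capable of impersonation". State the intended owner and restrictive permissions explicitly (for example owner read-only), because anyone who can read the keytab can authenticate as the drillbit principal. The hunk header also drops the line count from 10 to 9 with the kerberclientserver.png line removed; confirm the figure is still referenced.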

diff --git a/_docs/img/kerberclientserver.png b/_docs/img/kerberclientserver.png
index caaaa66..1170144 100644
Binary files a/_docs/img/kerberclientserver.png and b/_docs/img/kerberclientserver.png differ
