drill-commits mailing list archives

From: bridg...@apache.org
Subject: drill git commit: Drill 1.10 doc updates
Date: Thu, 16 Mar 2017 03:05:00 GMT
Repository: drill
Updated Branches:
  refs/heads/gh-pages 42920f268 -> b01577710


Drill 1.10 doc updates


Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/b0157771
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/b0157771
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/b0157771

Branch: refs/heads/gh-pages
Commit: b01577710bd9c914aa3962df3d14c9fa635d9977
Parents: 42920f2
Author: Bridget Bevens <bbevens@maprtech.com>
Authored: Wed Mar 15 20:01:52 2017 -0700
Committer: Bridget Bevens <bbevens@maprtech.com>
Committed: Wed Mar 15 20:01:52 2017 -0700

----------------------------------------------------------------------
 .../020-secure-communication-paths.md           | 26 +++++++++---------
 .../080-configuring-plain-authentication.md     |  4 +--
 ...090-configuring-kerberos-auththentication.md | 28 ++++++++++++--------
 3 files changed, 32 insertions(+), 26 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill/blob/b0157771/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/020-secure-communication-paths.md b/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
index ee21b21..37e09e9 100644
--- a/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
+++ b/_docs/configure-drill/securing-drill/020-secure-communication-paths.md
@@ -1,25 +1,25 @@
 ---
 title: "Secure Communication Paths"
-date: 2017-03-15 00:30:47 UTC
+date: 2017-03-16 03:01:53 UTC
 parent: "Securing Drill"
 ---
 As illustrated in the following figure, Drill 1.10 features five secure communication paths.
Security features for each communication path are described their respective  sections.
 
-
-1. Web client to drillbit
-1. C++ client to drillbit
-1. Java client to drillbit
-1. Java client and drillbit to ZooKeeper
+
+1. Web client to drillbit
+1. C++ client to drillbit
+1. Java client to drillbit
+1. Java client and drillbit to ZooKeeper
 1. Drillbit to storage plugin
 
-![Secure Communication Paths](http://i.imgur.com/2ndkLt6.png)
+![]({{ site.baseurl }}/docs/img/securecommunicationpaths.png)
 
 
 ## Web Client to Drillbit
 
 The Web Console and REST API clients are web clients. Web clients can:
-
-- Submit and monitor queries
+
+- Submit and monitor queries
 - Configure storage plugins
 
 ---
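Review bot: the new image line `![]({{ site.baseurl }}/docs/img/securecommunicationpaths.png)` drops the alt text that the old line carried ("Secure Communication Paths"). Keep it, e.g. `![Secure Communication Paths]({{ site.baseurl }}/docs/img/securecommunicationpaths.png)`, so the figure is still described when the image does not load or is read by a screen reader; the other image lines replaced in this commit lose their alt text the same way. The removed and re-added list items read identically here, so those changes look like whitespace only, and the context sentence "described their respective  sections" is missing "in".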
@@ -39,10 +39,10 @@ Impersonation and authorization are available through the web clients
only when
 
 Java (native or JDBC) and C++ (native or ODBC) clients submit queries to Drill. BI tools
use the ODBC or JDBC API.
 
-| Security Capability | Description                                                     
                                                                                         
                                                                                         
                                                                                         
                                                                                         
               | Reference                                                            |
-|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
-| Authentication      | Users authenticate to a drillbit using Kerberos, Plain (username
and password through PAM), and Custom authenticator (username and password). By default, user
authentication is disabled.                                                              
                                                                                         
                                                                                         
           | Configuring User Authentication                                      |
-| Impersonation       | Drill acts on behalf of the user on the session. This is usually
the connection user (or the user that authenticates). This user can impersonate another user.
This is allowed if the connection user is authorized to impersonate the target user based
on the inbound impersonation policies (USER role).  By default, impersonation is disabled.
                                                                                         
          | Configuring User Impersonation and Configuring Inbound Impersonation |
+| Security Capability | Description                                                     
                                                                                         
                                                                                         
                                                                                         
                                                                                         
               | Reference                                                            |
+|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------|
+| Authentication      | Users authenticate to a drillbit using Kerberos, Plain (username
and password through PAM), and Custom authenticator (username and password). By default, user
authentication is disabled.                                                              
                                                                                         
                                                                                         
           | Configuring User Authentication                                      |
+| Impersonation       | Drill acts on behalf of the user on the session. This is usually
the connection user (or the user that authenticates). This user can impersonate another user.
This is allowed if the connection user is authorized to impersonate the target user based
on the inbound impersonation policies (USER role).  By default, impersonation is disabled.
                                                                                         
          | Configuring User Impersonation and Configuring Inbound Impersonation |
 | Authorization       | A user can execute queries on data that he/she has access to. Each
storage plugin manages the read/write permissions. Users can create views on top of data to
provide granular access to that data. The user sets read permissions to appropriate users
and/or groups.  System-level options can only be changed by administrators (USER role). By
default, only the process user is an administrator. This is available if authentication is
enabled. | Configuring User Impersonation/Impersonation and Views               |
 
 ## Drill Client and Drillbit to ZooKeeper 
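Review bot: the header, Authentication and Impersonation rows are removed and re-added with the same visible text, so this hunk appears to change only whitespace in a very wide table, which makes it hard to confirm that none of the stated security defaults changed. Say in the commit message what the whitespace change is for, or leave the rows untouched. While these rows are open: the Impersonation row and the Authorization context row both carry a "(USER role)" qualifier, once for inbound impersonation policies and once for administrators changing system-level options; confirm the second is intended.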

http://git-wip-us.apache.org/repos/asf/drill/blob/b0157771/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
index 0beaff6..3c23e3e 100644
--- a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
+++ b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring Plain Authentication"
-date: 2017-03-16 01:22:52 UTC
+date: 2017-03-16 03:01:55 UTC
 parent: "Securing Drill"
 ---
 Linux PAM provides a Plain (or username and password) authentication module that interface
with any installed PAM authentication entity, such as the local operating system password
file (`/etc/passwd`) or LDAP. 
@@ -19,7 +19,7 @@ This section includes the following topics:
 
 The following image illustrates the PAM user authentication process in Drill.  The client
passes a username and password to the drillbit as part of the connection request, which then
passes the credentials to PAM.  If PAM authenticates the user, the connection request passes
the authentication phase and the connection is established. The user will be authorized to
access Drill and issue queries against the file system or other storage plugins, such as Hive
or HBase.  
 
-![Plain Auth Process](http://i.imgur.com/JkuApo2.png)
+![]({{ site.baseurl }}/docs/img/plainauthprocess.png)
 
 If PAM cannot authenticate the user, the connection request will not pass the authentication
phase, and the user will not be authorized to access Drill. The connection is terminated as
`AUTH_FAILED`.
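Review bot: the paragraph above the image says the client passes a username and password to the drillbit, which passes them to PAM, but nothing in this hunk says how those credentials are protected between client and drillbit. Add a sentence stating that, or link to the section that does. The replacement image line also has empty alt text where the old one had "Plain Auth Process".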
 

http://git-wip-us.apache.org/repos/asf/drill/blob/b0157771/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
index 284f34d..c756d8c 100644
--- a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
+++ b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring Kerberos Authentication"
-date: 2017-03-16 02:40:10 UTC
+date: 2017-03-16 03:01:56 UTC
 parent: "Securing Drill"
 ---
 As of version 1.10, Drill supports Kerberos v5 network security authentication.  Kerberos
allows trusted hosts to prove their identity over a network to an information system.  A Kerberos
realm is unique authentication domain. A centralized key distribution center (KDC) coordinates
authentication between a clients and servers. Clients and servers obtain and use tickets from
the KDC using a special keytab file to communicate with the KDC and prove their identity to
gain access to a drillbit.  Administrators must create principal (user or server) identities
and passwords to ensure the secure exchange of mutual authentication information passed to
and from the drillbit. 
@@ -35,14 +35,14 @@ This section shows a high-level overview of the client authentication
process in
 1. The drillbit service has access to the keytab, a file that contains a list of keys for
principals.  The key allows the service to decrypt the client’s ticket granting service
ticket, identify the principal, and grant access.
 
 
-![Kerberos Auth Process Overview](http://i.imgur.com/U6e8FR5.png)
+![]({{ site.baseurl }}/docs/img/kerberosauthprocess.png)  
 
 ## Server Authentication Process
 For Kerberos server authentication information, see the [MIT Kerberos](http://web.mit.edu/kerberos/
"MIT Kerberos") administration documentation. 
 
 
 ## Enabling Authentication
-During startup, a drillbit service must authenticate. At runtime, Drill uses the keytab file.
Trust is based on the keytab file; it’s secrets are shared with the KDC. The drillbit service
also uses this keytab credential to validate service tickets from clients. Based on this information,
the drillbit determines whether the client’s identity can be verified to use its service.

+During startup, a drillbit service must authenticate. At runtime, Drill uses the keytab file.
Trust is based on the keytab file; its secrets are shared with the KDC. The drillbit service
also uses this keytab credential to validate service tickets from clients. Based on this information,
the drillbit determines whether the client’s identity can be verified to use its service.

 
 ---
 **NOTE**
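Review bot: in the corrected "Enabling Authentication" paragraph, "During startup, a drillbit service must authenticate" does not say what the drillbit authenticates to, and the next sentence jumps to runtime use of the keytab. Name the party (the paragraph goes on to say the keytab's secrets are shared with the KDC) so that the startup step and the later validation of client service tickets read as two distinct uses of the same keytab. The "it's" to "its" fix is correct.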
@@ -52,16 +52,20 @@ Drill must  run as a user capable of impersonation. The Kerberos provider
in the
 ---
 
 
-![Kerberos Client-Server Connection](http://i.imgur.com/04S0vss.png)  
+![]({{ site.baseurl }}/docs/img/kerberclientserver.png)  
+ 
 
-1. Create a Kerberos principal identity and a keytab file.  You can create one principal
for each drillbit or one principal for all drillbits in a cluster. The drill.keytab file must
be owned by and readable by the administrator user. 
-       * For a single principal per node in cluster:
+1. Create a Kerberos principal identity and a keytab file.  You can create one principal
for each drillbit or one principal for all drillbits in a cluster. The drill.keytab file must
be owned by and readable by the administrator user.  
+ 
+   * For a single principal per node in cluster:
        
 
             # kadmin  
 			: addprinc -randkey <username>/<FQDN>@<REALM>.COM  
-			: ktadd -k /opt/mapr/conf/drill.keytab <username>/<FQDN>@<REALM>.COM
-       * For a single principal per cluster, use `<clustername>` instead of `<FQDN>`:
+			: ktadd -k /opt/mapr/conf/drill.keytab <username>/<FQDN>@<REALM>.COM
 
+
+
+   * For a single principal per cluster, use `<clustername>` instead of `<FQDN>`:

        
 
             # kadmin  
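Review bot: in step 1, "The drill.keytab file must be owned by and readable by the administrator user" does not say that other users must not be able to read it. The overview earlier in this file describes the keytab as holding the keys for principals, so word it as owned by and readable only by that user, and say which account that is (the note above says Drill must run as a user capable of impersonation). The `ktadd -k /opt/mapr/conf/drill.keytab` path in this step also differs from the `/etc/drill/conf/drill.keytab` path used in the `drill-override.conf` examples in step 2; use one path, or state that the file has to be copied.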
@@ -70,6 +74,7 @@ Drill must  run as a user capable of impersonation. The Kerberos provider
in the
        
 
 2. Add the Kerberos principal identity and keytab file to the `drill-override.conf` file.
 
+  
  * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the
principal, it is replaced with the fully qualified domain name of that host for the instance
name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@<EXAMPLE>.COM`
as the principal, the canonicalized principal is `drill/host01.aws.lab@<EXAMPLE>.COM`.

  
    
@@ -81,8 +86,8 @@ Drill must  run as a user capable of impersonation. The Kerberos provider
in the
  			      auth.keytab:“/etc/drill/conf/drill.keytab”  
 				}  
 			}  
-  
-   * To configure multiple mechanisms, extend the mechanisms list and provide additional
configuration parameters. For example, the following configuration enables Kerberos and Plain
(username and password) mechanisms. See Installing and Configuring Plain Authentication for
PAM configuration instructions. 
+    
+ * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration
parameters. For example, the following configuration enables Kerberos and Plain (username
and password) mechanisms. See Installing and Configuring Plain Authentication for PAM configuration
instructions. 
    
  
              drill.exec: {  
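Review bot: the context line `auth.keytab:“/etc/drill/conf/drill.keytab”` in the first `drill-override.conf` example uses typographic quotes, while the second example uses straight quotes (`auth.keytab:"/etc/drill/conf/drill.keytab"`). A reader who copies the first example will not get the quoted string the example intends; replace the curly quotes with `"` while this list is being re-indented.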
@@ -94,7 +99,8 @@ Drill must  run as a user capable of impersonation. The Kerberos provider
in the
               	   auth.principal:"drill/<clustername>@<REALM>.COM",  
               	   auth.keytab:"/etc/drill/conf/drill.keytab"  
               		}  
-              	}    
+              	}  
+   
 3. Restart the drillbit process on each Drill node.  
    
         <DRILLINSTALL_HOME>/bin/drillbit.sh restart 

