drill-commits mailing list archives

From bridg...@apache.org
Subject drill git commit: Edits to user authentication docs - config for user impersonation also
Date Wed, 17 May 2017 01:13:12 GMT
Repository: drill
Updated Branches:
  refs/heads/gh-pages 8a246b085 -> 208485234


Edits to user authentication docs - config for user impersonation also


Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/20848523
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/20848523
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/20848523

Branch: refs/heads/gh-pages
Commit: 2084852348e1cd91196ae488d81f6298b4024871
Parents: 8a246b0
Author: Bridget Bevens <bbevens@maprtech.com>
Authored: Tue May 16 18:11:21 2017 -0700
Committer: Bridget Bevens <bbevens@maprtech.com>
Committed: Tue May 16 18:11:21 2017 -0700

----------------------------------------------------------------------
 .../070-configuring-user-authentication.md      | 11 ++-
 .../080-configuring-plain-authentication.md     | 27 ++++---
 ...090-configuring-kerberos-auththentication.md | 74 ++++++++++++--------
 3 files changed, 65 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
index 8848534..daa0016 100644
--- a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
+++ b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring User Authentication"
-date: 2017-03-16 01:48:00 UTC
+date: 2017-05-17 01:11:27 UTC
 parent: "Securing Drill"
 ---
 Authentication is the process of establishing confidence of authenticity. A Drill client
user is authenticated when a drillbit process running in a Drill cluster confirms the identity
it is presented with.  Drill 1.10 supports several authentication mechanisms through which
users can prove their identity before accessing cluster data: 
@@ -9,14 +9,11 @@ Authentication is the process of establishing confidence of authenticity.
A Dril
 * **Plain** [also known as basic authentication (auth), which is username and password-based
authentication, through the Linux Pluggable Authentication Module (PAM)] - See [Configuring
Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/).
 * **Custom authenticators** - See [Creating Custom Authenticators]({{site.baseurl}}/docs/creating-custom-authenticators).
 
-These authentication options are available through JDBC and ODBC interfaces.
+These authentication options are available through JDBC and ODBC interfaces.  
 
----
-**Note**
-
-If user impersonation is enabled, Drill executes the client requests as the authenticated
user. Otherwise, Drill executes client requests as the user that started the drillbit process.
You can enable both authentication and impersonation to improve Drill security. See [Configuring
User Impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/) for more information.
 
----
+{% include startnote.html %}Enabling both [user impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/)
and authentication is recommended to restrict access to data and improve security. When user
impersonation is enabled, Drill executes the client requests as 
+the authenticated user. Otherwise, Drill executes client requests as the user that started
the drillbit process.{% include endnote.html %}
 
 
 
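Review bot: in the new startnote, the security-relevant statement is the trailing one, "Otherwise, Drill executes client requests as the user that started the drillbit process", and it is easy to miss after the recommendation. With authentication on and impersonation off, every authenticated user's query still runs as the drillbit process user, so consider stating that consequence first and the recommendation second. Separately, the `+` line ending in `interfaces.  ` changes only trailing whitespace (two trailing spaces render as a Markdown hard break), and the note is split mid-sentence after `as `; both look unintended.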

http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
index 4669237..174f3e4 100644
--- a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
+++ b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md
@@ -1,6 +1,6 @@
 ---
 title: "Configuring Plain Authentication"
-date: 2017-03-16 23:46:05 UTC
+date: 2017-05-17 01:11:30 UTC
 parent: "Securing Drill"
 ---
 Linux PAM provides a Plain (or username and password) authentication module that interface
with any installed PAM authentication entity, such as the local operating system password
file (`/etc/passwd`) or LDAP. 
@@ -90,14 +90,23 @@ Complete the following steps to install and configure PAM for Drill:
 
 1. Add the following configuration to the drill.exec block in `<DRILL_HOME>/conf/drill-override.conf`:

 		
-		  drill.exec {
-		   security.user.auth {
-		         enabled: true,
-		         packages += "org.apache.drill.exec.rpc.user.security",
-		         impl: "pam",
-		         pam_profiles: [ "sudo", "login" ]
-		   } 
-		  }
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {          
+                        auth.mechanisms : ["PLAIN"],
+                         },
+                security.user.auth: {
+                        enabled: true,
+                        packages += "org.apache.drill.exec.rpc.user.security",
+                        impl: "pam",
+                        pam_profiles: [ "sudo", "login" ]
+                 }
+               }
 
 1. (Optional) To add or remove different PAM profiles, add or delete the profile names in
the “pam_profiles” array shown above. 
 
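Review bot: step 1 still reads "Add the following configuration to the drill.exec block", but the replacement snippet is now an entire `drill.exec` block with `cluster-id`, `zk.connect` and an `impersonation` section, so a reader who pastes it replaces their own cluster settings and turns on impersonation with `max_chained_user_hops: 3` without the step saying so. Either trim the snippet back to the `security` keys or reword the step to say a full example block is shown and that impersonation is enabled in it. The `zk.connect` value uses what look like lab hostnames (`qa102-81.qa.lab:5181,...`), and the port is 5181 here but 2181 for the same hosts in the Kerberos page changed by this commit; placeholders such as `<zk-host>:<port>` would avoid both problems. The closing `},` of the `security: {` section is also indented differently from the other sections.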

http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
----------------------------------------------------------------------
diff --git a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
index 7bd4e26..bff66d2 100644
--- a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
+++ b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md
@@ -1,18 +1,14 @@
 ---
 title: "Configuring Kerberos Authentication"
-date: 2017-03-17 22:31:37 UTC
+date: 2017-05-17 01:11:31 UTC
 parent: "Securing Drill"
 ---
 In release 1.10 Drill supports Kerberos v5 network security authentication.  To use Kerberos
with Drill and establish connectivity, use the JDBC driver packaged with Drill 1.10.
 
-Kerberos allows trusted hosts to prove their identity over a network to an information system.
 A Kerberos *realm* is unique authentication domain. A centralized *key distribution center
(KDC)* coordinates authentication between a clients and servers. Clients and servers obtain
and use tickets from the KDC using a special *keytab* file to communicate with the KDC and
prove their identity to gain access to a drillbit.  Administrators must create *principal*
(user or server) identities and passwords to ensure the secure exchange of mutual authentication
information passed to and from the drillbit. 
+Kerberos allows trusted hosts to prove their identity over a network to an information system.
 A Kerberos *realm* is unique authentication domain. A centralized *key distribution center
(KDC)* coordinates authentication between a clients and servers. Clients and servers obtain
and use tickets from the KDC using a special *keytab* file to communicate with the KDC and
prove their identity to gain access to a drillbit.  Administrators must create *principal*
(user or server) identities and passwords to ensure the secure exchange of mutual authentication
information passed to and from the drillbit.   
 
----
-**NOTE**
-
-Proper setup, configuration, administration, and usage of a Kerberos environment is beyond
the scope of this documentation.  See the [MIT Kerberos](http://web.mit.edu/kerberos/ "MIT
Kerberos") documentation for information about Kerberos.
+{% include startnote.html %}Proper setup, configuration, administration, and usage of a Kerberos
environment is beyond the scope of this documentation.  See the [MIT Kerberos](http://web.mit.edu/kerberos/
"MIT Kerberos") documentation for information about Kerberos.{% include endnote.html %}  
 
----
 
 ## Prerequisites
 
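Review bot: the Kerberos paragraph is removed and re-added with only trailing whitespace changed, so the existing errors in it survive the edit: "is unique authentication domain" should be "is a unique authentication domain", and "between a clients and servers" should be "between clients and servers". Since the line is being touched anyway, fix the wording and drop the trailing spaces so the diff carries a real change. The same applies to the new startnote line, which ends in two trailing spaces after `{% include endnote.html %}`.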
@@ -66,30 +62,46 @@ During startup, a drillbit service must authenticate. At runtime, Drill
uses the
 &nbsp;
 2.  Add the Kerberos principal identity and keytab file to the `drill-override.conf` file.
 
 
- * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the
principal, it is replaced with the fully qualified domain name of that host for the instance
name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@<EXAMPLE>.COM`
as the principal, the canonicalized principal is `drill/host01.aws.lab@<EXAMPLE>.COM`.

-
-             drill.exec {  
-   			    security: {  
- 			      user.auth.enabled:true,  
- 			      auth.mechanisms:[“KERBEROS”],  
- 			      auth.principal:“drill/<clustername>@<REALM>.COM”,  
- 			      auth.keytab:“/etc/drill/conf/drill.keytab”  
-				}  
-			}  
-
- * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration
parameters. For example, the following configuration enables Kerberos and Plain (username
and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication)
for Plain PAM configuration instructions. 
-   
-             drill.exec: {  
-              	security: {  
-              	   user.auth.enabled:true,  
-              	   user.auth.impl:"pam",  
-              	   user.auth.pam_profile:["sudo", "login"],  
-              	   auth.mechanisms:["KERBEROS","PLAIN"],  
-              	   auth.principal:"drill/<clustername>@<REALM>.COM",  
-              	   auth.keytab:"/etc/drill/conf/drill.keytab"  
-              		}  
-              	}  
-
+ * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the
principal, it is replaced with the fully qualified domain name of that host for the instance
name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@<EXAMPLE>.COM`
as the principal, the canonicalized principal is `drill/host01.aws.lab@<EXAMPLE>.COM`.
 
+
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {  
+                        user.auth.enabled:true,  
+                        auth.mechanisms:[“KERBEROS”],  
+                        auth.principal:“drill/<clustername>@<REALM>.COM”,
 
+                        auth.keytab:“/etc/drill/conf/drill.keytab”  
+                }
+                
+              }
+
+ * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration
parameters. For example, the following configuration enables Kerberos and Plain (username
and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication)
for Plain PAM configuration instructions.  
+
+              drill.exec: {
+                cluster-id: "drillbits1",
+                zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181",
+                impersonation: {
+                  enabled: true,
+                  max_chained_user_hops: 3
+                },
+                security: {  
+                        user.auth.enabled:true,  
+                        auth.mechanisms:["KERBEROS","PLAIN"],  
+                        auth.principal:“drill/<clustername>@<REALM>.COM”,
 
+                        auth.keytab:“/etc/drill/conf/drill.keytab”  
+                      }  
+                security.user.auth: {
+                        enabled: true,
+                        packages += "org.apache.drill.exec.rpc.user.security",
+                        impl: "pam",
+                        pam_profiles: ["sudo", "login"]
+                       }   
+                }
 
 
 &nbsp;
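Review bot: the new `security` sections keep typographic quotes in `auth.mechanisms:[“KERBEROS”]`, `auth.principal:“drill/<clustername>@<REALM>.COM”` and `auth.keytab:“/etc/drill/conf/drill.keytab”`. Those characters are not string delimiters in `drill-override.conf`, so a reader who copies the block does not get the intended quoted values; use straight quotes, as the second block already does for `["KERBEROS","PLAIN"]`. Two smaller points in the same hunk: the link text "Installing and Connfiguring Plain Authentication" carries its typo into the `+` line, and `zk.connect` lists lab hostnames (`qa102-81.qa.lab:2181,...`) where placeholders would be safer in published docs. The move from `user.auth.pam_profile` to `pam_profiles` under `security.user.auth` now matches the Plain authentication page, which is worth calling out in the commit message.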

