From: bridgetb@apache.org To: commits@drill.apache.org Message-Id: <302495e02ecf4576a2de491c41eaecc9@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: drill git commit: Edits to user authentication docs - config for user impersonation also Date: Wed, 17 May 2017 01:13:12 +0000 (UTC) archived-at: Wed, 17 May 2017 01:13:14 -0000 Repository: drill Updated Branches: refs/heads/gh-pages 8a246b085 -> 208485234 Edits to user authentication docs - config for user impersonation also Project: http://git-wip-us.apache.org/repos/asf/drill/repo Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/20848523 Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/20848523 Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/20848523 Branch: refs/heads/gh-pages Commit: 2084852348e1cd91196ae488d81f6298b4024871 Parents: 8a246b0 Author: Bridget Bevens Authored: Tue May 16 18:11:21 2017 -0700 Committer: Bridget Bevens Committed: Tue May 16 18:11:21 2017 -0700 ---------------------------------------------------------------------- .../070-configuring-user-authentication.md | 11 ++- .../080-configuring-plain-authentication.md | 27 ++++--- ...090-configuring-kerberos-auththentication.md | 74 ++++++++++++-------- 3 files changed, 65 insertions(+), 47 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md index 8848534..daa0016 100644 --- a/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md +++ b/_docs/configure-drill/securing-drill/070-configuring-user-authentication.md 
@@ -1,6 +1,6 @@ --- title: "Configuring User Authentication" -date: 2017-03-16 01:48:00 UTC +date: 2017-05-17 01:11:27 UTC parent: "Securing Drill" --- Authentication is the process of establishing confidence of authenticity. A Drill client user is authenticated when a drillbit process running in a Drill cluster confirms the identity it is presented with. Drill 1.10 supports several authentication mechanisms through which users can prove their identity before accessing cluster data: 
@@ -9,14 +9,11 @@ Authentication is the process of establishing confidence of authenticity. A Dril * **Plain** [also known as basic authentication (auth), which is username and password-based authentication, through the Linux Pluggable Authentication Module (PAM)] - See [Configuring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/). * **Custom authenticators** - See [Creating Custom Authenticators]({{site.baseurl}}/docs/creating-custom-authenticators). -These authentication options are available through JDBC and ODBC interfaces. +These authentication options are available through JDBC and ODBC interfaces. ---- -**Note** - -If user impersonation is enabled, Drill executes the client requests as the authenticated user. Otherwise, Drill executes client requests as the user that started the drillbit process. You can enable both authentication and impersonation to improve Drill security. See [Configuring User Impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/) for more information. ---- +{% include startnote.html %}Enabling both [user impersonation]({{site.baseurl}}/docs/configuring-user-impersonation/) and authentication is recommended to restrict access to data and improve security. When user impersonation is enabled, Drill executes the client requests as +the authenticated user. Otherwise, Drill executes client requests as the user that started the drillbit process.{% include endnote.html %} http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md index 4669237..174f3e4 100644 --- a/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md 
+++ b/_docs/configure-drill/securing-drill/080-configuring-plain-authentication.md @@ -1,6 +1,6 @@ --- title: "Configuring Plain Authentication" -date: 2017-03-16 23:46:05 UTC +date: 2017-05-17 01:11:30 UTC parent: "Securing Drill" --- Linux PAM provides a Plain (or username and password) authentication module that interface with any installed PAM authentication entity, such as the local operating system password file (`/etc/passwd`) or LDAP. @@ -90,14 +90,23 @@ Complete the following steps to install and configure PAM for Drill: 1. Add the following configuration to the drill.exec block in `/conf/drill-override.conf`: - drill.exec { - security.user.auth { - enabled: true, - packages += "org.apache.drill.exec.rpc.user.security", - impl: "pam", - pam_profiles: [ "sudo", "login" ] - } - } + drill.exec: { + cluster-id: "drillbits1", + zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181", + impersonation: { + enabled: true, + max_chained_user_hops: 3 + }, + security: { + auth.mechanisms : ["PLAIN"], + }, + security.user.auth: { + enabled: true, + packages += "org.apache.drill.exec.rpc.user.security", + impl: "pam", + pam_profiles: [ "sudo", "login" ] + } + } 1. (Optional) To add or remove different PAM profiles, add or delete the profile names in the “pam_profiles” array shown above. http://git-wip-us.apache.org/repos/asf/drill/blob/20848523/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md index 7bd4e26..bff66d2 100644 --- a/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md +++ b/_docs/configure-drill/securing-drill/090-configuring-kerberos-auththentication.md 
@@ -1,18 +1,14 @@ --- title: "Configuring Kerberos Authentication" -date: 2017-03-17 22:31:37 UTC +date: 2017-05-17 01:11:31 UTC parent: "Securing Drill" --- In release 1.10 Drill supports Kerberos v5 network security authentication. To use Kerberos with Drill and establish connectivity, use the JDBC driver packaged with Drill 1.10. -Kerberos allows trusted hosts to prove their identity over a network to an information system. A Kerberos *realm* is unique authentication domain. A centralized *key distribution center (KDC)* coordinates authentication between a clients and servers. Clients and servers obtain and use tickets from the KDC using a special *keytab* file to communicate with the KDC and prove their identity to gain access to a drillbit. Administrators must create *principal* (user or server) identities and passwords to ensure the secure exchange of mutual authentication information passed to and from the drillbit. +Kerberos allows trusted hosts to prove their identity over a network to an information system. A Kerberos *realm* is unique authentication domain. A centralized *key distribution center (KDC)* coordinates authentication between a clients and servers. Clients and servers obtain and use tickets from the KDC using a special *keytab* file to communicate with the KDC and prove their identity to gain access to a drillbit. Administrators must create *principal* (user or server) identities and passwords to ensure the secure exchange of mutual authentication information passed to and from the drillbit. ---- -**NOTE** - -Proper setup, configuration, administration, and usage of a Kerberos environment is beyond the scope of this documentation. See the [MIT Kerberos](http://web.mit.edu/kerberos/ "MIT Kerberos") documentation for information about Kerberos. +{% include startnote.html %}Proper setup, configuration, administration, and usage of a Kerberos environment is beyond the scope of this documentation. 
See the [MIT Kerberos](http://web.mit.edu/kerberos/ "MIT Kerberos") documentation for information about Kerberos.{% include endnote.html %} ---- ## Prerequisites 
@@ -66,30 +62,46 @@ During startup, a drillbit service must authenticate. At runtime, Drill uses the   2. Add the Kerberos principal identity and keytab file to the `drill-override.conf` file. - * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the principal, it is replaced with the fully qualified domain name of that host for the instance name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@.COM` as the principal, the canonicalized principal is `drill/host01.aws.lab@.COM`. - - drill.exec { - security: { - user.auth.enabled:true, - auth.mechanisms:[“KERBEROS”], - auth.principal:“drill/@.COM”, - auth.keytab:“/etc/drill/conf/drill.keytab” - } - } - - * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration parameters. For example, the following configuration enables Kerberos and Plain (username and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication) for Plain PAM configuration instructions. - - drill.exec: { - security: { - user.auth.enabled:true, - user.auth.impl:"pam", - user.auth.pam_profile:["sudo", "login"], - auth.mechanisms:["KERBEROS","PLAIN"], - auth.principal:"drill/@.COM", - auth.keytab:"/etc/drill/conf/drill.keytab" - } - } - + * The instance name must be lowercase. Also, if \_HOST is set as the instance name in the principal, it is replaced with the fully qualified domain name of that host for the instance name. For example, if a drillbit running on `host01.aws.lab` uses `drill/_HOST@.COM` as the principal, the canonicalized principal is `drill/host01.aws.lab@.COM`. 
+ + drill.exec: { + cluster-id: "drillbits1", + zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181", + impersonation: { + enabled: true, + max_chained_user_hops: 3 + }, + security: { + user.auth.enabled:true, + auth.mechanisms:[“KERBEROS”], + auth.principal:“drill/@.COM”, + auth.keytab:“/etc/drill/conf/drill.keytab” + } + + } + + * To configure multiple mechanisms, extend the mechanisms list and provide additional configuration parameters. For example, the following configuration enables Kerberos and Plain (username and password) mechanisms. See [Installing and Connfiguring Plain Authentication]({{site.baseurl}}/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication) for Plain PAM configuration instructions. + + drill.exec: { + cluster-id: "drillbits1", + zk.connect: "qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181", + impersonation: { + enabled: true, + max_chained_user_hops: 3 + }, + security: { + user.auth.enabled:true, + auth.mechanisms:["KERBEROS","PLAIN"], + auth.principal:“drill/@.COM”, + auth.keytab:“/etc/drill/conf/drill.keytab” + } + security.user.auth: { + enabled: true, + packages += "org.apache.drill.exec.rpc.user.security", + impl: "pam", + pam_profiles: ["sudo", "login"] + } + }
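Review bot: in the 070-configuring-user-authentication.md hunk at @@ -9,14 +9,11 @@, the rewritten note recommends enabling impersonation together with authentication but no longer states why: when impersonation is off, every client request runs with the privileges of the account that started the drillbit, so file-system and storage permissions are checked against that service account rather than the calling user. A sentence to that effect after "Otherwise, Drill executes client requests as the user that started the drillbit process." would make the recommendation concrete. The `+These authentication options are available through JDBC and ODBC interfaces.` line appears to be a whitespace-only change and could be dropped from the diff.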
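Review bot: in the 080-configuring-plain-authentication.md hunk at @@ -90,14 +90,23 @@, the replacement example hard-codes lab-specific values (`cluster-id: "drillbits1"` and `zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181"`) that are unrelated to the PAM step, while the step text still says to add the configuration "to the drill.exec block"; a reader pasting it verbatim will duplicate or silently override the `cluster-id` and `zk.connect` they already have. Suggest limiting the example to the `impersonation`, `security` and `security.user.auth` blocks, or at least replacing the hostnames with obvious placeholders. The `impersonation` block (including `max_chained_user_hops: 3`) is also introduced on this page without explanation; a one-line pointer to the user impersonation doc, stating that the block is optional for plain authentication, would help. This page uses ZooKeeper port 5181 while the Kerberos page in the same commit uses 2181; the two examples should agree.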
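Review bot: in the 090-configuring-kerberos-auththentication.md hunk at @@ -1,18 +1,14 @@, the overview paragraph is removed and re-added unchanged, so two grammar slips survive that could be fixed while the line is touched: "A Kerberos *realm* is unique authentication domain" (missing "a") and "coordinates authentication between a clients and servers" (stray "a"). The same paragraph says administrators create principal "identities and passwords", while the configuration later on the page authenticates the drillbit with `auth.keytab`; "identities and keys (or passwords)" would match the keytab-based setup the page actually describes.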
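Review bot: in the 090-configuring-kerberos-auththentication.md hunk at @@ -66,30 +62,46 @@, the second (Kerberos plus Plain) example regresses from straight to typographic quotes: the removed block had `auth.principal:"drill/@.COM"` and `auth.keytab:"/etc/drill/conf/drill.keytab"`, the added block has `auth.principal:“drill/@.COM”` and `auth.keytab:“/etc/drill/conf/drill.keytab”`, and the first example keeps `auth.mechanisms:[“KERBEROS”]`. HOCON does not treat curly quotes as string delimiters, so these values are not read as intended (the `@` in the principal is not valid in an unquoted value, and the keytab path would be read with the quote characters included); use plain `"` throughout. The principals also read `drill/_HOST@.COM` and `drill/host01.aws.lab@.COM` with nothing in front of `.COM`; if angle-bracket placeholders are being swallowed by the renderer, an explicit realm placeholder such as `EXAMPLE.COM` avoids that. Smaller points: the first example has an empty line before its closing `}`, and `[Installing and Connfiguring Plain Authentication]` keeps the "Connfiguring" typo in the re-added line. Moving the PAM settings into `security.user.auth` with `pam_profiles` (plural) is a good fix, since it now matches the plain-authentication page; the removed `user.auth.pam_profile` (singular) key would not match that option name.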