drill-commits mailing list archives

From bridg...@apache.org
Subject drill-site git commit: Doc edits for Drill 1.11
Date Mon, 31 Jul 2017 21:04:12 GMT
Repository: drill-site
Updated Branches:
  refs/heads/asf-site e168c6134 -> 7866d03e2


Doc edits for Drill 1.11


Project: http://git-wip-us.apache.org/repos/asf/drill-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill-site/commit/7866d03e
Tree: http://git-wip-us.apache.org/repos/asf/drill-site/tree/7866d03e
Diff: http://git-wip-us.apache.org/repos/asf/drill-site/diff/7866d03e

Branch: refs/heads/asf-site
Commit: 7866d03e2ca893e29175a850fee831856edbd54b
Parents: e168c61
Author: Bridget Bevens <bbevens@maprtech.com>
Authored: Mon Jul 31 14:03:57 2017 -0700
Committer: Bridget Bevens <bbevens@maprtech.com>
Committed: Mon Jul 31 14:03:57 2017 -0700

----------------------------------------------------------------------
 blog/2017/07/31/drill-1.11-released/index.html  | 13 ++++--
 .../index.html                                  | 46 ++++++++++++++++----
 docs/configuring-user-authentication/index.html |  4 +-
 docs/secure-communication-paths/index.html      |  9 +++-
 docs/securing-drill-introduction/index.html     |  4 +-
 feed.xml                                        | 17 +++++---
 6 files changed, 68 insertions(+), 25 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/blog/2017/07/31/drill-1.11-released/index.html
----------------------------------------------------------------------
diff --git a/blog/2017/07/31/drill-1.11-released/index.html b/blog/2017/07/31/drill-1.11-released/index.html
index 7701412..be42b37 100644
--- a/blog/2017/07/31/drill-1.11-released/index.html
+++ b/blog/2017/07/31/drill-1.11-released/index.html
@@ -146,7 +146,7 @@
 
 <h2 id="spill-to-disk-for-hash-aggregate-operator-(drill-5457)">Spill to Disk for Hash
Aggregate Operator (DRILL-5457)</h2>
 
-<p>The Hash aggregate operator can spill data to disk in cases where the operation
exceeds the set memory limit.   </p>
+<p>The Hash aggregate operator can spill data to disk in cases where the operation
exceeds the set memory limit. Note that you may need to increase the default value of the
<code>planner.memory.max_query_memory_per_node</code> option due to insufficient
memory.      </p>
 
 <h2 id="format-plugin-support-for-pcap-files-(drill-5432)">Format Plugin Support for
PCAP Files (DRILL-5432)</h2>
 
@@ -168,7 +168,7 @@
 
 <h2 id="configurable-ctas-directory-and-file-permissions-option-(drill-5391)">Configurable
CTAS Directory and File Permissions Option (DRILL-5391)</h2>
 
-<p>You can use the <code>exec.persistent_table.umask</code> configuration
option, at the system or session level, to modify permissions on directories and files that
result from running the CTAS command. By default, the option is set to 002, which sets the
default directory permissions to 775 and default file permissions to -664.   </p>
+<p>You can use the <code>exec.persistent_table.umask</code> configuration
option, at the system or session level, to modify permissions on directories and files that
result from running the CTAS command. By default, the option is set to 002, which sets the
default directory permissions to 775 and default file permissions to 664.   </p>
 
 <h2 id="support-for-network-encryption-(drill-4335)">Support for Network Encryption
(DRILL-4335)</h2>
 
@@ -178,9 +178,14 @@
 
 <p>Drill now stores the relative path in the metadata file (versus the absolute path),
which enables you to move partitioned Parquet directories from one location in DFS to another
without having to rebuild the Parquet metadata files; the metadata remains valid in the new
location.  </p>
 
-<h2 id="support-for-ansi_quotes-(drill-3510)">Support for ANSI_QUOTES (DRILL-3510)</h2>
+<h2 id="support-for-additional-quoting-identifiers-(drill-3510)">Support for Additional
Quoting Identifiers (DRILL-3510)</h2>
 
-<p>In addition to back ticks, the SQL parser in Drill can use double quotes as identifier
quotes. Use the <code>planner.parser.quoting_identifiers</code> configuration
option, at the system or session level, to set the type of identifier quotes that the SQL
parser in Drill uses.  </p>
+<p>In addition to back ticks, the SQL parser in Drill can use double quotes and square
brackets as identifier quotes. Use the <code>planner.parser.quoting_identifiers</code>
configuration option, at the system or session level, to set the type of identifier quotes
that the SQL parser in Drill uses, as shown:  </p>
+<div class="highlight"><pre><code class="language-text" data-lang="text">
  ALTER SESSION SET planner.parser.quoting_identifiers = &#39;&quot;&#39;;  
+   ALTER SESSION SET planner.parser.quoting_identifiers = &#39;[&#39;;  
+   ALTER SESSION SET planner.parser.quoting_identifiers = &#39;`&#39;;  
+</code></pre></div>
+<p>The default setting is back ticks. The quoting identifier used in queries must match
the setting. If you use another type of quoting identifier, Drill returns an error.  </p>
 
 <p>You can find a complete list of JIRAs resolved in the 1.11.0 release <a href="https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12313820&amp;version=12339943">here</a>.</p>
 
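Review bot: Changing the h2 id from `support-for-ansi_quotes-(drill-3510)` to `support-for-additional-quoting-identifiers-(drill-3510)` breaks any existing deep link to the old anchor on this post; keep the old id or add an empty anchor that carries it. In the new closing paragraph, because the option can also be set at the system level, it would help to say that a system-level change makes queries written with the previous quoting character return an error in every session, so readers reach for `ALTER SESSION` unless they intend a cluster-wide change.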

http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/docs/configuring-kerberos-authentication/index.html
----------------------------------------------------------------------
diff --git a/docs/configuring-kerberos-authentication/index.html b/docs/configuring-kerberos-authentication/index.html
index 6e671f0..01ea0be 100644
--- a/docs/configuring-kerberos-authentication/index.html
+++ b/docs/configuring-kerberos-authentication/index.html
@@ -1126,13 +1126,13 @@
 
     </div>
 
-     May 17, 2017
+     Jul 31, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
     <div class="int_text" align="left">
       
-        <p>In release 1.10 Drill supports Kerberos v5 network security authentication.
 To use Kerberos with Drill and establish connectivity, use the JDBC driver packaged with
Drill 1.10.</p>
+        <p>In release 1.11 Drill supports Kerberos v5 network security authentication
and client-to-drillbit encryption.  To use Kerberos with Drill and establish connectivity,
use the JDBC driver packaged with Drill 1.11.</p>
 
 <p>Kerberos allows trusted hosts to prove their identity over a network to an information
system.  A Kerberos <em>realm</em> is unique authentication domain. A centralized
<em>key distribution center (KDC)</em> coordinates authentication between a clients
and servers. Clients and servers obtain and use tickets from the KDC using a special <em>keytab</em>
file to communicate with the KDC and prove their identity to gain access to a drillbit.  Administrators
must create <em>principal</em> (user or server) identities and passwords to ensure
the secure exchange of mutual authentication information passed to and from the drillbit.
  </p>
 
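Review bot: Replacing 1.10 with 1.11 in the opening sentence reads as if Kerberos support itself is new in 1.11, and the reader can no longer tell which feature needs which release. Suggest wording along the lines of "Drill supports Kerberos v5 authentication as of release 1.10 and client-to-drillbit encryption as of release 1.11", with the JDBC driver requirement stated per feature. The unchanged paragraph below also has "is unique authentication domain" and "between a clients and servers", which could be fixed in the same pass.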
@@ -1145,7 +1145,7 @@
 
 <h2 id="prerequisites">Prerequisites</h2>
 
-<p>The required Kerberos (JDBC) plugin is part of the 1.10 Drill package. To use it,
you must have a working Kerberos infrastructure, which Drill does not provide. You must be
working in a Linux-based or Windows Active Directory (AD) Kerberos environment with secure
clusters and have a Drill server configured for Kerberos. See <a href="/docs/configuring-kerberos-authentication/#enabling-authentication">Enabling
Authentication</a>.</p>
+<p>The required Kerberos (JDBC) plugin is part of the 1.11 Drill package. To use it,
you must have a working Kerberos infrastructure, which Drill does not provide. You must be
working in a Linux-based or Windows Active Directory (AD) Kerberos environment with secure
clusters and have a Drill server configured for Kerberos. See <a href="/docs/configuring-kerberos-authentication/#enabling-authentication">Enabling
Authentication</a>.</p>
 
 <h2 id="client-authentication-process">Client Authentication Process</h2>
 
@@ -1166,10 +1166,17 @@
 
 <p>For Kerberos server authentication information, see the <a href="http://web.mit.edu/kerberos/"
title="MIT Kerberos">MIT Kerberos</a> administration documentation. </p>
 
-<h2 id="enabling-authentication">Enabling Authentication</h2>
+<h2 id="enabling-authentication-and-encryption">Enabling Authentication and Encryption</h2>
 
 <p>During startup, a drillbit service must authenticate. At runtime, Drill uses the
keytab file. Trust is based on the keytab file; its secrets are shared with the KDC. The drillbit
service also uses this keytab credential to validate service tickets from clients. Based on
this information, the drillbit determines whether the client’s identity can be verified
to use its service. </p>
 
+<p>To enable encryption,set the following parameters in the <code>drill-override.conf</code>
file (as shown in the second example below): </p>
+
+<ul>
+<li><p><code>security.user.encryption.sasl.enabled</code> to true.
This parameter determines if the drillbit is enabled for encryption. Only Drill 1.11 drillbits
support encryption. </p></li>
+<li><p><code>security.user.encryption.sasl.max_wrapped_size</code>.
This parameter specifies the maximum size of encoded buffer in bytes (maxbuffer parameter
in sasl) that the client and server will receive. Using this the SASL framework exposes maximum
buffer size that the wrap function will accept, so that Drill client/server can chop the Outbound
RPC message with the size. The maximum recommended value is 16777215. The default is 65536.</p></li>
+</ul>
+
 <p><img src="/docs/img/kerberos-client-server.png" alt="kerberos client server"></p>
 
 <p>&nbsp;1. Create a Kerberos principal identity and a keytab file.  You can create
one principal for each drillbit or one principal for all drillbits in a cluster. The <code>drill.keytab</code>
file must be owned by and readable by the administrator user.  </p>
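Review bot: The h2 id changes to `enabling-authentication-and-encryption`, but the Prerequisites paragraph rewritten in this same commit still links to `/docs/configuring-kerberos-authentication/#enabling-authentication`, so that link no longer resolves to this section; update the href or keep the old id. In the added paragraph, "encryption,set" is missing a space, and "the second example below" is hard to locate, so name the step or the example instead. The `max_wrapped_size` bullet gives a default and a maximum recommended value but no guidance on when to change it, and its sentence beginning "Using this the SASL framework exposes" should be rewritten as a plain statement of what the setting limits.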
@@ -1222,11 +1229,13 @@
                 auth.principal:“drill/&lt;clustername&gt;@&lt;REALM&gt;.COM”,
 
                 auth.keytab:“/etc/drill/conf/drill.keytab”  
               }  
-        security.user.auth: {
-                enabled: true,
-                packages += &quot;org.apache.drill.exec.rpc.user.security&quot;,
-                impl: &quot;pam&quot;,
-                pam_profiles: [&quot;sudo&quot;, &quot;login&quot;]
+        security.user: {
+                auth.enabled: true,
+                auth.packages += &quot;org.apache.drill.exec.rpc.user.security&quot;,
+                auth.impl: &quot;pam&quot;,
+                auth.pam_profiles: [&quot;sudo&quot;, &quot;login&quot;],
+                encryption.sasl.enabled: true,
+                encryption.sasl.max_wrapped_size: 65536,
                }   
         }
 </code></pre></div></li>
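Review bot: The example turns on `encryption.sasl.enabled` right next to `auth.impl: "pam"`, which suggests PAM logins are encrypted too, while the rest of this commit describes encryption as using the Kerberos mechanism; add a sentence saying which mechanisms get encryption. The unchanged `auth.principal` and `auth.keytab` lines at the top of the hunk use typographic quotes (“ ”), which will not work as string delimiters when the block is pasted into `drill-override.conf`; replace them with straight quotes while this block is being edited. `encryption.sasl.max_wrapped_size: 65536` only restates the documented default and could be dropped or marked as optional.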
@@ -1290,6 +1299,12 @@
 <td></td>
 </tr>
 <tr>
+<td>sasl_encrypt</td>
+<td>When set to true, ensures that a client connects to a server with encryption capabilities.
For example, Drill 1.11 drillbits, which support client-to-drillbit encryption.</td>
+<td>Optional</td>
+<td>false</td>
+</tr>
+<tr>
 <td>service_name</td>
 <td>Primary name of the drillbit service principal.</td>
 <td>Optional</td>
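Review bot: With `sasl_encrypt` optional and defaulting to false, the row should say what a client gets when it leaves the parameter unset and the drillbit has `security.user.encryption.sasl.enabled` set to true; as written, a reader cannot tell whether that session is encrypted, refused, or sent in the clear. If encryption is expected on a cluster, the description should tell administrators to set the parameter to true in every connection string. The second sentence of the description ("For example, Drill 1.11 drillbits, which support client-to-drillbit encryption.") is a fragment; fold it into the first.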
@@ -1309,6 +1324,19 @@
 </tr>
 </tbody></table>
 
+<h3 id="client-encryption">Client Encryption</h3>
+
+<p>A client can specify that it requires a server with encryption capabilities only
by setting the  <code>sasl_encrypt</code> connection parameter to <strong>true</strong>.
If the cluster to which client is connecting has encryption disabled, the client will fail
to connect to that server.</p>
+<div class="highlight"><pre><code class="language-text" data-lang="text">drill.exec
{
+ security:  {
+      user.auth.enabled: true,
+      auth.mechanisms: [&quot;KERBEROS&quot;],
+      auth.principal: &quot;drill/serverhostname@REALM.COM&quot;,
+      auth.keytab: &quot;/etc/drill/conf/drill.keytab&quot;,
+      user.encryption.sasl.enabled: true
+          }
+}
+</code></pre></div>
 <h3 id="connection-url-examples">Connection URL Examples</h3>
 
 <p>The following five examples show the JDBC connection URL that the embedded JDBC
client uses for Kerberos authentication. The first section, Example of a Simple Connection
URL, includes a simple connection string and the second section, Examples of Connection URLs
Used with Previously Generated TGTs, includes examples to use with previously generated TGTs.</p>
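Review bot: The new section is titled Client Encryption and describes the `sasl_encrypt` connection parameter, but the code block under it is a server-side `drill.exec` security block, and no connection string with `sasl_encrypt` set to true is shown. Either add a client connection URL here or introduce the block as the matching drillbit configuration. In the paragraph, "requires a server with encryption capabilities only by setting" has a misplaced "only", and "to which client is connecting" is missing an article.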

http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/docs/configuring-user-authentication/index.html
----------------------------------------------------------------------
diff --git a/docs/configuring-user-authentication/index.html b/docs/configuring-user-authentication/index.html
index 16025ec..5eaa394 100644
--- a/docs/configuring-user-authentication/index.html
+++ b/docs/configuring-user-authentication/index.html
@@ -1126,7 +1126,7 @@
 
     </div>
 
-     May 17, 2017
+     Jul 31, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1135,7 +1135,7 @@
         <p>Authentication is the process of establishing confidence of authenticity.
A Drill client user is authenticated when a drillbit process running in a Drill cluster confirms
the identity it is presented with.  Drill 1.10 supports several authentication mechanisms
through which users can prove their identity before accessing cluster data: </p>
 
 <ul>
-<li><strong>Kerberos</strong> - New in Drill 1.10. See <a href="/docs/configuring-kerberos-authentication/">Configuring
Kerberos Authentication</a>.</li>
+<li><strong>Kerberos</strong> - Featuring Drill client to Drillbit encryption
in Drill 1.11. See <a href="/docs/configuring-kerberos-authentication/">Configuring
Kerberos Authentication</a>.</li>
 <li><strong>Plain</strong> [also known as basic authentication (auth),
which is username and password-based authentication, through the Linux Pluggable Authentication
Module (PAM)] - See <a href="/docs/configuring-plain-authentication/">Configuring Plain
Authentication</a>.</li>
 <li><strong>Custom authenticators</strong> - See <a href="/docs/creating-custom-authenticators">Creating
Custom Authenticators</a>.</li>
 </ul>
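Review bot: The Kerberos bullet now refers to Drill 1.11, but the unchanged lead-in sentence just above still says "Drill 1.10 supports several authentication mechanisms", so the paragraph mixes two release numbers. The bullet also reads as if encryption were part of authentication and drops the information that Kerberos arrived in 1.10; suggest something like "Kerberos (client-to-drillbit encryption available as of Drill 1.11)", with "drillbit" in lower case as on the Kerberos page.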

http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/docs/secure-communication-paths/index.html
----------------------------------------------------------------------
diff --git a/docs/secure-communication-paths/index.html b/docs/secure-communication-paths/index.html
index a1e53b1..68e542a 100644
--- a/docs/secure-communication-paths/index.html
+++ b/docs/secure-communication-paths/index.html
@@ -1126,7 +1126,7 @@
 
     </div>
 
-     Mar 17, 2017
+     Jul 31, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1157,7 +1157,7 @@
 
 <p><strong>Note</strong></p>
 
-<p>Impersonation and authorization are available through the web clients only when
authentication is enabled. Otherwise, the user identity is unknown.</p>
+<p>Impersonation, authorization, and encryption are available through the web clients
only when authentication and encryption are enabled. Otherwise, the user identity is unknown
and encryption is not used.</p>
 
 <hr>
 
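Review bot: The reworded note says encryption is available through the web clients, but the Encryption row added in this same file describes it as client-to-drillbit encryption over SASL, enabled on the client with `sasl_encrypt` in the connection string; nothing in this commit shows how a web client would use it. The sentence is also circular, since it makes encryption available only when encryption is enabled. Suggest keeping the original impersonation and authorization note and describing encryption only in the table row.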
@@ -1174,6 +1174,11 @@
 <td><a href="/docs/configuring-web-console-and-rest-api-security">Configuring
Web Console and REST API Security</a></td>
 </tr>
 <tr>
+<td>Encryption</td>
+<td>Drill 1.11 supports encryption between a Drill client and Drillbit using the Kerberos
mechanism over a Java SASL framework. Encrypting the client-to-drillbit communication pathway
ensures data integrity and prevents data tampering as well as snooping.   On the server side,
enable encryption in the drill-override.conf file with the security.user.encryption.sasl.enabled
parameter. On the client side, use the sasl_encrypt parameter in the connection string.</td>
+<td><a href="/docs/configuring-kerberos-authentication/">Configuring Kerberos
Authentication</a></td>
+</tr>
+<tr>
 <td>Impersonation</td>
 <td>Drill acts on behalf of the user on the session. This is usually the connection
user (or the user that authenticates). This user can impersonate another user, which is allowed
if the connection user is authorized to impersonate the target user based on the inbound impersonation
policies (USER role).  By default, impersonation is disabled.</td>
 <td><a href="/docs/configuring-user-impersonation/#impersonation-and-views">Configuring
User Impersonation</a> and <a href="/docs/configuring-inbound-impersonation">Configuring
Inbound Impersonation</a></td>
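Review bot: In the new Encryption row, `drill-override.conf`, `security.user.encryption.sasl.enabled` and `sasl_encrypt` are plain text, while the Kerberos page in this commit wraps the same names in `<code>`; mark them up the same way. The row should also state outright whether encryption is available only with Kerberos authentication, and "ensures data integrity and prevents data tampering" says the same thing twice.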

http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/docs/securing-drill-introduction/index.html
----------------------------------------------------------------------
diff --git a/docs/securing-drill-introduction/index.html b/docs/securing-drill-introduction/index.html
index b5465dc..8b4c8d7 100644
--- a/docs/securing-drill-introduction/index.html
+++ b/docs/securing-drill-introduction/index.html
@@ -1126,7 +1126,7 @@
 
     </div>
 
-     Mar 16, 2017
+     Jul 31, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1155,7 +1155,7 @@ See <a href="/docs/configuring-kerberos-authentication/">Configuring
Kerberos Au
         - <a href="/docs/configuring-user-impersonation/">Configuring User Impersonation</a><br>
         - <a href="/docs/configuring-inbound-impersonation/">Configuring Inbound Impersonation</a><br>
         - <a href="/docs/configuring-user-impersonation-with-hive-authorization/">Configuring
User Impersonation with Hive Authorization</a><br></li>
-<li><strong>Encryption</strong> - Drill does not support encryption as
of Drill 1.10.</li>
+<li><strong>Encryption</strong> - Drill supports client-to-drillbit encryption
in Drill 1.11.</li>
 </ul>
 
     
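Review bot: The new Encryption bullet carries no link, unlike the sibling bullets in this list, so a reader learns that client-to-drillbit encryption exists but not where it is configured. Link it to `/docs/configuring-kerberos-authentication/`, which is where this commit documents the server and client settings.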

http://git-wip-us.apache.org/repos/asf/drill-site/blob/7866d03e/feed.xml
----------------------------------------------------------------------
diff --git a/feed.xml b/feed.xml
index 1477bf3..3febaac 100644
--- a/feed.xml
+++ b/feed.xml
@@ -6,8 +6,8 @@
 </description>
     <link>/</link>
     <atom:link href="/feed.xml" rel="self" type="application/rss+xml"/>
-    <pubDate>Sun, 30 Jul 2017 21:54:25 -0700</pubDate>
-    <lastBuildDate>Sun, 30 Jul 2017 21:54:25 -0700</lastBuildDate>
+    <pubDate>Mon, 31 Jul 2017 14:01:58 -0700</pubDate>
+    <lastBuildDate>Mon, 31 Jul 2017 14:01:58 -0700</lastBuildDate>
     <generator>Jekyll v2.5.2</generator>
     
       <item>
@@ -31,7 +31,7 @@
 
 &lt;h2 id=&quot;spill-to-disk-for-hash-aggregate-operator-(drill-5457)&quot;&gt;Spill
to Disk for Hash Aggregate Operator (DRILL-5457)&lt;/h2&gt;
 
-&lt;p&gt;The Hash aggregate operator can spill data to disk in cases where the operation
exceeds the set memory limit.   &lt;/p&gt;
+&lt;p&gt;The Hash aggregate operator can spill data to disk in cases where the operation
exceeds the set memory limit. Note that you may need to increase the default value of the
&lt;code&gt;planner.memory.max_query_memory_per_node&lt;/code&gt; option due
to insufficient memory.      &lt;/p&gt;
 
 &lt;h2 id=&quot;format-plugin-support-for-pcap-files-(drill-5432)&quot;&gt;Format
Plugin Support for PCAP Files (DRILL-5432)&lt;/h2&gt;
 
@@ -53,7 +53,7 @@
 
 &lt;h2 id=&quot;configurable-ctas-directory-and-file-permissions-option-(drill-5391)&quot;&gt;Configurable
CTAS Directory and File Permissions Option (DRILL-5391)&lt;/h2&gt;
 
-&lt;p&gt;You can use the &lt;code&gt;exec.persistent_table.umask&lt;/code&gt;
configuration option, at the system or session level, to modify permissions on directories
and files that result from running the CTAS command. By default, the option is set to 002,
which sets the default directory permissions to 775 and default file permissions to -664.
  &lt;/p&gt;
+&lt;p&gt;You can use the &lt;code&gt;exec.persistent_table.umask&lt;/code&gt;
configuration option, at the system or session level, to modify permissions on directories
and files that result from running the CTAS command. By default, the option is set to 002,
which sets the default directory permissions to 775 and default file permissions to 664. 
 &lt;/p&gt;
 
 &lt;h2 id=&quot;support-for-network-encryption-(drill-4335)&quot;&gt;Support
for Network Encryption (DRILL-4335)&lt;/h2&gt;
 
@@ -63,9 +63,14 @@
 
 &lt;p&gt;Drill now stores the relative path in the metadata file (versus the absolute
path), which enables you to move partitioned Parquet directories from one location in DFS
to another without having to rebuild the Parquet metadata files; the metadata remains valid
in the new location.  &lt;/p&gt;
 
-&lt;h2 id=&quot;support-for-ansi_quotes-(drill-3510)&quot;&gt;Support for
ANSI_QUOTES (DRILL-3510)&lt;/h2&gt;
+&lt;h2 id=&quot;support-for-additional-quoting-identifiers-(drill-3510)&quot;&gt;Support
for Additional Quoting Identifiers (DRILL-3510)&lt;/h2&gt;
 
-&lt;p&gt;In addition to back ticks, the SQL parser in Drill can use double quotes
as identifier quotes. Use the &lt;code&gt;planner.parser.quoting_identifiers&lt;/code&gt;
configuration option, at the system or session level, to set the type of identifier quotes
that the SQL parser in Drill uses.  &lt;/p&gt;
+&lt;p&gt;In addition to back ticks, the SQL parser in Drill can use double quotes
and square brackets as identifier quotes. Use the &lt;code&gt;planner.parser.quoting_identifiers&lt;/code&gt;
configuration option, at the system or session level, to set the type of identifier quotes
that the SQL parser in Drill uses, as shown:  &lt;/p&gt;
+&lt;div class=&quot;highlight&quot;&gt;&lt;pre&gt;&lt;code class=&quot;language-text&quot;
data-lang=&quot;text&quot;&gt;   ALTER SESSION SET planner.parser.quoting_identifiers
= &amp;#39;&amp;quot;&amp;#39;;  
+   ALTER SESSION SET planner.parser.quoting_identifiers = &amp;#39;[&amp;#39;;  
+   ALTER SESSION SET planner.parser.quoting_identifiers = &amp;#39;`&amp;#39;;  
+&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;
+&lt;p&gt;The default setting is back ticks. The quoting identifier used in queries
must match the setting. If you use another type of quoting identifier, Drill returns an error.
 &lt;/p&gt;
 
 &lt;p&gt;You can find a complete list of JIRAs resolved in the 1.11.0 release &lt;a
href=&quot;https://issues.apache.org/jira/secure/ReleaseNote.jspa?projectId=12313820&amp;amp;version=12339943&quot;&gt;here&lt;/a&gt;.&lt;/p&gt;
 </description>

