From: "Sudheesh Katkam (JIRA)"
To: issues@drill.apache.org
Date: Mon, 13 Feb 2017 21:23:42 +0000 (UTC)
Subject: [jira] [Comment Edited] (DRILL-3584) Drill Kerberos HDFS Support / Documentation

    [ https://issues.apache.org/jira/browse/DRILL-3584?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15862111#comment-15862111 ]

Sudheesh Katkam edited comment on DRILL-3584 at 2/13/17 9:22 PM:
-----------------------------------------------------------------

I may be wrong, but AFAIK, following Nathan's blogpost is not sufficient for Drill to authenticate to a Kerberized HDFS (especially since tickets expire).

The following instructions SHOULD allow for end-to-end (user to HDFS) authentication, but I have not tested them since I do not have the infrastructure to set up KDC or HDFS (and it is not possible to write a unit test for this: MiniDFS and Drill use the same auth library, which has static variables that MUST be different).

(1) Enable Drill login to KDC.

Once the changes in DRILL-4280 are merged (targeted for 1.10 release), the drillbit can be started with a Kerberos principal and keytab. Add appropriate config to drill-override.conf, something like:

{code}
drill.exec {
  security.auth.principal: “drill/_host@REALM”
  security.auth.keytab: “/etc/drill/conf/drill.keytab”
}
{code}

This assumes a service principal is created for Drill ([details here|http://www.microhowto.info/howto/create_a_service_principal_using_mit_kerberos.html]). Ensure "drill" exists as a [user identity|http://hadoop.apache.org/docs/r1.2.1/hdfs_permissions_guide.html#User+Identity] in HDFS (Drill uses HDFS for [Dynamic UDFs|http://drill.apache.org/docs/dynamic-udfs/], etc.). At startup, Drill will login to KDC, and when accessing HDFS, Drill uses the configured Kerberos credentials.

(2) Enable authentication from user to Drill.

This is strongly recommended, but optional.

(3) Enable Drill impersonation.

This is strongly recommended, but optional. Otherwise, access to HDFS happens as "drill".

(4) Enable 'secure impersonation' in HDFS.

Set up "drill" as a proxy user for HDFS with the required privileges, [details here|http://hadoop.apache.org/docs/r1.2.1/Secure_Impersonation.html]. This will allow Drill to act on behalf of the end user ("bob") when accessing HDFS. For example, if "drill" is authorized to impersonate "bob", then while accessing the HDFS, access rights are checked for "bob" and authentication credentials of "drill" are verified.

> Drill Kerberos HDFS Support / Documentation
> -------------------------------------------
>
>                 Key: DRILL-3584
>                 URL: https://issues.apache.org/jira/browse/DRILL-3584
>             Project: Apache Drill
>          Issue Type: New Feature
>    Affects Versions: 1.1.0
>            Reporter: Hari Sekhon
>            Priority: Critical
>              Labels: security
>
> I'm trying to find Drill docs for Kerberos support for secure HDFS clusters and it doesn't appear to be well tested / supported / documented yet.
> This product is Dead-on-Arrival if it doesn't integrate well with secure Hadoop clusters, specifically HDFS + Kerberos (plus obviously secure kerberized Hive/HCatalog etc.)

--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
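Added example, not code from the JIRA thread, the Drill project or Hadoop: a small Python audit that ties step (1) and step (4) of the comment above together. The short name HDFS derives from the Drill service principal (the part before "/" or "@") must be the same name that appears in the NameNode's hadoop.proxyuser.<user>.hosts and hadoop.proxyuser.<user>.groups settings, which are the core-site.xml properties the linked Secure Impersonation guide describes. The drill-override.conf and core-site.xml fragments below are constructed samples; the second core-site.xml shows the settings a reviewer should flag (simple authentication, and a wildcard host list that lets any machine holding the keytab impersonate users).

```python
"""Cross-check the Kerberos principal Drill logs in with (step 1) against the HDFS
proxy-user settings that allow it to impersonate end users (step 4).

Added example, not Drill or Hadoop project code. Both config fragments below are
constructed samples; hadoop.proxyuser.<user>.hosts / .groups are the core-site.xml
settings described in the Hadoop Secure Impersonation guide.
"""
import re
import xml.etree.ElementTree as ET

# Constructed drill-override.conf fragment (HOCON, as in the comment, with straight quotes).
SAMPLE_DRILL_OVERRIDE = """
drill.exec {
  security.auth.principal: "drill/drill1.example.com@EXAMPLE.COM"
  security.auth.keytab: "/etc/drill/conf/drill.keytab"
}
"""

# Constructed core-site.xml: hosts pinned to the drillbit nodes, groups limited to one group.
SAMPLE_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.proxyuser.drill.hosts</name><value>drill1.example.com,drill2.example.com</value></property>
  <property><name>hadoop.proxyuser.drill.groups</name><value>analysts</value></property>
</configuration>
"""

# Constructed core-site.xml carrying the settings an audit should flag.
WEAK_CORE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.proxyuser.drill.hosts</name><value>*</value></property>
</configuration>
"""

_PRINCIPAL_RE = re.compile(r'security\.auth\.principal\s*[:=]\s*"([^"]+)"')


def principal_primary(conf_text):
    """Return the primary (user) component of security.auth.principal, or None if absent.

    A Kerberos principal is primary[/instance]@REALM; HDFS maps it to the short
    name 'primary' by default, so that is the name the proxy-user rules must use.
    """
    match = _PRINCIPAL_RE.search(conf_text)
    if not match:
        return None
    return match.group(1).split("@", 1)[0].split("/", 1)[0]


def load_properties(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_impersonation(core_site_xml, drill_conf):
    """Return a list of findings; an empty list means both configs agree and are not wide open."""
    proxy_user = principal_primary(drill_conf)
    if proxy_user is None:
        return ["security.auth.principal not set: Drill cannot log in to the KDC"]
    findings = []
    props = load_properties(core_site_xml)
    # Hadoop's default when the property is absent is 'simple' (no authentication).
    if props.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not 'kerberos': "
                        "HDFS will trust whatever user name the client claims")
    hosts_key = f"hadoop.proxyuser.{proxy_user}.hosts"
    groups_key = f"hadoop.proxyuser.{proxy_user}.groups"
    hosts = props.get(hosts_key)
    if hosts is None:
        findings.append(f"{hosts_key} missing: the NameNode will refuse impersonation by '{proxy_user}'")
    elif hosts == "*":
        findings.append(f"{hosts_key} is '*': any host that obtains the '{proxy_user}' keytab can impersonate users")
    groups = props.get(groups_key)
    if groups is None:
        findings.append(f"{groups_key} missing: '{proxy_user}' is not allowed to impersonate anyone")
    elif groups == "*":
        findings.append(f"{groups_key} is '*': '{proxy_user}' may act as every HDFS user, including superusers")
    return findings


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_CORE_SITE), ("weak", WEAK_CORE_SITE)):
        result = audit_impersonation(xml, SAMPLE_DRILL_OVERRIDE)
        print(f"{label}: {'OK' if not result else ''}")
        for line in result:
            print("  -", line)
```

Run against the real files (core-site.xml from the NameNode, drill-override.conf from a drillbit), the audit catches the two mistakes that most often make step (4) silently fail or over-grant: a proxy-user name that does not match the principal's short name, and wildcard host or group lists that turn the Drill keytab into a credential for every HDFS user.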