drill-commits mailing list archives

From bridg...@apache.org
Subject drill-site git commit: config edits to auth docs to include impersonation
Date Wed, 17 May 2017 01:22:05 GMT
Repository: drill-site
Updated Branches:
  refs/heads/asf-site 279ce2e7b -> 354d7a203


config edits to auth docs to include impersonation


Project: http://git-wip-us.apache.org/repos/asf/drill-site/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill-site/commit/354d7a20
Tree: http://git-wip-us.apache.org/repos/asf/drill-site/tree/354d7a20
Diff: http://git-wip-us.apache.org/repos/asf/drill-site/diff/354d7a20

Branch: refs/heads/asf-site
Commit: 354d7a2035a5784be0ca215b0b9e54c20acdff9e
Parents: 279ce2e
Author: Bridget Bevens <bbevens@maprtech.com>
Authored: Tue May 16 18:21:47 2017 -0700
Committer: Bridget Bevens <bbevens@maprtech.com>
Committed: Tue May 16 18:21:47 2017 -0700

----------------------------------------------------------------------
 .../index.html                                  | 68 ++++++++++++--------
 .../configuring-plain-authentication/index.html | 27 +++++---
 docs/configuring-user-authentication/index.html | 16 ++---
 feed.xml                                        |  4 +-
 4 files changed, 68 insertions(+), 47 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/drill-site/blob/354d7a20/docs/configuring-kerberos-authentication/index.html
----------------------------------------------------------------------
diff --git a/docs/configuring-kerberos-authentication/index.html b/docs/configuring-kerberos-authentication/index.html
index a870e26..419b5db 100644
--- a/docs/configuring-kerberos-authentication/index.html
+++ b/docs/configuring-kerberos-authentication/index.html
@@ -1122,7 +1122,7 @@
 
     </div>
 
-     Mar 17, 2017
+     May 17, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1130,15 +1130,12 @@
       
         <p>In release 1.10 Drill supports Kerberos v5 network security authentication.
 To use Kerberos with Drill and establish connectivity, use the JDBC driver packaged with
Drill 1.10.</p>
 
-<p>Kerberos allows trusted hosts to prove their identity over a network to an information
system.  A Kerberos <em>realm</em> is unique authentication domain. A centralized
<em>key distribution center (KDC)</em> coordinates authentication between a clients
and servers. Clients and servers obtain and use tickets from the KDC using a special <em>keytab</em>
file to communicate with the KDC and prove their identity to gain access to a drillbit.  Administrators
must create <em>principal</em> (user or server) identities and passwords to ensure
the secure exchange of mutual authentication information passed to and from the drillbit.
</p>
+<p>Kerberos allows trusted hosts to prove their identity over a network to an information
system.  A Kerberos <em>realm</em> is unique authentication domain. A centralized
<em>key distribution center (KDC)</em> coordinates authentication between a clients
and servers. Clients and servers obtain and use tickets from the KDC using a special <em>keytab</em>
file to communicate with the KDC and prove their identity to gain access to a drillbit.  Administrators
must create <em>principal</em> (user or server) identities and passwords to ensure
the secure exchange of mutual authentication information passed to and from the drillbit.
  </p>
 
-<hr>
-
-<p><strong>NOTE</strong></p>
-
-<p>Proper setup, configuration, administration, and usage of a Kerberos environment
is beyond the scope of this documentation.  See the <a href="http://web.mit.edu/kerberos/"
title="MIT Kerberos">MIT Kerberos</a> documentation for information about Kerberos.</p>
-
-<hr>
+<div class="admonition note">
+  <p class="first admonition-title">Note</p>
+  <p class="last">Proper setup, configuration, administration, and usage of a Kerberos
environment is beyond the scope of this documentation.  See the [MIT Kerberos](http://web.mit.edu/kerberos/
"MIT Kerberos") documentation for information about Kerberos.  </p>
+</div>  
 
 <h2 id="prerequisites">Prerequisites</h2>
 
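Review bot: The admonition added at the end of this hunk writes the MIT Kerberos link in Markdown, `[MIT Kerberos](http://web.mit.edu/kerberos/ "MIT Kerberos")`, inside a raw `<div class="admonition note">`, so the generated HTML carries the brackets and URL as literal text instead of a link; the removed version used `<a href="http://web.mit.edu/kerberos/" ...>`. Suggest keeping the anchor tag inside the div. The Kerberos overview paragraph is re-added with only a whitespace change, so "is unique authentication domain" and "between a clients and servers" could be corrected in the same pass.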
@@ -1188,27 +1185,44 @@
 2.  Add the Kerberos principal identity and keytab file to the <code>drill-override.conf</code>
file.  </p>
 
 <ul>
-<li><p>The instance name must be lowercase. Also, if _HOST is set as the instance
name in the principal, it is replaced with the fully qualified domain name of that host for
the instance name. For example, if a drillbit running on <code>host01.aws.lab</code>
uses <code>drill/_HOST@&lt;EXAMPLE&gt;.COM</code> as the principal, the
canonicalized principal is <code>drill/host01.aws.lab@&lt;EXAMPLE&gt;.COM</code>.
</p>
-<div class="highlight"><pre><code class="language-text" data-lang="text">
    drill.exec {  
+<li><p>The instance name must be lowercase. Also, if _HOST is set as the instance
name in the principal, it is replaced with the fully qualified domain name of that host for
the instance name. For example, if a drillbit running on <code>host01.aws.lab</code>
uses <code>drill/_HOST@&lt;EXAMPLE&gt;.COM</code> as the principal, the
canonicalized principal is <code>drill/host01.aws.lab@&lt;EXAMPLE&gt;.COM</code>.
 </p>
+<div class="highlight"><pre><code class="language-text" data-lang="text">
     drill.exec: {
+        cluster-id: &quot;drillbits1&quot;,
+        zk.connect: &quot;qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181&quot;,
+        impersonation: {
+          enabled: true,
+          max_chained_user_hops: 3
+        },
         security: {  
-          user.auth.enabled:true,  
-          auth.mechanisms:[“KERBEROS”],  
-          auth.principal:“drill/&lt;clustername&gt;@&lt;REALM&gt;.COM”,
 
-          auth.keytab:“/etc/drill/conf/drill.keytab”  
-        }  
-    }  
+                user.auth.enabled:true,  
+                auth.mechanisms:[“KERBEROS”],  
+                auth.principal:“drill/&lt;clustername&gt;@&lt;REALM&gt;.COM”,
 
+                auth.keytab:“/etc/drill/conf/drill.keytab”  
+        }
+
+      }
 </code></pre></div></li>
-<li><p>To configure multiple mechanisms, extend the mechanisms list and provide
additional configuration parameters. For example, the following configuration enables Kerberos
and Plain (username and password) mechanisms. See <a href="/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication">Installing
and Connfiguring Plain Authentication</a> for Plain PAM configuration instructions.
</p>
-<div class="highlight"><pre><code class="language-text" data-lang="text">
    drill.exec: {  
+<li><p>To configure multiple mechanisms, extend the mechanisms list and provide
additional configuration parameters. For example, the following configuration enables Kerberos
and Plain (username and password) mechanisms. See <a href="/docs/configuring-plain-authentication/#installing-and-configuring-plain-authentication">Installing
and Connfiguring Plain Authentication</a> for Plain PAM configuration instructions.
 </p>
+<div class="highlight"><pre><code class="language-text" data-lang="text">
     drill.exec: {
+        cluster-id: &quot;drillbits1&quot;,
+        zk.connect: &quot;qa102-81.qa.lab:2181,qa102-82.qa.lab:2181,qa102-83.qa.lab:2181&quot;,
+        impersonation: {
+          enabled: true,
+          max_chained_user_hops: 3
+        },
         security: {  
-           user.auth.enabled:true,  
-           user.auth.impl:&quot;pam&quot;,  
-           user.auth.pam_profile:[&quot;sudo&quot;, &quot;login&quot;], 

-           auth.mechanisms:[&quot;KERBEROS&quot;,&quot;PLAIN&quot;],  
-           auth.principal:&quot;drill/&lt;clustername&gt;@&lt;REALM&gt;.COM&quot;,
 
-           auth.keytab:&quot;/etc/drill/conf/drill.keytab&quot;  
-            }  
-        }  
+                user.auth.enabled:true,  
+                auth.mechanisms:[&quot;KERBEROS&quot;,&quot;PLAIN&quot;],
 
+                auth.principal:“drill/&lt;clustername&gt;@&lt;REALM&gt;.COM”,
 
+                auth.keytab:“/etc/drill/conf/drill.keytab”  
+              }  
+        security.user.auth: {
+                enabled: true,
+                packages += &quot;org.apache.drill.exec.rpc.user.security&quot;,
+                impl: &quot;pam&quot;,
+                pam_profiles: [&quot;sudo&quot;, &quot;login&quot;]
+               }   
+        }
 </code></pre></div></li>
 </ul>
 
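Review bot: The added `auth.mechanisms`, `auth.principal` and `auth.keytab` lines in the first example use typographic quotes (`[“KERBEROS”]`, `“/etc/drill/conf/drill.keytab”`) while the new `cluster-id` and `zk.connect` lines use straight quotes, and in the second example the previously straight-quoted `auth.principal` and `auth.keytab` values become typographic. Typographic quotes are not string delimiters in drill-override.conf, so a pasted copy can fail to parse or carry the quote characters into the principal and keytab path; suggest straight quotes throughout. In the second example, `user.auth.enabled:true` under `security` and `enabled: true` under the new `security.user.auth` block set the same switch twice; keeping one form would make it clearer which setting turns authentication on. The `qa102-8x.qa.lab` hosts read as internal lab names and would be better as placeholders.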

http://git-wip-us.apache.org/repos/asf/drill-site/blob/354d7a20/docs/configuring-plain-authentication/index.html
----------------------------------------------------------------------
diff --git a/docs/configuring-plain-authentication/index.html b/docs/configuring-plain-authentication/index.html
index 7cbde42..00a7f4b 100644
--- a/docs/configuring-plain-authentication/index.html
+++ b/docs/configuring-plain-authentication/index.html
@@ -1122,7 +1122,7 @@
 
     </div>
 
-     Mar 16, 2017
+     May 17, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1212,14 +1212,23 @@ Enter password for jdbc:drill:zk=localhost:2181: *************
 <div class="highlight"><pre><code class="language-text" data-lang="text">`export
DRILLBIT_JAVA_OPTS=&quot;-Djava.library.path=/opt/pam/&quot;` 
 </code></pre></div></li>
 <li><p>Add the following configuration to the drill.exec block in <code>&lt;DRILL_HOME&gt;/conf/drill-override.conf</code>:
</p>
-<div class="highlight"><pre><code class="language-text" data-lang="text">
 drill.exec {
-   security.user.auth {
-         enabled: true,
-         packages += &quot;org.apache.drill.exec.rpc.user.security&quot;,
-         impl: &quot;pam&quot;,
-         pam_profiles: [ &quot;sudo&quot;, &quot;login&quot; ]
-   } 
-  }
+<div class="highlight"><pre><code class="language-text" data-lang="text">
     drill.exec: {
+        cluster-id: &quot;drillbits1&quot;,
+        zk.connect: &quot;qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181&quot;,
+        impersonation: {
+          enabled: true,
+          max_chained_user_hops: 3
+        },
+        security: {          
+                auth.mechanisms : [&quot;PLAIN&quot;],
+                 },
+        security.user.auth: {
+                enabled: true,
+                packages += &quot;org.apache.drill.exec.rpc.user.security&quot;,
+                impl: &quot;pam&quot;,
+                pam_profiles: [ &quot;sudo&quot;, &quot;login&quot; ]
+         }
+       }
 </code></pre></div></li>
 <li><p>(Optional) To add or remove different PAM profiles, add or delete the
profile names in the “pam_profiles” array shown above. </p></li>
 <li><p>Restart the Drillbit process on each Drill node. </p>
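Review bot: The step text above the example still says to add the configuration to the drill.exec block, but the replacement is now a complete `drill.exec` block with `cluster-id: "drillbits1"` and a `zk.connect` list of `qa102-8x.qa.lab` hosts, so an administrator who pastes it overwrites their own cluster id and ZooKeeper quorum with lab values. Suggest placeholder values for those two keys and a sentence stating that only `impersonation`, `security` and `security.user.auth` are the settings being introduced. The ZooKeeper port here is 5181, while the Kerberos page examples in this same commit use 2181 for the same hosts; make them consistent or say why they differ.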

http://git-wip-us.apache.org/repos/asf/drill-site/blob/354d7a20/docs/configuring-user-authentication/index.html
----------------------------------------------------------------------
diff --git a/docs/configuring-user-authentication/index.html b/docs/configuring-user-authentication/index.html
index 2926f1c..8accebc 100644
--- a/docs/configuring-user-authentication/index.html
+++ b/docs/configuring-user-authentication/index.html
@@ -1122,7 +1122,7 @@
 
     </div>
 
-     Mar 16, 2017
+     May 17, 2017
 
     <link href="/css/docpage.css" rel="stylesheet" type="text/css">
 
@@ -1136,15 +1136,13 @@
 <li><strong>Custom authenticators</strong> - See <a href="/docs/creating-custom-authenticators">Creating
Custom Authenticators</a>.</li>
 </ul>
 
-<p>These authentication options are available through JDBC and ODBC interfaces.</p>
+<p>These authentication options are available through JDBC and ODBC interfaces.  </p>
 
-<hr>
-
-<p><strong>Note</strong></p>
-
-<p>If user impersonation is enabled, Drill executes the client requests as the authenticated
user. Otherwise, Drill executes client requests as the user that started the drillbit process.
You can enable both authentication and impersonation to improve Drill security. See <a
href="/docs/configuring-user-impersonation/">Configuring User Impersonation</a> for
more information.</p>
-
-<hr>
+<div class="admonition note">
+  <p class="first admonition-title">Note</p>
+  <p class="last">Enabling both [user impersonation](/docs/configuring-user-impersonation/)
and authentication is recommended to restrict access to data and improve security. When user
impersonation is enabled, Drill executes the client requests as 
+the authenticated user. Otherwise, Drill executes client requests as the user that started
the drillbit process.  </p>
+</div>
 
     
       
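Review bot: The added note links to the impersonation page with Markdown, `[user impersonation](/docs/configuring-user-impersonation/)`, inside the raw `<div class="admonition note">`, so the generated page shows the brackets and path as text; the removed note had a working `<a href="/docs/configuring-user-impersonation/">`. Suggest restoring the anchor tag, since the rewrite also drops the "See ... for more information" sentence and this link is now the only pointer from the authentication page to the impersonation setup. The note is where readers learn that without impersonation Drill runs client requests as the user that started the drillbit process, so the reference should resolve.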

http://git-wip-us.apache.org/repos/asf/drill-site/blob/354d7a20/feed.xml
----------------------------------------------------------------------
diff --git a/feed.xml b/feed.xml
index 24b9139..d0bbe22 100644
--- a/feed.xml
+++ b/feed.xml
@@ -6,8 +6,8 @@
 </description>
     <link>/</link>
     <atom:link href="/feed.xml" rel="self" type="application/rss+xml"/>
-    <pubDate>Tue, 09 May 2017 16:29:50 -0700</pubDate>
-    <lastBuildDate>Tue, 09 May 2017 16:29:50 -0700</lastBuildDate>
+    <pubDate>Tue, 16 May 2017 18:17:56 -0700</pubDate>
+    <lastBuildDate>Tue, 16 May 2017 18:17:56 -0700</lastBuildDate>
     <generator>Jekyll v2.5.2</generator>
     
       <item>

