From: Chun Chang
To: user@drill.apache.org
Date: Thu, 9 Jun 2016 11:27:24 -0700
Subject: Re: Dynamic setting of user id / password for Storage plugin

That's indeed hard in general.
Currently, Drill only supports impersonation through dfs and hive storage plugins.

On Thu, Jun 9, 2016 at 11:14 AM, John Omernik wrote:

> I think the original question is more about using the JDBC Storage Plugin
> and connections to other sources. I know I've posted a few user posts
> related to the security of storage plugins and the idea of passing
> credentials to the back end was discussed. The challenge here from a
> security perspective is A. Do Drill and the RDBMS share an authenticator?
> (i.e. LDAP) if so, how can Drill pass a token to the backend to ensure
> end to end accountability without storing passwords. This is a non-trivial
> challenge in a multi-user system.
>
> My "first step" approach was to Storage plugins where the ability to query
> these could be set within drill (using Filesystem ACLs or other
> methodologies) This could allow a drill admin to set up different plugins
> with different permissions and assign users there. It defeats the "end
> point" (RDBMS) accountability because unless each user got their own
> plugin, there would be shared users via abit, but that's better than the
> everyone can access all the storage plugins.
>
> This is hard in general :)
>
> John
>
> On Thu, Jun 9, 2016 at 1:02 PM, Chun Chang wrote:
>
> > Yaxiong,
> >
> > If you still have questions after reading the docs provided by Neeraja,
> > please let us know. I will be happy to help.
> >
> > Chun
> >
> > On Thu, Jun 9, 2016 at 10:40 AM, Neeraja Rentachintala
> > <nrentachintala@maprtech.com> wrote:
> >
> > > Have you checked these docs?
> > > https://drill.apache.org/docs/configuring-user-authentication/
> > >
> > > On Thu, Jun 9, 2016 at 8:05 AM, Lin, Yaxiong wrote:
> > >
> > > > Hi,
> > > >
> > > > I am evaluating Drill as the query service for our analytics
> > > > applications to access various data sources and it seems to fill
> > > > the needs very well. However I have one concern/question that I
> > > > could not find the answer from Drill’s website or on google.
> > > >
> > > > My question/concern is that from what I’ve read, the storage plugin
> > > > configuration requires static user id and password set in the
> > > > configuration which storage plugin will use to connect to the
> > > > backend data source/database. I need Drill client to pass the user
> > > > id and password at query submission to storage plugin (e.g. RDBMS)
> > > > and have storage plugin use that to connect to the back end data
> > > > source/database. Obviously each client has his/her own set of user
> > > > id and password for each data source/database. Is there any way
> > > > that I can achieve this?
> > > >
> > > > Thanks.
> > > >
> > > > Yaxiong Lin
> > > > Mayo Clinic