Drill Default Security
The default security configuration uses MapR-SASL (tickets) for authentication, authorization, and encryption to automatically secure the MapR cluster and ecosystem components when you install them manually or using the MapR Installer.
- The path between the web client and web server (W) uses SSL/TLS with form-based authentication.
- The path between the ODBC/JDBC client and ZooKeeper (Zn, Zo) is not secured.
The following diagram shows the secured communication paths:
| Type of Security Supported | Communication Path | Component Communication |
|---|---|---|
| Authentication and encryption using MapR-SASL (tickets) | C | ODBC client/C++ API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | J | JDBC client/Java API to Drillbits |
| Authentication and encryption using MapR-SASL (tickets) | D1, D2, Dn | Drillbit to Drillbit |
| Authentication and encryption using MapR-SASL (tickets) | M | Drillbit to MapR-DB/MapR-FS |
| Authentication and encryption using MapR-SASL (tickets) | H | Drillbit to Hive. NOTE: The Hive storage plugin is not secured by default and requires that you manually modify the configuration to enable security. See Configuring the Hive Storage Plugin. |
| Plain authentication with SSL encryption (HTTPS enabled) | W | Web client/Web API to Web server. NOTE: The HTTPS channel (Web client) uses Plain authentication to authenticate a Web client with SSL/TLS for encryption. This is configured by default in a secure 6.x cluster with Drill 1.11 or later installed. Plain authentication does not support encryption. You must enable SSL to encrypt the communication channels when using Plain authentication. See Configuring Drill Web UI and Web API Security. |
| Authentication with MapR security (no encryption) | Zj | Drillbit to ZooKeeper. NOTE: The Drillbit creates znodes, for which ZooKeeper ACLs provide security. See Security Between ZooKeeper and Drillbits for more information. |
| No security support | Zo, Zn | ODBC/JDBC client to ZooKeeper. NOTE: Only znodes created for Drillbit endpoints in ZooKeeper are readable by the client. All other znodes (not required by the client) are secured using ZooKeeper ACLs and are only readable by Drillbits. |
Disabling Security
To disable security, run configure.sh with the -unsecure parameter, as shown:
/opt/mapr/server/configure.sh -forceSecurityDefaults [ -unsecure | -secure ] -C <CLDB_node> -Z <ZK_node>
Alternatively, you can enable security across an entire MapR cluster with the -secure parameter.
See Drill Installation and configure.sh for more information.
Additional Notes
- Performance
- The default security configuration enables encryption for all network channels, which can affect Drill performance. If performance is your highest priority, install MapR and Drill without security enabled and have your security expert manually configure cluster security. Alternatively, you can install MapR and Drill with security enabled, and then disable individual Drill security settings. For example, you can edit the drill-override.conf file and disable encryption, leaving authentication enabled. NOTE: MapR does not recommend manually configuring security settings when default security is enabled.
- Drill Configuration Files
- The default security configuration introduces new Drill configuration files. In addition to drill-override.conf, distrib-env.sh, and drill-env.sh, Drill includes a drill-distrib.conf file. See Drill Configuration Files for more information. Note that modifying drill distribution-specific files is highly discouraged. To customize any Drill configuration, use drill-override.conf and drill-env.sh.
- HBase
- As of MapR 6.0 and Drill 1.11, HBase is no longer supported; therefore, the communication path between Drill and HBase is also not supported.
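
The Performance note above describes overriding individual settings in drill-override.conf, which can leave a path authenticated but unencrypted. The following added example (not MapR or Drill code) audits the effective configuration for that condition on the C/J, D and W paths. The option names are Apache Drill's and are assumed to apply to this release; `DISTRIB` and `OVERRIDE` are constructed samples, and the parser assumes one setting per line.

```python
import re

# Option names are Apache Drill's; confirm them against your own drill-distrib.conf.
PREFIX = "drill.exec."

def flatten(text):
    """Flatten one-setting-per-line HOCON with nested {} blocks into dotted keys."""
    settings, scope = {}, []
    for raw in text.splitlines():
        line = raw.strip().rstrip(",")
        m = re.match(r"([\w.]+)\s*[:=]?\s*(.*)$", line)  # no match on blanks/comments
        if line == "}":
            scope = scope[:-1]
        elif m and m.group(2) == "{":
            scope.append(m.group(1))
        elif m:
            settings[".".join(scope + [m.group(1)])] = m.group(2).strip('"').lower()
    return settings

def audit(distrib_conf, override_conf):
    """Return findings for the effective config (drill-override.conf wins)."""
    cfg = {**flatten(distrib_conf), **flatten(override_conf)}
    def on(key):
        return cfg.get(PREFIX + key, "false") == "true"
    findings = []
    for path, side in (("C/J (client to Drillbit)", "user"), ("D (Drillbit to Drillbit)", "bit")):
        if not on(f"security.{side}.auth.enabled"):
            findings.append(f"{path}: authentication disabled")
        elif not on(f"security.{side}.encryption.sasl.enabled"):
            findings.append(f"{path}: authenticated but not encrypted")
    plain = '"plain"' in cfg.get(PREFIX + "security.auth.mechanisms", "")
    if plain and not on("http.ssl_enabled"):
        findings.append("W (web client): Plain authentication without SSL")
    return findings

# Constructed sample files, not copied from a real cluster.
DISTRIB = """
drill.exec: {
  security: {
    user.auth.enabled: true,
    user.encryption.sasl.enabled: true,
    bit.auth.enabled: true,
    bit.encryption.sasl.enabled: true,
    auth.mechanisms: ["MAPRSASL", "PLAIN"]
  },
  http.ssl_enabled: true
}"""
OVERRIDE = "drill.exec.security.user.encryption.sasl.enabled: false"
```

Calling `audit(DISTRIB, OVERRIDE)` reports the client path as authenticated but not encrypted, which is the state the Performance note describes.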