Configuring Encryption
An administrator can enable encryption with MapR Security (tickets).
NOTE When the
sasl_encrypt
(for JDBC) or EnforceSaslEncrypt
(for ODBC) connection parameter is set to "true"
or 1
, the
Drill client only accepts encrypted connections. If the client tries connecting to a Drillbit
with encryption disabled, the connection fails.NOTE For client-side configuration, see Drill Drivers.
Set the encryption options to "true"
in
/opt/mapr/drill/drill-<version>/conf/drill-override.conf
.
The following table lists the encryption configuration options with their descriptions and
default values:
NOTE If you installed Drill on a MapR cluster that
was installed with the default MapR security configuration, the
following options are set to "true" by default.
Option | Description | Default |
drill.exec.security.user.encryption.sasl.enabled | Determines if encryption on the server is enabled for negotiating privacy with the Drill client. | false |
drill.exec.security.bit.encryption.sasl.enabled | Determines if the server is enabled for negotiating privacy with another Drillbit. | false |
The following sections provide configuration examples for Drill client to Drillbit encryption and Drillbit to Drillbit encryption.
Example 1: Drill Client to Drillbit Connection with MapR Security Authentication and Encryption
In the following server configuration, the Drill client connection to the Drillbit is encrypted using the MapR Security mechanism when the client is running with encryption support.NOTE Drill clients running Drill 1.10 and earlier cannot connect to the Drillbit
through MapR Security with
encryption
enabled.
drill.exec {
security: {
user.auth.enabled: true,
auth.mechanisms : ["MAPRSASL"]
user.encryption.sasl.enabled : true
}
}
NOTE Drill
executes all queries as a service or process user when impersonation is
disabled.
Example 2: Drillbit to Drillbit Connection with MapR Security Authentication and Encryption
The following configuration authenticates and encrypts the path between Drillbits using the MapR Security mechanism.drill.exec {
security: {
auth.mechanisms : ["MAPRSASL"],
bit.auth.enabled : true
bit.auth.mechanisms : "MAPRSASL"
bit.encryption.sasl.enabled : true
}
}
Example 3: Drill Client to Drillbit and Drillbit to Drillbit Connection with MapR Security Authentication and Encryption
The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the MapR Security mechanism.drill.exec {
security: {
user.auth.enabled: true,
auth.mechanisms : ["MAPRSASL"],
user.encryption.sasl.enabled : true
bit.auth.enabled : true
bit.auth.mechanism : "MAPRSASL"
bit.encryption.sasl.enabled : true
}
}
NOTE Drill
executes all queries as a service or process user when impersonation is
disabled.
Example 4: Drill Client to Drillbit and Drillbit to Drillbit Connection with MapR Security Authentication and Encryption and Impersonation Enabled
The following configuration authenticates and encrypts the path between the Drill client and Drillbit, and between Drillbits using the MapR Security mechanism.drill.exec {
security: {
user.auth.enabled: true,
auth.mechanisms : ["MAPRSASL"],
user.encryption.sasl.enabled : true
bit.auth.enabled : true
bit.auth.mechanism : "MAPRSASL"
bit.encryption.sasl.enabled : true
},
impersonation: {
enabled: true,
max_chained_user_hops: 3
}
}
NOTE Drill
executes all queries as the authenticated (ticket) user when impersonation is
enabled.
Example 5: Drill Client to Drillbit Authentication and Encryption Enabled using Multiple Mechanisms and Drillbit to Drillbit Authentication using MapR Security
The following configuration authenticates and encrypts the connection between the Drill client and Drillbit using multiple authentication mechanisms, and also authenticates and encrypts the connection between Drillbits using the MapR security mechanism.NOTE Plain authentication not supported in this
configuration.
drill.exec {
security: {
user.auth.enabled: true,
auth.mechanisms : ["MAPRSASL", "KERBEROS"],
auth.principal : "mapr/_host@REALM.COM",
auth.keytab : "/opt/mapr/conf/mapr.keytab",
user.encryption.sasl.enabled : true,
bit.auth.enabled : true,
bit.auth.mechanism : "MAPRSASL",
bit.encryption.sasl.enabled : true
}
impersonation: {
enabled: true,
max_chained_user_hops: 3
}
}
NOTE Drill
executes all queries as a service or process user when impersonation is
disabled.