Enable SSL in <DRILL_INSTALL_HOME>/conf/drill-override.conf. You
can use several configuration options to customize SSL/TLS.
You must restart the Drillbit process on each node after you modify the configuration
options, as
shown:
$ maprcli node services -name drill-bits -action restart -nodes <node host names separated by a space>
The following sections provide information and instructions for enabling and configuring
SSL:
Enabling SSL
If SSL is enabled, all Drill clients, such as JDBC and ODBC, must connect to Drill servers
using SSL. Enable SSL in the Drill startup configuration file,
drill-override.conf located in
/opt/mapr/drill/drill-<version>/conf.
To enable SSL for Drill, set the
drill.exec.security.user.encryption.ssl.enabled option in
drill-override.conf to "true."
Configuring SSL
You can customize SSL on a Drillbit through the SSL configuration options. You can set the
options from the command line (using Java system properties) in the
drill-override.conf file or in the property file to which the Hadoop
parameter
hadoop.ssl.server.conf points (recommended).
NOTE Specifying
values in drill-override.conf can expose the security parameters to end
users. Administrators should set these values in the Hadoop security file and restrict
permissions on that file.
If a parameter is specified in multiple places, the value in the Hadoop configuration takes
precedence over the Drill configuration which takes precedence over the system property.
The Hadoop configuration is specified in the file pointed to by the
hadoop.ssl.server.conf parameter in the Hadoop
core-site.xml file. Typically, this parameter points to
$HADOOP_CONF/ssl-server.xml which contains the property names to
configure SSL. Both the
core-site.xml file and the
ssl-server.xml file must exist in the Drill classpath. The Drill SSL
configuration picks up the Hadoop SSL configuration.
NOTE Since the Drillbit implementation
is based on JSSE, several standard parameters that apply to JSSE also apply to the
Drillbit. However, you typically do not need to configure JSSE parameters.
The following are the SSL configuration options with their descriptions and default
values.
- drill.exec.security.user.encryption.ssl.enabled
- Hadoop Property Name: N/A
- System Property Name: N/A
- Description: Enable or disable TLS for Drill client - Drill Server
communication. You must set this option in
drill-override.conf.
- Allowed Values:
true or false
- Drill Default:
false
- drill.exec.ssl.protocol
- Hadoop Property Name: N/A
- System Property Name: N/A
- Description: The version of the TLS protocol to use.
- Allowed Values: TLS, TLSV1, TLSv1.1, TLSv1.2
- Drill Default: TLSv1.2 (recommended)
- drill.exec.ssl.keyStoreType
- Hadoop Property Name: ssl.server.keystore.type
- System Property Name: javax.net.ssl.keyStoreType
- Description: Format of the keystore file
- Allowed Values: jks, jceks, pkcs12
- Drill Default: jks
- drill.exec.ssl.keyStorePath
- Hadoop Property Name: ssl.server.keystore.location
- System Property Name: javax.net.ssl.keyStore
- Description: Location of the Java keystore file containing the Drillbit’s own
certificate and private key. On Windows, the specified pathname must use forward
slashes,
/, in place of backslashes.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.keyStorePassword
- Hadoop Property Name: ssl.server.keystore.password
- System Property Name: javax.net.ssl.keyStorePassword
- Description: Password to access the private key from the keystore file. This
password is used twice: To unlock the keystore file (store password), and to decrypt the
private key stored in the keystore (key password) unless a key password is specified
separately.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.keyPassword
- Hadoop Property Name: ssl.server.keystore.keypassword
- System Property Name: Not Applicable
- Description: Password to access the private key from the keystore file. May be
different from the keystore password.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.trustStoreType
- Hadoop Property Name: ssl.server.truststore.type
- System Property Name: javax.net.ssl.trustStoreType
- Description: Format of the truststore file
- Allowed Values: jks, jceks, pkcs12
- Drill Default: jks
- drill.exec.ssl.trustStorePath
- Hadoop Property Name: ssl.server.truststore.location
- System Property Name: javax.net.ssl.trustStore
- Description: Location of the Java keystore file containing the collection of CA
certificates trusted by the Drill client. On Windows, the specified pathname must use
forward slashes,
/, in place of backslashes.NOTE If the
trustStorePath is not provided, Drill ignores the
trustStorePassword parameter and gets the default Java truststore
instead. This operation causes issues if the Java truststore has a non-default
password. The Java APIs used to load the default keystore assume the default password.
The only way to use the default keystore with a non-default password is to specify
both the path and the password to the keystore. To work around this issue, pass the
default Java truststore to the trustStorePath parameter.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.trustStorePassword
- Hadoop Property Name: ssl.server.truststore.password
- System Property Name: javax.net.ssl.trustStorePassword
- Description: Password to access the private key from the keystore file
specified as the truststore.
- Allowed Values: Not Applicable
- Drill Default: Not Applicable
- drill.exec.ssl.provider
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Changes the underlying implementation to the chosen value.
- Allowed Values: OpenSSL or JDK
- Drill Default: JDK
- drill.exec.ssl.useHadoopConfig
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Use the setting in the Hadoop configuration file.
The
Hadoop configuration is specified in the file pointed to by the
hadoop.ssl.server.conf parameter in the
core-site.xml file. Typically, this parameter points to
$HADOOP_CONF/ssl-server.xml which contains the property names to
configure TLS.
- Allowed Values:
true or false
- Drill Default:
true
Configuring SSL on Drill on Yarn (DOY)
Starting with EEP 8.1.0, you can enable SSL on Drill on Yarn through SSL configuration
options. In the drill-on-yarn.conf file, add the
drill.yarn.http.ssl-enabled parameter. See Drill-on-YARN Limitations for additional information on related limitations.
- drill.yarn.http.ssl-enabled
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Use the setting in the Hadoop configuration file with the required
drill.yarn.ssl.useHadoopConfig parameter.
- Allowed Values:
true or false
- Drill Default:
false
- drill.yarn.ssl.useHadoopConfig
- Hadoop Property Name: Not Applicable
- System Property Name: Not Applicable
- Description: Use this setting in the Hadoop configuration file.
The
Hadoop configuration is specified in the file pointed to by the
hadoop.ssl.server.conf parameter in the
core-site.xml file. Typically, this parameter points to
$HADOOP_CONF/ssl-server.xml which contains the property names for
configuring the TLS.
- Allowed Values:
true or false
- Drill Default:
false