Securing Drill

An administrator can install Drill with the default security configuration or manually configure custom security for Drill.

Drill supports several security features that secure the communication paths between Drill clients (such as ODBC/JDBC) and Drillbits and also between Drillbits. The following sections briefly describe the security configuration options for Drill and provide links to additional information and instructions.

MapR Default Security Configuration

Starting in MapR 6.0 and Drill 1.11 (EEP 4.0), Drill is automatically secured when you install Drill on a MapR cluster that was installed with the default MapR security configuration. The default MapR security configuration provides authentication, authorization, and encryption through the MapR-SASL mechanism, except for HTTPS, which uses SSL/TLS with form-based authentication. See Drill Default Security and SSL/TLS for Encryption for more information. You may also want to reference the following topics:

Installing Drill, which describes some Drill installation security scenarios.
Drill Drivers, where you can access the JDBC and ODBC driver information and downloads required to connect to Drill when using the default security configuration.

NOTE The default MapR security configuration does not include Kerberos or Plain authentication; however, you can manually configure these security mechanisms in addition to the default MapR security configuration.

Security Features Supported in a Custom Configuration

Drill supports several security features that an administrator can manually configure to secure the communication paths between the Drill client and Drillbit and also between Drillbits.

The following table lists the security features and mechanisms supported by Drill, as well as the communication paths secured by each mechanism:

NOTE In the following table, Drill client refers to the Drill ODBC and JDBC clients. See Drill Drivers for ODBC and JDBC driver information.

Security Features	Supported Mechanisms	Communication Paths Secured
Authentication	MapR Security (MapR-SASL/Tickets)	Drill client to Drillbit Drillbit to Drillbit Drillbit to ZooKeeper NOTE The Drillbit creates znodes, for which ZooKeeper ACLs provide security. See Security Between ZooKeeper and Drillbits for more information.
	Kerberos	Drill client to Drillbit Drillbit to Drillbit
	Plain (username and password)	Drill client to Drillbit
	Form-based	Web client/REST API to Drillbit NOTE You can configure SSL/TLS for encryption.
	SPNEGO for HTTP	Web client/REST API to Drillbit NOTE You can configure SSL/TLS for encryption.
Encryption	MapR Security (MapR/Tickets)	Drill client to Drillbit Drillbit to Drillbit
	Kerberos	Drill client to Drillbit Drillbit to Drillbit
	SSL/TLS	Drill client to Drillbit Web client/REST API to Drillbit
Authorization	Based on filesystem permissions.	Drill client to Drillbit
Impersonation	User Impersonation	Drill client to Drillbit NOTE Drill supports user impersonation, inbound impersonation, and user impersonation with Hive authorization.
	Inbound impersonation	Drill client to Drillbit NOTE Supports setting inbound impersonation policies, which are used to verify whether the user (set as the DelegationUID parameter passed in the client connection URL) can be impersonated by the connection user or not.

Views and File ACEs

In addition to the listed security features, you can create views on data to limit access to the data. You can also create file ACEs on the view definition files to protect the views.