Security Between ZooKeeper and Drillbits

When Drill is installed on clusters with the default security enabled, authentication is enabled between the Drillbits and ZooKeeper. The ZooKeeper znode information is secured automatically through authentication and znode ACLs. Communication between the Drillbits and Zookeeper is not encrypted.

NOTE If you installed Drill on a cluster that does not have the default security configuration, and you are configuring custom security, you must enable authentication and manually set ACLs on the znodes.

Drill uses ZooKeeper to store certain cluster-level configuration and query profile information in znodes. A znode is an internal data tree in ZooKeeper that stores coordination and execution related information. If information in the znodes is not properly secured, cluster privacy and/or security is compromised.

ZooKeeper uses ACLs to control access to znodes and secure the information they store. Starting in Drill 1.15, you can create a custom ACL (Access Control List) on the znodes to secure data. ACLs specify sets of ids and permissions that are associated with the ids.

Prior to Drill 1.15, ZooKeeper ACLs in secure and insecure clusters were set to [world:all], meaning that all users had create, delete, read, write, and administrator access to the zknodes. Starting in Drill 1.15, ACLs in insecure clusters are set to [world:all]. ACLs in secure clusters are set to [authid: all], which provides full access to the authenticated user that created the znode only. Discovery znodes (znodes with the list of Drillbits) have an additional ACL set to [world:read] making the list of Drillbits readable by any user.
NOTE View the drill-override-example.conf file to see example ACL configurations.

Securing znodes

Complete the following steps to create a custom ACL and secure znodes:

  1. Write a class that implements the ZKACLProvider interface. This class will contain the ACLs that need to be set on the znodes. You can use the ZKSecureACLProvider class as a sample reference.
  2. Add the following dependency to the pom file of the project module created:
    <groupId>org.apache.drill.exec</groupId>
    <artifactId>drill-java-exec</artifactId> 
  3. Refer to the steps listed at https://drill.apache.org/docs/manually-adding-custom-functions-to-drill/ to create a JAR and then add the JAR to Drill's classpath.
  4. In /opt/mapr/drill/drill-<version>/conf/drill-override.conf, set zk.acl_provider to the ZKACLProviderTemplate type.
  5. Restart Drill. When you restart Drill, the ACL, as mentioned in your custom class, is applied to the znode created when Drill starts.
NOTE Existing ACLs for persistent znodes will not be affected if a Drillbit is restarted with a different ACL setting. ACLs are applied only at znode creation time. Drill does not recreate any znode that is already present. If you want to change an ACL for existing znodes, connect to the ZooKeeper server using zkCli and then use option a or b, as described:
  • a) Shutdown Drillbits, delete the persistent znodes, change the ACL settings, and restart the Drillbit.
  • b) Manually change the ACLs on the existing znodes to reflect the new ACL settings, using the setAcl command in the zkCli.

For either option to work, an authenticated connection between the zkCli and ZooKeeper Server must be established.

For additional information, refer to: