Plain Authentication

An administrator can configure Drill to use the Linux pluggable authentication module (PAM) for Plain (username and password) authentication. PAM provides an authentication module that interfaces with any installed PAM authentication entity, such as the local operating system password file (/etc/passwd) or LDAP.

NOTE Starting in EEP 5.0, Drill supports form-based authentication between the web client and Drillbit. Form-based authentication is like Plain authentication in that a user is presented with a web form where s/he enters a username and password to access restricted web pages. Configuring Drill to Use libpam4j includes configuration details. When using form-based authentication, you can also configure Drill to use SPNEGO. See SPNEGO for HTTP Authentication.

When using PAM for authentication, each user with permission to run Drill queries must exist in the list of users that resides on each Drill node in the cluster. The username (including uid) and password for each user must be identical across all Drill nodes.

If you use PAM with /etc/passwd for authentication, verify that the users permitted to start the Drill process are part of the shadow user group on all nodes in the cluster. This enables Drill to read the /etc/shadow file for authentication.

NOTE Plain authentication does not support SASL encryption. You can use SSL/TLS for encryption when Plain authentication is enabled. You can also enable user impersonation and create views to limit user access to data.

Authentication Process Overview

During the authentication process, the client passes a username and password to the Drillbit as part of the connection request, which then passes the credentials to PAM. If PAM authenticates the user, the connection request passes the authentication phase, and the connection is established. The user will be authorized to access Drill and issue queries against the filesystem or other storage plugins, such as Hive.

The following image illustrates the PAM user authentication process in Drill:

If PAM cannot authenticate the user, the connection request does not pass the authentication phase and the user will not be authorized to access Drill. The connection is terminated as AUTH_FAILED.

For more PAM information (including a JPAM User Guide), see JPAM.

Configuring Plain Authentication in Drill

Drill supports the libjpam and libpam4j libraries. In Drill 1.12 and later, the libpam4j library is packaged with Drill. There is no download or external dependency required to use libpam4j. Using libpam4j is recommended for Drill 1.12 and later.

NOTE You can configure Drill to use multiple types of authenication mechanisms. For example, you can configure Drill to use Plain, Kerberos, and data-fabric-SASL; however, only SSL/TLS is supported for encryption when Plain authentication is configured with other authentication mechanisms.

The following sections provide information for configuring Drill to use libpam4j or libjpam, as well as instructions for connecting to Drill from SQLLine and BI tools when Plain authentication is enabled: