Configuring Drill-on-Yarn on a Secure Cluster
Describes how to enable SASL for Drill and SQLLine to run Drill-on-YARN in a secure cluster.
About this task
Update the drill_home/conf/distrib-env.sh file with the required
options. If you use --site, then use your site directory.
The following options are requried for Drill and SQLLine to work with SASL security:
-Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory
-Dzookeeper.sasl.client=true
-Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf
-Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider
-Dhadoop.login=hybrid_keytabThe following sections describe how to update the
drill_home/conf/distrib-env.sh file with the options to ensure
that Drill and SQLLine work with SASL for security.- Drill
- To make Drill work with SASL, set DRILL_JAVA_OPTS as
shown:
export DRILL_JAVA_OPTS="${DRILL_JAVA_OPTS} -Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider -Dhadoop.login=hybrid_keytab" - SQLLine
- To make SQLLine work with SASL, set SQLLINE_JAVA_OPTS as
shown:
export SQLLINE_JAVA_OPTS="${SQLLINE_JAVA_OPTS} -Ddrill.customAuthFactories=org.apache.drill.exec.rpc.security.maprsasl.MapRSaslFactory -Dzookeeper.sasl.client=true -Djava.security.auth.login.config=/opt/mapr/conf/mapr.login.conf -Dzookeeper.saslprovider=com.mapr.security.maprsasl.MaprSaslProvider"
TIP The following table describes each of the options:
| Option | Description |
|---|---|
| drill.customAuthFactories | Required to make Drill and SQLLine work with SASL. It points to the authentication factories used for authentication. Provides a full classpath to the SASL implementation. |
| zookeeper.sasl.client | Required to make Drill and SQLLine work with Zookeeper in a SASL-enabled environment and ZooKeeper client authentication. It enables or disables SASL authentication in Drill and SQLLine for ZooKeeper connections. |
| zookeeper.saslprovider | Required to make Drill and SQLLine work with ZooKeeper in a SASL-enabled environement and ZooKeeper client authentication. It points to the authentication factories used for authentication in Drill and SQLLine for ZooKeeper connections. Provides a full classpath to the SASL implementation. |
| java.security.auth.login.config | Required to make Drill and SQLLine work with security. It
points to a file with JAAS configurations. In the HPE
environment it is
/opt/mapr/conf/mapr.login.conf. |
| hadoop.login=hybrid_keytab | Required to make Drill work with SASL security. It points to the required JAAS configuration name. |