Repository: drill Updated Branches: refs/heads/gh-pages ffe59b8a2 -> 881b8ec98
Add SPNEGO content Project: http://git-wip-us.apache.org/repos/asf/drill/repo Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/881b8ec9 Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/881b8ec9 Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/881b8ec9 Branch: refs/heads/gh-pages Commit: 881b8ec98c0706e60a2259be069aeb9ca694a7f6 Parents: ffe59b8 Author: Bridget Bevens <[email protected]> Authored: Tue Apr 3 16:36:58 2018 -0700 Committer: Bridget Bevens <[email protected]> Committed: Tue Apr 3 16:36:58 2018 -0700 ---------------------------------------------------------------------- .../070-configuring-user-security.md | 8 +- ...ill-to-use-spnego-for-http-authentication.md | 148 +++++++++++++++++++ ...-configuring-web-ui-and-rest-api-security.md | 111 -------------- ...-configuring-web-ui-and-rest-api-security.md | 111 ++++++++++++++ _docs/install/060-starting-the-web-ui.md | 6 +- .../026-parquet-filter-pushdown.md | 4 +- 6 files changed, 269 insertions(+), 119 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/configure-drill/securing-drill/070-configuring-user-security.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/070-configuring-user-security.md b/_docs/configure-drill/securing-drill/070-configuring-user-security.md index 51889ba..412e901 100644 --- a/_docs/configure-drill/securing-drill/070-configuring-user-security.md +++ b/_docs/configure-drill/securing-drill/070-configuring-user-security.md @@ -1,15 +1,15 @@ --- title: "Configuring User Security" -date: 2018-02-09 00:15:58 UTC +date: 2018-04-03 23:36:59 UTC parent: "Securing Drill" --- ## Authentication Authentication is the process of establishing confidence of authenticity. A Drill client user is authenticated when a drillbit process running in a Drill cluster confirms the identity it is presented with. Drill supports several authentication mechanisms through which users can prove their identity before accessing cluster data: -* **Kerberos** - -* See [Configuring Kerberos Security]({{site.baseurl}}/docs/configuring-kerberos-security/). -* **Plain** [also known as basic authentication (auth), which is username and password-based authentication, through the Linux Pluggable Authentication Module (PAM)] - See [Configuring Plain Security]({{site.baseurl}}/docs/configuring-plain-security/). +* **Kerberos** - Featuring Drill client to Drillbit encryption as of Drill 1.11. See [Configuring Kerberos Security]({{site.baseurl}}/docs/configuring-kerberos-security/). +* **SPNEGO** - Drill 1.13 and later supports the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) to extend the Kerberos-based single sign-on authentication mechanism to HTTP. See [Configuring Drill to use SPNEGO for HTTP Authentication]({{site.baseurl}}/docs/configuring-drill-to-use-spnego-for-http-authentication/). +* **Plain** - Also known as basic authentication (auth), which is username and password-based authentication through the Linux Pluggable Authentication Module (PAM). See [Configuring Plain Security]({{site.baseurl}}/docs/configuring-plain-security/). * **Custom authenticators** - See [Creating Custom Authenticators]({{site.baseurl}}/docs/creating-custom-authenticators). These authentication options are available through JDBC and ODBC interfaces. http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/configure-drill/securing-drill/091-configuring-drill-to-use-spnego-for-http-authentication.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/091-configuring-drill-to-use-spnego-for-http-authentication.md b/_docs/configure-drill/securing-drill/091-configuring-drill-to-use-spnego-for-http-authentication.md new file mode 100644 index 0000000..49d2aca --- /dev/null +++ b/_docs/configure-drill/securing-drill/091-configuring-drill-to-use-spnego-for-http-authentication.md @@ -0,0 +1,148 @@ +--- +title: "Configuring Drill to use SPNEGO for HTTP Authentication" +date: 2018-04-03 17:47:38 UTC +parent: "Securing Drill" +--- + +Drill 1.13 and later supports the Simple and Protected GSS-API Negotiation mechanism (SPNEGO) to extend the Kerberos-based single sign-on authentication mechanism to HTTP. An administrator can configure both FORM (username and password) and SPNEGO authentication together, which provides the ability for clients with different security preferences to connect to the same Drill cluster. + +When a client (a web browser or a web client tool, such as curl) requests access to a secured page from the web server (Drillbit), the SPNEGO mechanism uses tokens to perform a handshake that authenticates the client browser and the web server. + +The following browsers were tested with Drill configured to use SPNEGO authentication: + + + +- Firefox +- Chrome +- Safari +- Web client tool, such as curl + +An IT administrator configures the web server (Drillbit) to use SPNEGO for authentication. Depending on the system, either the administrator or the user configures the client (web browser or web client tool) to use SPNEGO for authentication. Configuration instructions are presented later in this document. + +##Prerequisites + +SPNEGO authentication for Drill requires the following: + + +- Drill 1.13 installed on each node. +- Drill provides the required Kerberos (JDBC) plugin as part of the Drill package. To use the plugin, you must have a working Kerberos infrastructure, which Drill does not provide. +- You must be working in a Linux-based or Windows Active Directory (AD) Kerberos environment with secure clusters and have a Drill server configured for Kerberos. See [Enabling Authentication]({{site.baseurl}}/docs/configuring-kerberos-authentication/#enabling-authentication-and-encryption). +- Kerberos principal and keytab on each Drillbit (web server) that will use SPNEGO for authentication. +- Kerberos Ticket Granting Ticket on the client machine for the user accessing the Drillbit (web server). +- Drill web server configured for SPNEGO. + +##Configure SPNEGO on the Web Server and Web Client + +The following sections provide the steps that an administrator can follow to configure SPNEGO on the web server (Drillbit). An administrator or a user can follow the steps for configuring the Drill client (web browser or client tool, such as curl). + +###Configuring SPNEGO on the Drillbit (Web Server) +To configure SPNEGO on the web server, complete the following steps: +1-Generate a Kerberos principal on each web server that will receive inbound SPNEGO traffic. Each principal must have a corresponding keytab. The principal must have the following form: + + âHTTP/<client-known-server-hostname@realm>â + + Example: âHTTP/[email protected]â + //In this example, the client known server hostname is example.QA.LAB. + +2-Update the `<DRILL_HOME>/conf/drill-override.conf` file on each Drillbit with the following server-side SPNEGO configurations: + + + +- To enable SPNEGO, add the following configuration to `drill-override.conf`: + + drill.exec.http: { + spnego.auth.principal:"HTTP/hostname@realm", + spnego.auth.keytab:"path/to/keytab", + auth.mechanisms: [âSPNEGOâ] + } + + //The default authentication mechanism is âFORMâ. + +- To enable SPNEGO and FORM authentication, add the following configuration to `drill-override.conf`: + + impersonation: { + enabled: true, + max_chained_user_hops: 3 + }, + security.user.auth: { + enabled: true, + packages += "org.apache.drill.exec.rpc.user.security", + impl: "pam4j", + pam_profiles: [ "sudo", "login" ] + } + drill.exec.http: { + spnego.auth.principal:"HTTP/hostname@realm", + spnego.auth.keytab:"path/to/keytab", + auth.mechanisms: [âSPNEGOâ, âFORMâ] + } + } + +3-Configure the mapping from a Kerberos principal to a user account used by Drill. By default, the short name, which contains only the primary portion of the principal, is used as the user account known to Drill. This user account name is used to determine if the authenticated user has administrative privileges. + + +- Drill uses a Hadoop Kerberos name and rules to transform the client Kerberos principal to the principal Drill uses internally as the clientâs identity. By default, this mapping rule extracts the first portion from the provided principal. For example, if the principal format is <Name1>/<Name2>@realm, the default rule extracts only Name1 from the principal and stores Name1 as the clientâs identity on server side. +- Administrators can configure custom rules by setting the `drill.exec.security.auth.auth_to_local` property in the `drill-override.conf` file. + +##Configuring SPNEGO on the Drill Client (Web Client) + +An administrator or user can configure SPNEGO on the client (web browser or client tools, such as curl). To configure SPNEGO on the client, a Kerberos Ticket Granting Ticket must exist for the user accessing the web server. The Kerberos ticket must have been created using `kinit`. The Kerberos ticket translates into a token for SPNEGO. If a user is authenticated through Kerberos, the user is granted a token for SPNEGO. + +The client uses the web server name (in the server-side principal) to access the Drill Web Console. Use the same web server name that is used in the server-side principal to access the Drill Web Console. For example, if the server principal is `"HTTP/[email protected]â`, the client should use `http://example.QA.LAB:8047` as the Drill Web Console URL. + +The following sections provide instructions for configuring the supported client-side browsers: + +**Note:** SPNEGO is not tested on Windows browsers in Drill 1.13. + +###Firefox +To configure Firefox to use a negotiation dialog, such as SPNEGO to authenticate, complete the following steps: + +1-Go to About > Config, and accept the warnings. +2-Navigate to the network settings. +3-Set network.negotiate-auth.delegation-uris to âhttp://,https://â. +4-Set network.negotiate-auth.trusted-uris to âhttp://,https://â. + +###Chrome +For MacOS or Linux, add the `--auth-server-whitelist` parameter to the `google-chrome` command. For example, to run Chrome from a Linux prompt, run the `google-chrome` command, as follows: + + google-chrome --auth-server-whitelist = "hostname/domain" + Example: google-chrome --auth-server-whitelist = "example.QA.LAB" + +###Safari +No configuration is required for Safari. Safari automatically authenticates using SPNEGO when requested by the server. + +###REST API +You can use CURL commands to log in to SPNEGO, and use SPNEGO over REST. + +Issue the following `curl` command to log in to SPNEGO, and save the authenticated session cookie to a file, such as `cookie.txt`, as shown: + + curl -v --negotiate -c cookie.txt -u : http://<hostname>:8047/spnegoLogin + +Use the authenticated session cookie stored in the file, for example `cookie.txt`, to access the Drill Web Console pages, as shown in the following example: + + curl -v --negotiate -b cookie.txt -u : http://<hostname>:8047/query + Example: curl -v --negotiate -b cookie.txt -u : http://example.QA.LAB:8047/query + +##Logging in to the Drill Web Console +With the addition of SPNEGO authentication in Drill 1.13, an administrator can configure FORM and/or SPNEGO authentication mechanisms. The Drill Web Console provides two possible log in options for a user depending on the configuration. + +If a user selects FORM, he/she must enter their username and password to access restricted pages in the Drill Web Console. The user is authenticated through PAM. + +If the user selects SPNEGO, the user is automatically logged in if they are an authenticated Kerberos user. + +If accessing a protected page directly, the user is redirected to the authentication log in page. + + + + + + + + + + + + + + + + http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/configure-drill/securing-drill/091-configuring-web-ui-and-rest-api-security.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/091-configuring-web-ui-and-rest-api-security.md b/_docs/configure-drill/securing-drill/091-configuring-web-ui-and-rest-api-security.md deleted file mode 100644 index d3feb9a..0000000 --- a/_docs/configure-drill/securing-drill/091-configuring-web-ui-and-rest-api-security.md +++ /dev/null @@ -1,111 +0,0 @@ ---- -title: "Configuring Web Console and REST API Security" -date: 2017-08-07 19:02:44 UTC -parent: "Securing Drill" ---- -Drill 1.5 extends [Drill user security]({{site.baseurl}}/docs/configuring-user-security/) to the Web Console and underlying REST API. As administrator, you can control the extent of access to the Web Console and REST API client applications. For example, -you can limit the access of certain users to Web Console functionality, such as viewing the in-progress or completed queries of other users. You can limit users from viewing other users' query profiles, who can cancel queries of other users, and other functionality. - -With Web Console security in place, users who do not have administrator privileges need to use the SHOW SCHEMAS command instead of the Web Console for storage plugin configuration information. - -## HTTPS Support -Drill 1.2 uses code-level support for transport layer security (TLS) to secure the Web Console and REST API. By default, the Web Console and REST API support the HTTP protocol. You set the following start-up option to TRUE to enable HTTPS support: - -`drill.exec.http.ssl_enabled` - -By default this start-up option is set to FALSE. - -Drill generates a self-signed certificate that works with SSL for HTTPS access to the Web Console. Because Drill uses a self-signed certificate, you see a warning in the browser when you go to `https://<node IP address>:8047`. The Chrome browser, for example, requires you to click `Advanced`, and then `Proceed to <address> (unsafe)`. If you have a signed certificate by an authority, you can set up a custom SSL to avoid this warning. You can set up SSL to specify the keystore or truststore, or both, for your organization, as described in the next section. - -## Setting Up a Custom SSL Configuration - -As cluster administrator, you can set the following SSL configuration parameters in the `conf/drill-override.conf` file, as described in the [Java product documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html/#Customization): - -* javax.net.ssl.keyStore - Path to the application's certificate and private key in the Java keystore file. -* javax.net.ssl.keyStorePassword - Password for accessing the private key from the keystore file. -* javax.net.ssl.trustStore - Path to the trusted CA certificates in a keystore file. -* javax.net.ssl.trustStorePassword - Password for accessing the trusted keystore file. - -## Prerequisites for Web Console and REST API Security - -You need to perform the following configuration tasks using Web Console and REST API security. - -* Configure [user security]({{site.baseurl}}/docs/configuring-user-security/) -* Set up Web Console administrators - Optionally, you can set up Web Console administrator-user groups to facilitate management of multiple Web Console administrators. - -## Setting up Web Console Administrators and Administrator-User Groups - -Configure the following system options using the [ALTER SYSTEM]({{site.baseurl}}/docs/alter-system/) command: - -* security.admin.users - Set the value of this option to a comma-separated list of user names who you want to give administrator privileges, such as changing system options. -* security.admin.user_groups - Set the value of this option to a comma-separated list of administrator groups. - -Any user who is a member of any group listed in security.admin.user.groups is a Drill cluster administrator. Any user for whom you have configured Drill user authentication, but not set up as a Drill cluster administrator, has only user privileges to access the Web Console and REST API client applications. - -## Web Console and REST API Privileges - -The following table and subsections describe the privilege levels for accessing the REST API methods and corresponding Web Console functions: - -* Administrator (ADMIN) -* User (USER) -* Administrator and User (ALL) - -| Resource Method | Path | Request Type | Output Type | Functionality | Privilege Level | -|--------------------------|------------------------------|--------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------| -| getStats | / | GET | text/html | Returns Drillbit stats in a table in HTML format. | ALL | -| getStatsJSON | /stats.json | GET | application/json | Returns Drillbit stats such as ports and max direct memory in json format. | ALL | -| getStatus | /status | GET | text/html | Returns Running! | ALL | -| getSystemOptionsJSON | /options.json | GET | application/json | Returns a list of options. Each option consists of name-value-type-kind (for example: (boot system datatype). | ALL | -| getSystemOptions | /options | GET | text/html | Returns an HTML table where each row is a form containing the option details that allows option values to be modified. | ALL | -| updateSystemOption | /option/{optionName} | POST | text/html | Updates the options and calls getSystemOptions. So again an option list is displayed. | ADMIN | -| getStoragePluginsJSON | /storage.json | GET | application/json | Returns a list of storage plugin wrappers each containing name-config (instance of StoragePluginConfig) and enabled. | ADMIN | -| getStoragePlugins | /storage | GET | text/html | Returns an HTML page with two sections: The first section contains a table of rows that are forms containing the plugin button for the update page and a button to disable the plugin. The second section is the same except the button enables the plugin. | ADMIN | -| getStoragePluginJSON | /storage/{name}.json | GET | application/json | Returns a plugin config wrapper for the requested web page. | ADMIN | -| getStoragePlugin | /storage/{name} | GET | text/html | Returns an HTML page that has an editable text box for configuration changes and buttons for creating/updating/deleting. Each button makes calls that regenerate the page. | ADMIN | -| enablePlugin | /storage/{name}/enable/{val} | GET | application/json | Updates the storage plugin configuration status. Returns success or failure. | ADMIN | -| deletePluginJSON | /storage/{name}.json | DELETE | application/json | Deletes the storage plugin. Returns success or failure. | ADMIN | -| deletePlugin | /storage/{name}/delete | GET | application/json | Same as deletePluginJSON but a GET instead of a DELETE request. | ADMIN | -| createOrUpdatePluginJSON | /storage/{name}.json | POST | application/json | Creates or updates the storage plugin configuration. Returns success or failure. Expects JSON input. | ADMIN | -| createOrUpdatePlugin | /storage/{name} | POST | application/json | Same as createOrUpdatePluginJSON expects JSON or FORM input. | ADMIN | -| getProfilesJSON | /profiles.json | GET | application/json | Returns currently running and completed profiles from PStore. For each profile a queryId, startTime, foremanAddress, query, user, and state is returned. Each list (running and completed) is organized in reverse chronological order. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles.json) | -| getProfiles | /profiles | GET | text/html | Generates an HTML page from the data returned by getProfilesJSON with a hyperlink to a detailed query page, | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles) | -| getProfileJSON | /profiles/{queryid}.json | GET | application/json | Returns the entire profile in JSON. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/{queryid}.json) | -| getProfile | /profiles/{queryid} | GET | text/html | Returns a complicated profile page. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/{queryid}) | -| cancelQuery | /profiles/cancel/{queryid} | GET | text/html | Cancels the given query and sends a message. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/cancel/{queryid}) | -| getQuery | /query | GET | text/html | Gets the query input page. | ALL | -| submitQueryJSON | /query.json | POST | application/json | Submits a query and waits until it is completed and then returns the results as one big JSON object. | ALL | -| submitQuery | /query | POST | text/html | Returns results from submitQueryJSON populated in a HTML table. | ALL | -| getMetrics | /metrics | GET | text/html | Returns a page that fetches metric info from resource, status, and metrics. | ALL | -| getThreads | /threads | GET | text/html | Returns a page that fetches metric information from resource, status, and threads. | ALL | - -### GET /profiles.json - -* ADMIN - gets all profiles on the system. -* USER - only the profiles of the queries the user has launched. - -### GET /profiles - -* ADMIN - gets all profiles on the system. -* USER - only the profiles of the queries the user has launched. - -### GET /profiles/{queryid}.json - -* ADMIN - return the profile. -* USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists. - -### GET /profiles/{queryid} - -* ADMIN - return the profile. -* USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists - -### GET /profiles/cancel/{queryid} - -* ADMIN - can cancel the query. -* USER - cancel the query only if the query is launched by the user requesting the cancellation. http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/configure-drill/securing-drill/092-configuring-web-ui-and-rest-api-security.md ---------------------------------------------------------------------- diff --git a/_docs/configure-drill/securing-drill/092-configuring-web-ui-and-rest-api-security.md b/_docs/configure-drill/securing-drill/092-configuring-web-ui-and-rest-api-security.md new file mode 100644 index 0000000..d3feb9a --- /dev/null +++ b/_docs/configure-drill/securing-drill/092-configuring-web-ui-and-rest-api-security.md @@ -0,0 +1,111 @@ +--- +title: "Configuring Web Console and REST API Security" +date: 2017-08-07 19:02:44 UTC +parent: "Securing Drill" +--- +Drill 1.5 extends [Drill user security]({{site.baseurl}}/docs/configuring-user-security/) to the Web Console and underlying REST API. As administrator, you can control the extent of access to the Web Console and REST API client applications. For example, +you can limit the access of certain users to Web Console functionality, such as viewing the in-progress or completed queries of other users. You can limit users from viewing other users' query profiles, who can cancel queries of other users, and other functionality. + +With Web Console security in place, users who do not have administrator privileges need to use the SHOW SCHEMAS command instead of the Web Console for storage plugin configuration information. + +## HTTPS Support +Drill 1.2 uses code-level support for transport layer security (TLS) to secure the Web Console and REST API. By default, the Web Console and REST API support the HTTP protocol. You set the following start-up option to TRUE to enable HTTPS support: + +`drill.exec.http.ssl_enabled` + +By default this start-up option is set to FALSE. + +Drill generates a self-signed certificate that works with SSL for HTTPS access to the Web Console. Because Drill uses a self-signed certificate, you see a warning in the browser when you go to `https://<node IP address>:8047`. The Chrome browser, for example, requires you to click `Advanced`, and then `Proceed to <address> (unsafe)`. If you have a signed certificate by an authority, you can set up a custom SSL to avoid this warning. You can set up SSL to specify the keystore or truststore, or both, for your organization, as described in the next section. + +## Setting Up a Custom SSL Configuration + +As cluster administrator, you can set the following SSL configuration parameters in the `conf/drill-override.conf` file, as described in the [Java product documentation](http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html/#Customization): + +* javax.net.ssl.keyStore + Path to the application's certificate and private key in the Java keystore file. +* javax.net.ssl.keyStorePassword + Password for accessing the private key from the keystore file. +* javax.net.ssl.trustStore + Path to the trusted CA certificates in a keystore file. +* javax.net.ssl.trustStorePassword + Password for accessing the trusted keystore file. + +## Prerequisites for Web Console and REST API Security + +You need to perform the following configuration tasks using Web Console and REST API security. + +* Configure [user security]({{site.baseurl}}/docs/configuring-user-security/) +* Set up Web Console administrators + Optionally, you can set up Web Console administrator-user groups to facilitate management of multiple Web Console administrators. + +## Setting up Web Console Administrators and Administrator-User Groups + +Configure the following system options using the [ALTER SYSTEM]({{site.baseurl}}/docs/alter-system/) command: + +* security.admin.users + Set the value of this option to a comma-separated list of user names who you want to give administrator privileges, such as changing system options. +* security.admin.user_groups + Set the value of this option to a comma-separated list of administrator groups. + +Any user who is a member of any group listed in security.admin.user.groups is a Drill cluster administrator. Any user for whom you have configured Drill user authentication, but not set up as a Drill cluster administrator, has only user privileges to access the Web Console and REST API client applications. + +## Web Console and REST API Privileges + +The following table and subsections describe the privilege levels for accessing the REST API methods and corresponding Web Console functions: + +* Administrator (ADMIN) +* User (USER) +* Administrator and User (ALL) + +| Resource Method | Path | Request Type | Output Type | Functionality | Privilege Level | +|--------------------------|------------------------------|--------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------| +| getStats | / | GET | text/html | Returns Drillbit stats in a table in HTML format. | ALL | +| getStatsJSON | /stats.json | GET | application/json | Returns Drillbit stats such as ports and max direct memory in json format. | ALL | +| getStatus | /status | GET | text/html | Returns Running! | ALL | +| getSystemOptionsJSON | /options.json | GET | application/json | Returns a list of options. Each option consists of name-value-type-kind (for example: (boot system datatype). | ALL | +| getSystemOptions | /options | GET | text/html | Returns an HTML table where each row is a form containing the option details that allows option values to be modified. | ALL | +| updateSystemOption | /option/{optionName} | POST | text/html | Updates the options and calls getSystemOptions. So again an option list is displayed. | ADMIN | +| getStoragePluginsJSON | /storage.json | GET | application/json | Returns a list of storage plugin wrappers each containing name-config (instance of StoragePluginConfig) and enabled. | ADMIN | +| getStoragePlugins | /storage | GET | text/html | Returns an HTML page with two sections: The first section contains a table of rows that are forms containing the plugin button for the update page and a button to disable the plugin. The second section is the same except the button enables the plugin. | ADMIN | +| getStoragePluginJSON | /storage/{name}.json | GET | application/json | Returns a plugin config wrapper for the requested web page. | ADMIN | +| getStoragePlugin | /storage/{name} | GET | text/html | Returns an HTML page that has an editable text box for configuration changes and buttons for creating/updating/deleting. Each button makes calls that regenerate the page. | ADMIN | +| enablePlugin | /storage/{name}/enable/{val} | GET | application/json | Updates the storage plugin configuration status. Returns success or failure. | ADMIN | +| deletePluginJSON | /storage/{name}.json | DELETE | application/json | Deletes the storage plugin. Returns success or failure. | ADMIN | +| deletePlugin | /storage/{name}/delete | GET | application/json | Same as deletePluginJSON but a GET instead of a DELETE request. | ADMIN | +| createOrUpdatePluginJSON | /storage/{name}.json | POST | application/json | Creates or updates the storage plugin configuration. Returns success or failure. Expects JSON input. | ADMIN | +| createOrUpdatePlugin | /storage/{name} | POST | application/json | Same as createOrUpdatePluginJSON expects JSON or FORM input. | ADMIN | +| getProfilesJSON | /profiles.json | GET | application/json | Returns currently running and completed profiles from PStore. For each profile a queryId, startTime, foremanAddress, query, user, and state is returned. Each list (running and completed) is organized in reverse chronological order. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles.json) | +| getProfiles | /profiles | GET | text/html | Generates an HTML page from the data returned by getProfilesJSON with a hyperlink to a detailed query page, | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles) | +| getProfileJSON | /profiles/{queryid}.json | GET | application/json | Returns the entire profile in JSON. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/{queryid}.json) | +| getProfile | /profiles/{queryid} | GET | text/html | Returns a complicated profile page. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/{queryid}) | +| cancelQuery | /profiles/cancel/{queryid} | GET | text/html | Cancels the given query and sends a message. | [ADMIN, USER]({{site.baseurl}}/docs/configuring-web-console-and-rest-api-security/#get-/profiles/cancel/{queryid}) | +| getQuery | /query | GET | text/html | Gets the query input page. | ALL | +| submitQueryJSON | /query.json | POST | application/json | Submits a query and waits until it is completed and then returns the results as one big JSON object. | ALL | +| submitQuery | /query | POST | text/html | Returns results from submitQueryJSON populated in a HTML table. | ALL | +| getMetrics | /metrics | GET | text/html | Returns a page that fetches metric info from resource, status, and metrics. | ALL | +| getThreads | /threads | GET | text/html | Returns a page that fetches metric information from resource, status, and threads. | ALL | + +### GET /profiles.json + +* ADMIN - gets all profiles on the system. +* USER - only the profiles of the queries the user has launched. + +### GET /profiles + +* ADMIN - gets all profiles on the system. +* USER - only the profiles of the queries the user has launched. + +### GET /profiles/{queryid}.json + +* ADMIN - return the profile. +* USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists. + +### GET /profiles/{queryid} + +* ADMIN - return the profile. +* USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists + +### GET /profiles/cancel/{queryid} + +* ADMIN - can cancel the query. +* USER - cancel the query only if the query is launched by the user requesting the cancellation. http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/install/060-starting-the-web-ui.md ---------------------------------------------------------------------- diff --git a/_docs/install/060-starting-the-web-ui.md b/_docs/install/060-starting-the-web-ui.md index 525645b..03320ce 100644 --- a/_docs/install/060-starting-the-web-ui.md +++ b/_docs/install/060-starting-the-web-ui.md @@ -1,6 +1,6 @@ --- title: "Starting the Web Console" -date: 2018-02-08 00:38:57 UTC +date: 2018-04-03 23:37:00 UTC parent: Install Drill --- @@ -21,7 +21,9 @@ If [user authentication]({{site.baseurl}}/docs/configuring-user-authentication/)  -**Note:** As of Drill 1.12, users must enter a username to issue queries through the Query page in the Drill Web Console if user impersonation is enabled and authentication is disabled. To re-run a query from the Profiles page, users must also submit a username. See [REST API]({{site.baseurl}}/docs/submitting-queries-from-the-rest-api-when-impersonation-is-enabled-and-authentication-is-disabled/) for more information. +**Note:** As of Drill 1.12, users must enter a username to issue queries through the Query page in the Drill Web Console if user impersonation is enabled and authentication is disabled. To re-run a query from the Profiles page, users must also submit a username. See [REST API]({{site.baseurl}}/docs/submitting-queries-from-the-rest-api-when-impersonation-is-enabled-and-authentication-is-disabled/) for more information. + +**Note:** As of Drill 1.13, an administrator can configure FORM and/or SPNEGO authentication mechanisms. The Drill Web Console provides two possible log in options for a user depending on the configuration. If a user selects FORM, he/she must enter their username and password to access restricted pages in the Drill Web Console. The user is authenticated through PAM. If the user selects SPNEGO, the user is automatically logged in if they are an authenticated Kerberos user. If accessing a protected page directly, the user is redirected to the authentication log in page. If [user authentication]({{site.baseurl}}/docs/configuring-user-authentication/) is enabled, Drill prompts you for a user name/password: http://git-wip-us.apache.org/repos/asf/drill/blob/881b8ec9/_docs/performance-tuning/026-parquet-filter-pushdown.md ---------------------------------------------------------------------- diff --git a/_docs/performance-tuning/026-parquet-filter-pushdown.md b/_docs/performance-tuning/026-parquet-filter-pushdown.md index 569377d..cf9ef05 100644 --- a/_docs/performance-tuning/026-parquet-filter-pushdown.md +++ b/_docs/performance-tuning/026-parquet-filter-pushdown.md @@ -1,6 +1,6 @@ --- title: "Parquet Filter Pushdown" -date: 2018-03-26 18:30:22 UTC +date: 2018-04-03 23:37:00 UTC parent: "Performance Tuning" --- @@ -46,7 +46,7 @@ Run the [EXPLAIN PLAN command]({{site.baseurl}}/docs/explain-commands/) to see t ##Support The following table lists the supported and unsupported clauses, operators, data types, function, and scenarios for Parquet filter pushdown: -**Note:** An asterisk (*) indicates support as of Drill 1.13 +**Note:** An asterisk (*) indicates support as of Drill 1.13. | | Supported | Not Supported | |------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------|
