Hi Kenny,

I think you can achieve it using a custom authenticator. The interface is located at [1]. As far as I have understood, Keycloak provides a client adapter to communicate with a backend service or framework. So the custom authenticator which you will develop will have the logic to instantiate the Keycloak client adapter, and when authenticate is called from the Drillbit on this custom authenticator, basically the client adapter needs to pass the creds to its backend service and return success or failure.

The way Drill loads an authenticator to use is using this [2] annotation, whose name is configured in Drill's config file. For example, you can look into these 2 implementations provided by Drill [3][4]. An example of the configuration to determine which authenticator to load is at [5]. If you see the value of config drill.exec.security.user.auth.impl, that is the same as the annotation name tied to an implementation at [3].

[1]: https://github.com/apache/drill/blob/master/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/UserAuthenticator.java
[2]: https://github.com/apache/drill/blob/master/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/UserAuthenticatorTemplate.java
[3]: https://github.com/apache/drill/blob/master/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/Pam4jUserAuthenticator.java
[4]: https://github.com/apache/drill/blob/master/exec/java-exec/src/main/java/org/apache/drill/exec/rpc/user/security/PamUserAuthenticator.java
[5]: https://drill.apache.org/docs/using-libpam4j-as-the-pam-authenticator/

Thanks,
Sorabh

________________________________
From: Ted Dunning <[email protected]>
Sent: Thursday, April 19, 2018 8:12 AM
To: [email protected]
Subject: Re: Keycloak integration

Hmm... interesting project.

I think you are right about the custom authenticator, but somebody who is deeper into the code would have to comment.

On Wed, Apr 18, 2018 at 11:00 AM, Kenny B <[email protected]> wrote:

> I have a requirement for developing micro-services that are secured through
> Keycloak.
>
> As far as I can tell, the way one might accomplish this through the latest
> Drill version (1.13) would be a custom authenticator.
>
> I haven't had great success in accomplishing this goal as of yet.
>
> Are there any examples that I could be pointed to?
>
> Is there any plan to expand native Drill security beyond Plain, PAM,
> Kerberos, HTTP?
>
> Thanks in advance!
