dobesv opened a new pull request #1977: DRILL-7573: Support htpasswd based authentication URL: https://github.com/apache/drill/pull/1977 # [DRILL-7573](https://issues.apache.org/jira/browse/DRILL-7573): Support htpasswd based authentication ## Description This allows you to specify `htpasswd` as your authentication implementation. In this case, users will be authenticated using usernames and password taken from a text file in `htpasswd` format. This gives some more flexibility compared to the PAM authenticator. For example, in docker / kubernetes you can mount a folder with an htpasswd file and update that file when you want to add/remove users, without any concern about interfering with the contents of /etc/passwd and /etc/shadow. ## Documentation # Using a password file for authentication Apache Drill allows you to store valid usernames and passwords in a text file in the popular "htpasswd" format. This can be more convenient than using PAM in containerized environments, because you do not have to modify any system files like `passwd`, `shadow`, or files in `pam.d`. Instead you can mount a volume with the `htpasswd` file in it and tell drill to use that file for authentication. To configure this feature: 1. Create an htpasswd file and copy/mount it to/on the drillbit machines/containers: $ htpasswd /path/to/htpasswd $USER 2. Add the following configuration to the `drill.exec` block in the `<DRILL_HOME>/conf/drill-override.conf` file: drill.exec: { security.auth.mechanisms : ["PLAIN"], security.user.auth: { enabled: true, packages += "org.apache.drill.exec.rpc.user.security", impl: "htpasswd", htpasswd: { file: "/path/to/htpasswd" } } } 3. Restart the drillbit(s) 4. Now you must use a username/password from the `htpasswd` file when logging into Drill Note: Currently the `crypt` and `bcrypt` algorithms are not supported, you should probably use the MD5 hashing algorithm used by default by the `htpasswd` command. ## Testing I created an `htpasswd` file using `htpasswd`, configured the auth mechanism as shown above, and testing logging in with both valid and invalid passwords with MD5, SHA-1, and plantext password hashes in the `htpasswd` files. No automated tests so far, but I'm open to advice on how/where to add them. Still very new to the code base.
---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: [email protected] With regards, Apache Git Services
