[ 
https://issues.apache.org/jira/browse/DRILL-7573?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17034153#comment-17034153
 ] 

ASF GitHub Bot commented on DRILL-7573:
---------------------------------------

dobesv commented on pull request #1977: DRILL-7573: Support htpasswd based 
authentication
URL: https://github.com/apache/drill/pull/1977
 
 
   # [DRILL-7573](https://issues.apache.org/jira/browse/DRILL-7573): Support 
htpasswd based authentication
   
   ## Description
   
   This allows you to specify `htpasswd` as your authentication implementation. 
 In this case, users will be authenticated using usernames and passwords taken 
from a text file in `htpasswd` format.
   
   This gives some more flexibility compared to the PAM authenticator.  For 
example, in docker / kubernetes you can mount a folder with an htpasswd file 
and update that file when you want to add/remove users, without any concern 
about interfering with the contents of /etc/passwd and /etc/shadow.
   
   ## Documentation
   
   # Using a password file for authentication
   
   Apache Drill allows you to store valid usernames and passwords in a text 
file in the popular "htpasswd" format.
   
   This can be more convenient than using PAM in containerized environments, 
because you do not have to modify any system files like `passwd`, `shadow`, or 
files in `pam.d`.  Instead you can mount a volume with the `htpasswd` file in 
it and tell drill to use that file for authentication.
   
   To configure this feature:
   
   1. Create an htpasswd file and copy/mount it to/on the drillbit 
machines/containers:
   
           $ htpasswd /path/to/htpasswd $USER
   
   2. Add the following configuration to the `drill.exec` block in the 
`<DRILL_HOME>/conf/drill-override.conf` file:  
     
                 drill.exec: {
                   security.auth.mechanisms : ["PLAIN"],
                   security.user.auth: {
                     enabled: true,
                     packages += "org.apache.drill.exec.rpc.user.security",
                     impl: "htpasswd",
                     htpasswd: { file: "/path/to/htpasswd" }
                   }
                 }
   
   3. Restart the drillbit(s)
   4. Now you must use a username/password from the `htpasswd` file when 
logging into Drill
   
   Note: Currently the `crypt` and `bcrypt` algorithms are not supported; you 
should probably use the MD5 hashing algorithm used by default by the 
`htpasswd` command.
   
   ## Testing
   
   I created an `htpasswd` file using `htpasswd`, configured the auth mechanism 
as shown above, and tested logging in with both valid and invalid passwords 
with MD5, SHA-1, and plaintext password hashes in the `htpasswd` files.
   
   No automated tests so far, but I'm open to advice on how/where to add them.  
Still very new to the code base.
   
   
 


> Support text file for user authentication instead of using PAM
> --------------------------------------------------------------
>
>                 Key: DRILL-7573
>                 URL: https://issues.apache.org/jira/browse/DRILL-7573
>             Project: Apache Drill
>          Issue Type: Improvement
>          Components:  Server, Web Server
>    Affects Versions: 1.17.0
>            Reporter: Dobes Vandermeer
>            Priority: Major
>
> Currently plain login uses PAM as its user database.  However, in a 
> containerized or server environment the passwd file is generally kept static, 
> so some other mechanism for managing users is preferred.  Also, pam does not 
> by default come with an easy way to check passwords other than via the 
> passwd/shadow files.
>  It would be great if there was another authentication method included in 
> drill that was easier to use in a containerized environment.
> Reading the usernames and passwords from a specific file would probably be the 
> simplest mechanism.
>  
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
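
The note in the pull request says `crypt` and `bcrypt` entries are not supported, so it helps to audit an htpasswd file before mounting it. The following is an added example, not code from the pull request or from Drill: it classifies each entry by the prefix conventions of Apache's `htpasswd` tool and verifies `{SHA}` entries. The function names, user names and hash values are constructed for illustration.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample htpasswd content (hypothetical users, not from the PR).
SAMPLE = """\
alice:$apr1$Zr8Cn0mS$0123456789abcdefghijk.
bob:{SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
carol:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
dave:ab0123456789c
erin:hunter2
"""
# Schemes the PR note lists as not supported.
UNSUPPORTED = {"bcrypt", "crypt"}

def classify(hash_field):
    """Guess the htpasswd scheme from the stored value's prefix or shape."""
    if hash_field.startswith("$apr1$"):
        return "md5"
    if hash_field.startswith("{SHA}"):
        return "sha1"
    if re.match(r"\$2[aby]\$", hash_field):
        return "bcrypt"
    if hash_field.startswith("$"):
        return "unknown"
    # Heuristic: crypt(3) DES output is 13 chars of [./0-9A-Za-z]; a plaintext
    # password with that shape cannot be told apart from it.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return "crypt"
    return "plaintext"

def audit(text):
    """Return (user, scheme, supported) for each entry in htpasswd text."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        rows.append((user, scheme, scheme not in UNSUPPORTED | {"unknown"}))
    return rows

def check_sha1(password, hash_field):
    """Verify a {SHA} entry: base64 of the unsalted SHA-1 of the password."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest())
    return hmac.compare_digest(b"{SHA}" + digest, hash_field.encode())
```

Entries reported as `plaintext` store the password in the clear and `sha1` entries are unsalted, so the file needs the same access restrictions as any other credential store.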
