Update core-site.xml
Add the following properties to Drill’s core-site.xml, found in the $DRILL_HOME/conf folder.

  <property>
    <name>yarn.resourcemanager.principal</name>
    <value>yarn/[email protected]</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>

Add YARN API jar to classpath

Find the hadoop-yarn-api.jar for your distribution and add it to the classpath for Drill. This can be put in the jars folder, found at $DRILL_HOME/jars.

Install JPAM

Follow the instructions provided by Drill here: https://drill.apache.org/docs/configuring-user-authentication/

Since Drill doesn’t yet support Kerberos as a direct authentication mechanism, this authenticates using the local system’s local user PAM modules.

Set up Proxy User on Cluster

In the core-site.xml for each machine on the cluster, you’ll need to add the following lines to allow the principal you are running Drill as to be a proxy user. Our examples henceforth will assume a principal named [email protected]. For added security, you can specify the hostname that Drill is running on instead of a *, which will only allow that location to act as a proxy.

  <property>
    <name>hadoop.proxyuser.hadooprevealed.hosts</name>
    <value>*</value>
  </property>
  <property>
    <name>hadoop.proxyuser.hadooprevealed.groups</name>
    <value>*</value>
  </property>

Set Java Options

Set the following as Java options in drill-env.sh, found in $DRILL_HOME/conf.

  -Djava.security.auth.login.config=$DRILL_HOME/conf/DrillLogin.conf
  -Djavax.security.auth.useSubjectCredsOnly=false
  -Dzookeeper.sasl.client=false

Create login config file

After generating a keytab for Drill to use, create a file named DrillLogin.conf in Drill’s conf directory that follows the outline below. Add the path to the keytab and change the principal name as needed.
  Client {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    useKeyTab=true
    useTicketCache=false
    keyTab="<PATH TO KEYTAB>"
    storeKey=true
    principal="[email protected]";
  };

  com.sun.security.jgss.initiate {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    doNotPrompt=true
    useTicketCache=false
    useKeyTab=true
    keyTab="<PATH TO KEYTAB>"
    storeKey=true
    principal="[email protected]";
  };

  com.sun.security.jgss.accept {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    doNotPrompt=false
    useKeyTab=true
    keyTab="<PATH TO KEYTAB>"
    storeKey=true
    principal="[email protected]";
  };

Hive Storage Plugin Configuration

Configure the Hive Storage plugin as follows, either via WebUI or cURL request:

  {
    "type": "hive",
    "enabled": true,
    "configProps": {
      "hive.metastore.uris": "thrift://<metastore url>:9083",
      "hive.metastore.warehouse.dir": "/tmp/drill_hive_wh",
      "fs.defaultFS": "hdfs://<metastore url>:8020/",
      "hive.server2.enable.doAs": "true",
      "hive.metastore.sasl.enabled": "true",
      "hive.metastore.kerberos.principal": "hive/<metastore url>@LOCAL.COM",
      "hive.metastore.execute.setugi": "true"
    }
  }

> On Jan 15, 2016, at 10:09 PM, Ted Dunning <[email protected]> wrote:
>
> Pushing it to the list in imperfect form is a great way to encourage
> participation.
>
> Do you have a non-pdf version?
>
>
> On Fri, Jan 15, 2016 at 7:20 PM, William Witt <[email protected]>
> wrote:
>
>> I’ve been meaning to post a how to. Attached is a PDF, I’m not sure if
>> I’ll make it to the list however.
>>
>>
>>
>> William Witt
>> CTO BigDataRevealed (formerly HadoopRevealed)
>>
>>> On Jan 15, 2016, at 5:03 PM, Nathan Griffith <[email protected]>
>> wrote:
>>>
>>> Hello all,
>>>
>>> This question seems to come up fairly frequently, and I'm interested
>>> in writing up a 'how to' so that this configuration information is
>>> easier to find.
>>>
>>> It seems like you need to add/tweak some xml files in Drill's conf
>>> directory in order to enable Kerberos support--does anyone know what
>>> the files (core-site.xml? hdfs-site.xml?) and relevant lines are?
>>>
>>> Thanks!
>>>
>>> Nathan Griffith
>>> Technical Writer/Evangelist
>>> Dremio
>>
>>
>>
