Thanks, William! Exactly what I was looking for. Can't wait to give this a try later today.
--Nathan

On Fri, Jan 15, 2016 at 8:22 PM, William Witt <[email protected]> wrote:
>
> Update core-site.xml
>
> Add the following properties to Drill’s core-site.xml found in the
> $DRILL_HOME/conf folder.
>
> <property>
>   <name>yarn.resourcemanager.principal</name>
>   <value>yarn/[email protected]</value>
> </property>
>
> <property>
>   <name>hadoop.security.authentication</name>
>   <value>kerberos</value>
> </property>
>
>
> Add YARN API jar to classpath
>
> Find the hadoop-yarn-api.jar for your distribution and add it to the class
> path for Drill. This can be put in the jars folder, found at $DRILL_HOME/jars.
>
>
> Install JPAM
>
> Follow the instructions provided by Drill here:
> https://drill.apache.org/docs/configuring-user-authentication/
> Since Drill doesn’t yet support Kerberos as a direct authentication
> mechanism, this authenticates using the local system’s local user PAM modules.
>
>
> Set up Proxy User on Cluster
>
> In the core-site.xml for each machine on the cluster you’ll need to add the
> following lines to allow the principal you are running Drill as to be a
> proxy user. Our examples henceforth will assume a principal named
> [email protected]. For added security you can specify the hostname that
> Drill is running on instead of a *, which will only allow that location to
> act as a proxy.
>
> <property>
>   <name>hadoop.proxyuser.hadooprevealed.hosts</name>
>   <value>*</value>
> </property>
>
> <property>
>   <name>hadoop.proxyuser.hadooprevealed.groups</name>
>   <value>*</value>
> </property>
>
>
> Set Java Options
>
> Set the following as Java options in drill-env.sh, found in $DRILL_HOME/conf.
>
> -Djava.security.auth.login.config=$DRILL_HOME/conf/DrillLogin.conf
> -Djavax.security.auth.useSubjectCredsOnly=false
> -Dzookeeper.sasl.client=false
>
>
> Create login config file
>
> After generating a keytab for Drill to use, create a file named
> DrillLogin.conf in Drill’s conf directory that follows the below outline.
> Add the path to the keytab and change the principal name as needed.
>
> Client {
>   com.sun.security.auth.module.Krb5LoginModule required
>   refreshKrb5Config=true
>   useKeyTab=true useTicketCache=false keyTab="<PATH TO KEYTAB>"
>   storeKey=true principal="[email protected]";
> };
> com.sun.security.jgss.initiate {
>   com.sun.security.auth.module.Krb5LoginModule required
>   refreshKrb5Config=true doNotPrompt=true useTicketCache=false useKeyTab=true
>   keyTab="<PATH TO KEYTAB>"
>   storeKey=true principal="[email protected]";
> };
> com.sun.security.jgss.accept {
>   com.sun.security.auth.module.Krb5LoginModule required
>   refreshKrb5Config=true doNotPrompt=false useKeyTab=true
>   keyTab="<PATH TO KEYTAB>"
>   storeKey=true principal="[email protected]";
> };
>
>
> Hive Storage Plugin Configuration
>
> Configure the Hive Storage plugin as follows either via WebUI or cURL request:
>
> {
>   "type": "hive",
>   "enabled": true,
>   "configProps": {
>     "hive.metastore.uris": "thrift://<metastore url>:9083",
>     "hive.metastore.warehouse.dir": "/tmp/drill_hive_wh",
>     "fs.defaultFS": "hdfs://<metastore url>:8020/",
>     "hive.server2.enable.doAs": "true",
>     "hive.metastore.sasl.enabled": "true",
>     "hive.metastore.kerberos.principal": "hive/<metastore url>@LOCAL.COM",
>     "hive.metastore.execute.setugi": "true"
>   }
> }
>
>
>> On Jan 15, 2016, at 10:09 PM, Ted Dunning <[email protected]> wrote:
>>
>> Pushing it to the list in imperfect form is a great way to encourage
>> participation.
>>
>> Do you have a non-pdf version?
>>
>>
>> On Fri, Jan 15, 2016 at 7:20 PM, William Witt <[email protected]>
>> wrote:
>>
>>> I’ve been meaning to post a how to. Attached is a PDF, I’m not sure if
>>> I’ll make it to the list however.
>>>
>>> William Witt
>>> CTO BigDataRevealed (formerly HadoopRevealed)
>>>
>>>> On Jan 15, 2016, at 5:03 PM, Nathan Griffith <[email protected]>
>>> wrote:
>>>>
>>>> Hello all,
>>>>
>>>> This question seems to come up fairly frequently, and I'm interested
>>>> in writing up a 'how to' so that this configuration information is
>>>> easier to find.
>>>>
>>>> It seems like you need to add/tweak some xml files in Drill's conf
>>>> directory in order to enable Kerberos support--does anyone know what
>>>> the files (core-site.xml? hdfs-site.xml?) and relevant lines are?
>>>>
>>>> Thanks!
>>>>
>>>> Nathan Griffith
>>>> Technical Writer/Evangelist
>>>> Dremio
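
An added example, not part of the original thread or of Drill itself: a small Python check for the core-site.xml settings in the quoted how-to. It reports `hadoop.proxyuser.<user>.hosts` and `.groups` entries left at `*` (the how-to notes a hostname can be used instead) and confirms `hadoop.security.authentication` is `kerberos`. The sample XML, the host `drill01.example.com`, the group `analysts` and the function names are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: cluster core-site.xml using the wildcard values from the how-to.
SAMPLE_WILDCARD = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.proxyuser.hadooprevealed.hosts</name><value>*</value></property>
  <property><name>hadoop.proxyuser.hadooprevealed.groups</name><value>*</value></property>
</configuration>"""
# Constructed sample: same file, proxy limited to one hypothetical host and group.
SAMPLE_RESTRICTED = SAMPLE_WILDCARD.replace(
    "hosts</name><value>*", "hosts</name><value>drill01.example.com"
).replace("groups</name><value>*", "groups</name><value>analysts")

PROXY_KEY = re.compile(r"^hadoop\.proxyuser\.(.+)\.(hosts|groups)$")


def load_properties(xml_text):
    """Return {name: value} for every <property> in a Hadoop *-site.xml document."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = (prop.findtext("name") or "").strip()
        if name:
            props[name] = (prop.findtext("value") or "").strip()
    return props


def audit_core_site(xml_text):
    """Return sorted findings for the authentication and proxy-user settings."""
    props = load_properties(xml_text)
    findings = []
    auth = props.get("hadoop.security.authentication", "simple")  # Hadoop's default
    if auth.lower() != "kerberos":
        findings.append(f"hadoop.security.authentication is '{auth}', not 'kerberos'")
    for name, value in props.items():
        match = PROXY_KEY.match(name)
        if match and "*" in [v.strip() for v in value.split(",")]:
            user, scope = match.groups()
            findings.append(f"{name} is '*': proxy user '{user}' is not restricted by {scope}")
    return sorted(findings)


if __name__ == "__main__":
    for label, doc in (("wildcard", SAMPLE_WILDCARD), ("restricted", SAMPLE_RESTRICTED)):
        print(label, audit_core_site(doc) or "no findings")
```

Run it against each node's core-site.xml by passing the file contents to `audit_core_site`; an empty list means Kerberos is enabled and no proxy-user entry is left at the wildcard.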
