Configuring Authentication

Some Drill databases require authentication. You can configure the Simba Drill JDBC Connector to authenticate the connection to the database using one of several methods. For more information, see the following sections:

Using Your Drill User Name and Password
Using Kerberos
Using MapR-SASL

Note:

For some of the connection properties used for authentication, the connector supports more than one property name. For example, you can set either AuthMech or auth to specify the authentication mechanism to use. For complete information about each connection property, see Connector Configuration Options.

Using Your Drill User Name and Password

You can configure the connector to use your Drill data store credentials to authenticate the connection.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure user name and password authentication:

Set the AuthMech property to Plain.
Set the UID property to an appropriate user name for accessing the Drill server.
Set the PWD property to the password corresponding to the user name you provided.

For example:

jdbc:drill:drillbit=192.168.1.1:31500;AuthMech=Plain;
UID=simba;PWD=simba

Using Kerberos

You can configure the connector to use the Kerberos protocol to authenticate the connection.

Kerberos must be installed and configured before you can use this authentication mechanism. For information about how to install and configure Kerberos, see the MIT Kerberos Documentation: http://web.mit.edu/kerberos/krb5-latest/doc/.

You can configure Kerberos authentication in the connector using a keytab or a service principal name, depending on the specific requirements of your Kerberos setup.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure Kerberos authentication using a keytab:

Set the AuthMech property to Kerberos.
Set the KrbKeytab property to the full path and file name of your keytab file.
Set the UID property to your client principal name.
Optionally, set the KrbRealm property to the realm name of the service principal. If you do not set this property, the connector uses the default realm defined in your Kerberos setup.

For example:

jdbc:drill:drillbit=192.168.1.1:31500;AuthMech=Kerberos;
KrbKeytab=C:\\myKeytabs\\myUser.keytab;UID=simba;
KrbRealm=drill.example.com

To configure Kerberos authentication using the service principal name:

Run the kinit command using the following syntax, where [Keytab] is the Kerberos credential and [Principal] is the Kerberos user principal to use for authentication:

kinit -kt [Keytab] [Principal]

In your connection URL, set the AuthMech property to Kerberos.

Do one of the following:

To specify a complete service principal name including the primary and instance (and optionally, the realm), set the KrbPrincipal property to the service principal name.

For example, the following settings are both valid:

KrbPrincipal=jsmith/simbadrill

KrbPrincipal=jsmith/simbadrill@drill.example.com

Or, to specify one or more components of the service principal name individually, configure one or more of the following connection properties as needed:

Component Configuration Instructions

Component	Configuration Instructions
Primary	Set the `KrbServiceName` property to the primary name of the service principal. If you do not set this property, the connector uses the default value `drill` as the primary name.
Instance	Set the `KrbHostFQDN` property to the instance name of the service principal. If you do not set this property, the connector uses the host name of the drillbit as the instance name.
Realm	Set the `KrbRealm` property to the realm name of the service principal. If you do not set this property, the connector uses the default realm defined in your Kerberos setup.

Primary

Set the KrbServiceName property to the primary name of the service principal.

If you do not set this property, the connector uses the default value drill as the primary name.

Instance

Set the KrbHostFQDN property to the instance name of the service principal.

If you do not set this property, the connector uses the host name of the drillbit as the instance name.

Realm

Set the KrbRealm property to the realm name of the service principal.

If you do not set this property, the connector uses the default realm defined in your Kerberos setup.

For example, to specify a complete service principal name for authentication:

jdbc:drill:drillbit=192.168.1.1:31500;AuthMech=Kerberos;
KrbPrincipal=jsmith/simbadrill@drill.example.com

As another example, to specify your primary name only so that the connector authenticates the connection using the host name of the drillbit node as the instance name and the default realm defined in your Kerberos setup:

jdbc:drill:drillbit=192.168.1.1:31500;AuthMech=Kerberos;
KrbServiceName=jsmith

Using MapR-SASL

You can configure the connector to use the MapR-SASL protocol to authenticate the connection.

The maprlogin utility must be installed and configured before you can use this authentication mechanism. For more information, see the MapR Security Guide: http://maprdocs.mapr.com/51/SecurityGuide/SecurityOverview.html.

You provide this information to the connector in the connection URL. For more information about the syntax of the connection URL, see Building the Connection URL.

To configure MapR-SASL authentication:

Use the maprlogin utility to acquire a maprticket. For more information, see "Logging Into a Cluster with maprlogin" in the MapR Security Guide: http://maprdocs.mapr.com/51/SecurityGuide/LoggingIntoCluster.html.
In your connection URL, set the AuthMech or auth property to MapRSASL.

For example:

jdbc:drill:drillbit=192.168.1.1:31500;AuthMech=MapRSASL