3

I'm trying to build in security on our Drill (1.6.0) system. I managed to get the security user authentication to work (JPam, as explained in the documentation), but the impersonation does not seem to work. It seems to execute and fetch via the admin user regardless of who has logged in via ODBC.

My drill-override.conf file is configured as follows:

    drill.exec: {
      cluster-id: "drillbits1",
      zk.connect: "localhost:2181",
      impersonation: {
        enabled: true,
        max_chained_user_hops: 3
      },
      security.user.auth {
        enabled: true,
        packages += "org.apache.drill.exec.rpc.user.security",
        impl: "pam",
        pam_profiles: [ "sudo", "login" ]
      }
    }

We are also only using Drill on one server, therefore I'm running drill-embedded to start things up. Troubleshooting:

root@srv001:/opt/apache-drill-1.6.0# bin/sqlline -u "jdbc:drill:schema=dfs;zk=localhost:2181;impersonation_target=dUser001" -n entryUser -p entryUserPassword
        Error: Failure in connecting to Drill: org.apache.drill.exec.rpc.RpcException: Failure setting up ZK for client.  (state=,code=0)
       java.sql.SQLException: Failure in connecting to Drill:  org.apache.drill.exec.rpc.RpcException: Failure setting up ZK for client.
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init> (DrillConnectionImpl.java:159)
        at org.apache.drill.jdbc.impl.DrillJdbc41Factory.newDrillConnection(DrillJdbc41Factory.java:64)
        at org.apache.drill.jdbc.impl.DrillFactory.newConnection(DrillFactory.java:69)
        at net.hydromatic.avatica.UnregisteredDriver.connect(UnregisteredDriver.java:126)
        at org.apache.drill.jdbc.Driver.connect(Driver.java:72)
        at sqlline.DatabaseConnection.connect(DatabaseConnection.java:167)
        at sqlline.DatabaseConnection.getConnection(DatabaseConnection.java:213)
        at sqlline.Commands.connect(Commands.java:1083)
        at sqlline.Commands.connect(Commands.java:1015)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at sqlline.ReflectiveCommandHandler.execute(ReflectiveCommandHandler.java:36)
        at sqlline.SqlLine.dispatch(SqlLine.java:742)
        at sqlline.SqlLine.initArgs(SqlLine.java:528)
        at sqlline.SqlLine.begin(SqlLine.java:596)
        at sqlline.SqlLine.start(SqlLine.java:375)
        at sqlline.SqlLine.main(SqlLine.java:268)
        Caused by: org.apache.drill.exec.rpc.RpcException: Failure setting up ZK for client.
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:200)
        at org.apache.drill.jdbc.impl.DrillConnectionImpl.<init>(DrillConnectionImpl.java:151)
        ... 18 more
    Caused by: java.io.IOException: Failure to connect to the zookeeper cluster service within the allotted time of 10000 milliseconds.
        at org.apache.drill.exec.coord.zk.ZKClusterCoordinator.start(ZKClusterCoordinator.java:123)
        at org.apache.drill.exec.client.DrillClient.connect(DrillClient.java:198)
        ... 19 more

Any ideas on this?

I have also looked at doing my own built-in security, but I'm not able to retrieve the username from a SQL query. I have tried the following without any luck:

CURRENT_USER()  
USER()   
SESSION_USER()   

Any ideas on this approach?

Ludel
  • Start the zookeeper separately and try. – vgunnu Apr 25 '16 at 14:10
  • Thanks, I'm getting a different error now: "No DrillbitEndpoint can be found" – Ludel Apr 27 '16 at 08:45
  • I also tried to start the drillbit.sh script, but it seems to stop after a couple of seconds. I'm not sure if this is needed on a stand-alone server. – Ludel Apr 27 '16 at 08:57
  • @Ludel Having similar issues with standalone drill and connecting with jdbc. Did you have this issue resolved by any chance? – marcin_koss Jun 02 '16 at 17:07

1 Answer

0

I suggest creating a different PAM profile (say drill) rather than login and sudo. Then create a drill file under the /etc/pam.d/ directory with the content:

#%PAM-1.0
auth include password-auth
account include password-auth

To get connections run:

select * from sys.connections;
HakkiBuyukcengiz
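
A preflight check for the PAM profile suggestion above, as an added example that is not part of the original answer or of Drill itself: it reads `pam_profiles` from the text of a drill-override.conf and verifies that every named profile exists in a PAM directory and defines both `auth` and `account` rules. The function names, the sample config and the sample profile files are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample config: the question's security.user.auth block,
# switched to the dedicated "drill" profile the answer suggests.
SAMPLE_CONF = '''
drill.exec: {
  security.user.auth {
    enabled: true,
    impl: "pam",
    pam_profiles: [ "drill", "login" ]
  }
}
'''

def pam_profiles(conf_text):
    """Profile names listed in pam_profiles (regex match, not a full HOCON parser)."""
    m = re.search(r'pam_profiles\s*[:=]\s*\[([^\]]*)\]', conf_text)
    return re.findall(r'"([^"]+)"', m.group(1)) if m else []

def check_profile(pam_dir, name):
    """Problems found in one profile file. Debian-style '@include' lines are not followed."""
    path = Path(pam_dir) / name
    if not path.is_file():
        return [f"{name}: no such file under {pam_dir}"]
    types = set()
    for line in path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        types.add(line.split()[0].lstrip("-"))  # first field is the rule type
    return [f"{name}: missing '{t}' rule" for t in ("auth", "account") if t not in types]

def audit(conf_text, pam_dir):
    """All problems for every profile the config references."""
    return [p for name in pam_profiles(conf_text) for p in check_profile(pam_dir, name)]

def demo():
    """Run the audit against constructed profile files in a temporary directory."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "drill").write_text("#%PAM-1.0\nauth include password-auth\naccount include password-auth\n")
        (Path(d) / "login").write_text("#%PAM-1.0\nauth include password-auth\n")
        return audit(SAMPLE_CONF, d)

if __name__ == "__main__":
    for problem in demo() or ["all profiles OK"]:
        print(problem)
```

On a real host, call `audit()` with the contents of drill-override.conf and `/etc/pam.d` as the directory.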