Using jpam as the PAM Authenticator

May 17, 2017

To use jpam as the PAM authenticator with Drill, complete the following steps:

Note

Do not point to an existing directory where other Hadoop components are installed. Other file system libraries can conflict with the Drill libraries and cause system errors.

  1. Download the tar.gz file for the Linux platform:

    http://sourceforge.net/projects/jpam/files/jpam/jpam-1.1/

  2. Untar the file, and copy the libjpam.so file into a directory that does not contain other Hadoop components. For example, /opt/pam/

  3. Add the following line to <DRILL_HOME>/conf/drill-env.sh, including the directory where the libjpam.so file is located:

    export DRILLBIT_JAVA_OPTS="-Djava.library.path=<directory>"
    

    Example

    export DRILLBIT_JAVA_OPTS="-Djava.library.path=/opt/pam/" 
    
  4. Add the following configuration to the drill.exec block in <DRILL_HOME>/conf/drill-override.conf:

          drill.exec: {
            cluster-id: "drillbits1",
            zk.connect: "qa102-81.qa.lab:5181,qa102-82.qa.lab:5181,qa102-83.qa.lab:5181",
            impersonation: {
              enabled: true,
              max_chained_user_hops: 3
            },
            security: {          
                    auth.mechanisms : ["PLAIN"],
                     },
            security.user.auth: {
                    enabled: true,
                    packages += "org.apache.drill.exec.rpc.user.security",
                    impl: "pam",
                    pam_profiles: [ "sudo", "login" ]
             }
           }
    
  5. (Optional) To add or remove different PAM profiles, add or delete the profile names in the “pam_profiles” array shown above.

  6. Restart the Drillbit process on each Drill node, as shown:

    <DRILLINSTALL_HOME>/bin/drillbit.sh restart