Configuring User Security


Authentication is the process of establishing confidence of authenticity. A Drill client user is authenticated when a Drillbit confirms the identity it is presented with. Drill supports several authentication mechanisms through which users can prove their identity before accessing cluster data:

These authentication options are available through JDBC and ODBC interfaces.


Drill 1.11 introduces client-to-drillbit encryption for over-the-wire security using the Kerberos to:

  • Ensure data integrity and privacy
  • Prevent data tampering and snooping

See Configuring Kerberos Security for information about how to enable a drillbit for encryption.


The Plain mechanism does not support encryption.

Cipher Strength

By default, the highest security level is negotiated during the SASL handshake for each client-to-drillbit connection so that the AES-256 ciper is used when supported by key distribution center (KDC) encryption types. See Encryption Types in the MIT Kerberos documentation for details about specific combinations of cipher algorithms.

Client Compatibility

The following table shows Drill client version compatibility with secure Drill clusters enabled with encryption. Drill 1.10 clients and lower do not support encryption and will not be allowed to connect to a drillbit with encryption enabled.


See Client Encryption in Configuring Kerberos Security for the client connection string parameter, sasl_encrypt usage information.


Enabling both user impersonation and authentication is recommended to restrict access to data and improve security. When user impersonation is enabled, Drill executes the client requests as the authenticated user. Otherwise, Drill executes client requests as the user that started the drillbit process.

For more information, see Configuring User Impersonation and Configuring Inbound Impersonation.