Roles and Privileges
Drill has two roles that perform different functions:
- User (USER) role
- Administrator (ADMIN) role
User role
Users can execute queries on data that he/she has access to. Each storage plugin manages the read/write permissions. Users can create views on top of data to provide granular access to that data.
Administrator role
When authentication is enabled, only Drill users who are assigned Drill cluster administrator privileges can perform the following tasks.
- Change system-level options by issuing the ALTER SYSTEM command.
- Update a storage plugin configuration through the REST API or Web UI.
- Users and administrators have different navigation bars in the Web UI. Various tabs are shown based on privilege. For example, only administrators can see the Storage tab and create/read/update/delete storage plugin configuration.
- View profiles of all queries that all users have run or are currently running in a cluster.
- Cancel running queries that were launched by any user in the cluster.
When authentication is disabled anyone can perform the tasks above.
Specifying administrator users and groups
Drill administrators can specified using two system options.
| Option | Default | Description |
|---|---|---|
| security.admin.user_groups | Drill process user | A comma-separated list of administrator groups. |
| security.admin.users | Drill process user’s OS groups | A comma-separated list of administrator user names. |
The groups in security.admin.user_groups refer to groups in the configured Hadoop group mapping service which defaults to looking up local operating system groups. See Hadoop Groups Mapping for more information.
See Configuring Web UI and REST API Security for more information.