Configuring Web Console and Web API Security
Drill (version 1.2) on MapR extends Drill User Authentication to the Web Console and underlying Web API. As administrator, you can control the extent of access to the Web Console and Web API client applications. For example, you can limit the access of certain users to Web Console functionality, such as viewing the in-progress or completed queries of other users. You can limit users from viewing other users' query profiles, who can cancel queries of other users, and other functionality.
HTTPS Support
drill.exec.http.ssl_enabled
By default this start-up option is set to FALSE.
Drill generates a self-signed certificate that works with SSL for HTTPS access to the Web
Console. Because Drill uses a self-signed certificate, you see a warning in the browser when
you go to https://<node IP address>:8047
. The Chrome browser, for
example, requires you to click Advanced, and then Proceed to <address>
(unsafe). If you have a signed certificate by an authority, you can set up a custom
SSL to avoid this warning. You can set up SSL to specify the keystore or truststore, or
both, for your organization, as described in the next section.
Setting Up a Custom SSL Configuration
conf/drill-override.conf
file, as described in the Java product documentation:javax.net.ssl.keyStore
- Path to the application's certificate and private key in the Java keystore file.
javax.net.ssl.keyStorePassword
- Password for accessing the private key from the keystore file.
javax.net.ssl.trustStore
- Path to the trusted CA certificates in a keystore file.
javax.net.ssl.trustStorePassword
- Password for accessing the trusted keystore file.
Prerequisites for Web Console and Web API Security
You need to perform the following configuration tasks using Web Console and Web API security.
- Enable HTTPS support
- Configure user authentication
- Set up Web Console administrators
Optionally, you can set up Web Console administrator-user groups to facilitate management of multiple Web Console administrators.
Setting up Web Console Administrators and Administrator-User Groups
security.admin.users
- Set the value of this option to a comma-separated list of user names who you want to give administrator privileges, such as changing system options.
security.admin.user_groups
- Set the value of this option to a comma-separated list of administrator groups.
Any user who is a member of any group listed in security.admin.user.groups is a Drill cluster administrator. Any user for whom you have configured Drill user authentication, but not set up as a Drill cluster administrator, has only user privileges to access the Web Console and Web API client applications.
Web Console and Web API Privileges
The following table and subsections describe the privilege levels for accessing the Web API methods and corresponding Web Console functions:
- Administrator (ADMIN)
- User (USER)
- Administrator and User (ALL)
Path | Request Type | Output Type | Functionality | Authorization |
/ | GET | text/html | Returns Drillbit stats in a table in HTML format. | ALL |
/stats.json | GET | application/json | Returns Drillbit stats such as ports and max direct memory in json format. | ALL |
/status | GET | text/html | Returns Running! | ALL |
/options.json | GET | application/json | Returns a list of options. Each option consists of name-value-type-kind (for example: (boot system datatype). | ALL |
/options | GET | text/html | Returns an HTML table where each row is a form containing the option details and ability to modify the option values. | ALL |
/option/{optionName} | POST | text/html | Updates the options and calls getSystemOptions to display list of options. | ADMIN |
/storage.json | GET | application/json | Returns a list of storage plugin wrappers each containing name-config (instance of StoragePluginConfig) and enables the storage plugin configuration. | ADMIN |
/storage | GET | text/html | Returns an HTML page with sections that contain:
|
ADMIN |
/storage/{name}.json | GET | application/json | Returns a plugin config wrapper for the requested web page. | ADMIN |
/storage/{name} | GET | text/html | Returns an HTML page that has an editable text box for configuration editing, followed by buttons for creating,updating, and deleting. Each of the buttons make calls that generate the new page again. | ADMIN |
/storage/{name}/enable/{val} | GET | application/json | Updates the storage plugin status. Returns success or failure. | ADMIN |
/storage/{name}.json | DELETE | application/json | Deletes the storage plugin. Returns success or failure. | ADMIN |
/storage/{name}/delete | GET | application/json | Same as deletePluginJSON but a GET instead of a DELETE request. | ADMIN |
/storage/{name}.json | POST | application/json | Creates or updates the storage plugin. Returns success or failure. Expects JSON input. | ADMIN |
/storage/{name} | POST | application/json | Same as createOrUpdatePluginJSON expects JSON or FORM input. | ADMIN |
/profiles.json | GET | application/json | Returns currently running and completed profiles from PStore. For each profile a queryId, startTime, foremanAddress, query, user, and state is returned. Each list (running and completed) is organized in reverse chronological order. | ADMIN, USER |
/profiles | GET | text/html | Generates an HTML page from the data returned by getProfilesJSON with a hyperlink to a detailed query page. | ADMIN, USER |
/profiles/{queryid}.json | GET | application/json | Returns the entire profile in JSON. | ADMIN, USER |
/profiles/{queryid} | GET | text/html | Returns a complex profile page. | ADMIN, USER |
/profiles/cancel/{queryid} | GET | text/html | Cancels the given query and sends a message. | ADMIN, USER |
/query | GET | text/html | Gets the query input page. | ALL |
/query.json | POST | application/json | Submits a query and waits until it is completed and then returns the results as one big JSON object. | ALL |
/query | POST | text/html | Returns the results of submitQueryJSON in an HTML table. | ALL |
/status/metrics | GET | application/json | Returns a page that fetches metric info from resource, status, and metrics. | ALL |
/status/threads | GET | text/html | Returns a page that fetches metric information from resource, status, and threads. | ALL |
/login NOTE: Prior to Drill 1.5, the path was /log/in. |
GET | text/html | Returns an HTML log in page. If the user is already logged in, returns the home page. If the URL contains a redirect, sets the redirect URI for the session and forwards the user to the redirect page after the user is successfully logged in. | ALL |
/login NOTE: Prior to Drill 1.5, the path was /log/in. |
POST | text/html | Returns a validation error for incorrect credentials. | ALL |
/logout | GET | text/html | Ends a session. | ALL |
- ADMIN - gets all profiles on the system.
- USER - only the profiles of the queries the user has launched.
- ADMIN - gets all profiles on the system.
- USER - only the profiles of the queries the user has launched.
- ADMIN - return the profile.
- USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists.
- ADMIN - return the profile.
- USER - if the query is launched the by the requesting user return it. Otherwise, return an error saying no such profile exists
- ADMIN - can cancel the query.
- USER - cancel the query only if the query is launched by the user requesting the cancellation.