Uploaded image for project: 'Apache Drill'
  1. Apache Drill
  2. DRILL-6906

File permissions are not being honored

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Workaround
    • Affects Version/s: 1.15.0
    • Fix Version/s: 1.16.0
    • Labels:
      None

      Description

      I ran sqlline with user "kuser1".

      /opt/mapr/drill/drill-1.15.0.apache/bin/sqlline -u "jdbc:drill:drillbit=10.10.30.206" -n kuser1 -p mapr
      

      I tried to access a file that is only accessible by root:

      [root@perfnode206 drill-test-framework_krystal]# hf -ls /drill/testdata/impersonation/neg_tc5/student
      -rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student
      

      I am able to read the table, which should not be possible. I used this commit for Drill 1.15.

      git.commit.id=bf2b414ac62cfc515fdd77f2688bb110073d764d
      git.commit.message.full=DRILL-6866\: Upgrade to SqlLine 1.6.0\n\n1. Changed SqlLine version to 1.6.0.\n2. Overridden new getVersion method in DrillSqlLineApplication.\n3. Set maxColumnWidth to 80 to avoid issue described in DRILL-6769.\n4. Changed colorScheme to obsidian.\n5. Output null value for varchar / char / boolean types as null instead of empty string.\n6. Changed access modifier from package default to public for JDBC classes that implement external interfaces to avoid issues when calling methods from these classes using reflection.\n\ncloses \#1556
      

      This is from drillbit.log. It shows that user is kuser1.

      2018-12-15 05:00:52,516 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] DEBUG o.a.d.e.w.f.QueryStateProcessor - 23eb04fb-1701-bea7-dd97-ecda58795b3b: State change requested PREPARING --> PLANNING
      2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
      

      It is not clear to me if this is a Drill problem or a file system problem. I tested MFS by logging in as kuser1 and trying to copy the file using "hadoop fs -copyToLocal /drill/testdata/impersonation/neg_tc5/student" and got an error, and was not able to copy the file. So I think MFS permissions are working.

      I also tried with Drill 1.14, and I get the expected error:

      0: jdbc:drill:drillbit=10.10.30.206> select * from dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1;
      Error: VALIDATION ERROR: From line 1, column 15 to line 1, column 17: Object '/drill/testdata/impersonation/neg_tc5/student' not found within 'dfs'
      
      [Error Id: cdf18c2a-b005-4f92-b819-d4324e8807d9 on perfnode206.perf.lab:31010] (state=,code=0)
      

      The commit for Drill 1.14 is:

      git.commit.message.full=[maven-release-plugin] prepare release drill-1.14.0\n
      git.commit.id=0508a128853ce796ca7e99e13008e49442f83147
      

      This problem exists with both Apache JDBC and Simba ODBC.

      Here is drill-distrib.conf. drill-override.conf is empty. It is the same for both 1.14 and 1.15.

      drill.exec: {
        cluster-id: "secure206-drillbits",
        zk.connect: "perfnode206.perf.lab:5181,perfnode207.perf.lab:5181,perfnode208.perf.lab:5181",
        rpc.user.client.threads: "4",
        options.store.parquet.block-size: "268435456",
        sys.store.provider.zk.blobroot: "maprfs:///apps/drill",
        spill.directories: [ "/tmp/drill/spill" ],
        spill.fs: "maprfs:///",
        storage.action_on_plugins_override_file: "rename"
      
        zk.apply_secure_acl: true,
      
        impersonation.enabled: true,
        impersonation.max_chained_user_hops: 3,
        options.exec.impersonation.inbound_policies: "[{proxy_principals:{users:[\"mapr\"]},target_principals:{users:[\"*\"]}}]",
      
        security.auth.mechanisms: ["PLAIN", "KERBEROS"],
        security.auth.principal : "mapr/maprsasl@QA.LAB",
        security.auth.keytab : "/etc/drill/mapr_maprsasl.keytab",
        security.user.auth.enabled: true,
        security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
        security.user.auth.impl: "pam4j",
        security.user.auth.pam_profiles: ["sudo", "login"],
      
        http.ssl_enabled: true,
        ssl.useHadoopConfig: true,
        http.auth.mechanisms: ["FORM", "SPNEGO"],
        http.auth.spnego.principal: "HTTP/perfnode206.perf.lab@QA.LAB",
        http.auth.spnego.keytab: "/etc/drill_spnego/perfnode206.keytab"
      }
      

        Attachments

          Activity

            People

            • Assignee:
              kkhatua Kunal Khatua
              Reporter:
              rhou Robert Hou
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: