Apache Drill / DRILL-6906

File permissions are not being honored



    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Workaround
    • Affects Version/s: 1.15.0
    • Fix Version/s: 1.16.0
    • Labels:


      I ran sqlline with user "kuser1".

      /opt/mapr/drill/drill-1.15.0.apache/bin/sqlline -u "jdbc:drill:drillbit=" -n kuser1 -p mapr

      I tried to access a file that is only accessible by root:

      [root@perfnode206 drill-test-framework_krystal]# hf -ls /drill/testdata/impersonation/neg_tc5/student
      -rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student

      I am able to read the table, which should not be possible. I used this commit for Drill 1.15.

      git.commit.message.full=DRILL-6866\: Upgrade to SqlLine 1.6.0\n\n1. Changed SqlLine version to 1.6.0.\n2. Overridden new getVersion method in DrillSqlLineApplication.\n3. Set maxColumnWidth to 80 to avoid issue described in DRILL-6769.\n4. Changed colorScheme to obsidian.\n5. Output null value for varchar / char / boolean types as null instead of empty string.\n6. Changed access modifier from package default to public for JDBC classes that implement external interfaces to avoid issues when calling methods from these classes using reflection.\n\ncloses \#1556

      This is from drillbit.log. It shows that the user is kuser1.

      2018-12-15 05:00:52,516 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] DEBUG o.a.d.e.w.f.QueryStateProcessor - 23eb04fb-1701-bea7-dd97-ecda58795b3b: State change requested PREPARING --> PLANNING
      2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`

      It is not clear to me if this is a Drill problem or a file system problem. I tested MFS by logging in as kuser1 and trying to copy the file using "hadoop fs -copyToLocal /drill/testdata/impersonation/neg_tc5/student" and got an error, and was not able to copy the file. So I think MFS permissions are working.

      I also tried with Drill 1.14, and I get the expected error:

      0: jdbc:drill:drillbit=> select * from dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1;
      Error: VALIDATION ERROR: From line 1, column 15 to line 1, column 17: Object '/drill/testdata/impersonation/neg_tc5/student' not found within 'dfs'
      [Error Id: cdf18c2a-b005-4f92-b819-d4324e8807d9 on perfnode206.perf.lab:31010] (state=,code=0)

      The commit for Drill 1.14 is:

      git.commit.message.full=[maven-release-plugin] prepare release drill-1.14.0\n

      This problem exists with both Apache JDBC and Simba ODBC.

      Here is drill-distrib.conf. drill-override.conf is empty. It is the same for both 1.14 and 1.15.

      drill.exec: {
        cluster-id: "secure206-drillbits",
        zk.connect: "perfnode206.perf.lab:5181,perfnode207.perf.lab:5181,perfnode208.perf.lab:5181",
        rpc.user.client.threads: "4",
        options.store.parquet.block-size: "268435456",
        sys.store.provider.zk.blobroot: "maprfs:///apps/drill",
        spill.directories: [ "/tmp/drill/spill" ],
        spill.fs: "maprfs:///",
        storage.action_on_plugins_override_file: "rename"
        zk.apply_secure_acl: true,
        impersonation.enabled: true,
        impersonation.max_chained_user_hops: 3,
        options.exec.impersonation.inbound_policies: "[{proxy_principals:{users:[\"mapr\"]},target_principals:{users:[\"*\"]}}]",
        security.auth.mechanisms: ["PLAIN", "KERBEROS"],
        security.auth.principal : "mapr/maprsasl@QA.LAB",
        security.auth.keytab : "/etc/drill/mapr_maprsasl.keytab",
        security.user.auth.enabled: true,
        security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
        security.user.auth.impl: "pam4j",
        security.user.auth.pam_profiles: ["sudo", "login"],
        http.ssl_enabled: true,
        ssl.useHadoopConfig: true,
        http.auth.mechanisms: ["FORM", "SPNEGO"],
        http.auth.spnego.principal: "HTTP/perfnode206.perf.lab@QA.LAB",
        http.auth.spnego.keytab: "/etc/drill_spnego/perfnode206.keytab"
      }
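
Added example (not part of the original report and not Drill's own code): a negative-test helper that correlates the Foreman "issued by" lines in drillbit.log with `hadoop fs -ls` output and lists queries whose issuing user has no read bit on the target file, so their outcome can be checked for the expected error. The function names, the group mapping for kuser1 and the second log line are assumptions made for illustration; superuser rights and parent-directory permissions are not modelled.

```python
import re

# Foreman INFO line, in the format shown in the drillbit.log excerpt above.
QUERY_RE = re.compile(r"Query text for query with id (?P<qid>[0-9a-f-]+) issued by (?P<user>\S+): (?P<sql>.*)")
# A dfs table reference written as dfs.`/path`.
TABLE_RE = re.compile(r"dfs\.`(?P<path>/[^`]+)`")
# One `hadoop fs -ls` line: mode, replication, owner, group, size, date, time, path.
LS_RE = re.compile(
    r"^(?P<mode>[-d][-rwxsStT]{9})\s+\S+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\S+\s+(?P<path>/.*)$")

# Sample input: first entries are taken from the report, the root query is constructed.
SAMPLE_LS = ["-rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student"]
SAMPLE_LOG = [
    "2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`",
    "2018-12-15 05:01:10,000 [00000000-0000-0000-0000-000000000001:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 00000000-0000-0000-0000-000000000001 issued by root: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`",
]

def parse_ls(lines):
    """Map path -> (mode string, owner, group) from `hadoop fs -ls` lines."""
    out = {}
    for line in lines:
        m = LS_RE.match(line.strip())
        if m:
            out[m["path"]] = (m["mode"], m["owner"], m["group"])
    return out

def may_read(mode, owner, group, user, user_groups):
    """POSIX-style read check: owner bits, else group bits, else other bits."""
    if user == owner:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"

def queries_expected_to_fail(log_lines, ls_lines, groups_of):
    """Return (query id, user, path) for queries on files the user cannot read."""
    perms = parse_ls(ls_lines)
    findings = []
    for line in log_lines:
        q = QUERY_RE.search(line)
        for t in TABLE_RE.finditer(q["sql"]) if q else ():
            path = t["path"]
            if path in perms and not may_read(*perms[path], q["user"], groups_of.get(q["user"], set())):
                findings.append((q["qid"], q["user"], path))
    return findings
```

With impersonation working, every query this returns should end in an error for that user; a successful result set is the behavior described in this report.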




            • Assignee:
              kkhatua Kunal Khatua
              rhou Robert Hou