  1. Apache Drill
  2. DRILL-7296

Kerberos Authorisation

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.16.0
    • Fix Version/s: None
    • Component/s: Server
    • Labels:
      None
    • Environment:

      drill version 1.16

      drill host ubuntu 1804

      kerberos: FreeIPA (hbac rules)

      Description

      Currently there is no way to limit Drill user access to a particular LDAP group when Kerberos is used for authentication. It's not an issue with PAM, as it supports sssd, which knows how to do this.

      So the sum effect is that any valid Kerberos user can access Drill, while typically access would be limited to particular groups. So to test, I have a Kerberos environment with FreeIPA, set up with a user tuser2 who has no host access on the Drill server (HBAC rule).

      Access is denied when I try to connect using sqlLine with user/password credentials (correct), but access is granted if I connect with an acquired TGT ticket (wrong).

            People

            • Assignee:
              Unassigned
              Reporter:
              teroz Terence Namusonge Sifuna