  1. Apache Drill
  2. DRILL-8135

Option to prevent Impersonation for Metastore

Details

    • Improvement
    • Status: Open
    • Minor
    • Resolution: Unresolved
    • 1.20.0
    • None
    • Metadata
      • drill-1.20.0-hadoop2
      • hadoop 2.9.2
      • ranger 1.2.0

    Description

      After enabling the Iceberg metastore within a kerberized Hadoop cluster with impersonation enabled, I have to give all users full access to the metastore directory in HDFS.

      If not, I get a Permission denied when a non-administrator tries to call

      analyze table hdfs.`dataset` refresh metadata

      I attached the profile with the permission denied error from hdfs/ranger.

      I'm not sure if I should call this a bug, because Drill should impersonate everything, and so it's also impersonating the Iceberg metastore. But as an admin I don't want to give all users full write access to the metastore. An inexperienced user could accidentally overwrite something and corrupt the Iceberg table or delete metadata completely.

      Maybe we could add an option to drill-metastore-overwrite.conf

      
      drill.metastore: {
        implementation.class: "org.apache.drill.metastore.iceberg.IcebergMetastore",
        iceberg: {
          location: {
            relative_path: "hdfs://nameservice/drill-metastore"
          },
          impersonation: {
            enabled: true,
            max_chained_user_hops: 3
          }
        }
      }

      In my case, I would of course disable it, but to match the behaviour of the general impersonation it could look like this.

      Attachments

        1. analyze-table-refresh-metadata.json
          20 kB
          Christian Pfarr

        Activity

          People

            Unassigned Unassigned
            z0ltrix Christian Pfarr
            James Turton James Turton