You are viewing a plain text version of this content. The canonical link for it is here.

Posted to user@drill.apache.org by Akihiko Kusanagi <ak...@maprtech.com> on 2016/12/21 18:08:29 UTC

Impersonation with Drill Web Console or REST API

Hi,

The 'Impersonation Support' table In the following page says that
impersonation
is not supported with Drill Web Console or REST API.
http://drill.apache.org/docs/configuring-user-impersonation/

However, when authentication and impersonation are enabled, impersonation is
in effect through Web UI.

$ cat drill-override.conf
...
drill.exec: {
...
 impersonation: {
   enabled: true
 },
...

Only mapr user has read permission for nation.parquet, and Drillbit is
running as mapr user.

$ hadoop fs -ls /sample-data
...
drwx------   - mapr mapr       1210 2016-01-11 19:58 nation.parquet
...

Then, login as the other user via Drill Web UI, and run this query:

select * from dfs.`/sample-data/nation.parquet`

This returns the following error, so it seems that impersonation is in
effect.

Query Failed: An Error Occurred
org.apache.drill.common.exceptions.UserRemoteException: SYSTEM ERROR:
IOException: 2049.177.8452826 /sample-data/nation.parquet (Input/output
error) Fragment 0:0 [Error Id: 91684467-8a4f-4fb8-8ad7-6ee04b7f8f53 on
node3:31010]

When drill.exec.impersonation.enabled = false, the query above returns
multiple rows.

Is this expected behavior? Does the document need to be updated?

Thanks,
Aki

Re: Impersonation with Drill Web Console or REST API

Posted by Chun Chang <cc...@maprtech.com>.

Aki,

I tried myself and seems working for me too. The "not supported" probably
means "no formal QA testing".

On Wed, Dec 21, 2016 at 10:08 AM, Akihiko Kusanagi <ak...@maprtech.com>
wrote:

> Hi,
>
> The 'Impersonation Support' table In the following page says that
> impersonation
> is not supported with Drill Web Console or REST API.
> http://drill.apache.org/docs/configuring-user-impersonation/
>
> However, when authentication and impersonation are enabled, impersonation
> is
> in effect through Web UI.
>
> $ cat drill-override.conf
> ...
> drill.exec: {
> ...
>  impersonation: {
>    enabled: true
>  },
> ...
>
> Only mapr user has read permission for nation.parquet, and Drillbit is
> running as mapr user.
>
> $ hadoop fs -ls /sample-data
> ...
> drwx------   - mapr mapr       1210 2016-01-11 19:58 nation.parquet
> ...
>
> Then, login as the other user via Drill Web UI, and run this query:
>
> select * from dfs.`/sample-data/nation.parquet`
>
> This returns the following error, so it seems that impersonation is in
> effect.
>
> Query Failed: An Error Occurred
> org.apache.drill.common.exceptions.UserRemoteException: SYSTEM ERROR:
> IOException: 2049.177.8452826 /sample-data/nation.parquet (Input/output
> error) Fragment 0:0 [Error Id: 91684467-8a4f-4fb8-8ad7-6ee04b7f8f53 on
> node3:31010]
>
> When drill.exec.impersonation.enabled = false, the query above returns
> multiple rows.
>
> Is this expected behavior? Does the document need to be updated?
>
> Thanks,
> Aki
>

Re: Impersonation with Drill Web Console or REST API

Posted by Bridget Bevens <bb...@maprtech.com>.

Hi,

I created DRILL-5147 to address this.

Thanks,
Bridget

On Wed, Dec 21, 2016 at 10:52 AM, Sudheesh Katkam <sk...@maprtech.com>
wrote:

> Maybe the doc should say that Drill supports impersonation through web
> console. These clients use Java client library, just like JDBC.
>
> Note that *inbound* impersonation is not supported yet because Drill does
> not expose an “impersonation_target” field through the web login form.
>
> Thank you,
> Sudheesh
>
> > On Dec 21, 2016, at 10:08 AM, Akihiko Kusanagi <ak...@maprtech.com>
> wrote:
> >
> > Hi,
> >
> > The 'Impersonation Support' table In the following page says that
> > impersonation
> > is not supported with Drill Web Console or REST API.
> > http://drill.apache.org/docs/configuring-user-impersonation/
> >
> > However, when authentication and impersonation are enabled,
> impersonation is
> > in effect through Web UI.
> >
> > $ cat drill-override.conf
> > ...
> > drill.exec: {
> > ...
> > impersonation: {
> >   enabled: true
> > },
> > ...
> >
> > Only mapr user has read permission for nation.parquet, and Drillbit is
> > running as mapr user.
> >
> > $ hadoop fs -ls /sample-data
> > ...
> > drwx------   - mapr mapr       1210 2016-01-11 19:58 nation.parquet
> > ...
> >
> > Then, login as the other user via Drill Web UI, and run this query:
> >
> > select * from dfs.`/sample-data/nation.parquet`
> >
> > This returns the following error, so it seems that impersonation is in
> > effect.
> >
> > Query Failed: An Error Occurred
> > org.apache.drill.common.exceptions.UserRemoteException: SYSTEM ERROR:
> > IOException: 2049.177.8452826 /sample-data/nation.parquet (Input/output
> > error) Fragment 0:0 [Error Id: 91684467-8a4f-4fb8-8ad7-6ee04b7f8f53 on
> > node3:31010]
> >
> > When drill.exec.impersonation.enabled = false, the query above returns
> > multiple rows.
> >
> > Is this expected behavior? Does the document need to be updated?
> >
> > Thanks,
> > Aki
>
>

Re: Impersonation with Drill Web Console or REST API

Posted by Sudheesh Katkam <sk...@maprtech.com>.

Maybe the doc should say that Drill supports impersonation through web console. These clients use Java client library, just like JDBC.

Note that *inbound* impersonation is not supported yet because Drill does not expose an “impersonation_target” field through the web login form.

Thank you,
Sudheesh

> On Dec 21, 2016, at 10:08 AM, Akihiko Kusanagi <ak...@maprtech.com> wrote:
> 
> Hi,
> 
> The 'Impersonation Support' table In the following page says that
> impersonation
> is not supported with Drill Web Console or REST API.
> http://drill.apache.org/docs/configuring-user-impersonation/
> 
> However, when authentication and impersonation are enabled, impersonation is
> in effect through Web UI.
> 
> $ cat drill-override.conf
> ...
> drill.exec: {
> ...
> impersonation: {
>   enabled: true
> },
> ...
> 
> Only mapr user has read permission for nation.parquet, and Drillbit is
> running as mapr user.
> 
> $ hadoop fs -ls /sample-data
> ...
> drwx------   - mapr mapr       1210 2016-01-11 19:58 nation.parquet
> ...
> 
> Then, login as the other user via Drill Web UI, and run this query:
> 
> select * from dfs.`/sample-data/nation.parquet`
> 
> This returns the following error, so it seems that impersonation is in
> effect.
> 
> Query Failed: An Error Occurred
> org.apache.drill.common.exceptions.UserRemoteException: SYSTEM ERROR:
> IOException: 2049.177.8452826 /sample-data/nation.parquet (Input/output
> error) Fragment 0:0 [Error Id: 91684467-8a4f-4fb8-8ad7-6ee04b7f8f53 on
> node3:31010]
> 
> When drill.exec.impersonation.enabled = false, the query above returns
> multiple rows.
> 
> Is this expected behavior? Does the document need to be updated?
> 
> Thanks,
> Aki