Posted to issues@drill.apache.org by "Christian Pfarr (Jira)" <ji...@apache.org> on 2022/02/15 12:29:00 UTC

[jira] [Created] (DRILL-8135) Option to prevent Impersonation for Metastore

Christian Pfarr created DRILL-8135:
--------------------------------------

             Summary: Option to prevent Impersonation for Metastore
                 Key: DRILL-8135
                 URL: https://issues.apache.org/jira/browse/DRILL-8135
             Project: Apache Drill
          Issue Type: Improvement
          Components: Metadata
    Affects Versions: 1.20.0
         Environment: * drill-1.20.0-hadoop2
 * hadoop 2.9.2
 * ranger 1.2.0
            Reporter: Christian Pfarr
         Attachments: analyze-table-refresh-metadata.json

After enabling the Iceberg metastore within a kerberized Hadoop cluster and enabling impersonation, I have to give all users full access to the metastore directory in HDFS.

If not, I get a _Permission denied_ when a non-administrator tries to call
{code:java}
analyze table hdfs.`dataset` refresh metadata{code}
I attached the profile with the permission denied error from hdfs/ranger.

I'm not sure if I should call this a bug, because Drill should impersonate everything, and so it's also impersonating the Iceberg metastore. But as an admin I don't want to give all users full write access to the metastore. An inexperienced user could accidentally overwrite something and corrupt the Iceberg table or delete metadata completely.

Maybe we could add an option to drill-metastore-overwrite.conf
{code:java}

drill.metastore: {
  implementation.class: "org.apache.drill.metastore.iceberg.IcebergMetastore",
  iceberg: {
    location: {
      relative_path: "hdfs://nameservice/drill-metastore"
    },
    impersonation: {
      enabled: true,
      max_chained_user_hops: 3
    }
  }
}{code}

In my case, I would of course disable it, but to match the behaviour of the general impersonation it could look like this.


