You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "Christian Pfarr (Jira)" <ji...@apache.org> on 2022/02/15 12:29:00 UTC
[jira] [Created] (DRILL-8135) Option to prevent Impersonation for Metastore
Christian Pfarr created DRILL-8135:
--------------------------------------
Summary: Option to prevent Impersonation for Metastore
Key: DRILL-8135
URL: https://issues.apache.org/jira/browse/DRILL-8135
Project: Apache Drill
Issue Type: Improvement
Components: Metadata
Affects Versions: 1.20.0
Environment: * drill-1.20.0-hadoop2
* hadoop 2.9.2
* ranger 1.2.0
Reporter: Christian Pfarr
Attachments: analyze-table-refresh-metadata.json
After enabling iceberg metastore within a kerberized hadoop cluster and enabled impersonation, i have to give all users full access to the metastore directory in hdfs.
If not, i get an _Permission denied_ when a non-admistator tries to call
{code:java}
analyze table hdfs.`dataset` refresh metadata{code}
I attached the profile with the permission denied error from hdfs/ranger.
Im not sure if i should call this a bug, because drill should impersonate everything, and so its also impersonating the iceberg metastore. But as an admin i dont want to give all users full write access to the metastore. A unexperienced user could accidentally overwrite something and corrupt the iceberg table or delete metadata completly.
Maybe we could add a option to drill-metastore-overwrite.conf
{code:java}
drill.metastore: {
implementation.class: "org.apache.drill.metastore.iceberg.IcebergMetastore",
iceberg: {
location: {
relative_path: "hdfs://nameservice/drill-metastore"
},
impersonation: {
enabled: true,
max_chained_user_hops: 3
}
}
}{code}
In my case, i would of course disable it, but to match the behaviour of the general impersonation it could look like this.
--
This message was sent by Atlassian Jira
(v8.20.1#820001)