Posted to dev@drill.apache.org by "Kunal Khatua (JIRA)" <ji...@apache.org> on 2019/01/05 21:41:00 UTC

[jira] [Resolved] (DRILL-6906) File permissions are not being honored

     [ https://issues.apache.org/jira/browse/DRILL-6906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kunal Khatua resolved DRILL-6906.
---------------------------------
    Resolution: Workaround

> File permissions are not being honored
> --------------------------------------
>
>                 Key: DRILL-6906
>                 URL: https://issues.apache.org/jira/browse/DRILL-6906
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - JDBC, Client - ODBC
>    Affects Versions: 1.15.0
>            Reporter: Robert Hou
>            Assignee: Kunal Khatua
>            Priority: Major
>             Fix For: 1.16.0
>
>
> I ran sqlline with user "kuser1".
> {noformat}
> /opt/mapr/drill/drill-1.15.0.apache/bin/sqlline -u "jdbc:drill:drillbit=10.10.30.206" -n kuser1 -p mapr
> {noformat}
> I tried to access a file that is only accessible by root:
> {noformat}
> [root@perfnode206 drill-test-framework_krystal]# hf -ls /drill/testdata/impersonation/neg_tc5/student
> -rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student
> {noformat}
> I am able to read the table, which should not be possible.  I used this commit for Drill 1.15.
> {noformat}
> git.commit.id=bf2b414ac62cfc515fdd77f2688bb110073d764d
> git.commit.message.full=DRILL-6866\: Upgrade to SqlLine 1.6.0\n\n1. Changed SqlLine version to 1.6.0.\n2. Overridden new getVersion method in DrillSqlLineApplication.\n3. Set maxColumnWidth to 80 to avoid issue described in DRILL-6769.\n4. Changed colorScheme to obsidian.\n5. Output null value for varchar / char / boolean types as null instead of empty string.\n6. Changed access modifier from package default to public for JDBC classes that implement external interfaces to avoid issues when calling methods from these classes using reflection.\n\ncloses \#1556
> {noformat}
> This is from drillbit.log.  It shows that the user is kuser1.
> {noformat}
> 2018-12-15 05:00:52,516 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] DEBUG o.a.d.e.w.f.QueryStateProcessor - 23eb04fb-1701-bea7-dd97-ecda58795b3b: State change requested PREPARING --> PLANNING
> 2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
> {noformat}
> It is not clear to me if this is a Drill problem or a file system problem.  I tested MFS by logging in as kuser1 and trying to copy the file using "hadoop fs -copyToLocal /drill/testdata/impersonation/neg_tc5/student" and got an error, and was not able to copy the file.  So I think MFS permissions are working.
> I also tried with Drill 1.14, and I get the expected error:
> {noformat}
> 0: jdbc:drill:drillbit=10.10.30.206> select * from dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1;
> Error: VALIDATION ERROR: From line 1, column 15 to line 1, column 17: Object '/drill/testdata/impersonation/neg_tc5/student' not found within 'dfs'
> [Error Id: cdf18c2a-b005-4f92-b819-d4324e8807d9 on perfnode206.perf.lab:31010] (state=,code=0)
> {noformat}
> The commit for Drill 1.14 is:
> {noformat}
> git.commit.message.full=[maven-release-plugin] prepare release drill-1.14.0\n
> git.commit.id=0508a128853ce796ca7e99e13008e49442f83147
> {noformat}
> This problem exists with both Apache JDBC and Simba ODBC.
> Here is drill-distrib.conf.  drill-override.conf is empty.  It is the same for both 1.14 and 1.15.
> {noformat}
> drill.exec: {
>   cluster-id: "secure206-drillbits",
>   zk.connect: "perfnode206.perf.lab:5181,perfnode207.perf.lab:5181,perfnode208.perf.lab:5181",
>   rpc.user.client.threads: "4",
>   options.store.parquet.block-size: "268435456",
>   sys.store.provider.zk.blobroot: "maprfs:///apps/drill",
>   spill.directories: [ "/tmp/drill/spill" ],
>   spill.fs: "maprfs:///",
>   storage.action_on_plugins_override_file: "rename"
>   zk.apply_secure_acl: true,
>   impersonation.enabled: true,
>   impersonation.max_chained_user_hops: 3,
>   options.exec.impersonation.inbound_policies: "[{proxy_principals:{users:[\"mapr\"]},target_principals:{users:[\"*\"]}}]",
>   security.auth.mechanisms: ["PLAIN", "KERBEROS"],
>   security.auth.principal : "mapr/maprsasl@QA.LAB",
>   security.auth.keytab : "/etc/drill/mapr_maprsasl.keytab",
>   security.user.auth.enabled: true,
>   security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
>   security.user.auth.impl: "pam4j",
>   security.user.auth.pam_profiles: ["sudo", "login"],
>   http.ssl_enabled: true,
>   ssl.useHadoopConfig: true,
>   http.auth.mechanisms: ["FORM", "SPNEGO"],
>   http.auth.spnego.principal: "HTTP/perfnode206.perf.lab@QA.LAB",
>   http.auth.spnego.keytab: "/etc/drill_spnego/perfnode206.keytab"
> }
> {noformat}


