Posted to commits@drill.apache.org by ve...@apache.org on 2015/09/09 04:51:49 UTC
drill git commit: DRILL-3467: Restrict visibily of workspaces in
'show schemas' based on access permissions of querying user.
Repository: drill
Updated Branches:
refs/heads/master 2a1918471 -> 0686bc23e
DRILL-3467: Restrict visibility of workspaces in 'show schemas' based on access permissions of querying user.
Also:
Fixed failing tests in TestJdbcMetadata as the result depends on whether /tmp/drill_test is available on
test system or not. Change it to use the default connection test parameters (which creates a unique tmp directory)
so that the test result doesn't depend on individual machine.
Project: http://git-wip-us.apache.org/repos/asf/drill/repo
Commit: http://git-wip-us.apache.org/repos/asf/drill/commit/0686bc23
Tree: http://git-wip-us.apache.org/repos/asf/drill/tree/0686bc23
Diff: http://git-wip-us.apache.org/repos/asf/drill/diff/0686bc23
Branch: refs/heads/master
Commit: 0686bc23e8fbbd14fd3bf852893449ef8552439d
Parents: 2a19184
Author: vkorukanti <ve...@gmail.com>
Authored: Tue Sep 8 00:39:38 2015 -0700
Committer: vkorukanti <ve...@gmail.com>
Committed: Tue Sep 8 16:30:56 2015 -0700
----------------------------------------------------------------------
.../exec/store/dfs/FileSystemSchemaFactory.java | 6 ++--
.../exec/store/dfs/WorkspaceSchemaFactory.java | 28 ++++++++++++++++
.../TestImpersonationMetadata.java | 34 ++++++++++++++++++--
.../drill/jdbc/test/JdbcTestActionBase.java | 2 +-
4 files changed, 64 insertions(+), 6 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/drill/blob/0686bc23/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/FileSystemSchemaFactory.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/FileSystemSchemaFactory.java b/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/FileSystemSchemaFactory.java
index f9445e6..526dfb1 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/FileSystemSchemaFactory.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/FileSystemSchemaFactory.java
@@ -75,8 +75,10 @@ public class FileSystemSchemaFactory implements SchemaFactory{
public FileSystemSchema(String name, SchemaConfig schemaConfig) throws IOException {
super(ImmutableList.<String>of(), name);
for(WorkspaceSchemaFactory f : factories){
- WorkspaceSchema s = f.createSchema(getSchemaPath(), schemaConfig);
- schemaMap.put(s.getName(), s);
+ if (f.accessible(schemaConfig.getUserName())) {
+ WorkspaceSchema s = f.createSchema(getSchemaPath(), schemaConfig);
+ schemaMap.put(s.getName(), s);
+ }
}
defaultSchema = schemaMap.get(DEFAULT_WS_NAME);
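Review bot: `defaultSchema = schemaMap.get(DEFAULT_WS_NAME)` now yields null whenever the querying user cannot list the default workspace, because the new `accessible()` guard skips the `schemaMap.put` for it. The rest of FileSystemSchema is outside this hunk, so every method that dereferences `defaultSchema` should be checked for a null guard, or the constructor should handle that case explicitly. The guard also runs one filesystem listing per workspace each time this constructor executes, and an `IOException` thrown for a single workspace aborts the loop and with it the whole schema. A comment above the `if`, such as `// Hide workspaces the user cannot list; the filesystem still enforces access at query time`, would record that this is a visibility filter and not the authorization check.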
http://git-wip-us.apache.org/repos/asf/drill/blob/0686bc23/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/WorkspaceSchemaFactory.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/WorkspaceSchemaFactory.java b/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/WorkspaceSchemaFactory.java
index 22d00a2..fb48a80 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/WorkspaceSchemaFactory.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/store/dfs/WorkspaceSchemaFactory.java
@@ -17,6 +17,7 @@
*/
package org.apache.drill.exec.store.dfs;
+import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.OutputStream;
import java.util.Collections;
@@ -52,6 +53,7 @@ import org.apache.drill.exec.store.SchemaConfig;
import org.apache.drill.exec.util.ImpersonationUtil;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileStatus;
+import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import com.fasterxml.jackson.databind.ObjectMapper;
@@ -75,6 +77,7 @@ public class WorkspaceSchemaFactory {
private final String schemaName;
private final FileSystemPlugin plugin;
private final ObjectMapper mapper;
+ private final Path wsPath;
public WorkspaceSchemaFactory(DrillConfig drillConfig, FileSystemPlugin plugin, String schemaName,
String storageEngineName, WorkspaceConfig config, List<FormatMatcher> formatMatchers)
@@ -88,6 +91,7 @@ public class WorkspaceSchemaFactory {
this.dirMatchers = Lists.newArrayList();
this.storageEngineName = storageEngineName;
this.schemaName = schemaName;
+ this.wsPath = new Path(config.getLocation());
for (FormatMatcher m : formatMatchers) {
if (m.supportDirectoryReads()) {
@@ -114,6 +118,30 @@ public class WorkspaceSchemaFactory {
}
}
+ /**
+ * Checks whether the given user has permission to list files/directories under the workspace directory.
+ *
+ * @param userName User who is trying to access the workspace.
+ * @return True if the user has access. False otherwise.
+ */
+ public boolean accessible(final String userName) throws IOException {
+ final FileSystem fs = ImpersonationUtil.createFileSystem(userName, fsConf);
+ try {
+ // We have to rely on the listStatus as a FileSystem can have complicated controls such as regular unix style
+ // permissions, Access Control Lists (ACLs) or Access Control Expressions (ACE). Hadoop 2.7 version of FileSystem
+ // has a limited private API (FileSystem.access) to check the permissions directly
+ // (see https://issues.apache.org/jira/browse/HDFS-6570). Drill currently relies on Hadoop 2.5.0 version of
+ // FileClient. TODO: Update this when DRILL-3749 is fixed.
+ fs.listStatus(wsPath);
+ } catch (final UnsupportedOperationException e) {
+ logger.trace("The filesystem for this workspace does not support this operation.", e);
+ } catch (final FileNotFoundException | AccessControlException e) {
+ return false;
+ }
+
+ return true;
+ }
+
private Path getViewPath(String name) {
return DotDrillType.VIEW.getPath(config.getLocation(), name);
}
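Review bot: The `UnsupportedOperationException` branch in `accessible()` falls through to `return true`, so on a filesystem that cannot answer `listStatus` the workspace name stays visible to every user, and the only trace of that is a trace-level log line. If failing open is intended, the Javadoc should say so, for example `Returns true when the filesystem does not support listing; this only filters SHOW SCHEMAS output and is not an authorization check.` The method also hides a workspace whose directory does not exist (`FileNotFoundException`), which the `@return` text does not mention. It equates "accessible" with permission to list, so a user who may traverse the directory but not list it would presumably lose the schema from the listing. Any other `IOException` propagates to the caller; the `AccessControlException` import is outside the visible hunks, so it is worth confirming it is the Hadoop type that `listStatus` actually throws.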
http://git-wip-us.apache.org/repos/asf/drill/blob/0686bc23/exec/java-exec/src/test/java/org/apache/drill/exec/impersonation/TestImpersonationMetadata.java
----------------------------------------------------------------------
diff --git a/exec/java-exec/src/test/java/org/apache/drill/exec/impersonation/TestImpersonationMetadata.java b/exec/java-exec/src/test/java/org/apache/drill/exec/impersonation/TestImpersonationMetadata.java
index 998e35d..db81129 100644
--- a/exec/java-exec/src/test/java/org/apache/drill/exec/impersonation/TestImpersonationMetadata.java
+++ b/exec/java-exec/src/test/java/org/apache/drill/exec/impersonation/TestImpersonationMetadata.java
@@ -177,12 +177,40 @@ public class TestImpersonationMetadata extends BaseTestImpersonation {
assertNotNull("UserRemoteException is expected", ex);
assertThat(ex.getMessage(),
containsString("Permission denied: user=drillTestUser2, " +
- "access=READ_EXECUTE, inode=\"/drillTestGrp1_700\":drillTestUser1:drillTestGrp1:drwx------"));
+ "access=READ_EXECUTE, inode=\"/drillTestGrp1_700\":drillTestUser1:drillTestGrp1:drwx------"));
}
@Test
- public void testShowSchemasSanityCheck() throws Exception {
- test("SHOW SCHEMAS");
+ public void testShowSchemasAsUser1() throws Exception {
+ // "user1" is part of "group0" and has access to following workspaces
+ // drillTestGrp1_700 (through ownership)
+ // drillTestGrp0_750, drillTestGrp0_770 (through "group" category permissions)
+ // drillTestGrp0_755, drillTestGrp0_777 (through "others" category permissions)
+ updateClient(user1);
+ testBuilder()
+ .sqlQuery("SHOW SCHEMAS LIKE '%drillTest%'")
+ .unOrdered()
+ .baselineColumns("SCHEMA_NAME")
+ .baselineValues(String.format("%s.drillTestGrp0_750", MINIDFS_STORAGE_PLUGIN_NAME))
+ .baselineValues(String.format("%s.drillTestGrp0_755", MINIDFS_STORAGE_PLUGIN_NAME))
+ .baselineValues(String.format("%s.drillTestGrp0_770", MINIDFS_STORAGE_PLUGIN_NAME))
+ .baselineValues(String.format("%s.drillTestGrp0_777", MINIDFS_STORAGE_PLUGIN_NAME))
+ .baselineValues(String.format("%s.drillTestGrp1_700", MINIDFS_STORAGE_PLUGIN_NAME))
+ .go();
+ }
+
+ @Test
+ public void testShowSchemasAsUser2() throws Exception {
+ // "user2" is part of "group0", but part of "group1" and has access to following workspaces
+ // drillTestGrp0_755, drillTestGrp0_777 (through "others" category permissions)
+ updateClient(user2);
+ testBuilder()
+ .sqlQuery("SHOW SCHEMAS LIKE '%drillTest%'")
+ .unOrdered()
+ .baselineColumns("SCHEMA_NAME")
+ .baselineValues(String.format("%s.drillTestGrp0_755", MINIDFS_STORAGE_PLUGIN_NAME))
+ .baselineValues(String.format("%s.drillTestGrp0_777", MINIDFS_STORAGE_PLUGIN_NAME))
+ .go();
}
@Test
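Review bot: The comment opening `testShowSchemasAsUser2` reads `"user2" is part of "group0", but part of "group1"`, which contradicts the baseline below it: only the `_755` and `_777` workspaces are expected, i.e. access through the "others" bits alone. It presumably should read `// "user2" is not part of "group0", but is part of "group1" and has access to the following workspaces`. In a permission test the comment is the statement of the expected policy, so it is worth getting exact. The two new tests cover the allowed and denied listings but not the other two branches of `accessible()`, a workspace whose directory is missing and a filesystem that throws `UnsupportedOperationException`. The hunk ends on the `@Test` of the next method, which lies outside it.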
http://git-wip-us.apache.org/repos/asf/drill/blob/0686bc23/exec/jdbc/src/test/java/org/apache/drill/jdbc/test/JdbcTestActionBase.java
----------------------------------------------------------------------
diff --git a/exec/jdbc/src/test/java/org/apache/drill/jdbc/test/JdbcTestActionBase.java b/exec/jdbc/src/test/java/org/apache/drill/jdbc/test/JdbcTestActionBase.java
index 1950e44..e065c8c 100644
--- a/exec/jdbc/src/test/java/org/apache/drill/jdbc/test/JdbcTestActionBase.java
+++ b/exec/jdbc/src/test/java/org/apache/drill/jdbc/test/JdbcTestActionBase.java
@@ -116,7 +116,7 @@ public class JdbcTestActionBase extends JdbcTestBase {
@BeforeClass
public static void openClient() throws Exception {
- connection = DriverManager.getConnection("jdbc:drill:zk=local", null);
+ connection = DriverManager.getConnection("jdbc:drill:zk=local", JdbcAssert.getDefaultProperties());
}
@AfterClass