You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "Arina Ielchiieva (JIRA)" <ji...@apache.org> on 2019/05/20 11:12:00 UTC

[jira] [Updated] (DRILL-7250) Query with CTE fails when its name matches to the table name without access

     [ https://issues.apache.org/jira/browse/DRILL-7250?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arina Ielchiieva updated DRILL-7250:
------------------------------------
    Labels: ready-to-commit  (was: )

> Query with CTE fails when its name matches to the table name without access
> ---------------------------------------------------------------------------
>
>                 Key: DRILL-7250
>                 URL: https://issues.apache.org/jira/browse/DRILL-7250
>             Project: Apache Drill
>          Issue Type: Bug
>    Affects Versions: 1.16.0
>            Reporter: Volodymyr Vysotskyi
>            Assignee: Volodymyr Vysotskyi
>            Priority: Major
>              Labels: ready-to-commit
>             Fix For: 1.17.0
>
>
> When impersonation is enabled, and for example, we have {{lineitem}} table with permissions {{750}} which is owned by {{user0_1:group0_1}} and {{user2_1}} don't have access to it.
> The following query:
> {code:sql}
> use mini_dfs_plugin.user0_1;
> with lineitem as (SELECT 1 as a) select * from lineitem
> {code}
> submitted from {{user2_1}} fails with the following error:
> {noformat}
> java.lang.Exception: org.apache.hadoop.security.AccessControlException: Permission denied: user=user2_1, access=READ_EXECUTE, inode="/user/user0_1/lineitem":user0_1:group0_1:drwxr-x---
> 	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.check(FSPermissionChecker.java:317)
> 	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:229)
> 	at org.apache.hadoop.hdfs.server.namenode.FSPermissionChecker.checkPermission(FSPermissionChecker.java:199)
> 	at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1752)
> 	at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPermission(FSDirectory.java:1736)
> 	at org.apache.hadoop.hdfs.server.namenode.FSDirectory.checkPathAccess(FSDirectory.java:1710)
> 	at org.apache.hadoop.hdfs.server.namenode.FSDirStatAndListingOp.getListingInt(FSDirStatAndListingOp.java:70)
> 	at org.apache.hadoop.hdfs.server.namenode.FSNamesystem.getListing(FSNamesystem.java:4432)
> 	at org.apache.hadoop.hdfs.server.namenode.NameNodeRpcServer.getListing(NameNodeRpcServer.java:999)
> 	at org.apache.hadoop.hdfs.protocolPB.ClientNamenodeProtocolServerSideTranslatorPB.getListing(ClientNamenodeProtocolServerSideTranslatorPB.java:646)
> 	at org.apache.hadoop.hdfs.protocol.proto.ClientNamenodeProtocolProtos$ClientNamenodeProtocol$2.callBlockingMethod(ClientNamenodeProtocolProtos.java)
> 	at org.apache.hadoop.ipc.ProtobufRpcEngine$Server$ProtoBufRpcInvoker.call(ProtobufRpcEngine.java:616)
> 	at org.apache.hadoop.ipc.RPC$Server.call(RPC.java:982)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2217)
> 	at org.apache.hadoop.ipc.Server$Handler$1.run(Server.java:2213)
> 	at java.security.AccessController.doPrivileged(Native Method)
> 	at javax.security.auth.Subject.doAs(Subject.java:422)
> 	at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1746)
> 	at org.apache.hadoop.ipc.Server$Handler.run(Server.java:2213)
> 	at .......(:0) ~[na:na]
> 	at org.apache.drill.exec.util.FileSystemUtil.listRecursive(FileSystemUtil.java:253) ~[classes/:na]
> 	at org.apache.drill.exec.util.FileSystemUtil.list(FileSystemUtil.java:208) ~[classes/:na]
> 	at org.apache.drill.exec.util.FileSystemUtil.listFiles(FileSystemUtil.java:104) ~[classes/:na]
> 	at org.apache.drill.exec.util.DrillFileSystemUtil.listFiles(DrillFileSystemUtil.java:86) ~[classes/:na]
> 	at org.apache.drill.exec.store.dfs.FileSelection.minusDirectories(FileSelection.java:178) ~[classes/:na]
> 	at org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.detectEmptySelection(WorkspaceSchemaFactory.java:669) ~[classes/:na]
> 	at org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:633) ~[classes/:na]
> 	at org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.create(WorkspaceSchemaFactory.java:283) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.getNewEntry(ExpandingConcurrentMap.java:96) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.ExpandingConcurrentMap.get(ExpandingConcurrentMap.java:90) ~[classes/:na]
> 	at org.apache.drill.exec.store.dfs.WorkspaceSchemaFactory$WorkspaceSchema.getTable(WorkspaceSchemaFactory.java:439) ~[classes/:na]
> 	at org.apache.calcite.jdbc.SimpleCalciteSchema.getImplicitTable(SimpleCalciteSchema.java:83) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.jdbc.CalciteSchema.getTable(CalciteSchema.java:286) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntryFrom(SqlValidatorUtil.java:1046) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorUtil.getTableEntry(SqlValidatorUtil.java:1003) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.prepare.CalciteCatalogReader.getTable(CalciteCatalogReader.java:120) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.drill.exec.planner.sql.SqlConverter$DrillCalciteCatalogReader.getTable(SqlConverter.java:741) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.SqlConverter$DrillValidator.validateFrom(SqlConverter.java:283) ~[classes/:na]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateSelect(SqlValidatorImpl.java:3302) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SelectNamespace.validateImpl(SelectNamespace.java:60) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateQuery(SqlValidatorImpl.java:953) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.WithNamespace.validateImpl(WithNamespace.java:57) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.AbstractNamespace.validate(AbstractNamespace.java:84) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateNamespace(SqlValidatorImpl.java:977) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateWith(SqlValidatorImpl.java:3750) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.SqlWith.validate(SqlWith.java:71) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validateScopedExpression(SqlValidatorImpl.java:928) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.calcite.sql.validate.SqlValidatorImpl.validate(SqlValidatorImpl.java:632) ~[calcite-core-1.18.0-drill-r1.jar:1.18.0-drill-r1]
> 	at org.apache.drill.exec.planner.sql.SqlConverter.validate(SqlConverter.java:212) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateNode(DefaultSqlHandler.java:663) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.validateAndConvert(DefaultSqlHandler.java:200) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.handlers.DefaultSqlHandler.getPlan(DefaultSqlHandler.java:173) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.DrillSqlWorker.getQueryPlan(DrillSqlWorker.java:226) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.DrillSqlWorker.convertPlan(DrillSqlWorker.java:133) ~[classes/:na]
> 	at org.apache.drill.exec.planner.sql.DrillSqlWorker.getPlan(DrillSqlWorker.java:90) ~[classes/:na]
> 	at org.apache.drill.exec.work.foreman.Foreman.runSQL(Foreman.java:593) ~[classes/:na]
> 	at org.apache.drill.exec.work.foreman.Foreman.run(Foreman.java:276) ~[classes/:na]
> 	at .......(:0) ~[na:na]
> {noformat}
> It should pass since table {{lineitem}} is not used in the query, but Drill is trying to access this table.
> Partially this problem is caused by CALCITE-3061 and the way how Drill determines whether the schema is valid.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)