You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@drill.apache.org by "Terence Namusonge Sifuna (JIRA)" <ji...@apache.org> on 2019/06/18 11:10:00 UTC

[jira] [Created] (DRILL-7296) No way to limit kerberos access to a particular group

Terence Namusonge Sifuna created DRILL-7296:
-----------------------------------------------

             Summary: No way to limit kerberos access to a particular group
                 Key: DRILL-7296
                 URL: https://issues.apache.org/jira/browse/DRILL-7296
             Project: Apache Drill
          Issue Type: Bug
          Components:  Server
    Affects Versions: 1.16.0
         Environment: drill version 1.16

drill host ubuntu 1804

kerberos: FreeIPA (hbac rules)
            Reporter: Terence Namusonge Sifuna


Currently there is no way to limit drill user access to a particular LDAP group when kerberos is used for authentication.Its not an issue with PAM as it supports sssd which knows how to do this.

So the sum effect is that any valid kerberos user can access drill while typically access would be limited to particular groups. So to test I have a kerberos enviroment with freeIPA and set up with a user tuser2 who has no host access on the drill server (hbac rule). 

Access is denied when I try and connect using sqlLine using user/password credentials ( correct) but access it granted if I connect with an acquired TGT ticket then access is granted ( wrong)



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)