You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "Vitalii Diravka (Jira)" <ji...@apache.org> on 2021/03/26 14:27:00 UTC
[jira] [Assigned] (DRILL-7475) Support impersonation on local file
system
[ https://issues.apache.org/jira/browse/DRILL-7475?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Vitalii Diravka reassigned DRILL-7475:
--------------------------------------
Assignee: Vitalii Diravka
> Support impersonation on local file system
> ------------------------------------------
>
> Key: DRILL-7475
> URL: https://issues.apache.org/jira/browse/DRILL-7475
> Project: Apache Drill
> Issue Type: Improvement
> Affects Versions: 1.15.0
> Reporter: Krzysztof Styrc
> Assignee: Vitalii Diravka
> Priority: Major
> Fix For: Future
>
>
> Hi,
> we'd like to setup Drill to as SQL interface for files stored on local file system (non HDFS) with multi user access - each user/group authorized to access only selected tables/views.
>
> *Environment:*
> CentOS 6.7
> {code:java}
> [dataiku@quickstart apache-drill-1.16.0]$ lsb_release -a
> LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch
> Distributor ID: CentOS
> Description: CentOS release 6.7 (Final)
> Release: 6.7
> Codename: Final{code}
> Apache Drill 1.16.0 with the following config (drill-override.conf, Drill running as root user):
> {code:java}
> drill.exec: {
> cluster-id: "unit8drill",
> zk.connect: "localhost:2181",
> impersonation: {
> enabled: true,
> },
> security: {
> auth.mechanisms : ["PLAIN"],
> },
> security.user.auth: {
> enabled: true,
> packages += "org.apache.drill.exec.rpc.user.security",
> impl: "pam4j",
> pam_profiles: [ "sudo", "login" ],
> }
> }
> {code}
> DFS Storage definition from Drill:
> {code:java}
> {
> "type": "file",
> "connection": "file:///",
> "config": null,
> "workspaces": {
> "tmp": {
> "location": "/tmp",
> "writable": true,
> "defaultInputFormat": null,
> "allowAccessOutsideWorkspace": false
> },
> "drill": {
> "location": "/home/dataiku/drill_datasets",
> "writable": false,
> "defaultInputFormat": null,
> "allowAccessOutsideWorkspace": false
> },
> "views": {
> "location": "/home/dataiku/views",
> "writable": true,
> "defaultInputFormat": null,
> "allowAccessOutsideWorkspace": false
> }
> },
> "formats": {
> "psv": {
> "type": "text",
> "extensions": [
> "tbl"
> ],
> "delimiter": "|"
> },
> "csv": {
> "type": "text",
> "extensions": [
> "csv"
> ],
> "delimiter": ","
> },
> "tsv": {
> "type": "text",
> "extensions": [
> "tsv"
> ],
> "delimiter": "\t"
> },
> "httpd": {
> "type": "httpd",
> "logFormat": "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\""
> },
> "parquet": {
> "type": "parquet"
> },
> "json": {
> "type": "json",
> "extensions": [
> "json"
> ]
> },
> "pcap": {
> "type": "pcap"
> },
> "pcapng": {
> "type": "pcapng",
> "extensions": [
> "pcapng"
> ]
> },
> "avro": {
> "type": "avro"
> },
> "sequencefile": {
> "type": "sequencefile",
> "extensions": [
> "seq"
> ]
> },
> "csvh": {
> "type": "text",
> "extensions": [
> "csvh"
> ],
> "extractHeader": true,
> "delimiter": ","
> },
> "image": {
> "type": "image",
> "extensions": [
> "jpg",
> "jpeg",
> "jpe",
> "tif",
> "tiff",
> "dng",
> "psd",
> "png",
> "bmp",
> "gif",
> "ico",
> "pcx",
> "wav",
> "wave",
> "avi",
> "webp",
> "mov",
> "mp4",
> "m4a",
> "m4p",
> "m4b",
> "m4r",
> "m4v",
> "3gp",
> "3g2",
> "eps",
> "epsf",
> "epsi",
> "ai",
> "arw",
> "crw",
> "cr2",
> "nef",
> "orf",
> "raf",
> "rw2",
> "rwl",
> "srw",
> "x3f"
> ]
> }
> },
> "enabled": true
> }
> {code}
> Created a view on *local file system* (not HDFS) that is configured to be accessible only by bob user:
> {code:java}
> [xyz@quickstart views]$ ls -l
> total 4
> -rwx------ 1 bob bob 247 Dec 5 11:57 project_1_abc.view.drill
> {code}
>
> *Steps to reproduce:*
> Use sqlline to query project_1_abc view as alice user:
> {code:java}
> apache drill> select count(*) from dfs.views.project_1_abc;
> +--------+
> | EXPR$0 |
> +--------+
> | 418 |
> +--------+
> 1 row selected (0.461 seconds)
> {code}
> *Expected result:*
> Querying project_1_abc view as user alice should throw an error, as only bob user has access to this view.
>
> *Actual result:*
> User alice is able to query project_1_abc view even though she doesn't have permissions on file system. The question is, does Drill support RBAC on local file system? If so, what could we be doing wrong?
>
> *Additional Information:*
> The Drill process runs as root in order to have access to ```/etc/shadow``` etc.
> Authentication works fine. We're able to use sqlline as well as Web UI in order to run SQL queries. Also, users that are in the root group have access to Storage, Threads and Logs tabs.
>
> Unfortunately, all the users have access to all tables/directories/views, regardless of the permissions set on the local file system. Furthermore, inspecting the Drill process with auditctl reveals that the Drill process user (root) is accessing the files instead of impersonating user as one would expect while using impersonation.
>
> Attaching with java debugger also reveals that even though it's local file system, Drill uses ```ProxyLocalFileSystem``` from hive-exec JAR in ```ImpersonationUtil.createFileSystem(...)```.
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)