Posted to dev@drill.apache.org by "Krzysztof Styrc (Jira)" <ji...@apache.org> on 2019/12/10 12:12:00 UTC
[jira] [Created] (DRILL-7475) Impersonation on local file system
Krzysztof Styrc created DRILL-7475:
--------------------------------------
Summary: Impersonation on local file system
Key: DRILL-7475
URL: https://issues.apache.org/jira/browse/DRILL-7475
Project: Apache Drill
Issue Type: Bug
Affects Versions: 1.16.0
Reporter: Krzysztof Styrc
Hi,
we'd like to set up Drill as an SQL interface for files stored on a local file system (non-HDFS) with multi-user access - each user/group authorized to access only selected tables/views.
In order to achieve this we've configured Drill with plain PAM authentication + impersonation following the docs:
[https://drill.apache.org/docs/configuring-plain-security/]
[https://drill.apache.org/docs/configuring-user-impersonation/]
We've ended up with the following ```drill-override.conf``` config:
{code:java}
drill.exec: {
  cluster-id: "unit8drill",
  zk.connect: "localhost:2181",
  impersonation: {
    enabled: true,
  },
  security: {
    auth.mechanisms : ["PLAIN"],
  },
  security.user.auth: {
    enabled: true,
    packages += "org.apache.drill.exec.rpc.user.security",
    impl: "pam4j",
    pam_profiles: [ "sudo", "login" ],
  }
}
{code}
The Drill process runs as root in order to have access to ```/etc/shadow``` etc.
Authentication works fine. We're able to use sqlline as well as Web UI in order to run SQL queries. Also, users that are in the root group have access to Storage, Threads and Logs tabs.
Unfortunately, all the users have access to all tables/directories/views, regardless of the permissions set on the local file system. Furthermore, inspecting the Drill process with auditctl reveals that the Drill process user (root) is accessing the files instead of impersonating the user, as one would expect when using impersonation.
Attaching with a Java debugger also reveals that even though it's a local file system, Drill uses ```ProxyLocalFileSystem``` from the hive-exec JAR in ```ImpersonationUtil.createFileSystem(...)```.
The question is, does Drill support RBAC on local file system? If so, what could we be doing wrong?
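The auditctl observation described in the report can be checked mechanically. The following is an added example, not part of the original message or of Drill: it groups raw auditd records by event and lists successful file accesses whose filesystem uid differs from the uid of the user who ran the query. The watch key `drill-data`, the paths, the uids and the abbreviated sample records are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed, abbreviated auditd records (not from the report). Assumes a
# watch rule tagged with the hypothetical key "drill-data" on the data directory.
SAMPLE_LOG = '''\
type=SYSCALL msg=audit(1575979920.101:4711): syscall=257 success=yes exit=212 items=1 pid=2345 uid=0 euid=0 fsuid=0 comm="java" key="drill-data"
type=PATH msg=audit(1575979920.101:4711): item=0 name="/data/finance/q4.csv" mode=0100640 ouid=1001 ogid=1001 nametype=NORMAL
type=SYSCALL msg=audit(1575979921.007:4712): syscall=257 success=yes exit=213 items=1 pid=2399 uid=1002 euid=1002 fsuid=1002 comm="java" key="drill-data"
type=PATH msg=audit(1575979921.007:4712): item=0 name="/data/sales/2019.csv" mode=0100640 ouid=1002 ogid=1002 nametype=NORMAL
'''

EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group records by audit event id: {event id: {record type: [fields]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        events[match.group(1)][fields["type"]].append(fields)
    return events


def opens_by_unexpected_uid(log_text, key, expected_uid):
    """Return (path, fsuid, owner uid, mode) for successful audited accesses
    whose filesystem uid is not the uid of the user who ran the query."""
    findings = []
    for records in parse_events(log_text).values():
        for syscall in records.get("SYSCALL", []):
            if syscall.get("key") != key or syscall.get("success") != "yes":
                continue
            fsuid = int(syscall["fsuid"])
            if fsuid == expected_uid:
                continue  # access was made with the querying user's identity
            for path in records.get("PATH", []):
                if path.get("nametype") == "NORMAL":
                    findings.append((path["name"], fsuid, int(path["ouid"]), path["mode"]))
    return findings


if __name__ == "__main__":
    # The query is assumed to have been run by the user with uid 1002.
    for finding in opens_by_unexpected_uid(SAMPLE_LOG, "drill-data", 1002):
        print(finding)
```

A finding with fsuid 0 on a file owned by another user with mode 0640 is the symptom the report describes: the access succeeded under the process identity, not the querying user's.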