Posted to issues@drill.apache.org by "Venki Korukanti (JIRA)" <ji...@apache.org> on 2015/05/13 00:10:02 UTC

[jira] [Comment Edited] (DRILL-3041) Impersonation-user can create view against file that user doesn't have read access

    [ https://issues.apache.org/jira/browse/DRILL-3041?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14540870#comment-14540870 ] 

Venki Korukanti edited comment on DRILL-3041 at 5/12/15 10:09 PM:
------------------------------------------------------------------

This is because when creating the view, we check if the table exists or not. In this case the table is a single file. To check if the file exists, we need read permissions on the parent directory (which we have in this case). When querying the view, we actually read the file, and at that point we fail due to permissions.


was (Author: vkorukanti):
This is because when creating the view, we check if the table exists are not. In this case table is a single file. To check if the file exists, we need to read permissions on the parent directory (which we have in this case). When querying the view, we actually read the file at that point we fail due to permissions.

> Impersonation-user can create view against file that user doesn't have read access 
> -----------------------------------------------------------------------------------
>
>                 Key: DRILL-3041
>                 URL: https://issues.apache.org/jira/browse/DRILL-3041
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Execution - RPC
>    Affects Versions: 1.0.0
>            Reporter: Krystal
>            Assignee: Venki Korukanti
>             Fix For: 1.1.0
>
>
> git.commit.id.abbrev=d10769f
> I have a file that has the following permission:
> -rwx------   3 qa2 users      63078 2015-01-30 21:19 /drill/testdata/csv/voter.csv
> The directory right above the file has the following permission:
> drwxr-xr-x   - qa2  users          3 2015-05-12 14:22 /drill/testdata/csv
> Logged into sqlline as a different user and attempted to create a view:
> 0: jdbc:drill:schema=dfs.root> CREATE VIEW `dfs.qa1`.`test_v4` AS SELECT columns[0] as column_0, columns[1] as column_1, columns[2] as column_2, columns[3] as column_3, columns[4] as column_4, columns[5] as column_5, columns[6] as column_6 FROM `dfs`.`default`.`drill/testdata/csv/voter.csv` LIMIT 100;
> The view got created successfully. However, if I try to read from the view, I can't because of the lack of permission to the voter.csv table:
> 0: jdbc:drill:schema=dfs.root> select * from `dfs.qa1`.`test_v4`;
> Error: SYSTEM ERROR: org.apache.hadoop.security.AccessControlException: Open failed for file: /drill/testdata/csv/voter.csv, error: Permission denied (13)
> Currently Drill only checks if the folder has the correct permission, and not at the file level, when creating views.  It seems odd that a user is allowed to create the view and then is not able to access it afterwards.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
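The gap described in this thread, as an added example that is not Drill's code: a small model of POSIX-style permission evaluation showing why an existence check passes while opening the file for read fails, next to a stricter create-time check. The user `qa1`, its group membership, the modes of the upper directories and the function `validate_view_source` are assumptions; the two lowest entries use the modes from the issue's listing.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    mode: int    # file type + permission bits, as shown by ls -l
    owner: str
    group: str

@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset = frozenset()

VOTER = "/drill/testdata/csv/voter.csv"
OWNER = User("qa2", frozenset({"users"}))
OTHER = User("qa1", frozenset({"users"}))   # hypothetical second user
# Constructed namespace. The last two entries use the modes and owners from the
# issue's listing; the upper directories are assumed to be world-searchable.
FS = {
    "/": Entry(stat.S_IFDIR | 0o755, "root", "root"),
    "/drill": Entry(stat.S_IFDIR | 0o755, "root", "root"),
    "/drill/testdata": Entry(stat.S_IFDIR | 0o755, "root", "root"),
    "/drill/testdata/csv": Entry(stat.S_IFDIR | 0o755, "qa2", "users"),
    VOTER: Entry(stat.S_IFREG | 0o700, "qa2", "users"),
}

def allowed(user, entry, want):
    """POSIX class selection; want is a bit mask (4 read, 2 write, 1 search)."""
    if user.name == entry.owner:
        bits = entry.mode >> 6
    elif entry.group in user.groups:
        bits = entry.mode >> 3
    else:
        bits = entry.mode
    return (bits & want) == want

def exists(user, path):
    """Existence check: needs search (x) on each ancestor, nothing on the file."""
    parts = path.strip("/").split("/")
    dirs = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    if not all(allowed(user, FS[d], 1) for d in dirs):
        raise PermissionError(path)
    return path in FS

def can_read(user, path):
    """Opening the file for read: needs the read bit on the file itself."""
    return exists(user, path) and allowed(user, FS[path], 4)

def validate_view_source(user, path):
    """Stricter create-time check (hypothetical): existence AND readability."""
    if not exists(user, path):
        return "not found"
    return "ok" if can_read(user, path) else "permission denied"
```

The model does not cover superuser bypass or ACLs; it only evaluates owner, group and other mode bits.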