You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@drill.apache.org by "Zelaine Fong (JIRA)" <ji...@apache.org> on 2015/10/26 19:02:28 UTC
[jira] [Updated] (DRILL-3825) Metadata Caching + Impersonation : A
count(*) query can bypass security checks
[ https://issues.apache.org/jira/browse/DRILL-3825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Zelaine Fong updated DRILL-3825:
--------------------------------
Fix Version/s: 1.3.0
> Metadata Caching + Impersonation : A count(*) query can bypass security checks
> ------------------------------------------------------------------------------
>
> Key: DRILL-3825
> URL: https://issues.apache.org/jira/browse/DRILL-3825
> Project: Apache Drill
> Issue Type: Bug
> Components: Metadata
> Reporter: Rahul Challapalli
> Assignee: Parth Chandra
> Priority: Critical
> Fix For: 1.3.0
>
>
> git.commit.id.abbrev=3c89b30
> The below testing has been done with impersonation enabled
> User A has 755 permissions on the 'lineitem' folder and does not have read access to the subfolder 'lineitem/2006'. The below query rightly fails
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> Error: PERMISSION ERROR: Not authorized to read table [/drill/testdata/metadata_caching/lineitem] in schema [dfs.default]
> [Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010] (state=,code=0)
> {code}
> Now some other user who has access to 'lineitem' and its sub-folders ran the 'refresh table metadata" command.
> Now user A executes the above same query and gets the result back skipping the security checks
> {code}
> select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
> +---------+
> | EXPR$0 |
> +---------+
> | 60175 |
> +---------+
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)