You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@drill.apache.org by "Rahul Challapalli (JIRA)" <ji...@apache.org> on 2015/09/23 03:30:05 UTC
[jira] [Created] (DRILL-3825) Metadata Caching + Impersonation : A
count(*) query can bypass security checks
Rahul Challapalli created DRILL-3825:
----------------------------------------
Summary: Metadata Caching + Impersonation : A count(*) query can bypass security checks
Key: DRILL-3825
URL: https://issues.apache.org/jira/browse/DRILL-3825
Project: Apache Drill
Issue Type: Bug
Components: Metadata
Reporter: Rahul Challapalli
Assignee: Aman Sinha
Priority: Critical
git.commit.id.abbrev=3c89b30
The below testing has been done with impersonation enabled
User A has 755 permissions on the 'lineitem' folder and does not have read access to the subfolder 'lineitem/2006'. The below query rightly fails
{code}
select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
Error: PERMISSION ERROR: Not authorized to read table [/drill/testdata/metadata_caching/lineitem] in schema [dfs.default]
[Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010] (state=,code=0)
{code}
Now some other user who has access to 'lineitem' and its sub-folders ran the 'refresh table metadata" command.
Now user A executes the above same query and gets the result back skipping the security checks
{code}
select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
+---------+
| EXPR$0 |
+---------+
| 60175 |
+---------+
{code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)