You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@drill.apache.org by "Rahul Challapalli (JIRA)" <ji...@apache.org> on 2015/09/23 03:30:05 UTC

[jira] [Created] (DRILL-3825) Metadata Caching + Impersonation : A count(*) query can bypass security checks

Rahul Challapalli created DRILL-3825:
----------------------------------------

             Summary: Metadata Caching + Impersonation : A count(*) query can bypass security checks
                 Key: DRILL-3825
                 URL: https://issues.apache.org/jira/browse/DRILL-3825
             Project: Apache Drill
          Issue Type: Bug
          Components: Metadata
            Reporter: Rahul Challapalli
            Assignee: Aman Sinha
            Priority: Critical


git.commit.id.abbrev=3c89b30

The below testing has been done with impersonation enabled

User A has 755 permissions on the 'lineitem' folder and does not have read access to the subfolder 'lineitem/2006'. The below query rightly fails
{code}
select count(*) from dfs.`/drill/testdata/metadata_caching/lineitem`;
Error: PERMISSION ERROR: Not authorized to read table [/drill/testdata/metadata_caching/lineitem] in schema [dfs.default]


[Error Id: c3238ee0-4338-46bf-ba7c-875d995d62d0 on qa-node190.qa.lab:31010] (state=,code=0)
{code}

Now some other user who has access to 'lineitem' and its sub-folders ran the 'refresh table metadata" command.
Now user A executes the above same query and gets the result back skipping the security checks
{code}
select count(*) from  dfs.`/drill/testdata/metadata_caching/lineitem`;
+---------+
| EXPR$0  |
+---------+
| 60175   |
+---------+
{code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)