[ 
https://issues.apache.org/jira/browse/DRILL-3820?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14941735#comment-14941735
 ] 

Steven Phillips commented on DRILL-3820:
----------------------------------------

My initial thought was to simply set the permissions to 700 for the metadata 
file. But that would cause problems when there is impersonation, as the 
impersonated user would not be able to read the metadata file.

I actually think the best approach is to have the REFRESH command run as the 
user who gave the command, not the drill process user. That way, only a user 
who has permission to read all of the subdirectories and files, as well as 
write to all of the directories, will be able to run the REFRESH command. The 
metadata file should have the same owner and permissions as the directory it is 
placed in. It should be documented that running this command will expose some 
amount of metadata in all underlying directories to anyone who has permission 
to read the top level directory.

This will at the very least prevent someone from exploiting the REFRESH command 
in order to access metadata in a directory that they don't have permission to read.

> Nested Directories : Metadata Cache in a directory stores information from 
> sub-directories as well creating security issues
> ---------------------------------------------------------------------------------------------------------------------------
>
>                 Key: DRILL-3820
>                 URL: https://issues.apache.org/jira/browse/DRILL-3820
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Metadata
>            Reporter: Rahul Challapalli
>            Assignee: Steven Phillips
>            Priority: Critical
>             Fix For: 1.2.0
>
>
> git.commit.id.abbrev=3c89b30
> User A has access to lineitem folder and its subfolders
> User B has access to lineitem folder but not its sub-folders.
> Now when User A runs the "refresh table metadata lineitem" command, the cache 
> file gets created under lineitem folder. This file contains information from 
> the underlying sub-directories as well.
> Now User B can download this file and get access to information which he 
> should not be seeing in the first place.
> This can be very easily reproducible if impersonation is enabled on the 
> cluster.
> Let me know if you need more information to reproduce this issue.
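The policy proposed in the comment above (REFRESH runs as the invoking user, who must be able to read every file and subdirectory and write to every directory, and the cache file inherits the owner and mode of its directory), modelled as an added example over a constructed in-memory tree; this is illustrative code, not Drill's implementation, and the users, groups and paths are made up:

```python
from dataclasses import dataclass, field
from typing import Optional

R, W, X = 4, 2, 1  # POSIX permission bits

@dataclass
class Node:
    """Constructed stand-in for a filesystem entry: a directory if `children`
    is a dict, a plain file if it is None."""
    owner: str
    group: str
    mode: int                              # e.g. 0o750
    children: Optional[dict] = None

def _permits(node, user, groups, want):
    """Select the owner / group / other bit triple the way POSIX does and check
    that every requested bit is set."""
    if user == node.owner:
        shift = 6
    elif node.group in groups:
        shift = 3
    else:
        shift = 0
    return (node.mode >> shift) & want == want

def can_refresh(root, user, groups, path="/lineitem"):
    """Preflight for REFRESH run as `user`: every directory must be readable,
    traversable and writable (a cache file is written into each one) and every
    file readable. Returns (ok, first offending path)."""
    if root.children is None:
        return _permits(root, user, groups, R), (None if _permits(root, user, groups, R) else path)
    if not _permits(root, user, groups, R | W | X):
        return False, path
    for name, child in root.children.items():
        ok, where = can_refresh(child, user, groups, f"{path}/{name}")
        if not ok:
            return False, where
    return True, None

def cache_file_attrs(directory):
    """The metadata file takes the directory's owner, group and mode, minus the
    execute bits that mean nothing on a regular file."""
    return directory.owner, directory.group, directory.mode & ~0o111

# Scenario from the report: lineitem is shared with group "analysts", but the
# 2015 subdirectory is restricted to user a's private group.
lineitem = Node("a", "analysts", 0o770, {
    "part-0.parquet": Node("a", "analysts", 0o640),
    "2015": Node("a", "a", 0o700, {"part-1.parquet": Node("a", "a", 0o600)}),
})
```

User a passes the preflight, while user b (in "analysts" only) is refused at /lineitem/2015, so no cache file exposing that subtree is ever written on b's behalf.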



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)