[
https://issues.apache.org/jira/browse/DRILL-4029?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990173#comment-14990173
]
Khurram Faraaz commented on DRILL-4029:
---------------------------------------
Another observation: in this case, with impersonation enabled, we can execute
RESET ALL options at SYSTEM level as a non-ADMIN user (the user is test in this
example). Note that user test does NOT exist.
{code}
[root@centos-01 conf]# clush -g khurram grep "MAPR_IMPERSONATION_ENABLED" /opt/mapr/drill/drill-1.3.0/conf/drill-env.sh
10.10.100.203: export MAPR_IMPERSONATION_ENABLED=true
10.10.100.202: export MAPR_IMPERSONATION_ENABLED=true
10.10.100.204: export MAPR_IMPERSONATION_ENABLED=true
10.10.100.201: export MAPR_IMPERSONATION_ENABLED=true
[root@centos-01 bin]# ./sqlline -u "jdbc:drill:schema=dfs.tmp -n test -p test"
apache drill 1.3.0-SNAPSHOT
"what ever the mind of man can conceive and believe, drill can query"
0: jdbc:drill:schema=dfs.tmp> ALTER SYSTEM RESET ALL;
+-------+---------------+
| ok | summary |
+-------+---------------+
| true | ALL updated. |
+-------+---------------+
1 row selected (0.627 seconds)
{code}
> Non admin users should not be allowed to execute RESET ALL at SYSTEM level
> --------------------------------------------------------------------------
>
> Key: DRILL-4029
> URL: https://issues.apache.org/jira/browse/DRILL-4029
> Project: Apache Drill
> Issue Type: Bug
> Components: Execution - Flow
> Affects Versions: 1.3.0
> Environment: 4 node cluster CentOS
> Reporter: Khurram Faraaz
> Priority: Critical
>
> Set MAPR_IMPERSONATION_ENABLED=false and connect to Drill as user test (which
> is not an admin user). I was able to RESET all options at SYSTEM level; this does
> not look right.
> {code}
> [root@centos bin]# ./sqlline -u "jdbc:drill:schema=dfs.tmp -n test -p test"
> apache drill 1.3.0-SNAPSHOT
> "say hello to my little drill"
> 0: jdbc:drill:schema=dfs.tmp> ALTER SYSTEM RESET ALL;
> +-------+---------------+
> | ok | summary |
> +-------+---------------+
> | true | ALL updated. |
> +-------+---------------+
> 1 row selected (2.013 seconds)
> 0: jdbc:drill:schema=dfs.tmp> !q
> Closing: org.apache.drill.jdbc.impl.DrillConnectionImpl
> [root@centos bin]# clush -g khurram grep "MAPR_IMPERSONATION_ENABLED" /opt/mapr/drill/drill-1.3.0/conf/drill-env.sh
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> [root@centos bin]# clush -g khurram tail -n 5 /opt/mapr/drill/drill-1.3.0/conf/drill-override.conf
> :
> : drill.exec: {
> : cluster-id: "my_cluster_com-drillbits",
> : zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> : cluster-id: "my_cluster_com-drillbits",
> : zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> : cluster-id: "my_cluster_com-drillbits",
> : zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> : cluster-id: "my_cluster_com-drillbits",
> : zk.connect: "10.10.100.201:5181"
> : }
> {code}
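A detection sketch for the behaviour reported above, added here as an example (it is not part of the JIRA thread or of Drill's code): it scans a query log for `ALTER SYSTEM SET/RESET` statements issued by accounts outside an admin allow-list. The JSON-lines log format, the `username` and `queryText` field names, and the `ADMINS` set are assumptions; the sample records are constructed.

```python
import json
import re

# Constructed sample log: one JSON object per line. The field names
# (username, queryText) are assumptions, not taken from the issue.
SAMPLE_LOG = """\
{"username": "test", "queryText": "ALTER SYSTEM RESET ALL"}
{"username": "mapr", "queryText": "alter system set `planner.slice_target` = 1000"}
{"username": "test", "queryText": "ALTER SESSION RESET ALL"}
{"username": "test", "queryText": "/* x */ alter   system\\nreset `exec.errors.verbose`;"}
{"username": "test", "queryText": "SELECT 'ALTER SYSTEM RESET ALL' FROM sys.version"}
not-json garbage line
"""

ADMINS = {"mapr"}  # hypothetical allow-list of admin accounts

# Strip SQL comments so a leading comment cannot hide the statement.
_COMMENTS = re.compile(r"/\*.*?\*/|--[^\n]*", re.S)
# Anchored at the start of the statement: text inside a string literal of
# another query (sample line 5) does not count as a system-level change.
_ALTER_SYSTEM = re.compile(r"\s*ALTER\s+SYSTEM\s+(SET|RESET)\b", re.I)


def system_option_changes(log_text, admins=ADMINS):
    """Return (line_no, user, action) for ALTER SYSTEM run by non-admins."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            user = rec["username"]
            sql = _COMMENTS.sub(" ", rec["queryText"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed records rather than abort the scan
        m = _ALTER_SYSTEM.match(sql)
        if m and user not in admins:
            findings.append((line_no, user, m.group(1).upper()))
    return findings


if __name__ == "__main__":
    for finding in system_option_changes(SAMPLE_LOG):
        print(finding)
```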