[jira] [Commented] (DRILL-4029) Non admin users should not be allowed to execute RESET ALL at SYSTEM level

Wed, 04 Nov 2015 15:26:38 -0800 

    [ 
https://issues.apache.org/jira/browse/DRILL-4029?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14990704#comment-14990704
 ] 

Khurram Faraaz commented on DRILL-4029:
---------------------------------------

The question still remains as to why we allow non-admin users to RESET ALL 
options at SYSTEM level.

{code}
Each of the drillbit-override files on the cluster has this entry, with this 
setting ALTER SYSTEM RESET ALL failed, which is expected.
 impersonation: {
             enabled: true,
             max_chained_user_hops: 3
           }

[root@centos-01 bin]# ./sqlline -u "jdbc:drill:schema=dfs.tmp -n test -p test"
apache drill 1.3.0-SNAPSHOT
"what ever the mind of man can conceive and believe, drill can query"
0: jdbc:drill:schema=dfs.tmp> ALTER SYSTEM RESET ALL;
Error: SYSTEM ERROR: IOException: Error getting user info for current user, test


[Error Id: 254b672e-324e-484f-a918-61c44519e01e on centos-01.qa.lab:31010] 
(state=,code=0)
{code}

> Non admin users should not be allowed to execute RESET ALL at SYSTEM level
> --------------------------------------------------------------------------
>
>                 Key: DRILL-4029
>                 URL: https://issues.apache.org/jira/browse/DRILL-4029
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Execution - Flow
>    Affects Versions: 1.3.0
>         Environment: 4 node cluster CentOS
>            Reporter: Khurram Faraaz
>            Priority: Critical
>
> Set MAPR_IMPERSONATION_ENABLED=false and connect to Drill as user test (which 
> is not admin user) I was able to RESET all options at SYSTEM level, this does 
> not look right.
> {code}
> [root@centos bin]# ./sqlline -u "jdbc:drill:schema=dfs.tmp -n test -p test"
> apache drill 1.3.0-SNAPSHOT
> "say hello to my little drill"
> 0: jdbc:drill:schema=dfs.tmp> ALTER SYSTEM RESET ALL;
> +-------+---------------+
> |  ok   |    summary    |
> +-------+---------------+
> | true  | ALL updated.  |
> +-------+---------------+
> 1 row selected (2.013 seconds)
> 0: jdbc:drill:schema=dfs.tmp> !q
> Closing: org.apache.drill.jdbc.impl.DrillConnectionImpl
> [root@centos bin]# clush -g khurram grep "MAPR_IMPERSONATION_ENABLED" 
> /opt/mapr/drill/drill-1.3.0/conf/drill-env.sh
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> : export MAPR_IMPERSONATION_ENABLED=false
> [root@centos bin]# clush -g khurram tail -n 5 
> /opt/mapr/drill/drill-1.3.0/conf/drill-override.conf
> :
> : drill.exec: {
> :   cluster-id: "my_cluster_com-drillbits",
> :   zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> :   cluster-id: "my_cluster_com-drillbits",
> :   zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> :   cluster-id: "my_cluster_com-drillbits",
> :   zk.connect: "10.10.100.201:5181"
> : }
> :
> : drill.exec: {
> :   cluster-id: "my_cluster_com-drillbits",
> :   zk.connect: "10.10.100.201:5181"
> : }
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to