[ https://issues.apache.org/jira/browse/DRILL-6906?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Hou updated DRILL-6906:
------------------------------
    Description: 
I ran sqlline with user "kuser1".
{noformat}
/opt/mapr/drill/drill-1.15.0.apache/bin/sqlline -u "jdbc:drill:drillbit=10.10.30.206" -n kuser1 -p mapr
{noformat}

I tried to access a file that is only accessible by root:
{noformat}
[root@perfnode206 drill-test-framework_krystal]# hf -ls /drill/testdata/impersonation/neg_tc5/student
-rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student
{noformat}

I am able to read the table, which should not be possible.  I used this commit 
for Drill 1.15.
{noformat}
git.commit.id=bf2b414ac62cfc515fdd77f2688bb110073d764d
git.commit.message.full=DRILL-6866\: Upgrade to SqlLine 1.6.0\n\n1. Changed SqlLine version to 1.6.0.\n2. Overridden new getVersion method in DrillSqlLineApplication.\n3. Set maxColumnWidth to 80 to avoid issue described in DRILL-6769.\n4. Changed colorScheme to obsidian.\n5. Output null value for varchar / char / boolean types as null instead of empty string.\n6. Changed access modifier from package default to public for JDBC classes that implement external interfaces to avoid issues when calling methods from these classes using reflection.\n\ncloses \#1556
{noformat}

This is from drillbit.log.  It shows that user is kuser1.
{noformat}
2018-12-15 05:00:52,516 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] DEBUG o.a.d.e.w.f.QueryStateProcessor - 23eb04fb-1701-bea7-dd97-ecda58795b3b: State change requested PREPARING --> PLANNING
2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
{noformat}

It is not clear to me if this is a Drill problem or a file system problem.  I 
tested MFS by logging in as kuser1 and trying to copy the file using "hadoop fs 
-copyToLocal /drill/testdata/impersonation/neg_tc5/student" and got an error, 
and was not able to copy the file.  So I think MFS permissions are working.

I also tried with Drill 1.14, and I get the expected error:
{noformat}
0: jdbc:drill:drillbit=10.10.30.206> select * from dfs.`/drill/testdata/impersonation/neg_tc5/student` limit 1;
Error: VALIDATION ERROR: From line 1, column 15 to line 1, column 17: Object '/drill/testdata/impersonation/neg_tc5/student' not found within 'dfs'

[Error Id: cdf18c2a-b005-4f92-b819-d4324e8807d9 on perfnode206.perf.lab:31010] (state=,code=0)
{noformat}

The commit for Drill 1.14 is:
{noformat}
git.commit.message.full=[maven-release-plugin] prepare release drill-1.14.0\n
git.commit.id=0508a128853ce796ca7e99e13008e49442f83147
{noformat}

This problem exists with both Apache JDBC and Simba ODBC.

Here is drill-distrib.conf.  drill-override.conf is empty.  It is the same for 
both 1.14 and 1.15.
{noformat}
drill.exec: {
  cluster-id: "secure206-drillbits",
  zk.connect: "perfnode206.perf.lab:5181,perfnode207.perf.lab:5181,perfnode208.perf.lab:5181",
  rpc.user.client.threads: "4",
  options.store.parquet.block-size: "268435456",
  sys.store.provider.zk.blobroot: "maprfs:///apps/drill",
  spill.directories: [ "/tmp/drill/spill" ],
  spill.fs: "maprfs:///",
  storage.action_on_plugins_override_file: "rename"

  zk.apply_secure_acl: true,

  impersonation.enabled: true,
  impersonation.max_chained_user_hops: 3,
  options.exec.impersonation.inbound_policies: "[{proxy_principals:{users:[\"mapr\"]},target_principals:{users:[\"*\"]}}]",

  # security.auth.mechanisms: ["MAPRSASL", "PLAIN", "KERBEROS"],
  security.auth.mechanisms: ["PLAIN", "KERBEROS"],
  security.auth.principal : "mapr/maprs...@qa.lab",
  security.auth.keytab : "/etc/drill/mapr_maprsasl.keytab",
  security.user.auth.enabled: true,
  security.user.auth.packages += "org.apache.drill.exec.rpc.user.security",
  security.user.auth.impl: "pam4j",
  security.user.auth.pam_profiles: ["sudo", "login"],

  http.ssl_enabled: true,
  ssl.useHadoopConfig: true,
  http.auth.mechanisms: ["FORM", "SPNEGO"],
  http.auth.spnego.principal: "HTTP/perfnode206.perf....@qa.lab",
  http.auth.spnego.keytab: "/etc/drill_spnego/perfnode206.keytab"
}
{noformat}


> File permissions are not being honored
> --------------------------------------
>
>                 Key: DRILL-6906
>                 URL: https://issues.apache.org/jira/browse/DRILL-6906
>             Project: Apache Drill
>          Issue Type: Bug
>          Components: Client - JDBC, Client - ODBC
>    Affects Versions: 1.15.0
>            Reporter: Robert Hou
>            Assignee: Pritesh Maker
>            Priority: Blocker
>             Fix For: 1.15.0



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
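
Added example, not part of the original report or of Apache Drill: a cross-check of the two artifacts quoted in the report, the drillbit.log "issued by" line and the file listing, that flags queries whose issuing user lacks the POSIX read bit on the queried path. The group memberships and the second (root) log line are constructed; ACLs and superuser rules are not modelled.

```python
import re

# Unwrapped from the drillbit.log and listing excerpts in the report;
# the second log line (root) is constructed for contrast.
LOG = """\
2018-12-15 05:00:52,531 [23eb04fb-1701-bea7-dd97-ecda58795b3b:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 23eb04fb-1701-bea7-dd97-ecda58795b3b issued by kuser1: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
2018-12-15 05:01:10,002 [00000000-0000-0000-0000-000000000001:foreman] INFO  o.a.drill.exec.work.foreman.Foreman - Query text for query with id 00000000-0000-0000-0000-000000000001 issued by root: select * from dfs.`/drill/testdata/impersonation/neg_tc5/student`
"""
LISTING = "-rwx------   3 root root      64612 2018-06-19 10:30 /drill/testdata/impersonation/neg_tc5/student"
GROUPS = {"kuser1": {"kuser1"}, "root": {"root"}}  # assumed group membership

QUERY_RE = re.compile(r"Query text for query with id (\S+) issued by (\S+): (.*)")
PATH_RE = re.compile(r"dfs\.`([^`]+)`")

def parse_listing(text):
    """Map path -> (mode string, owner, group) from `hadoop fs -ls` style lines."""
    acl = {}
    for line in text.splitlines():
        f = line.split(None, 7)  # keep a path containing spaces intact
        if len(f) == 8 and len(f[0]) == 10:
            acl[f[7]] = (f[0], f[2], f[3])
    return acl

def may_read(mode, owner, group, user, user_groups):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if user == owner:
        return mode[1] == "r"
    if group in user_groups:
        return mode[4] == "r"
    return mode[7] == "r"

def unauthorized_reads(log, listing, groups):
    """Return (query_id, user, path) for queries on paths the user cannot read."""
    acl = parse_listing(listing)
    hits = []
    for m in QUERY_RE.finditer(log):
        qid, user, sql = m.groups()
        for path in PATH_RE.findall(sql):
            if path in acl and not may_read(*acl[path], user, groups.get(user, set())):
                hits.append((qid, user, path))
    return hits

if __name__ == "__main__":
    for hit in unauthorized_reads(LOG, LISTING, GROUPS):
        print("query %s: user %s has no read permission on %s" % hit)
```

A hit shows only that the query was issued against a path the user cannot read; whether rows were returned has to be confirmed from the query's outcome.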